highlight_file is a built-in function in PHP, which is used to highlight the PHP code of the specified file on a web page. The syntax is as follows:
highlight_file('example.php');
This function will read the contents of the specified file and output the PHP code in it in color format, making it easier to view the code structure and logic.
Source code leak: displaying the PHP file source code directly on public websites may expose database connection information, API keys, business logic and even user privacy data, greatly increasing the risk of being attacked.
Code is maliciously exploited: the attacker understands the system structure by checking the source code, finds vulnerability entrances, and launches attacks such as SQL injection and remote code execution.
Influence on website image and user trust: public source code may make users think that the website is poorly secured and reduce trust.
Make sure highlight_file is only used in development environments or restricted internal environments, and avoid being called in production environments or in public pages.
Use server configurations (such as .htaccess , Nginx rules) to restrict access to source code display pages.
Restrict access through user authentication and only allow administrators or authorized personnel to view the source code. For example:
session_start();
if (!isset($_SESSION['is_admin']) || $_SESSION['is_admin'] !== true) {
die('No permission to access source code');
}
highlight_file('path/to/file.php');
Do not display sensitive files directly. Read the file contents first and redact secrets (or display only part of the file) before rendering. For example, hide the database password:
$code = file_get_contents('path/to/file.php');
$code = preg_replace('/(\$db_password\s*=\s*)["\'].*?["\'];/', '$1"*****";', $code);
highlight_string($code);
Avoid directly using URL parameters as file paths to prevent directory traversal attacks. For example:
$allowed_files = ['config.php', 'index.php'];
$file = $_GET['file'] ?? '';
// Strict comparison (third argument true) so that loose type juggling cannot match an entry
if (!in_array($file, $allowed_files, true)) {
    die('Illegal request');
}
highlight_file("files/{$file}");
Place the PHP file outside the web root directory, or prohibit access to the source file through the server configuration. For example, in Nginx:
location ~ \.php$ {
    deny all;
}
<?php
session_start();
// Only allow administrators to view
if (!isset($_SESSION['is_admin']) || $_SESSION['is_admin'] !== true) {
    die('No permission to access source code');
}
// List of files allowed to view
$allowed_files = ['index.php', 'config.php'];
$file = $_GET['file'] ?? '';
// Strict comparison: the request parameter must match an allowlist entry exactly
if (!in_array($file, $allowed_files, true)) {
    die('Illegal request');
}
// The path is built from the allowlisted name, never from the raw request
$filepath = __DIR__ . "/files/{$file}";
// Read the code content
if (file_exists($filepath)) {
    $code = file_get_contents($filepath);
    // Simple redaction example: replace the database password value with *****
    $code = preg_replace('/(\$db_password\s*=\s*)["\'].*?["\'];/', '$1"*****";', $code);
    highlight_string($code);
} else {
    echo 'The file does not exist';
}
?>
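The following is an added example (not code from the original article) that folds the allowlist, path-containment and redaction ideas from the traversal and desensitization sections above into one reusable function. It assumes PHP 8.0 or later; the base directory, the allowlist entries and the variable names in $secretVars are illustrative placeholders. Unlike the inline snippets, it also verifies with realpath() that the resolved file stays inside the base directory, so a careless allowlist entry such as "../something.php" is still rejected, and it returns the HTML instead of echoing it so the behaviour can be checked in a test.

```php
<?php
// Added example, not part of the original article. Assumes PHP 8.0+.
declare(strict_types=1);

/**
 * Return highlighted, redacted HTML for one allowlisted file, or null if the
 * request is rejected. The rejection reason is written to $reason.
 */
function render_source_safely(
    string $requested,
    string $baseDir,
    array $allowedFiles,
    array $secretVars,
    ?string &$reason = null
): ?string {
    // 1. Allowlist with strict comparison so type juggling cannot match an entry.
    if (!in_array($requested, $allowedFiles, true)) {
        $reason = 'file not in allowlist';
        return null;
    }

    // 2. Directory containment as defence in depth: the resolved path must sit
    //    inside $baseDir even if an allowlist entry contains "../".
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        $reason = 'path escapes base directory or does not exist';
        return null;
    }

    $code = file_get_contents($path);
    if ($code === false) {
        $reason = 'unreadable file';
        return null;
    }

    // 3. Redact assignments of every listed secret variable ('...' or "..." values).
    foreach ($secretVars as $var) {
        $pattern = '/(\$' . preg_quote($var, '/') . '\s*=\s*)["\'].*?["\'];/';
        $code = preg_replace($pattern, '$1"*****";', $code);
    }

    // return=true yields the HTML instead of printing it, keeping the function testable.
    return highlight_string($code, true);
}

// --- Demonstration with constructed files in a temporary directory ---
$tmpDir = sys_get_temp_dir() . '/hl_demo_' . bin2hex(random_bytes(4));
mkdir($tmpDir);
file_put_contents($tmpDir . '/config.php',
    "<?php\n\$db_user = 'app';\n\$db_password = 'hunter2';\n\$api_key = \"abc123\";\n");
// A file one level above the base directory, to show the containment check.
$outside = $tmpDir . '_outside.php';
file_put_contents($outside, "<?php\n\$db_password = 'outside';\n");

$secrets = ['db_password', 'api_key'];
$cases = [
    // [requested name, allowlist]
    ['config.php',                ['config.php', 'index.php']],   // rendered, secrets redacted
    ['../config.php',             ['config.php', 'index.php']],   // rejected by allowlist
    ['index.php',                 ['config.php', 'index.php']],   // rejected: does not exist
    ['../' . basename($outside),  ['../' . basename($outside)]],  // rejected by containment
];

foreach ($cases as [$req, $allowed]) {
    $html = render_source_safely($req, $tmpDir, $allowed, $secrets, $why);
    if ($html === null) {
        echo "$req: rejected ($why)\n";
    } else {
        $leaked = str_contains($html, 'hunter2') || str_contains($html, 'abc123');
        echo "$req: rendered, secrets visible? " . ($leaked ? 'yes' : 'no') . "\n";
    }
}

unlink($tmpDir . '/config.php');
unlink($outside);
rmdir($tmpDir);
```

The session check from the article's full example belongs in front of this function in a real page; it is left out here so the function itself stays side-effect free. The redaction regex is the article's own pattern, generalised to a list of variable names with preg_quote() so that each name is matched literally.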
Although highlight_file makes it easy to view PHP code, unprotected display of source code can lead to serious security issues. Developers should strictly restrict access rights to avoid direct exposure of sensitive files, adopt desensitization and server security configuration to ensure that the source code is not disclosed publicly.
Protecting code security is a key step in ensuring the stability of the website and the security of user information. I hope the suggestions in this article help you use highlight_file safely and avoid unnecessary security hazards.