We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Direct access to .phtml shows php code. Potential security breach?

Hi there,

Today I tried to access my view files directly by just typing in for example http://localhost/myproject/app/views/test.phtml It resulted in output of php code into the browser (tags, functions names, variable names etc). I understand that it is only a view file, but still, some programmers put confidential information or propriatory code into view files.

Is there any way I can restrict direct access to the view files?

Thank you in advance.

edited Apr '14

Yes. Define virtual hosts in you http server(apache, nginx, etc.). And set the document root to the folder in which index.php is. This way any other file, from other folders above that root folder will not be accesible via browser. The php code you are seeing in that file has to do also with the server. It is not configured to interpret php code in phtml files, so everything in there is considered just text.

So this is a problem with you configuring your server, not phalcon itself.


Hi vlad4800,

Thank you for your answer. I wasn't saying that there is problem with phalcon. I just was wondering if there is any way to protect view files. I'm using WAMP on my local system. In my .htaccess file I have:

  • Options -Indexes
  • RewriteEngine On
  • RewriteCond %{REQUEST_FILENAME} !-d
  • RewriteCond %{REQUEST_FILENAME} !-f
  • RewriteRule ^(.*)$ index.php?_url=/$1 [QSA,L]

My index.php file is located in the root directory:

  • .htaccess
  • index.php
  • app (folder)
  • public (folder)

So where would you put index.php file? And what should I add into .htaccess file in order for it to work?

Thank you for your help.

index.php should be in "public" folder, that's why it's called public :D


Got it. Thanks for the answers.

Great ! Good luck with Phalcon.