My php files are not being listed

Website URL:

Error Message:

403 Forbidden


In my website I have a php file called “hello.php” but it is not being listed in the directory listing,
Doesn’t matter whatever name I rename it or create a new php file it’s still not showing there,
What should I do?

hello.php :point_down:

<?php echo "hello"; ?>

This is the code of my “hello.php” file which is just an echo


Try uploading it again? Are you getting any errors when uploading?

Also, I highly recommend that you secure your database, its quite vulnerable right now:


Do you have any .htaccess file which has something to do with the php extension or something similar?

because when I type anything which ends with .php extension leads to 403

e.g. 403

vs good 404


Thanks for the help, the database project was just an test experiment

Happy to hear and I’m glad you liked the 404 page,

The answer to your question is, no I don’t have any .htaccess file please provide some assistance why this this happening and how do I fix it :smiling_face_with_tear:

Hey, Can You Please Provide Some Information

I want to know that how u injected your own php code in the “index.php” file and even when I’m opening the file from a FTP surprisingly your code is not there

I kinda of did the same thing, but on the insert page, and I can confirm your database is in fact vulnerable.

You should first check if the user input contains characters like "',;, and many more, before running your SQL query. (Search Google how to prevent SQL Injection)

For the code, I’m not teaching others how to hack here. (Can I PM the user? Is that allowed?)

1 Like

As it should not be.
The vulnerability is not the file modification type, the exploit could be stored in your database, might want to check the table which is responsibe for storing student info.
I heavily recommend learning about the top ten vulnerabilities listed by OWASP. XSS, CSRF and MySQL injection etc.


I Dident. That was JavaScript. But it would probably work with PHP as well (Which is even worse). I wanted to prove it is broken and vulnerable without actually breaking anything.

Because it’s in the database, not in the files. However, I could modify those files if I actually injected PHP.

Um, why not just escape / encode everything non-alphanumeric? That’s quite the bit easier in my opinion.

And I heavily second that


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.