Can I have a PHP file download without it being executed?
I recently got a phishing mail of unusually bad quality; "Please immediately sign in under the following link, as we are your bank, you know"-ish. The link points to an unconvincing URL with .php at the end.
I was asking myself why they might use a PHP script instead of just faking the look of the given page and submitting entered data to a form.
I don't really want to click the link to find out, but I would love to get to know what this PHP file is about to do. Is there a way of downloading the script, such as you could with client-side JavaScript?
Or am I not able to access the PHP file, as it is executed by the server? Are there other ways of analysing this file and its behaviour without any danger?
As others have said, the PHP file download is executed server-side, unless the server is so badly set up that it will simply serve the source.
If you would like to examine what is sent to your client without the possibility of it doing anything untoward, use a text editor like Notepad to open the URL. That is, use File → Open but open the URL rather than a real file.
The server will interpret the request and send what it would normally send to a browser. Your text editor will receive it, but all a text editor can do is display it for editing. It will never get near a browser or other rendering engine to be executed.
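The approach in the answer above, as an added example that is not part of the original answer: request the URL and keep the response as plain text without following redirects, then list where the returned HTML would send data or load code from. The names `fetch_as_text` and `static_pointers` and the sample body are hypothetical and constructed for illustration.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser

MAX_BYTES = 200_000  # read at most this much of the response

# Constructed sample of what such a link might return (not from a real site).
SAMPLE_BODY = """<html><body>
<form method="post" action="login.php">
<input name="user"><input type="password" name="pin">
</form><script src="https://cdn.example.invalid/track.js"></script>
</body></html>"""

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_as_text(url, timeout=10):
    """Return (status, headers, body); the body is decoded, never rendered."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a body
        resp = err
    with resp:
        body = resp.read(MAX_BYTES).decode("utf-8", errors="replace")
        return resp.status, dict(resp.headers), body

class Pointers(HTMLParser):
    """Collect where a page would send data to or load code from."""
    WATCH = {("form", "action"), ("script", "src"), ("iframe", "src")}
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WATCH and value:
                self.found.append((tag, name, value))
            elif tag == "input" and name == "type" and (value or "").lower() == "password":
                self.found.append((tag, name, "password"))

def static_pointers(body):
    """Parse body as text only; no script runs and nothing is fetched."""
    parser = Pointers()
    parser.feed(body)
    return parser.found

if __name__ == "__main__":
    for item in static_pointers(SAMPLE_BODY):  # or the body from fetch_as_text(url)
        print(item)
```

This shows only the output the PHP script sends, not its source, and the request itself is visible to the server (your IP address and any token embedded in the link).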