Can users download PHP files from a web server?

Say a user knows the path of a PHP file: can the user download the file? Are there any steps to take to prevent it from happening?

As long as your webserver is configured to interpret PHP files, those will be interpreted -- which means their output, and not their raw content, will be sent to the users.

Of course, if you have a script that takes a file path as a parameter, and displays the content of that file... you'll have to make sure that script is secured, to not display the content of PHP files ;-)

Assuming you meant "visitor", if you do not have scripts like <?php readfile($_GET['file']); ?> (or other similar holes) you are safe.

If the "user" is someone who can put files on the server (e.g. in a shared hosting environment), it depends on the server. If every PHP file runs under the same user and no strict open_basedir restriction is set, it becomes very easy to read other users' files.

Even if PHP is "secured" by open_basedir restrictions, CGI can still bypass these restrictions. Therefore, it's recommended to set the file permissions in such a way that others are not able to read your files: chmod 640 on files, chmod 750 on directories.
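An added example, not part of any answer on this page: one way to secure a script that takes a file name as a parameter, in contrast to the readfile($_GET['file']) pattern mentioned above. The directory DOWNLOAD_DIR, the allow-list ALLOWED_EXT and the function name resolveDownload are assumptions made for illustration.

```php
<?php
// Added example: a download endpoint confined to one directory.
const DOWNLOAD_DIR = '/var/www/downloads';          // hypothetical path, kept outside the code tree
const ALLOWED_EXT  = ['pdf', 'txt', 'png', 'zip'];  // hypothetical allow-list: no php, inc, ini

/** Map a user-supplied name to a real file inside $baseDir, or return null. */
function resolveDownload(string $requested, string $baseDir, array $allowedExt): ?string
{
    // Plain file names only: no slashes, backslashes, NUL bytes, quotes or leading dots.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $requested)) {
        return null;
    }
    // Allow-list the extension so source files (.php) are never served raw.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // realpath() resolves symlinks, so a link pointing out of the directory is caught below.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved path must still start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// ?file[]=x makes $_GET['file'] an array, so accept strings only.
$requested = $_GET['file'] ?? '';
$path = is_string($requested)
    ? resolveDownload($requested, DOWNLOAD_DIR, ALLOWED_EXT)
    : null;

if ($path === null) {
    http_response_code(404);   // same response for "missing" and "not allowed"
    exit;
}

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Setting open_basedir and the 640/750 permissions described above still applies; this check only covers the script's own parameter handling.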

Well, they will be able to see files on your website. Here is a script that I made that allows users to browse files on a website:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Site</title>
<style type="text/css">
/*CSS Document made by Glenn Dayton 8/14/11*/
body{
 background-color:#999;
}
</style>
</head>

<body>
<h1>.</h1>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>">
<label style="color:#FFF;">Area<input type="text" name="t" /></label>
<input type="submit" name="submit" value="S"/>
<label style="color:#FFF;">Text Area<input type="text" name="view" /></label>
<input type="submit" name="submit" value="V"/>
</form>
<?php
echo getcwd();
chdir('C:');
echo "<br />";
$s = scandir(getcwd().$_POST['t']);
echo "<b style=\"color:blue;\">".getcwd().$_POST['t']."</b><br />";
print_r($s);
$filename = getcwd().$_POST['view'];
echo "<b style=\"color:yellow;\">".$filename."</b><br />";
$file = file_get_contents($filename); // the second argument is use_include_path, not a mode string
echo "<br /><hr />";
if($file){
$ex = stat($filename);
echo "<ul>";
// stat() returns 13 numeric entries plus the same 13 values under named keys; list the numeric ones
for($i = 0;$i < 13;$i++){
    echo "<li style=\"color:green;\">$ex[$i]</li>";
}
echo "</ul>";
echo $file;
}else{
echo "<br /><span style=\"color:red;\">Problem</span>";
}
// file_get_contents() returns a string, not a file handle, so there is nothing to fclose()
?>

This will allow you to browse through a website's C: drive if the server is poorly configured; it can be modified for Linux-based servers. Whether users can modify files depends on the files' permissions: ls -l your files and take a look at the permissions. You can disable PHP functions from being executed.