www.webdeveloper.com
Thread: Security issues

  1. #1
    Join Date
    Nov 2009
    Posts
    20

    Security issues

    -where to place the connection string
    -what about MySQL security
    -sessions
    -what is a web accessible folder
    -do I need to compile the PHP code
    -user-role security system
    -anything else..

    Regards.

  2. #2
    Join Date
    May 2004
    Location
    chennai, tamil nadu, India
    Posts
    445

    answers

    Where to place the connection string

    http://php.net/manual/en/function.mysql-connect.php

    -what about mysql security

    http://www.tizag.com/mysqlTutorial/m...-injection.php

    -sessions

    http://php.net/manual/en/features.sessions.php

    -what is a web accessible folder

    Any directory which you can access by typing a web URL?

    -do I need to compile the PHP code

    From the user's point of view, all you will do is upload the PHP code to a web server and access that file.php, and it runs.


    P.S:- Are these your "homework" questions ?
    Chris, Senior Developer,
    Php laravel developers,
    www.chrisranjana.com

  3. #3
    Join Date
    Nov 2009
    Posts
    20
    I need to know what is the most secure place for my config files (that contain sensitive data: passwords, connection string, etc.)?

  4. #4
    Join Date
    Mar 2007
    Posts
    946
    Quote Originally Posted by Birokrat View Post
    I need to know what is the most secure place for my config files (that contain sensitive data: passwords, connection string, etc.)?
    Not in any web accessible directory.

    http://phpsec.org/projects/guide/3.html

    Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes include and require statements much simpler, but it can lead to situations that expose your access credentials.

    Remember that everything within document root has a URL associated with it. For example, if document root is /usr/local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://example.org/inc/db.inc.

    Combine this with the fact that most web servers will serve .inc files as plaintext, and the risk of exposing your access credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access credentials are particularly sensitive.

    Of course, one simple solution is to place all modules outside of document root, and this is a good practice. Both include and require can accept a filesystem path, so there's no need to make modules accessible via URL. It is an unnecessary risk.
    "Hippies.They're everywhere. They wanna save the earth, but all they do is smoke pot and smell bad."-Cartman
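    As an added example (not from this post or the phpsec guide it quotes), the layout described above in code: the credentials file sits one level above document root and is loaded by filesystem path, and the script refuses to start if that file turns out to be web accessible. The paths /var/www/example and /var/www/example/htdocs are assumed, and mysqli is used in place of the thread's mysql_connect.

    ```php
    <?php
    // Added example. Assumed layout (document root is /var/www/example/htdocs):
    //
    //   /var/www/example/config/db.php     <- credentials; no URL maps to this path
    //   /var/www/example/htdocs/index.php  <- this file, served by the web server
    //
    // Assumed contents of /var/www/example/config/db.php (returns an array, so
    // the values never become globals; constructed sample values):
    //
    //   <?php
    //   return ['host' => 'localhost', 'user' => 'app_user',
    //           'password' => 'CHANGE_ME', 'dbname' => 'app'];

    // Resolve the config path relative to THIS file, not to the working directory,
    // so the require works regardless of which URL invoked the script.
    $configFile = dirname(__DIR__) . '/config/db.php';

    // Fail closed rather than fall back to a copy inside document root.
    if (!is_readable($configFile)) {
        http_response_code(500);
        exit('Configuration missing.');
    }

    // Sanity check: the config file must not resolve to a path under document
    // root, otherwise it has a URL and may be served as plain text (the .inc
    // problem described above).
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
    $cfgReal = realpath($configFile);
    if ($docRoot !== false && strpos($cfgReal, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        http_response_code(500);
        exit('Configuration file is web accessible; move it outside document root.');
    }

    $db = require $configFile;

    $mysqli = new mysqli($db['host'], $db['user'], $db['password'], $db['dbname']);
    if ($mysqli->connect_error) {
        // Log the detail server-side; never echo credentials or the driver's
        // error text to the client.
        error_log('DB connect failed: ' . $mysqli->connect_error);
        http_response_code(500);
        exit('Database unavailable.');
    }
    unset($db); // drop the credentials array once the connection exists
    ```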

  5. #5
    Join Date
    Nov 2009
    Posts
    20
    mysql_connect('localhost', $_ENV['MYSQL_USER'], $_ENV['MYSQL_PASSWORD']);
    -this is a snippet of code from the O'Reilly PHP Cookbook

    I like to create a custom config file (to keep my connection string safe) which will override the main conf file, since I'm using a shared hosting environment.

    I'm lacking experience on this subject, so I was looking for someone to show me an example or point to a reference.

    Regards.

  6. #6
    Join Date
    Nov 2009
    Posts
    20
    Anyone?

  7. #7
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,334
    See http://shiflett.org/articles/shared-hosting and in particular under the heading "What Can You Do?" However, note that this technique requires assistance from the web server administrator to add the necessary entries in the relevant httpd.conf file (assuming Apache is being used). Depending on the hosting company being used, they may or may not accommodate you.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  8. #8
    Join Date
    Dec 2009
    Location
    Denmark
    Posts
    240
    Why not just put the strings in some PHP variables in a file with a PHP extension? No one will be able to view it anyway. And if that is not enough, make a rule for that file in your .htaccess file.

  9. #9
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,334
    Quote Originally Posted by dk_zero-cool View Post
    Why not just put the strings in some PHP variables in a file with a PHP extension? No one will be able to view it anyway. And if that is not enough, make a rule for that file in your .htaccess file.
    The technique above is not to prevent people from seeing it via external HTTP/FTP requests, but via local file system requests via scripts/commands run on the server by someone with another account on the same shared host (or by someone who hacks someone else's account on that host). This is due to the fact that typical shared host configurations have PHP running as an Apache module, which means any file that is readable by your PHP scripts is also readable by anyone else's PHP script (or other script being run by Apache), plus it typically means you have to give the file "world" read access.

    (All this points to why if you are truly dealing with sensitive data, you are better off at least getting a virtual private host account if not a private server, but the above technique will help on a shared host if the hosting company will cooperate with you to implement it.)
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  10. #10
    Join Date
    Jan 2010
    Location
    Great Britain
    Posts
    21
    If you're running on an Apache server with URL rewrites, you can deny any and all traffic requests on a web-exposed folder and still access it via an include.

    Your other option is to lower the file permissions to a level at which the files become invisible to the web but can be accessed locally.

    As for shared servers, if your host is professional enough to take the time, the settings can be made to prohibit server-side access to domains you do not own... This is the case with my web host; they even have a firewall policy on FTP now to thwart FTP hacks... So it really is down to how fly-by-night your web host's operations are.

    IMHO you should not have any issues if your include file is in the public domain. Just add an Options -Indexes in the .htaccess file for that folder to stop index requests. I would also add a redirection to the site root, and I would also include in the connection script a self-load test to check whether the file request is a direct request for the file at the URL or not. If it's a direct request, for whatever reason, divert them to the site root. Do not use .inc, use .inc.php, and then the file WILL be parsed for sure and any internal security can be used to check the validity of the request.
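    The "self-load test" suggested above, written out as an added example (not the poster's code): a guard at the top of a web-reachable connection include named db.inc.php that redirects a direct request to the site root and refuses to run unless the application's entry point included it. The file name, the APP_ENTRY marker and the front-controller layout are assumptions.

    ```php
    <?php
    // Added example: the first lines of /inc/db.inc.php. The .php extension
    // guarantees the web server parses the file instead of serving it as text;
    // this guard then decides what to do when it IS the script being requested.
    //
    // Assumed normal use, from a front controller such as /index.php:
    //   define('APP_ENTRY', true);
    //   require __DIR__ . '/inc/db.inc.php';

    function isDirectRequest(): bool
    {
        // SCRIPT_FILENAME is the script the web server was asked to execute.
        // When this file is merely included, that is the including script, so
        // the two paths differ. realpath() normalises symlinks and '..' segments.
        $requested = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
        return $requested !== false && $requested === realpath(__FILE__);
    }

    if (isDirectRequest()) {
        // Divert to the site root without revealing anything about this file.
        header('Location: /', true, 302);
        exit;
    }

    // Second check: even when included, only run in the context of the
    // application's entry point, which defines APP_ENTRY before the require.
    if (!defined('APP_ENTRY')) {
        http_response_code(403);
        exit;
    }

    // Connection setup follows here; the credentials themselves are still best
    // kept outside document root, as the earlier posts describe.
    ```

    The guard only covers requests that reach PHP; the Options -Indexes the post mentions is still needed to stop a directory listing of the folder itself.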

  11. #11
    Join Date
    Dec 2009
    Location
    Denmark
    Posts
    240
    #9
    This is due to the fact that typical shared host configurations have PHP running as an Apache module, which means any file that is readable by your PHP scripts is also readable by anyone else's PHP script
    OK. Did not know that shared hosts had such a poor setup.
    I don't see why. It should not be that hard to make a better install and configuration.
