PHP Security Question

Barks

Barks

Barks

Soldato
Joined
20 Jul 2008
Posts
4,539
This may seem like a stupid question but I've only just started PHP so play nice :D

I've just finished a tutorial that uses an MVC style approach to build a simple login page that redirects the user to a Member's Area. It works brilliantly.

Question: What is to stop someone downloading all your PHP files straight off the webserver, opening them in notepad and viewing code like the following:

PHP: 
// database settings
$server = 'localhost';
$user = 'root';
$pass = 'starbucks';
$db = 'pop_login';

// connect to the database
$Database = new mysqli($server, $user, $pass, $db);

// error reporting
mysqli_report(MYSQLI_REPORT_ERROR);

Thus gaining access to sensitive information.

I can see how content in the MySQL database is secure but what about content in the actual PHP files?

Cheers
 
Any sensitive information like that, you'd put in an include file with 600 permissions. Ideally, you'd then run Apache under a different user to your PHP scripts. This would prevent Apache or any other system users from reading the file to access it - it would only be able to be read by your user or via an include from your own PHP scripts.
 
Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.
 
gord said:
Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.
Click to expand...

This!

Were is the tutorial your learning from if you don't mind me asking?
 
mrbell1984 said:
Scott, this type of PHP info can't be accessed just by viewing the source. Try it.
Click to expand...

I know it can't, I understand you only see the results of your php code but aren't there programmes that let you basically download the contents of a website without knowing the ftp details? In which case couldn't one just pull out all the php files off the server?

Or would you need to know your hosting details (ftp details etc) in order to download the actual PHP files from the server?

gord said:
Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.
Click to expand...

So basically it isn't something I should worry about for the sort of projects I'm working on?

At the moment it wouldn't be the end of the world if someone accessed the 'members page' as it's more of a gimmick for what one client has in mind but in the future I just want to have a greater understanding of the security risks of PHP.

dfarrall said:
This!

Were is the tutorial your learning from if you don't mind me asking?
Click to expand...


You have to be a premium member to access the full course on their website. I did pay for it but so far it's money well spent. I've learnt an enormous amount and he goes over things slowly enough for a newbie to follow.
 
Last edited:
Instead of me asking a million questions perhaps someone knows of something I can read (not too advanced though) that highlights the security issues with PHP etc.
 
There are many tutorials out there covering PHP security specifics and it's a good idea to take a look at a number of them.

Your concern about the files though is primarily unnecessary. If a program tried to download the contents of a PHP site it would be served the executed source, not the script source. The program or person would need access to the file system to see the script's contents, as you say via FTP or shell/root access and those really fall under server security.

PHP powered application's security holes mainly revolve around inputs and sessions. Every time you make an input you've got to be asking yourself how someone might exploit it. Similarly you need to protect your sessions so that you know the right people are accessing the right areas in your site. This is all well documented so a few googles should get you up to speed.

edit: this is actually written by a chap from here, it's not been updated for a while but still relevant info: http://php.robm.me.uk/
 
Last edited:
Assuming public_html is your document root, you could put the sensitive files one level higher.

Then just include them in your non-sensitive files.

Code: 
<?php
  include('../my_includes/topSecret.inc.html');
?>
 
It's not impossible that PHP files might get exposed and served as text if a PHP upgrade goes wrong, or if you add something incorrectly to your .htaccess file, so using includes and making sure the permissions are correct is still something worth doing.
 
If you made a mistake with an AddType/AddHandler declaration in your .htaccess, or you copied across a .htaccess from another server which had a different set up to the one you're on.
 
scott212 said:
I know it can't, I understand you only see the results of your php code but aren't there programmes that let you basically download the contents of a website without knowing the ftp details? In which case couldn't one just pull out all the php files off the server?

Or would you need to know your hosting details (ftp details etc) in order to download the actual PHP files from the server?
Click to expand...

Applications like that only download what you would see in the browser (IE. the rendered HTML) including images linked within the HTML, so if you execute a HTML file which prints out "Hello World" you're likely to get only a file that outputted that, if it's clever enough anyway.
 
You must log in or register to reply here.
Back
Top Bottom