PHP Security Question

Soldato
Joined
20 Jul 2008
Posts
4,363
This may seem like a stupid question but I've only just started PHP so play nice :D

I've just finished a tutorial that uses an MVC style approach to build a simple login page that redirects the user to a Member's Area. It works brilliantly.

Question: What is to stop someone downloading all your PHP files straight off the webserver, opening them in notepad and viewing code like the following:

PHP:
// database settings
$server = 'localhost';
$user = 'root';
$pass = 'starbucks';
$db = 'pop_login';

// connect to the database
$Database = new mysqli($server, $user, $pass, $db);

// error reporting
mysqli_report(MYSQLI_REPORT_ERROR);

Thus gaining access to sensitive information.

I can see how content in the MySQL database is secure but what about content in the actual PHP files?

Cheers
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,073
Location
Bucks
Any sensitive information like that, you'd put in an include file with 600 permissions. Ideally, you'd then run Apache under a different user to your PHP scripts. This would prevent Apache or any other system users from reading the file to access it - it would only be able to be read by your user or via an include from your own PHP scripts.
 
Soldato
Joined
18 Oct 2003
Posts
19,413
Location
Midlands
Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.
 
Permabanned
Joined
21 Nov 2010
Posts
2,315
Location
Newton Aycliffe
Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.

This!

Where is the tutorial you're learning from, if you don't mind me asking?
 
Soldato
OP
Joined
20 Jul 2008
Posts
4,363
Scott, this type of PHP info can't be accessed just by viewing the source. Try it.

I know it can't, I understand you only see the results of your php code but aren't there programmes that let you basically download the contents of a website without knowing the ftp details? In which case couldn't one just pull out all the php files off the server?

Or would you need to know your hosting details (ftp details etc) in order to download the actual PHP files from the server?

Unless there are some major security flaws then PHP is a server side language and as such the scripts are executed whenever they are accessed by a user. You can't access the true source unless you have access to the file system. In which case you've got bigger fish to fry.

So basically it isn't something I should worry about for the sort of projects I'm working on?

At the moment it wouldn't be the end of the world if someone accessed the 'members page' as it's more of a gimmick for what one client has in mind but in the future I just want to have a greater understanding of the security risks of PHP.

This!

Where is the tutorial you're learning from, if you don't mind me asking?

http://www.youtube.com/watch?v=vC6pzV1_fv8

You have to be a premium member to access the full course on their website. I did pay for it but so far it's money well spent. I've learnt an enormous amount and he goes over things slowly enough for a newbie to follow.
 
Soldato
OP
Joined
20 Jul 2008
Posts
4,363
Instead of me asking a million questions perhaps someone knows of something I can read (not too advanced though) that highlights the security issues with PHP etc.
 
Soldato
Joined
18 Oct 2003
Posts
19,413
Location
Midlands
There are many tutorials out there covering PHP security specifics and it's a good idea to take a look at a number of them.

Your concern about the files though is primarily unnecessary. If a program tried to download the contents of a PHP site it would be served the executed source, not the script source. The program or person would need access to the file system to see the script's contents, as you say via FTP or shell/root access and those really fall under server security.

PHP-powered applications' security holes mainly revolve around inputs and sessions. Every time you make an input you've got to be asking yourself how someone might exploit it. Similarly you need to protect your sessions so that you know the right people are accessing the right areas in your site. This is all well documented so a few googles should get you up to speed.

edit: this is actually written by a chap from here, it's not been updated for a while but still relevant info: http://php.robm.me.uk/
 
Soldato
Joined
13 Nov 2002
Posts
3,589
Assuming public_html is your document root, you could put the sensitive files one level higher.

Then just include them in your non-sensitive files.

Code:
<?php
  // Resolve the path from this script's own directory rather than the
  // working directory, so the include still works when the script is
  // run from somewhere else (e.g. a cron job or a sub-directory).
  include __DIR__ . '/../my_includes/topSecret.inc.html';
?>
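As an added example (not from the thread or the tutorial), here is a small loader that puts the two pieces of advice above together: daz's "include file with 600 permissions, owned by your own user" and the "one level above public_html" layout. It assumes a hypothetical layout where `public_html` is the document root and `config/db.php` sits beside it, one level up, and simply returns an array; PHP is assumed to run as the site owner's user, as daz suggests, rather than as the Apache user.

```php
<?php
declare(strict_types=1);

// Assumed (hypothetical) layout:
//   /var/www/site/public_html/index.php   <- document root, executed by PHP
//   /var/www/site/config/db.php           <- mode 0600, outside the document root,
//                                            contains: <?php return ['host'=>..., 'user'=>..., 'pass'=>..., 'db'=>...];
function loadDbConfig(string $configFile): array
{
    $real = realpath($configFile);
    if ($real === false) {
        throw new RuntimeException("config file not found: $configFile");
    }

    // 1. Refuse anything under the document root: a broken AddType/AddHandler
    //    in .htaccess or a failed PHP upgrade could serve such a file verbatim.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("refusing to load config from inside the document root: $real");
    }

    // 2. No group/other permission bits at all, i.e. 0600 or stricter.
    $perms = fileperms($real) & 0777;
    if (($perms & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'config file %s is readable by other users (mode %04o), expected 0600', $real, $perms));
    }

    // 3. The file must belong to the user PHP runs as (assumes PHP runs as your
    //    own account, not the web server's; needs the posix extension).
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        throw new RuntimeException("config file $real is not owned by the PHP process user");
    }

    $config = require $real; // returns the settings array, echoes nothing
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("missing or invalid '$key' in $real");
        }
    }
    return $config;
}

// Usage: replaces the hard-coded $server/$user/$pass block from the question.
$cfg = loadDbConfig(__DIR__ . '/../config/db.php');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // set before connecting
$Database = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
```

The checks run on every request, so a permission or ownership slip after a deploy stops the site with an exception instead of silently running with exposed credentials.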
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,073
Location
Bucks
It's not impossible that PHP files might get exposed and served as text if a PHP upgrade goes wrong, or if you add something incorrectly to your .htaccess file, so using includes and making sure the permissions are correct is still something worth doing.
 

daz

Soldato
Joined
18 Oct 2002
Posts
24,073
Location
Bucks
If you made a mistake with an AddType/AddHandler declaration in your .htaccess, or you copied across a .htaccess from another server which had a different set up to the one you're on.
 
Associate
Joined
14 Feb 2012
Posts
455
I know it can't, I understand you only see the results of your php code but aren't there programmes that let you basically download the contents of a website without knowing the ftp details? In which case couldn't one just pull out all the php files off the server?

Or would you need to know your hosting details (ftp details etc) in order to download the actual PHP files from the server?

Applications like that only download what you would see in the browser (i.e. the rendered HTML) including images linked within the HTML, so if you execute an HTML file which prints out "Hello World" you're likely to get only a file that outputted that, if it's clever enough anyway.
 