[UPHPU] PHP/MySQL Security

Mac Newbold mac at macnewbold.com
Tue Jul 17 12:35:47 MDT 2007


Jul 11 at 7:09pm, justin said:

> i've seen apache barf and send php files as plain text before. that's
> especially no good if said file includes passwords or other sensitive
> info. it's a good practice to keep _anything_ you don't want the
> entire world to have access to in a folder that's not accessible.

Besides the possibility of sending the files out to the world as plain 
text, the other major concern is if you're on shared hosting, other users 
can sometimes get to files like that. Check the file permissions, and see 
what they're set to. Make sure they're as restrictive as they can be while 
still working. You'll need your user to be able to read and write it, but 
the only other thing that should ever see it is the web server itself.

There's still a catch with that though: if the web server can read it, and 
anyone can get the web server to run programs (i.e. to run their php 
scripts), then anyone can access local files as the web server user, which 
means they could write some php that would look for your confidential 
files. The exception to this is when the web server runs as the user who 
owns the file it is executing (things like suphp and suexec do this). Then 
only your files would run as a user that could access your files. But make 
sure that nobody else can ever edit any file you own, or they could put in 
bad stuff that would compromise you.

Shared hosting is pretty scary some places. Unless everyone on the server 
is trusted (both as to their intentions and their ability to prevent 
their stuff from providing a hole for someone to use), shared hosting can 
make users vulnerable to each other. The exception is when everyone's 
stuff runs as their user or sandboxed off from everyone else.

Mac

> On 7/11/07, Richard K Miller <richardkmiller at gmail.com> wrote:
>> 
>> I like to use .inc.php for include files, but never .inc alone.
>> 
>> 
>
> on the same note, if you use php based template files, you should
> prob'ly call them .tpl.php rather than .tpl
>
>
>

--
Mac Newbold		MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com	http://www.macnewbold.com/
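The permission check Mac describes (owner read/write, web server read, nobody else) as an added example, not code from the original thread: a POSIX shell audit that flags include/template files whose mode lets other tenants read them or lets the shared group write them. It assumes the web server reads files through group membership and that audited paths contain no whitespace.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# Flags include/template files whose permission bits are wider than
# "owner rw, web-server group r" (mode 640 or tighter).
# Assumptions: the web server reads the file through group membership
# (so group-read is allowed), and audited paths contain no whitespace.

# audit_file PATH: returns 0 if the mode is acceptable, 1 if too
# permissive, 2 if the file does not exist. Prints one line per finding.
audit_file() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    # Octal permission bits; GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Drop leading zeros so the digits are not read as an octal number.
    while [ "${mode#0}" != "$mode" ]; do mode=${mode#0}; done
    other=$(( mode % 10 ))          # last digit: everyone else
    group=$(( (mode / 10) % 10 ))   # middle digit: owning group
    rc=0
    # Any "other" bit lets every account on the host read (or worse)
    # the file, which is the shared-hosting exposure discussed above.
    if [ "$other" -ne 0 ]; then
        echo "world-accessible ($mode): $f"; rc=1
    fi
    # Group-write lets another member of the group edit the file, so
    # code in it would run as (and compromise) the owner under suexec.
    if [ $(( group & 2 )) -ne 0 ]; then
        echo "group-writable ($mode): $f"; rc=1
    fi
    return $rc
}

# audit_tree DIR: audits every .inc/.inc.php/.tpl/.tpl.php file under DIR;
# returns 0 only when none is too permissive.
audit_tree() {
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        audit_file "$f" || bad=$(( bad + 1 ))
    done <<EOF
$(find "$1" -type f \( -name '*.inc' -o -name '*.inc.php' -o -name '*.tpl' -o -name '*.tpl.php' \))
EOF
    echo "$bad file(s) too permissive under $1"
    [ "$bad" -eq 0 ]
}

# Usage: audit_tree /home/you/public_html
```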
