
Securing PHP files



ralitza
05-27-2006, 07:13 PM
I've been reading an article on PHP security, but I still have the following questions:

1) Should I place my connect file (for PHP scripts) somewhere other than public_html?

2) Is it normal that users can access files if they know the exact name when I have set index as forbidden?

3) My htaccess file has a ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]

I didn't paste the whole ban list, but my question is: is there something I should include in my htaccess to prevent attacks?

4) What files should be placed in public_html and what shouldn't?

5) Do password-protected directories actually work? And when should they be used?

6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?

7) Any general suggestions on how to secure my files/web server?

Twey
05-27-2006, 08:19 PM
1) No, as long as they send no output and only set the variables, you're secure.
2) Yes.
3) Not really.
4) Anything you don't want seen, shouldn't be in public_html.
5) Yes; they should be used when you want to password-protect something. :)
6) Depends what you're doing.
7) Far too many to list.

ralitza
05-27-2006, 11:19 PM
Thank you. For #7, can you at least say what you might use on a website of your own? Maybe just the top things?

djr33
05-27-2006, 11:22 PM
PHP files are by nature secure. That's the point.

It really depends on what you're doing.

If people can get passwords, then you've got problems. If they can use your PHP scripts against you or to do stuff to access your server with them, then that's a security risk.

There are many, many ways in which security could be breached... it's hard to summarize...

Twey
05-28-2006, 12:16 AM
It's hard to summarise because there's nothing universal. How a script can be attacked all depends on how it can use data.
The most important rule, if I must pick one, would be: always validate user input.
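As an added example (not code from this thread), here is how Twey's "always validate user input" rule, together with ralitza's points 1 and 6, looks in PHP: the connect file kept above public_html, whitelist validation, a prepared statement instead of slash-stripping, and a one-way password hash. The `../config/db.php` path, the `users` table, and PHP 7+ with PDO are assumptions of mine.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with PDO and a
// table users(id, username, password_hash); the paths are hypothetical.
declare(strict_types=1);

// Q1: the connection file sits one level ABOVE the web root, e.g.
// /home/site/config/db.php beside /home/site/public_html/, so it can never
// be fetched as a URL. It only builds and returns the PDO object, no output.
$pdo = require __DIR__ . '/../config/db.php';

// Validate, don't "clean": reject anything outside the expected shape.
function validateUsername(string $raw): ?string
{
    // 3-20 characters, letters/digits/underscore only; null when invalid.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// Q6: a prepared statement replaces stripslashes()/addslashes(). The value is
// bound as data, so quotes inside it cannot change the query.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Q6: store a salted one-way hash (password_hash), not a reversible
// "encrypted" password; verify with password_verify.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    // Verify against a dummy hash when the user is missing, so response
    // time does not reveal which usernames exist.
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $user !== null;
}

$username = validateUsername($_POST['username'] ?? '');
if ($username === null) {
    http_response_code(400);
    exit('Invalid username.');
}
$ok = checkLogin($pdo, $username, $_POST['password'] ?? '');

// Escape on OUTPUT, not on input: stored data stays intact and every
// context (here HTML) gets the escaping it actually needs.
echo $ok ? 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
         : 'Login failed.';
```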

djr33
05-28-2006, 12:46 AM
Additionally, my forum was just hacked, using the admin control panel... be VERY careful about what options you have on your site EVEN if they appear to be secure.

Either don't have admin options like that or make them incredibly secure.


Remember, your most secure things are only as secure as the least secure things.... one weak link makes it all easy to hack.

ralitza
05-28-2006, 05:09 AM
Thank you, I will keep the suggestions in mind. I have a question regarding htaccess: my htaccess file is below. I would just like to know if I have placed everything in its correct place and if it is written as it's supposed to be.

I think there is a problem with the large bot deny list: the bots are being added to my "allowed access" list for hotlink protection.

http://www.iankovi.com/htaccess

Twey
05-28-2006, 12:10 PM
Drop the bot-deny list. It's pointless; you can't hope to cover every single bot in existence.