I want to make sure I'm putting anything on my PC at risk.
I presume you intended to add "not" in there somewhere
Don't worry: Apache is a professional webserver, one of the most used on the internet (in fact I think it may be the most used) and the chances of it having a security hole are fairly slim. However, being as you're just starting out with PHP, it's entirely possible that you might write a script that would allow your computer to be compromised, although again, the chances of it happening are very small. Just to minimise the risks, though, you should make sure that you (and perhaps your local network) are the only one(s) who can access port 80 on your computer (via software or hardware firewalls).
Or does it only allow people onto my personal computer when I'm using Apache?
Nothing allows people "in" to your computer. A network-aware program performs actions on your computer in response to network traffic, and, if badly-designed or purposely so designed, performs actions at the request of a remote user that you might not want it to perform. Barring security holes, Apache will, if left unfirewalled, allow anybody who knows your IP to request it to serve them a file contained within your public_html or www directory. It will not allow them any greater control than this. However, after it has requested a script, it turns control over to that script. Consider, if you will, the following PHP script:
PHP Code:
<?php
// Deliberately unsafe: passes whatever the client posts straight to the shell.
if(isset($_POST['cmd'])) $ret = shell_exec($_POST['cmd']);
else $ret = "";
?>
<html><head><title>My Script</title></head>
<body>
<p><?php echo($ret); ?></p>
<form action="thisscript.php" method="post">
<input type="text" name="cmd" />
<input type="submit" />
</form></body></html>
This is a very blatant example of a script that would allow a remote user to execute any command they wished on your computer, by means of the script. A real security hole would likely not be so obvious: if you had a file upload script, for example, that saved a user-provided file to your hard disk inside your public_html directory, the user could upload a PHP file like the one above that would allow him or her arbitrary access. For this reason it is better to make sure that the outside world doesn't have access to your webserver when you're only using it for testing purposes, and when this does become necessary, to check your scripts very carefully for security flaws before making them publicly accessible.
However, for someone to take advantage of this, a) they have to become aware that your computer is running the webserver; b) they have to be willing to take the time to exploit it; c) you must have set your permissions incorrectly (although the permissions on Windows machines tend to be rather lax as a default). Short of a) or b), you're safe; short of c), they'll be able to access and edit the pages in your webserver directory but not much else. Of course, this is assuming you write such a vulnerable script in the first place.
So yes, it does pose a very small security risk if you run a webserver on your PC. But so long as you keep it nicely firewalled away from the outside world, even that risk is removed.
Does that mean that I have to leave it on at all times?
No, not at all. Why would you have to do that? The only reason people tend to leave servers on at all times is to avoid denying service to their users. If only you will be accessing Apache, you only need to turn it on when you need it.
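One way to close the file-upload hole described in the reply above, as an added example that is not part of the original thread. The form field name `userfile`, the `UPLOAD_DIR` path, the size limit and the extension allowlist are assumptions, and the content check assumes PHP's fileinfo extension is enabled.

```php
<?php
declare(strict_types=1);

// Assumption: a directory OUTSIDE public_html/www, so Apache never serves
// (or executes) anything stored here. Hypothetical path.
const UPLOAD_DIR = '/var/uploads';
// Assumed allowlist: extension => content type the bytes must match.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Decide whether an upload may be kept and under which name.
 * Returns a server-generated file name, or null to reject the upload.
 */
function safe_upload_name(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // The extension is client-controlled, so it is only used as an allowlist key.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // rejects .php, .phtml, .htaccess and anything else unlisted
    }
    // Derive the content type from the bytes, not from the browser-supplied header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's file name: generate one on the server.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $f = $_FILES['userfile'];
    $name = safe_upload_name($f['name'], $f['tmp_name'], (int) $f['size']);
    // move_uploaded_file() only accepts files PHP itself received via HTTP POST.
    if ($name !== null && move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        echo 'Stored as ' . htmlspecialchars($name);
    } else {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```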