Thread: Securing PHP files

  1. #1
    Join Date: Feb 2006 | Posts: 16 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Securing PHP files

    I've been reading an article on PHP security, but I still have the following questions:

    1) Should I place my connect file (for PHP scripts) somewhere other than public_html?

    2) Is it normal that users can access files if they know the exact name, when I have set the index as forbidden?

    3) My .htaccess file has a ban list which looks like the following:
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
    RewriteRule ^.* - [F,L]

    I didn't paste the whole ban list, but my question is: is there something I should include in my .htaccess to prevent attacks?

    4) What files should be placed in public_html and what shouldn't?

    5) Do password-protected directories actually work? And when should they be used?

    6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?

    7) Any general suggestions on how to secure my files/web server?

  2. #2
    Join Date: Jun 2005 | Location: UK | Posts: 11,878 | Thanks: 1 | Thanked 180 Times in 172 Posts | Blog Entries: 2

    1) No, as long as they send no output and only set the variables, you're secure.
    2) Yes.
    3) Not really.
    4) Anything you don't want seen, shouldn't be in public_html.
    5) Yes; they should be used when you want to password-protect something.
    6) Depends what you're doing.
    7) Far too many to list.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
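    An added example, not code from the thread, of what the answer to questions 1 and 4 looks like in practice: a public_html/index.php that loads its database credentials from a file kept outside the document root and refuses to run if that file turns out to be servable. The directory layout, file names and the PDO settings are assumptions constructed for this example.

```php
<?php
// Added example, not code from the thread. Assumed layout (paths constructed for
// the example):
//   /home/site/config/db.php          <?php return ['dsn'=>..., 'user'=>..., 'pass'=>...];
//   /home/site/public_html/index.php  this file; public_html is the only directory served
// config/db.php only returns an array and sends no output, which is the condition
// Twey's answer to question 1 sets.
declare(strict_types=1);

// Resolve the credentials file and refuse to run if it is reachable by URL (question 4).
function loadDbConfig(): array
{
    $real    = realpath(dirname(__DIR__) . '/config/db.php');
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

    if ($real === false) {
        throw new RuntimeException('config/db.php not found');
    }
    $prefix = $docRoot === false ? null : $docRoot . DIRECTORY_SEPARATOR;
    if ($prefix !== null && strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config/db.php is inside the document root; move it out');
    }

    $cfg = require $real;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config/db.php is missing '$key'");
        }
    }
    return $cfg;
}

// Open the connection: exceptions instead of silent failure, real prepared statements.
function connect(): PDO
{
    $cfg = loadDbConfig();
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}
```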

  3. #3
    Join Date: Feb 2006 | Posts: 16 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Thank you. For #7, can you at least say what you might use on a website of your own? Maybe just the top things?

  4. #4
    Join Date: Mar 2006 | Location: Illinois, USA | Posts: 12,154 | Thanks: 261 | Thanked 690 Times in 678 Posts

    PHP files are by nature secure. That's the point.

    It really depends on what you're doing.

    If people can get passwords, then you've got problems. If they can use your PHP scripts against you, or to do stuff to access your server with them, then that's a security risk.

    There are many, many ways in which security could be breached... it's hard to summarize...
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  5. #5
    Join Date: Jun 2005 | Location: UK | Posts: 11,878 | Thanks: 1 | Thanked 180 Times in 172 Posts | Blog Entries: 2

    It's hard to summarise because there's nothing universal. How a script can be attacked all depends on how it can use data.
    The most important rule, if I must pick one, would be: always validate user input.
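    An added example, not code from the thread, of "always validate user input" applied to the login flow the original poster describes in question 6 (sessions, stripping characters, storing passwords). $db is an assumed PDO connection with exceptions enabled; the users table, its columns, the session key and the 12-character minimum are constructed for this example.

```php
<?php
// Added example, not code from the thread: validating input at the boundary,
// binding it as data in SQL, hashing rather than "encrypting" passwords, and
// escaping at output time. $db, the users table and the session key are assumed.
declare(strict_types=1);

// Whitelist the shape of the input instead of stripping characters out of it.
function validUsername(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name);
}

// Prepared statement: the username is bound as data, never pasted into SQL text.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Passwords are stored as salted hashes (password_hash), which cannot be decrypted.
function register(PDO $db, string $name, string $password): void
{
    if (!validUsername($name) || strlen($password) < 12) {
        throw new InvalidArgumentException('invalid username or password too short');
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $name, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Assumes session_start() already ran; the session id is rotated on successful login.
function login(PDO $db, string $name, string $password): bool
{
    $user = validUsername($name) ? findUser($db, $name) : null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['uid'] = (int) $user['id'];
    return true;
}

// Escape for the HTML context when printing, rather than mangling the stored data.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```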

  6. #6
    Join Date: Mar 2006 | Location: Illinois, USA | Posts: 12,154 | Thanks: 261 | Thanked 690 Times in 678 Posts

    Additionally, my forum was just hacked, using the admin control panel... Be VERY careful about what options you have on your site, EVEN if they appear to be secure.

    Either don't have admin options like that, or make them incredibly secure.

    Remember, your most secure things are only as secure as the least secure things... one weak link makes it all easy to hack.

  7. #7
    Join Date: Feb 2006 | Posts: 16 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Thank you, I will keep the suggestions in mind. I have a question regarding .htaccess: my .htaccess file is below. I would just like to know if I have placed everything in its correct place and whether it is written as it's supposed to be.

    I think there is a problem with the large bot deny list: the bots are being added to my "allowed access" list for hotlink protection.

    http://www.iankovi.com/htaccess
    Last edited by ralitza; 05-28-2006 at 05:25 AM.

  8. #8
    Join Date: Jun 2005 | Location: UK | Posts: 11,878 | Thanks: 1 | Thanked 180 Times in 172 Posts | Blog Entries: 2

    Drop the bot-deny list. It's pointless; you can't hope to cover every single bot in existence.
