I have been learning PHP on my own time and have an Apache server on my
network at home. Obviously security is not a problem on this setup.
But as I begin to think about actually using code on a publicly addressable
server someday, the examples in my books seem to be wide open to the world.
Most use an HTML form that calls a separate php program. Most of the
passwords are either hard coded in that php module or are in a file
accessible by that module.
Heck, anybody can download the php script and look at the passwords. Or,
use it to see what file it is pointing to.
Am I missing something here?
Where should the logon security for the web site actually be?
Thanks anybody
Phil
Phil Coen says...
> Most use an HTML form that calls a separate php program. Most of the passwords are either hard coded in that php module or are in a file accessible by that module.
> Heck, anybody can download the php script and look at the passwords. Or, use it to see what file it is pointing to.
Phil,
The PHP include() function, unlike the HTML include, can reference files
which are outside the Apache docroot.
If you *have* to hard-code passwords somewhere, at least put them in a
file outside the Apache docroot and use a PHP include() call to reference
them in any PHP scripts which are within the scope of the Apache docroot.
Geoff M
>I have been learning PHP on my own time and have an Apache server on my network at home. Obviously security is not a problem on this setup.
If it is accessable from the Internet, which it probably is if it
has a public IP, security IS an issue. Even if it's only on a
dialup line. Please don't run yet another infected zombie that can
be instructed to attack other systems.
> But as I begin to think about actually using code on a publicly addressable server someday, the examples in my books seem to be wide open to the world.
> Most use an HTML form that calls a separate php program. Most of the passwords are either hard coded in that php module or are in a file accessible by that module.
If PHP is set up properly, Apache will *NOT* serve the text of a
PHP page, it will serve the OUTPUT of that page. Test it yourself
with a browser or telnet directly to port 80 of your Apache server.
Should you ever manage to break PHP, which I note happens briefly
during upgrades if I don't shut off Apache during the upgrade, it
could serve the text, which is a problem.
My solution (hardly original) is to put the passwords in an include
file *OUTSIDE* the document root. It might look like:
<?php
$mysql_server = 'mysql.mydomain.com';
$mysql_user = 'me';
$mysql_password = 'drowssap';
$mysql_db = 'weasels';
?>
and it might reside in /usr/local/share/php as "weasels.inc". You
use these variables as arguments to mysql_connect() or mysql_pconnect()
and mysql_select_db(). Another advantage of this is that you can
change which database you are using by changing ONLY the include file.
Also, give the user 'me' minimal privileges that it needs to do its
job. This might be SELECT only, or it might be SELECT, UPDATE,
INSERT, DELETE on one database only. It shouldn't be able to alter
the schema. Many hosts for web/db setups will allow you at least
two MySQL logins, one for admin, the other for web use on the
same database.
If PHP is broken, Apache won't access the include file since it's
outside the document root. If PHP is not broken, you get the output
of the page, not the code. So, either way, you don't get the passwords.
Also, your MySQL permission setup should allow user 'me' to access
the database from only a small number of IP addresses (your web
site, and the site you do maintenance from, both of which might be
'localhost' only). That way, in order to *USE* the password if
they manage to steal it, they have to be able to write scripts onto
your web server and run them.
> Heck, anybody can download the php script and look at the passwords. Or, use it to see what file it is pointing to.
> Am I missing something here?
No, anybody CANNOT download the php script, assuming that Apache
recognizes it as a script to be run with PHP.
Note that my suggestion does not help you in defending your site
against other customers (potentially competitors or scammers wanting
to steal credit card numbers) on a hosted site using the same server.
Gordon L. Burditt
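An added example, not code from the thread, of a page inside the document root using the layout Gordon describes: it assumes his include file lives at /usr/local/share/php/weasels.inc and defines $mysql_server, $mysql_user, $mysql_password and $mysql_db; mysqli stands in for the mysql_connect()/mysql_select_db() calls he names (removed in PHP 7), and the table name 'weasels' is invented for the demo.

```php
<?php
// Added example (not from the thread). Assumes the include file from Gordon's
// post at /usr/local/share/php/weasels.inc defining $mysql_server, $mysql_user,
// $mysql_password and $mysql_db; the table name 'weasels' is invented.
//
// The matching least-privilege account Gordon describes (SQL, run once as the
// MySQL admin; the web user exists for 'localhost' only):
//   CREATE USER 'me'@'localhost' IDENTIFIED BY 'drowssap';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON weasels.* TO 'me'@'localhost';
//   -- no ALTER/CREATE/DROP, no other databases, no access from other hosts.

// Absolute path: the file sits outside the docroot, so Apache cannot serve it,
// and a relative include could be redirected by include_path or cwd changes.
require '/usr/local/share/php/weasels.inc';

// Fail closed if the include file is missing a setting, rather than trying to
// connect with empty credentials.
foreach (['mysql_server', 'mysql_user', 'mysql_password', 'mysql_db'] as $name) {
    if (empty($$name)) {
        http_response_code(500);
        exit('Database configuration is incomplete.');
    }
}

// Make mysqli throw on errors so every failure reaches the catch below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($mysql_server, $mysql_user, $mysql_password, $mysql_db);
} catch (mysqli_sql_exception $e) {
    // Keep the detail in the server log; echoing it would hand a visitor the
    // host name, user name and MySQL error text.
    error_log('weasels db connect failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// Validate the request parameter and bind it, so user input never becomes SQL
// text. Together with the limited GRANT, an injection attempt could at most
// touch rows of this one database; it cannot alter the schema or reach others.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id.');
}
$stmt = $db->prepare('SELECT name FROM weasels WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Escape on output: database contents are not trusted HTML.
echo $row ? htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') : 'No such weasel.';
```

The include file itself never needs a URL; if PHP handling ever breaks, Apache has nothing under the docroot to hand out except this script's own text, and the credentials are not in it.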
> The PHP include() function, unlike the HTML include, can reference files which are outside the Apache docroot.
> If you *have* to hard-code passwords somewhere, at least put them in a file outside the Apache docroot and use a PHP include() call to reference them in any PHP scripts which are within the scope of the Apache docroot.
Thanks, Geoff. That got me a keyword to find in my php books.
Phil
Thanks Gordon
> If it is accessible from the Internet, which it probably is if it has a public IP, security IS an issue. Even if it's only on a dialup line. Please don't run yet another infected zombie that can be instructed to attack other systems.
I hate zombies too.
No. The Debian/Apache server is only on my home network and is not set up
to see the Internet. I would actually be putting any real code on the
school admin server and it uses MS IIS which I don't know anything about
and don't want to know anything about. Especially since we have to
maintain a suicide watch over the poor folks whose job it is to maintain
it. I wish I could convince the powers that be to plop in a Linux server.
> If PHP is set up properly, Apache will *NOT* serve the text of a PHP page, it will serve the OUTPUT of that page. Test it yourself with a browser or telnet directly to port 80 of your Apache server.
> No, anybody CANNOT download the php script, assuming that Apache recognizes it as a script to be run with PHP.
You are right. I can see the HTML stuff in my modules, but so far haven't
been able to download or see the php script as an ordinary user. So I was
under the wrong impression about that. Good. Well, I just started PHP a
week ago and am still in the thrashing around mode - barely beyond the
"Hello World" point.
I have written quite a few web pages over the years, all hobby type, and
never worried about security because I WANTED everyone to be able to see
everything. It was the hoster's problem to keep people from trashing it or
whatever. But now as I begin to think about sites that are ONLY for
authorised users, all kinds of problems arise. Like realising that with
all the HTML sites that I have made before which were nothing but multiple
pages linked to each other, anybody could "deep link" to any one of them
without going through the index.html even if it had a login.
All of my PHP books are just for learning the language. Very little about
actual security in them. I am going to have to pick up a book that
discusses the layout of a real web server.
Thanks again
Phil
Phil Coen wrote:
> I have been learning PHP on my own time and have an Apache server on my network at home. Obviously security is not a problem on this setup.
You think?
> But as I begin to think about actually using code on a publicly addressable server someday, the examples in my books seem to be wide open to the world.
> Most use an HTML form that calls a separate php program. Most of the passwords are either hard coded in that php module or are in a file accessible by that module.
> Heck, anybody can download the php script and look at the passwords. Or, use it to see what file it is pointing to.
Are we talking about passwords used by your PHP scripts to authenticate
against some other service (like MySQL) or to authenticate web users?
The former (which the previous 2 responders seem to be addressing) will
need to be stored in an unencrypted form (as someone else said - if your
webserver is setup correctly, they should not be visible). However the
latter (which you seem to be talking about) should never require an
encrypted password. Really, the stored token should be kept in a
non-reversible hash.
Unix authentication systems are well documented. Originally these used crypt
to hash the password, but more recently 3DES or MD5. Where you keep the
data is up to you - but even a 100% secure hash will not protect your
system against brute force attacks (particularly if the black hat can copy
the password file to his/her own machine and recreate the algorithm).
Of course you also need to think about how to secure the passing of
information to/from the browser. SSL is the obvious choice but introduces
of its own.
> Where should the logon security for the web site actually be?
Kinda depends...
C.
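An added example, not code from the thread, of the second case C. distinguishes: web-user passwords kept only as a non-reversible, salted, slow hash via PHP's password_hash() (bcrypt), which is what makes the offline brute-force attack C. warns about expensive. The users table and the SQLite in-memory database are constructed for the demo; a real site would point PDO at its MySQL database.

```php
<?php
// Added example (not from the thread): storing web-user passwords as a
// non-reversible hash, as C. recommends. password_hash() picks a random
// per-user salt and applies a tunable work factor, so a stolen table still
// costs the attacker 2^cost bcrypt rounds per guess. Table and data are
// constructed for this demo.

const BCRYPT_OPTS = ['cost' => 12];   // 2^12 rounds; raise as hardware gets faster

function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);   // only the hash is ever stored
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_BCRYPT, BCRYPT_OPTS);
    $hash = $row ? $row['pw_hash'] : $dummy;

    // password_verify() compares in constant time.
    $ok = password_verify($password, $hash) && $row !== false;

    // Transparently upgrade older hashes (e.g. a lower cost) on a good login.
    if ($ok && password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS), $username]);
    }
    return $ok;
}

// Demo run against an in-memory database (constructed data).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
register_user($db, 'phil', 'correct horse battery staple');

var_dump(check_login($db, 'phil', 'correct horse battery staple'));
var_dump(check_login($db, 'phil', 'drowssap'));
var_dump(check_login($db, 'nobody', 'anything'));

// What actually sits in the table: a bcrypt string, never the password itself.
echo $db->query("SELECT pw_hash FROM users WHERE username = 'phil'")->fetchColumn(), "\n";
```

The hash alone does not address the transport problem C. raises; the form that submits the password still needs to be served over SSL/TLS.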
Phil,
Although I see many answers to your questions there is another VERY
important issue that has not been addressed. When you move your website
to a host will it be dedicated or shared?
* If it is dedicated then keeping your user/pass outside the webroot
directory will secure the file from being displayed over the internet
in the event apache breaks or a configuration has been mistakenly
changed.
* If it will be on a shared server then you must make sure your host has
configured the server correctly for security. Being on a shared host
means that there will be other accounts that will be able to login to
the server. If PHP is installed as a cgi and apache is using suexec
then all your PHP files will execute as your user name. PHP files can
have permissions that only your user can read them. This means your
files are secure.
* If PHP is installed as an apache module (most hosts do) then your php
files, including the file where your user/pass is in, must be readable
by apache. So they must be world readable. Without getting too in-depth
and confusing you, the following must be observed.
1) All users accounts on the shared server must be jailed. This means
that a user is trapped inside their home directory when logged in (ssh,
telnet, ftp) which restricts them from reading files outside their
directory.
2) PHP's safe_mode must be on. This restricts a user's scripts (which
are executing as apache) from reading files that it has permission to
if they are not readable by that user account.
I am a consultant and have worked on more than one project where it was
possible to retrieve other user/pass credentials on a shared server.
Make sure your server is secure.