473,837 Members | 1,696 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Choosing a host based on their PHP "security" measures


Upfront disclaimer - I am a relative newbie, just starting out learning
about PHP, mostly by researching, installing and playing with different
scripts. I am looking for a host that will provide the right environment
for this - running a wide variety of PHP applications. I realise that
security is also important, but for now flexibility is more important to
me.

Note that I'm **not** looking for people to recommend hosting companies,
I have a good shortlist already. I'm looking for help in choosing
between these, based on the configuration of their server environment.

I would greatly appreciate your pointing out where my questions reveal
my ignorance; if possible, help me fix up the questions and explain
where I've gone wrong.
Here is my understanding of these issues so far (assuming Linux/Apache):

Running mod_php is less restrictive and therefore more flexible, and
faster than running as CGI.

More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?

If so, then I definitely want a host running php as a module, even with
the insecurity of 777/666 permissions.

I should also ask the potential hosting services about my ability to put
php configuration directives in custom .htaccess files (and not custom
php.ini files, correct?)

If this is the case, I assuem it becomes relevant to PHP what the
server's AllowOverride is set to?

I also understand that I should avoid choosing a host running php in
safe mode.

Thanks in advance for your taking the time to read this, and especially
to those who are willing to clarify these issues.

Apr 1 '07 #1
19 2581
On Sun, 1 Apr 2007 13:24:33 +0200 (CEST), hansBKK
<aw************ ***@spamgourmet .comwrote:
>More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?
I don't think so; many of the mod_rewrite examples explicitly use a CGI script
as the target.

However, something almost opposite may be true - with PHP as CGI you _require_
mod_rewrite to get pretty URLs. In module mode there are ways to implement it
without mod_rewrite, using AcceptPathInfo and possibly content negotiation. I
don't think AcceptPathInfo works correctly with CGI.

So if mod_rewrite is available, then either mode is fine.
>If so, then I definitely want a host running php as a module, even with
the insecurity of 777/666 permissions.

I should also ask the potential hosting services about my ability to put
php configuration directives in custom .htaccess files (and not custom
php.ini files, correct?)
Yes.
>If this is the case, I assuem it becomes relevant to PHP what the
server's AllowOverride is set to?
Yes, I believe you need at least AllowOverride Options.
>I also understand that I should avoid choosing a host running php in
safe mode.
Note that there are "degrees" of safe mode, in that once safe mode is on,
functions can then be selectively restricted - a safe mode host with many
restrictions enabled could be awkward to work on, depending on what features
you actually need.

--
Andy Hassall :: an**@andyh.co.u k :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Apr 1 '07 #2
hansBKK wrote:
More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?
No, that's rubbish. Were you told this today (1 Apr)?

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Apr 1 '07 #3
hansBKK wrote:
Upfront disclaimer - I am a relative newbie, just starting out learning
about PHP, mostly by researching, installing and playing with different
scripts. I am looking for a host that will provide the right environment
for this - running a wide variety of PHP applications. I realise that
security is also important, but for now flexibility is more important to
me.

Note that I'm **not** looking for people to recommend hosting companies,
I have a good shortlist already. I'm looking for help in choosing
between these, based on the configuration of their server environment.

I would greatly appreciate your pointing out where my questions reveal
my ignorance; if possible, help me fix up the questions and explain
where I've gone wrong.
Here is my understanding of these issues so far (assuming Linux/Apache):

Running mod_php is less restrictive and therefore more flexible, and
faster than running as CGI.

More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?

If so, then I definitely want a host running php as a module, even with
the insecurity of 777/666 permissions.

I should also ask the potential hosting services about my ability to put
php configuration directives in custom .htaccess files (and not custom
php.ini files, correct?)

If this is the case, I assuem it becomes relevant to PHP what the
server's AllowOverride is set to?

I also understand that I should avoid choosing a host running php in
safe mode.

Thanks in advance for your taking the time to read this, and especially
to those who are willing to clarify these issues.
Besides stuff like safe_mode, openbasedir restrictions, $GLOBALS being
disabled (I think default for quite a while now), client override
options in .htaccess files (the use of which comes at a slight
performance penalty though), if you plan on using a shared-server
solution beware that -unless apache is set up to run for each virtual
domain/user individually, all work under the same user name. Which makes
it possible for any of the other clients to read your raw php/html (etc)
scripts. Many hosts I've seen haven't excluded the 'potentially
dangerous' functions such as eval, exec, passthru & system. Note egrep
with the -e option internally invokes eval as well) in their php setup,
in that case it is _REALLY_ easy to peek at any other clients data.

Some advise to put everything remotely damaging when in the wrong hands
in database tables rather than regular files when on a shared environment.

But even when PHP is properly secured, if the host also provides Perl or
Python and custom cgi extentions, they can open up a whole new can of worms.

Include files should best be kept in a directory above webroot,
something my own provider took some time to understand. (you can adapt
your include path in .htaccess btw). It helps to block every .inc file
(or whatever extension you prefer for includes) in .htaccess as well.

If you're really concerned about security, also remember to set another
default path for session files, since they mostly end up in /tmp,
accessible for all the clients.

Other than that, you could spend half a lifetime keeping up with every
single potential security issue, so a fair trade-off should be made.
Plenty of good material on the web and in (e)books on php & security.

No connected system is 100% secure, so always use your brain well when
choosing what (not) to put on a (remote!) server.

What makes a provider stand out for me more than the measures they have
already taken is the attitude and willingness to be open for suggestions
and ideas, and act on customer input. Mine got really scared when I
showed him all kinds of saucy data, complete process lists of his own
machines. But he thanked me for noticing, didn't shoot the messenger and
acted, swiftly.

HTH, good luck with your decision!
Apr 2 '07 #4
Toby A Inkster <us**********@t obyinkster.co.u kwrote in news:3hm5e4-
9m*****@ophelia .g5n.co.uk:
hansBKK wrote:
>More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?

No, that's rubbish. Were you told this today (1 Apr)?
No, and I can't track down the source right now to give him feedback, might
have been on webhostingtalk. com.

Thanks for clearing that up for me!
Apr 2 '07 #5
Andy Hassall <an**@andyh.co. ukwrote in
news:so******** *************** *********@4ax.c om:
>>More importantly, I've been told that mod_rewrite REQUIRES php running
as a module, so on a host running CGI, I CANNOT get permalinks, pretty
URLs, etc. Is this true?

I don't think so; many of the mod_rewrite examples explicitly use a CGI
script as the target.
However, something almost opposite may be true - with PHP as CGI you
_require_ mod_rewrite to get pretty URLs.

OK, got it, thanks for the correction. So I won't necessarily demand module
mode, but will look at mod_rewrite as a deal-breaker.

Note that there are "degrees" of safe mode, in that once safe mode is
on, functions can then be selectively restricted - a safe mode host with
many restrictions enabled could be awkward to work on, depending on what
features you actually need.

So to avoid complications, I'll make sure to choose a host with safe mode
turned off.

Apr 2 '07 #6
Schraalhans,

I'm sorry but you've totally lost me, and perhaps misunderstood my
intentions here. From my OP:
>I am looking for a host that will provide the right environment for
this - running a wide variety of PHP applications. I realise that
security is also important, but for now flexibility is more important to
me.

In other words, I'm NOT trying to create a secure system, I'm trying to
find a host where I can basically just upload and install any of the
mainstream scripts and start to use them. I *do not* want to have to
mess with WordPress core code, or try to figure out what drupal modules
I can use and which I can't, I'm "just a user", want to install the app
and use it!

Of course it's in a shared environment, I'm not going to get a VPS just
to play and learn am I?

Why would I care that someone could read my php/html? There's nothing
sensitive there. . .

I really can't understand anything you're telling me, as I said in my
OP, I'm a newbie just starting out. If any of your message could be
helpful to me, I think I need a translator first <g>

But I'll give it a shot:

safe_mode should be off, openbasedir should be off, $GLOBALS should be
on, is that right? Or at least be able to override them in .htaccess or
php.ini?
'potentially dangerous' functions such as eval, exec, passthru &
system. Note egrep with the -e option internally invokes eval as well)
in their php setup, in that case it is _REALLY_ easy to peek at any
other clients data.
As I said I'm not concerned about that - so do I want the functions
allowed or disabled?
Include files should best be kept in a directory above webroot,
something my own provider took some time to understand. (you can adapt
your include path in .htaccess btw). It helps to block every .inc file
(or whatever extension you prefer for includes) in .htaccess as well.
Huh? What is an include file, and why would I want to block it?
>
If you're really concerned about security, also remember to set
another default path for session files, since they mostly end up in
/tmp, accessible for all the clients.
I'm NOT at all concerned about security, getting less so by the minute,
my head hurts!
HTH, good luck with your decision!
Looks like I'll need it! <g>
Apr 2 '07 #7
OK, at the risk of driving all of you (and myself) nuts, here are some more
questions, sorry if there's some overlaps I missed in my earlier hysteria,
I'd composed these earlier when I was feeling saner:
Is there a way to have script-sent emails come from a specified Return-path
email address in the mod_php environment, or do they **have to** come from
nobody/Apache/web user?
Next area - phpsuexec, suExec, SUhosin and suphp - I've mostly seen these
discussed relative to CGI mode. If my host is running php as a module, then
is it safe for me to ignore these, or should I also ask if they are using
any of these?

What should I be looking for in regards to open_basedir and
register_global s? I believe the former can't be switched locally, only
server-wide right? And I believe I should look for a host that allows me to
switch register_global s? Along with things like memory_limit, magic_quotes,
upload-related variables, etc.
Some hosts state that their customers can choose to run either v4 or 5, by
simply changing the file extension on the scripts - e.g. *.php runs version
4, use *.php5 to run v5. This seems like a good thing, right?
What accelerator(s) should I be looking for - good performance without
causing problems?

Finally, if the host will give me access to phpinfo(), can I figure out for
myself how all these factors are configured on their servers without my
having to ask them such a long list of questions?

Apr 2 '07 #8
hansBKK wrote:
Schraalhans,

I'm sorry but you've totally lost me, and perhaps misunderstood my
intentions here. From my OP:
>>I am looking for a host that will provide the right environment for
this - running a wide variety of PHP applications. I realise that
security is also important, but for now flexibility is more important to
me.

In other words, I'm NOT trying to create a secure system, I'm trying to
find a host where I can basically just upload and install any of the
mainstream scripts and start to use them. I *do not* want to have to
mess with WordPress core code, or try to figure out what drupal modules
I can use and which I can't, I'm "just a user", want to install the app
and use it!

Of course it's in a shared environment, I'm not going to get a VPS just
to play and learn am I?

Why would I care that someone could read my php/html? There's nothing
sensitive there. . .

I really can't understand anything you're telling me, as I said in my
OP, I'm a newbie just starting out. If any of your message could be
helpful to me, I think I need a translator first <g>

But I'll give it a shot:

safe_mode should be off, openbasedir should be off, $GLOBALS should be
on, is that right? Or at least be able to override them in .htaccess or
php.ini?
I would never be on a shared host with openbasedir and safemode off. If
they care that little about the security of their system

Also, the problem might not be that they can READ your PHP code. They
can also read the userid/password to your databases - and insert
anything they want in there - including your software. Even worse, they
can completely wipe out your pages and replace them with something else
- something you might not like, for instance.
>'potentially dangerous' functions such as eval, exec, passthru &
system. Note egrep with the -e option internally invokes eval as well)
in their php setup, in that case it is _REALLY_ easy to peek at any
other clients data.

As I said I'm not concerned about that - so do I want the functions
allowed or disabled?
You should be concerned about that. VERY MUCH CONCERNED.
>Include files should best be kept in a directory above webroot,
something my own provider took some time to understand. (you can adapt
your include path in .htaccess btw). It helps to block every .inc file
(or whatever extension you prefer for includes) in .htaccess as well.

Huh? What is an include file, and why would I want to block it?
>If you're really concerned about security, also remember to set
another default path for session files, since they mostly end up in
/tmp, accessible for all the clients.

I'm NOT at all concerned about security, getting less so by the minute,
my head hurts!
Then I don't want to be anywhere near your site. Security should be
your FIRST concern - not your last.
>HTH, good luck with your decision!

Looks like I'll need it! <g>
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===
Apr 2 '07 #9
hansBKK wrote:
Schraalhans,

I'm sorry but you've totally lost me, and perhaps misunderstood my
intentions here. From my OP:
>>I am looking for a host that will provide the right environment for
this - running a wide variety of PHP applications. I realise that
security is also important, but for now flexibility is more important to
me.

In other words, I'm NOT trying to create a secure system, I'm trying to
find a host where I can basically just upload and install any of the
mainstream scripts and start to use them. I *do not* want to have to
mess with WordPress core code, or try to figure out what drupal modules
I can use and which I can't, I'm "just a user", want to install the app
and use it!

Of course it's in a shared environment, I'm not going to get a VPS just
to play and learn am I?

Why would I care that someone could read my php/html? There's nothing
sensitive there. . .

I really can't understand anything you're telling me, as I said in my
OP, I'm a newbie just starting out. If any of your message could be
helpful to me, I think I need a translator first <g>

But I'll give it a shot:

safe_mode should be off, openbasedir should be off, $GLOBALS should be
on, is that right? Or at least be able to override them in .htaccess or
php.ini?
>'potentially dangerous' functions such as eval, exec, passthru &
system. Note egrep with the -e option internally invokes eval as well)
in their php setup, in that case it is _REALLY_ easy to peek at any
other clients data.

As I said I'm not concerned about that - so do I want the functions
allowed or disabled?
>Include files should best be kept in a directory above webroot,
something my own provider took some time to understand. (you can adapt
your include path in .htaccess btw). It helps to block every .inc file
(or whatever extension you prefer for includes) in .htaccess as well.

Huh? What is an include file, and why would I want to block it?
>If you're really concerned about security, also remember to set
another default path for session files, since they mostly end up in
/tmp, accessible for all the clients.

I'm NOT at all concerned about security, getting less so by the minute,
my head hurts!
>HTH, good luck with your decision!

Looks like I'll need it! <g>
From your original post title I (mis)read you were interested in
security. If all you need is a 'playground' you probably are better off
setting up your own server than pay for a hosting scheme.

And -probably pearls and swine- you -as Jerry said- should definitely
care about security, for a plethora of reasons. If it doesn't interest
you now, you surely gonna look upon it as 'a burden' later, when perhaps
you decide to do more with your acquired skills & knowledge. In which
case, remind me not to hire you ;-)

I'm sorry if I sound sarcastic, but I'm at the point of throwing in the
towel answering people's questions only to find out they don't give a
rat's behind about whatever reply they get.

Nonetheless, good luck, and I hope you belong to the salt of the earth
and take the advice to heart.

Rgds
Sh.
Apr 2 '07 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
6991
by: RJ Dake | last post by:
Having problems with uploaded Database and SharePoint sites. At least one of the errors is mentioned below. Sites do not allow access to DB entry or results. Email feedback is MOST appreciated! Thanks, RJ Error message is as follows:
1
6996
by: McKirahan | last post by:
What is "active content"? My ASP page just returns HTML.... I have a page with an .htm extension that has a form whose action is an ASP page which generates a report after updating a database with the form data. Under Windowx XP SP2 the IE6 "Information Bar" has the message: "To help protect your security, Internet Explorer has restricted this
5
5109
by: RWC | last post by:
Hello, I have a database that I need to connect with that resides on my personal intranet server. I'm on a different subnet than this server (running through two different gateways). When I try to open the database from my laptop, I get the warning "Microsoft Access cannot open this file This file is located outside your intranet or on an untrusted site. Microsoft Access will not open the file due to potential security problems. ...
4
2463
by: Dean Slindee | last post by:
I would like to provide a menu item that the users can click that launches the same "Windows Security" window that doing a Ctrl+Alt+Delete launches, but thru a Process.Start. Is this possible, and what is the name of the ..exe and it's location? Thanks, Dean Slindee
7
11255
by: Henry | last post by:
I am writing a Windows forms VB.Net/MS SQL application via VS 2003 that utilizes Crystal Reports. I want to be able to dynamically set the report data source at run time. I'm trying to change the the reports "integrated security" from TRUE to FALSE via the "Set Location" dialog in the report designer with no success. It is not intuitive (at least not to me.) I get the following error:
1
2868
by: Tom Purdom | last post by:
Hi All, I am developing a Outlook interop plugin which performs task time allocation. However when i attempt to fire my custom event to notify that an allocation has been generated the security exception "Request Failed" is thrown. The events sole subscriber is the main class of the interop plugin. Anyone experienced this problem in the past? Or can you give me more information about this type of security exception. I have read about...
14
4497
by: BillCo | last post by:
Hi folks, I have an a2k ap which is called from a batch file via task scheduler on at night - it runs a bunch of updates, imports stuff from other databases and generally preps the main backend for another day's work. It logs everything and generates an email which it sends to a few people, issuing warnings if there were problems. Have you guessed the problem yet? Outlook 2003 / SP2 - "...Trying to send a mail...", "...use address
2
2337
by: Mike McGuire | last post by:
I currently have a .NET 2.0 Application that uses "Security.SecureString" to securly pass a password to the process that I am starting within the app. I want to create something similar for a few of our web servers, but the web team does not want to install .NET 2.0 on the servers Is there anything similar to "Security.SecureString" for .NET 1.1? Mike
0
9846
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
10883
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10579
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
9412
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7814
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7007
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5674
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
4479
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
3126
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.