Why to use PHP

I have been using PHP for several years now, but I have been given a
project at my High School which has recently set up a web server, which
I would love to use PHP with (and Smarty, but that's a different
matter).

The only problem is that I need to convince the Head Teacher of
Computing that it's a good idea to install PHP. His main concern is
that a student will be able to download a script off the Internet and
use it to look at other user's documents, steal passwords, etc..

Any ideas as to what I can tell him?

Oct 25 '06 #1
17 1457
TheTeapot wrote:
I have been using PHP for several years now, but I have been given a
project at my High School which has recently set up a web server, which
I would love to use PHP with (and Smarty, but that's a different
matter).

The only problem is that I need to convince the Head Teacher of
Computing that it's a good idea to install PHP. His main concern is
that a student will be able to download a script off the Internet and
use it to look at other user's documents, steal passwords, etc..

Any ideas as to what I can tell him?
Tell him to learn what file permissions and users are.
A PHP script runs as a certain user (often apache or www-data or nobody),
and thus PHP has the rights of that user.
So running PHP is no different from having more users on the same system.
If you store a file in your private home directory, and you decide to give
the world read/write permissions on that file, anybody can read/change it.

This is a matter of good user management, and educated users. PHP has nothing
to do with that.

Tell him that.

Also, what OS are we talking about? Some *nix or W$? If the latter, don't
mind talking about security, the number of patches (to patch rootaccess)
for W$ released indicated that W$ will never be anywhere near secure in the
near future.

If he doesn't listen, ask him for detailed arguments, and post them here. I
am sure somebody will help you to make your case for the sake of PHP.
:-)

Regards,
Erwin Moller
Oct 25 '06 #2
Sorry, I meant to include a few extra things in that last email that I
thought of after sending. (as I generally always do)

#1: It's a Mac OS X system.
#2: I'll be installing the PHP build "Entropy" by Marc Liyanage.
#3: I generally get on quite well with him, I just need to convince him
that PHP when running as (www) user can't do anything dangerous.

Is there some obvious document which says all of this (which us
developers know automatically)?

Those who can't do something, teach it!

Erwin Moller wrote:
TheTeapot wrote:
I have been using PHP for several years now, but I have been given a
project at my High School which has recently set up a web server, which
I would love to use PHP with (and Smarty, but that's a different
matter).

The only problem is that I need to convince the Head Teacher of
Computing that it's a good idea to install PHP. His main concern is
that a student will be able to download a script off the Internet and
use it to look at other user's documents, steal passwords, etc..

Any ideas as to what I can tell him?

Tell him to learn what file permissions and users are.
A PHP script runs as a certain user (often apache or www-data or nobody),
and thus PHP has the rights of that user.
So running PHP is no different from having more users on the same system.
If you store a file in your private home directory, and you decide to give
the world read/write permissions on that file, anybody can read/change it.

This is a matter of good user management, and educated users. PHP has nothing
to do with that.

Tell him that.

Also, what OS are we talking about? Some *nix or W$? If the latter, don't
mind talking about security, the number of patches (to patch rootaccess)
for W$ released indicated that W$ will never be anywhere near secure in the
near future.

If he doesn't listen, ask him for detailed arguments, and post them here. I
am sure somebody will help you to make your case for the sake of PHP.
:-)

Regards,
Erwin Moller
Oct 25 '06 #3
TheTeapot wrote:
I have been using PHP for several years now, but I have been given a
project at my High School which has recently set up a web server, which
I would love to use PHP with (and Smarty, but that's a different
matter).

The only problem is that I need to convince the Head Teacher of
Computing that it's a good idea to install PHP. His main concern is
that a student will be able to download a script off the Internet and
use it to look at other user's documents, steal passwords, etc..

Any ideas as to what I can tell him?
If the other students can upload to the server, sure they can, unless
your teacher knows how to set permissions properly (which it sounds like
he doesn't). But in that case there probably are other programming
languages on the system the person could use.

And if others don't have upload capability, there's no problem as long
as you design the site properly.

The bottom line is - without a programming language you'll be stuck with
static pages. And if you want/need dynamic pages, you need *some*
programming language. And in many cases PHP is a good solution.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Oct 25 '06 #4
R K
If uploading enabled, file permissions can't stop a user from
uploading a file, say "hole.php", then executing that file with the
URL http://host/uploaddir/hole.php. All PHP files just have rw or just
r permissions and they are still executed by the server. Seems like a
PHP issue. Are we leaving this up to developers to take care not to
create this hole?

BTW, how do I fix this in an administrative way?

Thx
-R

Oct 25 '06 #5
R K
BTW, how do I fix this in an administrative way?
Never mind. Put this in the .htaccess file in the upload directory:

php_value engine off

HTH,
-R

Oct 25 '06 #6
TheTeapot wrote:
I have been using PHP for several years now, but I have been given a
project at my High School which has recently set up a web server, which
I would love to use PHP with (and Smarty, but that's a different
matter).

The only problem is that I need to convince the Head Teacher of
Computing that it's a good idea to install PHP. His main concern is
that a student will be able to download a script off the Internet and
use it to look at other user's documents, steal passwords, etc..

Any ideas as to what I can tell him?
If you have no ideas why you'd want to use PHP then maybe it's not a
good idea.

Oct 25 '06 #7
Rik
R K wrote:
>BTW, how do I fix this in an administrative way?

Never mind. Put this in the .htaccess file in the upload directory:

php_value engine off
Upload/tmp directories shouldn't even be accessible by http....

/dir/
/uploadtmp/
/wwwroot/
--
Rik Wasmus
Oct 25 '06 #8
R K

Rik wrote:
R K wrote:
BTW, how do I fix this in an administrative way?
Never mind. Put this in the .htaccess file in the upload directory:

php_value engine off

Upload/tmp directories shouldn't even be accessible by http....

/dir/
/uploadtmp/
/wwwroot/
Yeah, but suppose you wanted an upload to be web accessible after it's
moved from the tempdir?

That final directory needs the .htaccess, doesn't it?
-R

Oct 25 '06 #9
Rik
R K wrote:
Rik wrote:
>R K wrote:
>>>BTW, how do I fix this in an administrative way?

Never mind. Put this in the .htaccess file in the upload directory:

php_value engine off

Upload/tmp directories shouldn't even be accessible by http....

/dir/
/uploadtmp/
/wwwroot/

Yeah, but suppose you wanted an upload to be web accessible after
it's moved from the tempdir?

That final directory needs the .htaccess, doesn't it?
Well, I'm very curious.
You want PHP to be available, but disabled?
When do you want PHP to run?
And it's far better to put these kinds of settings in httpd.conf than
.htaccess, and forbid the use of .htaccess to change these values. If they
have access to the directory, what stops them from deleting or altering the
.htaccess file, thus enabling PHP? I assume that when a user uploads a
file, he is allowed to either edit or delete it..
--
Rik Wasmus
Oct 25 '06 #10
R K

Rik wrote:
R K wrote:
Rik wrote:
R K wrote:
BTW, how do I fix this in an administrative way?

Never mind. Put this in the .htaccess file in the upload directory:

php_value engine off

Upload/tmp directories shouldn't even be accessible by http....

/dir/
/uploadtmp/
/wwwroot/
Yeah, but suppose you wanted an upload to be web accessible after
it's moved from the tempdir?

That final directory needs the .htaccess, doesn't it?

> And it's far better to put these kinds of settings in httpd.conf than
> .htaccess, and forbid the use of .htaccess to change these values. If they

Then I'd have to reboot the server for every change, not interested in
that. Already short on time and this is not my real job.

> have access to the directory, what stops them from deleting or altering the
> .htaccess file, thus enabling PHP? I assume that when a user uploads a
> file, he is allowed to either edit or delete it..

Wouldn't permissions on .htaccess prevent overwrite if the server is
not running as root? guess there's one way to find out...

-R

Oct 25 '06 #11
Rik
R K wrote:
Then I'd have to reboot the server for every change, not interested
in that. Already short on time and this is not my real job.
Well, there's security and there's the illusion of security. Good luck.
--
Rik Wasmus
Oct 25 '06 #12
R K

Rik wrote:
R K wrote:
Then I'd have to reboot the server for every change, not interested
in that. Already short on time and this is not my real job.

Well, there's security and there's the illusion of security. Good luck.
It's worked for me so far. Gold plating every damn thing hasn't. Back
at ya.

-R

Oct 25 '06 #13
Rik
R K wrote:
Rik wrote:
>R K wrote:
>>Then I'd have to reboot the server for every change, not interested
in that. Already short on time and this is not my real job.

Well, there's security and there's the illusion of security. Good
luck.

It's worked for me so far. Gold plating every damn thing hasn't.
Back at ya.
Hmmmf.
Last piece of advice:
if you have different users, different user-dirs, but want to apply
unoverridable settings to every dir:
http://httpd.apache.org/docs/2.0/mod/mod_userdir.html
http://httpd.apache.org/docs/2.0/howto/public_html.html

And check AllowOverride

For more information alt.apache.configuration
--
Rik Wasmus
Oct 26 '06 #14
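As an added example, not from the thread or from any of its posters, here is what the advice in replies #6, #10 and #14 (switch the PHP engine off for upload and user directories, set that in httpd.conf rather than .htaccess, and lock it with AllowOverride) looks like as an httpd.conf fragment for Apache 2.0 with mod_php. The /dir/uploadtmp and /dir/wwwroot layout follows Rik's reply, the /Users/*/Sites path follows the Mac OS X user-folder convention TheTeapot mentions, and all of these paths are assumptions.

```apache
# Added example (not from the thread). Apache 2.0 + mod_php, paths assumed.

# The upload area is outside the DocumentRoot, so nothing in it has a URL.
# Deny it explicitly as well, in case an Alias ever points at it.
<Directory "/dir/uploadtmp">
    Order deny,allow
    Deny from all
</Directory>

# Each user's Sites/ folder is served by mod_userdir, but PHP is off there.
# php_admin_flag (unlike php_value) cannot be changed from .htaccess or
# ini_set(), and AllowOverride None stops .htaccess from changing anything
# else in this block, so a user who can write to the directory cannot
# re-enable the engine.
UserDir Sites
<Directory "/Users/*/Sites">
    AllowOverride None
    Options -ExecCGI -Includes -Indexes
    php_admin_flag engine off
    Order allow,deny
    Allow from all
</Directory>

# The site maintained by staff keeps PHP; still no .htaccess overrides.
<Directory "/dir/wwwroot">
    AllowOverride None
    php_admin_flag engine on
    Order allow,deny
    Allow from all
</Directory>
```

This answers the "what stops them from deleting the .htaccess" objection from reply #10: the setting lives in a file the web server user cannot write, and .htaccess is not consulted for it. Changing it does require reloading Apache, which is the trade-off reply #11 objects to; a graceful restart (apachectl graceful) does it without dropping connections, which is a fact about Apache rather than something the thread states.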
Rather than an upload directory, it has been set up to use the user's
"Sites/" folder.

I think that the end solution will be to point out that few students
will know how to code and use the PHP on the system, and none of the
students I know can actually use PHP to hack a server.

The other thing is that it isn't part of the Internet, only the
school's Intranet.

Thanks everyone, I'll see how I go tomorrow.

Rik wrote:
R K wrote:
Rik wrote:
R K wrote:
Then I'd have to reboot the server for every change, not interested
in that. Already short on time and this is not my real job.

Well, there's security and there's the illusion of security. Good
luck.
It's worked for me so far. Gold plating every damn thing hasn't.
Back at ya.

Hmmmf.
Last piece of advice:
if you have different users, different user-dirs, but want to apply
unoverridable settings to every dir:
http://httpd.apache.org/docs/2.0/mod/mod_userdir.html
http://httpd.apache.org/docs/2.0/howto/public_html.html

And check AllowOverride

For more information alt.apache.configuration
--
Rik Wasmus
Oct 26 '06 #15
TheTeapot wrote:
> none of the students I know can actually use PHP to hack a server.

I wouldn't assume that if I were you. You're just asking for trouble.

> The other thing is that it isn't part of the Internet, only the
> school's Intranet.

It would be better the other way around. On the internet, they
wouldn't be able to cause much damage, but if they find a hole
somewhere in your local intranet, then, well... let's just say that I
hope nothing private or critical is stored where they can get to it
such as social security numbers, grades, or medical information.

Oct 26 '06 #16
>> Upload/tmp directories shouldn't even be accessible by http....
>>
>> /dir/
>> /uploadtmp/
>> /wwwroot/
>
> Yeah, but suppose you wanted an upload to be web accessible after it's
> moved from the tempdir?
>
> That final directory needs the .htaccess, doesn't it?
Not necessarily. You can make a file "web accessible" without putting it
in a publicly accessible directory. You can create a php file (publicly
accessible) that sends the appropriate Content-Type header and sends the
contents from a file (that is not publicly accessible) to the client.
Also, the file does not necessarily exist on the server as it is sent to
the client (you can open an image, rescale it, add a copyright message
and send the result of that to the client, for example).

You can control the "downloader" php file with GET-parameters or with
session data, so have much control over the accessibility.

Best regards
Oct 26 '06 #17
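The "downloader" file described in the reply above, written out as an added example; it is not code from the thread or from any poster. It assumes the layout from Rik's reply, with uploaded files stored in /dir/uploadtmp outside the web root, and a session variable named user that a login page (not shown) sets after authenticating; both the path and the session key are assumptions.

```php
<?php
// Added example (not from the thread): a publicly reachable script that
// streams files from a directory Apache does not serve. Paths and the
// session key are assumptions.
declare(strict_types=1);

session_start();

// Directory outside the DocumentRoot (assumed layout from Rik's reply).
const UPLOAD_DIR = '/dir/uploadtmp';

// Only logged-in users may fetch files. How $_SESSION['user'] gets set is
// outside this example (assumed to be done by a login page).
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Reduce the GET parameter to a bare file name, so "../" sequences and
// absolute paths cannot reach outside UPLOAD_DIR; also refuse dotfiles.
$name = basename((string) ($_GET['file'] ?? ''));
if ($name === '' || $name[0] === '.') {
    http_response_code(400);
    exit('Bad request');
}

$base = realpath(UPLOAD_DIR);
if ($base === false) {
    http_response_code(500);
    exit('Upload directory missing');
}

// realpath() resolves symlinks; the prefix check rejects a link that
// points back outside the upload directory.
$path = realpath($base . '/' . $name);
if ($path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Derive the Content-Type from the stored file, never from the client,
// and allow only a few known types; everything else is a plain download.
$allowed = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];
$mime = mime_content_type($path);
if ($mime === false || !in_array($mime, $allowed, true)) {
    $mime = 'application/octet-stream';
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
// "attachment" makes the browser save the file instead of rendering it, so
// an uploaded HTML file is not interpreted in this site's origin.
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');

// The bytes are copied to the client, never handed to the PHP engine, so an
// uploaded "hole.php" from reply #5 is data here, not a script.
readfile($path);
```

Requested as /download.php?file=report.pdf (assumed script name), the script runs as the web server user, so it can only read what that user can read, which is the same point Erwin makes in reply #2; the access decision is made in PHP (session check, name check) rather than by which directory happens to be under the DocumentRoot.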
TheTeapot wrote:
Rik wrote:
>>R K wrote:
>>>Rik wrote:

R K wrote:

>Then I'd have to reboot the server for every change, not interested
>in that. Already short on time and this is not my real job.

Well, there's security and there's the illusion of security. Good
luck.

It's worked for me so far. Gold plating every damn thing hasn't.
Back at ya.

Hmmmf.
Last piece of advice:
if you have different users, different user-dirs, but want to apply
unoverridable settings to every dir:
http://httpd.apache.org/docs/2.0/mod/mod_userdir.html
http://httpd.apache.org/docs/2.0/howto/public_html.html

And check AllowOverride

For more information alt.apache.configuration
--
Rik Wasmus


Rather than an upload directory, it has been set up to use the user's
"Sites/" folder.

I think that the end solution will be to point out that few students
will know how to code and use the PHP on the system, and none of the
students I know can actually use PHP to hack a server.

The other thing is that it isn't part of the Internet, only the
school's Intranet.

Thanks everyone, I'll see how I go tomorrow.
(Top posting fixed)

I agree with Moot. Students are much smarter and capable than you
think. Some of them may have been doing PHP for several years - and
would know a lot more than you do.

If you don't know how to properly secure your system you are not only
looking for trouble - you're opening the door wide and putting a huge
"Welcome" mat on the porch.

And what's it going to cost your school in attorney's fees, reputation,
etc. if someone hacks the grades database? Or gets a list of SSN's, etc.?

If you can't secure it properly, don't have *any* access to anything
private available. Better yet, don't allow students on the system in
the first place. Set up a different server for them which is isolated
from the rest of the school's network.

P.S. Please don't top post. Thanks.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Oct 27 '06 #18
