mooeypoo Posted March 2, 2004: Hi, question: in order to connect to a MySQL db through PHP I need to supply a username and password. Is there *any* way you could think of to prevent people from downloading those PHP pages? 'Cause I know that if they click "view source" they only get the HTML without PHP, but I am not 100% sure that those PHP files CANNOT be downloaded. Which actually means that if anyone downloads my PHP source page I'm screwed and my DB is open to hacks. Does anyone have any ideas how to prevent that? ~moo
Guest Pyro Posted March 2, 2004: Nice post... but I was thinking about it the opposite way: is there any way to download someone's PHP source?
mooeypoo (author) Posted March 2, 2004: Hehehe, well I guess if you find your answer I'll just have to reverse it and find mine ;p Let me know, by the way. I actually think (a friend of mine said so) that PHP is relatively easy to download from the server, hence my fear of being "robbed" of my DB. Anyways, hah ~moo
Atlantic Posted March 2, 2004: PHP files can only be downloaded over the FTP protocol; if your FTP is password protected (it should be by default) then you are OK. Your PHP interface should keep the SQL pretty secure. Of course skilled hackers can break through that code through a UNIX console, let's say... but unless you have Fat Tony's billions of dollars to hide, it shouldn't happen.
Sayonara Posted March 2, 2004: Atlantic is right: your PHP source can't be viewed from a browser. Even if you call a PHP-only file over the HTTP protocol, the code will be executed on the server and only valid output gets returned. It's one of the advantages of a server-side language.
Sayonara Posted March 2, 2004: Pyro said: "Nice post... but I was thinking about it the opposite way: is there any way to download someone's PHP source?" Yes, ask them for it. You'd be surprised how many coders will happily oblige. Anything else is theft.
mooeypoo (author) Posted March 2, 2004: Okay, kewl. A friend of mine just happened to know a few things I wrote inside the PHP files code-wise, so I was wondering if maybe my code wasn't very secure. Probably he was just playing games with me... I'll kick his ass anyway for making me worry like that ;p Thanks guys!! That was very helpful. ~moo
Sayonara Posted March 2, 2004: It is possible that the MIME types on a server might be set up incorrectly. This can result in a stream of information being rendered in the browser as text and non-text characters when a file request is made, instead of being correctly handled and responded to by the server (you see this sometimes when trying to download media files from some websites). This is the result of crappy server administration, though, rather than an attribute of PHP itself.
mooeypoo (author) Posted March 2, 2004: Ah. Any way of checking that to make sure? Like, check if there's a "leak"?
Sayonara Posted March 2, 2004: If the MIME type is incorrectly set up for PHP, you'll know the instant you request a PHP page.
mooeypoo (author) Posted March 2, 2004: Ah, awesome. So if, when I request a PHP page, I get the HTML source, then the PHP is safe. I shouldn't be afraid to put user/pass inside my DB params. Kewl, thanks heaps Sayonara.
Sayonara Posted March 3, 2004: I always keep the db connection in a separate file anyway, and include it in the scripts that need it. So even if someone did manage to get the code for a user-viewable page somehow, they'd not (immediately) have the db details (and hopefully not have the smarts to work out that it was almost within reach).
mooeypoo (author) Posted March 3, 2004: Yeah, I thought about it, but if anyone were smart enough to get to my PHP source, he wouldn't have trouble going to the other page, as you said. I just made another username on the server that allows only reading, so that even if anyone takes it, he's not the administrator of the database.
mossoi Posted March 3, 2004: You might want to read up on SQL injection as well; this is a more immediate security problem with PHP pages and MySQL DBs. Also add error handling into your code, so that if there is a problem the error message won't give a chunk of source code and the DB name to anybody. (This won't pass on any login details, but it's still a possible risk, as it may allow somebody to glean the name of your username form field for a login; this could then be used to break the security through SQL injection.)
mooeypoo (author) Posted March 5, 2004: Thanks mate, that really helped. It'll be a long time 'till I understand the ENTIRE thing, but it's a start. Thanks.
Guest kook Posted March 13, 2004: Watch out for your backup files, such as myscript.php.bak; make sure you don't upload them.
mooeypoo (author) Posted March 13, 2004: Ahh wow, true. Sheesh, thanks!! <goes to make sure>
Dave Posted March 31, 2004: There are really only two things to consider when you're considering PHP security. The first is file permissions. This usually isn't a problem, but you might want to create a directory for all your include files and make this inaccessible to the outside world with a .htaccess file (assuming you're using Apache). The other thing is SQL injection. Basically, make sure that whenever anyone submits any type of data and that data is subsequently used in an SQL query, you use addslashes() to properly escape the data. Otherwise some person could quite happily come along and screw your entire database over for a laugh. And remember, always keep a backup of your database and source files, just in case.
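The injection mossoi and Dave are talking about, as an added example (not code from the thread or from any poster): it runs against an in-memory SQLite database through PDO so it works offline with `php inject.php`, and the table, the `moo` user row and its password are constructed for the example. The hardened lookup uses a prepared statement, which keeps the input out of the SQL text altogether, so no escaping function is involved; the `handleRequest` function shows the error handling mossoi asked for, with the database error going to the server log and the visitor getting only a generic message.

```php
<?php
// Added example, not code from the thread. SQL injection and the
// prepared-statement fix, against an in-memory SQLite database via PDO
// so it runs offline. The table, user row and password are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, pwhash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $ins->execute(['moo', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the submitted value is spliced into the SQL text, so a quote
// in the input rewrites the query. Returns true if any row matched.
function userExistsVulnerable(PDO $db, string $username): bool
{
    $sql = "SELECT pwhash FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch() !== false;
}

// HARDENED: a placeholder. The driver sends the value separately from the
// statement, so the input can never become part of the SQL.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwhash']);
}

// Error handling: the database error (table names, SQL fragments) is written
// to the server log; the browser only ever sees a generic message.
function handleRequest(PDO $db, string $username): string
{
    try {
        return userExistsVulnerable($db, $username) ? 'known user' : 'unknown user';
    } catch (PDOException $e) {
        error_log('db error: ' . $e->getMessage());
        return 'Sorry, something went wrong.';
    }
}

$db = makeDb();

$bypass = "' OR '1'='1";                      // turns the WHERE clause into "always true"
var_dump(userExistsVulnerable($db, $bypass)); // matches a row without knowing any username
var_dump(login($db, $bypass, 'anything'));    // the same string is looked up literally and fails
var_dump(login($db, 'moo', 'correct horse')); // the real credentials still work

$probe = "' UNION SELECT x FROM nope --";     // crafted to provoke a "no such table" error
echo handleRequest($db, $probe), PHP_EOL;     // generic message; the detail is in the log only
```

The first `var_dump` is the whole problem in one line: the attacker never needs a valid username, because the string they typed has become part of the query. The `UNION` probe shows why mossoi's error-handling point matters: without the `catch`, PDO's exception text (including the table name it could not find) would be rendered into the page, which is exactly the information an attacker uses to refine the next injection.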
Sayonara Posted April 1, 2004: Whether or not the PHP file types can be downloaded will depend on whether the MIME types on the server are set up properly. Bad MIME types can be disastrous for PHP-based sites. A common trick is to put in a MIME setting that makes the server treat any file with an .xhtml or .dhtml extension as PHP, so people looking for sites to break into will not immediately realise what server-side language is in use. I'm going to experiment with that later, so I'll let you know. If you are not 100% sure whether your queries are SQL-injection proof, ensure the database user that your query string includes only has SELECT permissions. I only allow DB connection strings to get UPDATE, INSERT or DELETE permissions if the script involved can prove (1) the user's identity and (2) their intentions.
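Dave's include-directory lock-down, kook's warning about .bak files and the extension trick Sayonara describes, pulled together as an added Apache configuration example (not from the thread). It uses Apache 2.4 syntax, assumes PHP runs as mod_php, and the directory path and the list of backup extensions are made up for the example; the `<Directory>` block belongs in the vhost or httpd.conf, while the `<FilesMatch>` blocks also work in a .htaccess file.

```apache
# Added example, not from the thread. Apache 2.4, mod_php assumed;
# the path and extension list are illustrative.

# 1. Keep include files (db credentials etc.) outside DocumentRoot if you can,
#    so no URL maps to them at all. If they must live under the web root,
#    refuse direct requests; PHP's include() reads them from disk regardless.
<Directory "/var/www/example.com/includes">
    Require all denied
</Directory>

# 2. Editor and backup copies (index.php.bak, index.php~, .orig, .old, vim
#    .swp, .inc, dumped .sql) have no PHP handler, so Apache would serve them
#    as plain text, source and credentials included. Refuse them outright.
<FilesMatch "(\.(bak|orig|old|swp|inc|sql)|~)$">
    Require all denied
</FilesMatch>

# 3. No directory listings: a listing is the easiest way to find the files above.
<Directory "/var/www/example.com">
    Options -Indexes
</Directory>

# 4. Run .xhtml and .dhtml through PHP so the extension does not advertise the
#    language. This only hides the extension; it is not a substitute for 1 to 3,
#    and a .xhtml.bak copy is just as readable as a .php.bak one.
<FilesMatch "\.(php|xhtml|dhtml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

After reloading Apache, the leak check mooeypoo asked about earlier in the thread is two requests: `curl -i http://yoursite/index.php` should return rendered HTML with no `<?php` in the body, and `curl -i http://yoursite/index.php.bak` should return 403 rather than 200. A 200 with source in the body on either request means a handler or a deny rule is missing. Sayonara's SELECT-only database user is the complementary control on the MySQL side: even if the credentials file does leak, a read-only account cannot be used to modify or drop tables.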