Posted by Gordon Burditt on 07/13/05 04:49
>I have been learning PHP on my own time and have an Apache server on my
>network at home. Obviously security is not a problem on this setup.

If it is accessible from the Internet, which it probably is if it
has a public IP, security IS an issue. Even if it's only on a
dialup line. Please don't run yet another infected zombie that can
be instructed to attack other systems.

>But as I begin to think about actually using code on a publicly addressable
>server someday, the examples in my books seem to be wide open to the world.
>
>Most use an HTML form that calls a separate php program. Most of the
>passwords are either hard coded in that php module or are in a file
>accessible by that module.

If PHP is set up properly, Apache will *NOT* serve the text of a
PHP page, it will serve the OUTPUT of that page. Test it yourself
with a browser or telnet directly to port 80 of your Apache server.
Should you ever manage to break PHP, which I note happens briefly
during upgrades if I don't shut off Apache during the upgrade, it
could serve the text, which is a problem.

My solution (hardly original) is to put the passwords in an include
file *OUTSIDE* the document root. It might look like:

<?php
$mysql_server = 'mysql.mydomain.com';
$mysql_user = 'me';
$mysql_password = 'drowssap';
$mysql_db = 'weasels';
?>

and it might reside in /usr/local/share/php as "weasels.inc". You
use these variables as arguments to mysql_connect() or mysql_pconnect()
and mysql_select_db(). Another advantage of this is that you can
change which database you are using by changing ONLY the include file.

Also, give the user 'me' minimal privileges that it needs to do its
job. This might be SELECT only, or it might be SELECT, UPDATE,
INSERT, DELETE on one database only. It shouldn't be able to alter
the schema. Many hosts for web/db setups will allow you at least
two MySQL logins, one for admin, the other for web use on the
same database.

If PHP is broken, Apache won't access the include file since it's
outside the document root. If PHP is not broken, you get the output
of the page, not the code. So, either way, you don't get the passwords.

Also, your MySQL permission setup should allow user 'me' to access
the database from only a small number of IP addresses (your web
site, and the site you do maintenance from, both of which might be
'localhost' only). That way, in order to *USE* the password if
they manage to steal it, they have to be able to write scripts onto
your web server and run them.

>Heck, anybody can download the php script and look at the passwords. Or,
>use it to see what file it is pointing to.
>
>Am I missing something here?

No, anybody CANNOT download the php script, assuming that Apache
recognizes it as a script to be run with PHP.

Note that my suggestion does not help you in defending your site
against other customers (potentially competitors or scammers wanting
to steal credit card numbers) on a hosted site using the same server.
Gordon L. Burditt
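Added example, not part of the original post: a Python check for the two conditions the reply relies on, that no path under the document root resolves to the credentials include (directly or through a symlink) and that a fetched response body holds page output rather than PHP source. The function names, the `htdocs` and `db.inc` paths and the temporary tree are constructed for illustration; the symlink case assumes Apache is configured to follow symlinks.

```python
import os
import tempfile

def web_paths_to(secret, docroot):
    """Return docroot-relative paths that resolve to `secret`, following symlinks."""
    target = os.path.realpath(secret)
    hits, seen = [], set()
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=True):
        real_dir = os.path.realpath(dirpath)
        if real_dir in seen:              # symlink loop: do not descend again
            dirnames[:] = []
            continue
        seen.add(real_dir)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.realpath(full) == target:
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def serves_source(body):
    """True if a response body contains a PHP open tag (source, not output)."""
    lowered = body.lower()                # PHP accepts <?PHP as well as <?php
    return "<?php" in lowered or "<?=" in lowered

def build_sample_tree(base):
    """Constructed layout: a document root with the include directory beside it."""
    docroot = os.path.join(base, "htdocs")
    incdir = os.path.join(base, "share", "php")
    os.makedirs(docroot)
    os.makedirs(incdir)
    secret = os.path.join(incdir, "weasels.inc")
    with open(secret, "w") as fh:
        fh.write("<?php $mysql_password = 'drowssap'; ?>\n")
    with open(os.path.join(docroot, "index.php"), "w") as fh:
        fh.write("<?php include 'weasels.inc'; ?>\n")
    return docroot, secret

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        docroot, secret = build_sample_tree(base)
        print("reachable via:", web_paths_to(secret, docroot))
        # Constructed mistake: a symlink inside the docroot pointing at the include.
        os.symlink(secret, os.path.join(docroot, "db.inc"))
        print("reachable via:", web_paths_to(secret, docroot))
    # Constructed response bodies: normal output, then PHP broken and source served.
    print(serves_source("<html><body>42 weasels</body></html>"))
    print(serves_source("<?php\n$mysql_password = 'drowssap';\n"))
```

In practice `serves_source` would be given the body of a request for a known `.php` page after each PHP or Apache upgrade.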