Posted by Gordon Burditt on 02/18/06 05:02

>I am relatively new to PHP. One of the things that seems glaring obvious
>to me (coming from a C/C++ background) is how 'open' everything seems -
>(AFAIK). For instance, URLs typically have the name of the php script
>that they are calling - also just viewing the source of most web pages
>will show you in glorious detail, the paths and names to any PHP scripts
>they may be using.

HTML is visible. PHP code isn't visible via HTTP.

>If one was to implement user authorisation (or any other module whose
>logic needs to be kept private)

If the *logic* needs to be kept private, it's probably a
security hole.

>in a PHP module (apart from encypting
>the script - which has its own pitfalls) -it makes no sense in having
>such a module (script or set of scripts) plainly visible/accesible to
>the user - who can inspect your user authentication etc at leisure,

If you're talking about a remote user with a web browser, they
*cannot* inspect your PHP code at their leisure.

>whilst sipping his favourite beverage. What is the way to keep your
>script inacesible to users so that they cannot simply FTP or GET your
>script - giving that the path and file name has been kindly provided?

Ensure that you provide *NO* path where a user can simply GET your
protected files without authenticating. This is typically done
with a PHP page which checks the user's authentication, and if it's
OK, outputs a Content-type: header, then does a fpassthru() using
a file name *outside the document tree*.

>I think I remember reading somewhere that this is to do with setting
>file permissions - for example placing the scripts in afolder above the
>web server doc root. But this begs the question that if the user has no
>permision to the folder where the php files are kept - how can he
>execute them. Actually, the last sentence made me realise that the way
>around this (may?) be to have Apache run as a different user from the
>web client. Am I correct in this assumption?. Suggestions welcome.

If you are attempting to protect against someone who is sharing access
to the same server as you are, you're probably screwed.

Gordon L. Burditt

• Next in forum: Re: fopen() Permission denied
• Prev in forum: Re: Advise needed: PHP without webserver + interface to (X)windows
• Thread view: Re: permissions and script 'visibility'

[Reply to this message]