Posted by Schraalhans Keukenmeester on 04/02/07 00:47
hansBKK wrote:
> Upfront disclaimer - I am a relative newbie, just starting out learning
> about PHP, mostly by researching, installing and playing with different
> scripts. I am looking for a host that will provide the right environment
> for this - running a wide variety of PHP applications. I realise that
> security is also important, but for now flexibility is more important to
> me.
>
> Note that I'm **not** looking for people to recommend hosting companies,
> I have a good shortlist already. I'm looking for help in choosing
> between these, based on the configuration of their server environment.
>
> I would greatly appreciate your pointing out where my questions reveal
> my ignorance; if possible, help me fix up the questions and explain
> where I've gone wrong.
>
>
> Here is my understanding of these issues so far (assuming Linux/Apache):
>
> Running mod_php is less restrictive and therefore more flexible, and
> faster than running as CGI.
>
> More importantly, I've been told that mod_rewrite REQUIRES php running
> as a module, so on a host running CGI, I CANNOT get permalinks, pretty
> URLs, etc. Is this true?
>
> If so, then I definitely want a host running php as a module, even with
> the insecurity of 777/666 permissions.
>
> I should also ask the potential hosting services about my ability to put
> php configuration directives in custom .htaccess files (and not custom
> php.ini files, correct?)
>
> If this is the case, I assume it becomes relevant to PHP what the
> server's AllowOverride is set to?
>
> I also understand that I should avoid choosing a host running php in
> safe mode.
>
> Thanks in advance for your taking the time to read this, and especially
> to those who are willing to clarify these issues.
>
Besides stuff like safe_mode, open_basedir restrictions, $GLOBALS being
disabled (I think default for quite a while now), and client override
options in .htaccess files (the use of which comes at a slight
performance penalty, though): if you plan on using a shared-server
solution, beware that, unless Apache is set up to run for each virtual
domain/user individually, all work under the same user name, which makes
it possible for any of the other clients to read your raw PHP/HTML (etc.)
scripts. Many hosts I've seen haven't excluded the 'potentially
dangerous' functions such as eval, exec, passthru & system (note: egrep
with the -e option internally invokes eval as well) in their PHP setup;
in that case it is _REALLY_ easy to peek at any other client's data.
Some advise putting everything remotely damaging when in the wrong hands
in database tables rather than regular files when on a shared environment.
But even when PHP is properly secured, if the host also provides Perl or
Python and custom CGI extensions, they can open up a whole new can of worms.
Include files are best kept in a directory above the webroot,
something my own provider took some time to understand (you can adapt
your include path in .htaccess, btw). It helps to block every .inc file
(or whatever extension you prefer for includes) in .htaccess as well.
If you're really concerned about security, also remember to set another
default path for session files, since they mostly end up in /tmp,
accessible for all the clients.
Other than that, you could spend half a lifetime keeping up with every
single potential security issue, so a fair trade-off should be made.
Plenty of good material on the web and in (e)books on php & security.
No connected system is 100% secure, so always use your brain well when
choosing what (not) to put on a (remote!) server.
What makes a provider stand out for me more than the measures they have
already taken is the attitude and willingness to be open for suggestions
and ideas, and act on customer input. Mine got really scared when I
showed him all kinds of saucy data, complete process lists of his own
machines. But he thanked me for noticing, didn't shoot the messenger and
acted, swiftly.
HTH, good luck with your decision!
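The .htaccess advice in the reply above (block direct access to include files, move the include path above the webroot, move session files out of the shared /tmp) collected into one fragment. This is an added example, not part of the original thread; the account paths under /home/example and the extra extensions in the FilesMatch pattern are assumptions.

```apache
# Added example, not from the original post. /home/example/... paths are assumed.

# 1. Deny direct web access to include files, whatever extension you use for them.
#    The post mentions .inc; .inc.php and .tpl are added here as an assumption.
<FilesMatch "\.(inc|inc\.php|tpl)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 2. php_value/php_flag are only honoured when PHP runs as mod_php AND the
#    vhost has AllowOverride Options (or All). Under CGI/FastCGI these lines
#    make Apache return a 500 ("Invalid command 'php_value'"), so test them
#    on a throwaway file before relying on them. CGI hosts usually take a
#    per-directory php.ini instead.

# Includes live outside the document root (/home/example/includes, not
# /home/example/public_html/includes), so they are never served directly.
php_value include_path ".:/home/example/includes"

# Session files go to a directory owned by this account instead of /tmp,
# which every other client on the box can list. The directory must exist and
# be writable by whatever user PHP runs as.
php_value session.save_path "/home/example/sessions"

# 3. Complementary settings for a shared box.
php_flag register_globals off
php_flag display_errors off
php_flag allow_url_fopen off
```

Caveat on the session directory: if PHP runs as the shared Apache user rather than your own (no suPHP/suexec), the directory has to be writable by that shared user, so other clients' scripts can still reach it. Moving it out of /tmp then only stops casual browsing of a world-readable directory; the real fix is the per-user Apache setup the post asks the host about.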