Posted by Dikkie Dik on 09/25/84 11:27

Han wrote:
> Our app runs on end-users machines (apache2.x + php5). At this moment
> it is quite easy for someone (who has access to the console) to insert
> a couple lines of php code to steal sensitive info.
>
> Is there a way to check the integrity of the php and javascript code by
> using digital signatures/simple hash/etc. ?
>
> What do you do to verify that your code has not been changed by someone
> else and everything is leaked to a rogue site?
>
> Thanks for your help
> -Han
>
Normal security measures are often taken on the web server. They include:
- making php files "execute only", so it is very difficult to download
ands investigate them.
- storing passwords, encrypted, somewhere outside of the public web
space. That makes them accessible for the server only. If you could
insert code, you would still need some inside info to find them.
Especially if the password file is called "packman.exe" instead of
"passwords.txt".
- allow uploading only on directories that do not have execute rights.

Off course, it does not stop the need for a PHP programmer to check the
URL request and the POST parameters for injections.

Best regards

[Back to original message]