Re: permissions and script 'visibility'

Posted by Jerry Stuckle on 02/18/06 16:56

Dave Schwimmer wrote:
>
> Gordon Burditt wrote:
>
>>> I am relatively new to PHP. One of the things that seems glaringly
>>> obvious to me (coming from a C/C++ background) is how 'open'
>>> everything seems - (AFAIK). For instance, URLs typically have the
>>> name of the php script that they are calling - also just viewing the
>>> source of most web pages will show you in glorious detail, the paths
>>> and names to any PHP scripts they may be using.
>>
>> HTML is visible. PHP code isn't visible via HTTP.
>
> WRONG! It is EXACTLY this kind of laid-back approach to security (and
> programming in general) that lets me worry about scripters and scripting
> languages. I have been playing around with PHP for just 2 days and I see an
> obvious security 'hole', and you casually tell me that PHP code isn't
> visible via PHP - well, try this for size:
>
> Type this at your shell/command prompt and see what you get back:
>
> GET http://yourhostname/notsecure.php HTTP/1.1
>

Gordon is correct. HTML is visible. PHP is not.

And from your operation I get the HTML - not the PHP code.

If you're getting something else, you have things set up improperly.

>>
>>> If one was to implement user authorisation (or any other module whose
>>> logic needs to be kept private)
>>
>> If the *logic* needs to be kept private, it's probably a
>> security hole.
>>
>
> wtf are you talking about? Why would you want the whole world to know
> how you authenticate users (you may just as well publish all your
> usernames/passwords onto the internet if you're that lax about security).
>

Again - it's not available.

>>
>>> in a PHP module (apart from encrypting the script - which has its own
>>> pitfalls) - it makes no sense in having such a module (script or set
>>> of scripts) plainly visible/accessible to the user - who can inspect
>>> your user authentication etc. at leisure,
>>
>> If you're talking about a remote user with a web browser, they
>> *cannot* inspect your PHP code at their leisure.
>>
> Really? See my response to your first answer.
>

Really.

>>
>>> whilst sipping his favourite beverage. What is the way to keep your
>>> script inaccessible to users so that they cannot simply FTP or GET your
>>> script - given that the path and file name has been kindly provided?
>>
>> Ensure that you provide *NO* path where a user can simply GET your
>> protected files without authenticating. This is typically done
>> with a PHP page which checks the user's authentication, and if it's
>> OK, outputs a Content-type: header, then does a fpassthru() using
>> a file name *outside the document tree*.
>>
> This seems more like it. But it skirts around the issue. Where do you
> keep the PHP which checks the user's authentication? (This was precisely
> my question in the first place.)
>

I keep mine in web pages where the code can't be seen.

>>
>>> I think I remember reading somewhere that this is to do with setting
>>> file permissions - for example placing the scripts in a folder above
>>> the web server doc root. But this begs the question that if the user
>>> has no permission to the folder where the php files are kept - how can
>>> he execute them. Actually, the last sentence made me realise that the
>>> way around this (may?) be to have Apache run as a different user from
>>> the web client. Am I correct in this assumption? Suggestions welcome.
>>
>> If you are attempting to protect against someone who is sharing access
>> to the same server as you are, you're probably screwed.
>
> True, but it's a no-brainer to solve that one (just use a dedicated server).
>
>>
>> Gordon L. Burditt
>

I suggest you learn more about how PHP and web servers work before you
start throwing stones.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
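
The gatekeeper pattern Gordon describes (authenticate, emit a Content-type header, then fpassthru() a file that lives outside the document tree) and the follow-up question about where the authentication code itself lives, as one worked example. This is added illustration code, not code from any poster in the thread; the directory layout (/var/www/html as DocumentRoot, /var/www/private for the auth include and the protected files), the `download.php` name, the `file=` query parameter, the public tokens and the `$_SESSION['user_id']` check are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): /var/www/html/download.php
// Assumed layout (hypothetical):
//   /var/www/html/download.php    <- this file, reachable over HTTP
//   /var/www/private/auth.php     <- auth logic, NOT under DocumentRoot
//   /var/www/private/files/       <- protected files, NOT under DocumentRoot
// Files under /var/www/private are readable by the web server's own user
// (e.g. Apache's), so PHP can require/stream them, but no URL maps to them,
// so a browser client can neither GET the source nor the protected files.
declare(strict_types=1);

// In the assumed layout this function would live in /var/www/private/auth.php
// and be pulled in with: require_once '/var/www/private/auth.php';
// It is inlined here so the example is a single runnable file.
function is_authenticated(): bool
{
    return isset($_SESSION['user_id']) && $_SESSION['user_id'] !== '';
}

const PROTECTED_DIR = '/var/www/private/files';

// Whitelist: the request carries only a public token, never a filesystem
// path, so "../" or absolute paths in the parameter cannot reach other files.
const FILES = [
    'report' => ['name' => 'report.pdf', 'type' => 'application/pdf'],
    'readme' => ['name' => 'readme.txt', 'type' => 'text/plain'],
];

// Resolve a public token to a real path inside PROTECTED_DIR, or null.
function protected_path(string $token): ?array
{
    if (!array_key_exists($token, FILES)) {
        return null;
    }
    $real = realpath(PROTECTED_DIR . '/' . FILES[$token]['name']);
    // realpath() follows symlinks and ".."; re-check the result is still
    // inside the protected directory before serving it.
    if ($real === false || strpos($real, PROTECTED_DIR . '/') !== 0) {
        return null;
    }
    return ['path' => $real, 'type' => FILES[$token]['type']];
}

session_start();

if (!is_authenticated()) {
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit;
}

$entry = protected_path($_GET['file'] ?? '');
if ($entry === null) {
    // Same response for unknown token and for a path that escaped the
    // directory, so the client learns nothing about the layout.
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "Not found\n";
    exit;
}

$fh = fopen($entry['path'], 'rb');
if ($fh === false) {
    http_response_code(500);
    exit;
}

// Headers first, then the raw bytes; fpassthru() streams without loading
// the whole file into memory.
header('Content-Type: ' . $entry['type']);
header('Content-Length: ' . (string) filesize($entry['path']));
header('X-Content-Type-Options: nosniff');
fpassthru($fh);
fclose($fh);
```

A client requesting `download.php?file=report` gets either the PDF bytes or a 403/404; it never gets the PHP source, because the web server hands `.php` files to the interpreter and returns only what the script outputs. The permissions question at the end of the thread resolves the same way: the operating-system user that the web server runs as needs read access to /var/www/private, while the HTTP client is not an OS user at all and only ever sees the output of scripts the server chooses to run.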
