PHP includes and security
This is a response from a web host regarding tightening up security on PHP include files:
"tweak the permissions so that people from the outside cannot read your includes, but can still run your script."
If setting up include folders on the web root level is unavailable, how can the above quote be incorporated (script examples) for sensitive files?
Thanks,
TonyMontana
Renegade posted this at 05:41 — 26th August 2003.
He has: 3,022 posts
Joined: Oct 2002
Well maybe a .htaccess file could help you out there, not sure how though...
m3rajk posted this at 16:53 — 26th August 2003.
They have: 461 posts
Joined: Jul 2003
Easiest thing to do: have it .php.
Now they can't get it served to them in plaintext.
To add to that, move it outside the web dir, i.e.:
You get ~/user/ for your dir. You put your web stuff in ~/user/web/ and have your includes in ~/user/includes/.
The serving software can still get to it, as can you via ssh (telnet over ssl), but not anyone doing web browsing.
You have now restricted it to the machine. Going beyond that, you will either need to chgrp it and chmod (640) it so that ls -la gives something like:
-rw-r----- user server file.php
This means you own it and the group it's in is the webserver's. The owner has read/write; the webserver just read.
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
TonyMontana posted this at 18:06 — 26th August 2003.
They have: 218 posts
Joined: Apr 2001
"to add to that. move it outside the web dir..."
m3rajk, is it common for shared web hosts to allow clients to add folders out of the web directory? I don't have this ability with a current host.
TM
m3rajk posted this at 20:23 — 26th August 2003.
They have: 461 posts
Joined: Jul 2003
I don't know. I haven't done much with getting things hosted outside of the space I had at school. Personally I think it's foolish to have everything about a client in webspace, because you don't want their e-mail web accessible, and some people (like me for instance) like to use pine (or something similar) to screen e-mails before downloading.
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Mark Hensler posted this at 06:35 — 27th August 2003.
He has: 4,048 posts
Joined: Aug 2000
Many hosts give you access to `/home/username` with your Document_Root set to `/home/username/public_html`. Anything within `/home/username` but outside of `/home/username/public_html` is considered outside of the web root.
Mark Hensler
If there is no answer on Google, then there is no question.
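The layout m3rajk and Mark describe, worked through as an added example (not code from any of the posters): includes live beside public_html rather than under it, and the include file is chgrp'd to the web server's group and chmod'd 640 so the owner can write it, the server can read it, and nobody else can. HOME_DIR is a constructed scratch directory standing in for /home/username, and WEB_GROUP is assumed to be the group the web server runs as (on a real host, check which one that is).

```shell
#!/bin/sh
# Added example: set up includes outside the document root and lock them down.
# HOME_DIR stands in for /home/username (constructed scratch path);
# WEB_GROUP stands in for the web server's group (assumption; defaults to
# the caller's own group so the example runs anywhere).
set -eu

HOME_DIR="${HOME_DIR:-$(mktemp -d)}"
WEB_GROUP="${WEB_GROUP:-$(id -gn)}"

# Create public_html (the DocumentRoot) and a sibling includes/ directory.
# No URL maps to includes/, so the web server can open it but cannot serve it.
setup_layout() {
    mkdir -p "$HOME_DIR/public_html" "$HOME_DIR/includes"
    # Constructed sample include holding a credential. It gets a .php
    # extension so that even if it were reachable it would be executed,
    # never served as plain text.
    printf '%s\n' '<?php $db_pass = "example-only";' > "$HOME_DIR/includes/config.php"
    # Owner: read/write. Web server group: read only. Everyone else: nothing.
    chgrp "$WEB_GROUP" "$HOME_DIR/includes/config.php"
    chmod 640 "$HOME_DIR/includes/config.php"
    chmod 750 "$HOME_DIR/includes"
    # The page script pulls the include in by absolute path, outside the root.
    printf '%s\n' "<?php require '$HOME_DIR/includes/config.php';" \
        > "$HOME_DIR/public_html/index.php"
}

# Print a file's octal mode (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the include is mode 640 and not under public_html.
include_is_private() {
    f="$HOME_DIR/includes/config.php"
    [ "$(file_mode "$f")" = "640" ] || return 1
    case "$f" in "$HOME_DIR/public_html"/*) return 1 ;; esac
    [ ! -e "$HOME_DIR/public_html/includes" ]
}

setup_layout
include_is_private && echo "config.php is outside the web root with mode 640"
```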