
Safety Of A Php Script


nachtegaal9999

Hi, I am a newbie and had a discussion with somebody who told me that xxx.php files could be read out or copied for the code in that file. He couldn't tell me how, so I want to verify this with specialists. The reason why I want to know this is that I use passwords in my xxx.php file to access my MySQL database. I always thought that it was safe!!! Could somebody tell me if it isn't secure, and why? Thanks in advance. Simon


nachtegaal9999: You can't inherently access the unprocessed PHP source of a document without some form of authentication (i.e. going through a control panel's file manager, FTP, SFTP, SSH etc). So exposing files like <?php $password = 'foobar'; ?> via Apache HTTPd is perfectly safe in most situations provided mod_php is parsing the file. You can have situations where a poorly written web application allows a malicious user to gain access to the local filesystem and thus the file contents, but that's a mistake you would have to make - there's definitely no problem with PHP itself like you describe.

Distortion: You are perhaps talking about sanitisation of user input, probably in a database context. In which case you should be using database-specific sanitisation methods rather than addslashes (for example, the stock mysql driver provides mysql_real_escape_string, which is superior to addslashes for keeping user input in queries safe). You can also use PHP database drivers that provide variable binding when building queries, since these will often handle the sanitisation of input automatically. The idea of using methods like these in database queries is that it prevents users from injecting malicious SQL into your database.


As far as I am aware it isn't possible to view PHP source unless there is an error on the page. It is possible to create errors if you know that appropriate error handling isn't in place, but the worst you'd get is someone seeing the format of a database query or something - one line max.

You need to add and strip slashes so that if someone enters code into a form field and you display that code later, it won't contain code that will actually run. For example, imagine I entered in a form field:

<p>Ha, dumbass!</p>

If you store that as is and then try to output my name as that string, it will render as valid HTML and ruin someone's page. That's just a stupid phreaking example, but you can avoid it by using a built-in function like htmlspecialchars.

Okay, so that doesn't really explain the slashes. Some characters like quotes are needed for making database queries, and if someone had an idea to, say, display all records in your database table, they could fill in a form field:

bob AND 1=1"

Imagine that I saved that as my username. When you next go to display my username, your query might look like:

"SELECT * FROM `users` WHERE username = bob AND 1=1"

That would select all records, because 1 always equals 1. There are far more ingenious uses, and better explanations, if you :) database query injection.


Keeping the database connection information and the passwords in a PHP file is 'generally' a safe thing; however, to add some more security, using a configuration file that is not directly web-accessible and 'include'-ing it in your script will add another level of security.

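The three points made in the replies above (variable binding instead of addslashes, htmlspecialchars on output, and a config file kept outside the web root and included) put together in one script. This is an added example, not code posted by anyone in this thread; the config path, the `users` table and its columns, and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread). Assumes a config file one directory
// ABOVE the document root (hypothetical path /var/www/config/db.php, while the
// web root is /var/www/html) that Apache therefore never serves. That file
// just returns the connection settings, e.g.:
//   return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//           'user' => 'app', 'pass' => 'CHANGE-ME'];
$config = require __DIR__ . '/../config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    // Throw on errors; with display_errors off in production the query text
    // from the reply above never reaches the browser.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements rather than client emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Constructed input in the spirit of the "bob AND 1=1" example: a username
// that tries to widen the WHERE clause.
$username = $_GET['username'] ?? 'bob" OR 1=1 -- ';

// VULNERABLE (never executed here, shown only for contrast): plain string
// concatenation. With the input above the SQL text becomes
//   SELECT * FROM `users` WHERE username = "bob" OR 1=1 -- "
// and every row comes back.
$unsafeSql = 'SELECT * FROM `users` WHERE username = "' . $username . '"';

// SAFE: variable binding. The value travels separately from the SQL text, so
// the quote and "OR 1=1" are just characters compared against the username
// column. No addslashes / escaping of the value is needed.
$stmt = $pdo->prepare('SELECT username, email FROM `users` WHERE username = :u');
$stmt->execute([':u' => $username]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Output escaping: stored data is passed through htmlspecialchars, so a stored
// username such as <p>Ha!</p> is shown literally instead of rendered as HTML.
foreach ($rows as $row) {
    echo '<li>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</li>';
}
```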