PHP site security
I'm developing a small script to put on a web site on a UNIX server. I know that there are some pieces of software that are able to download an entire website onto your local disk and therefore I would like to know how I can prevent this from happening to my website. I'm not interested in having other people snooping around my PHP script.
A visitor to your site cannot see your PHP code, only the HTML that it outputs.
Yes, I know a visitor can only see my HTML code, but my concern is with the type of software that is able to download a site. I know that there are some security considerations we must apply to avoid these situations. Any ideas?
Originally Posted by Tarh
The software that you are referring to downloads all HTML pages and images on your website and stores it on the user's computer.
There's no way to stop this; as far as your website is concerned, it's just a visitor viewing your pages.
You could probably find some kind of system that locks out users based on request timing, but this would typically lock out normal visitors as well. Not to mention, it could be easily bypassed by adding a delay to the site downloading software.
AFAIK unless you allow FTP of your source files, setting the folder and file permissions to only what is necessary should make your script files safe from being downloaded.
Let's say I only want to give enough access to the files in order for the users to use them. What access should I give? (I am a complete lamer in Unix, I'm afraid.)
Originally Posted by Mittineague
Don't worry about it - the programs can't download any of your code unless you have a seriously insecure download page.
If PHP wasn't secure, I wouldn't be writing it :)
There are 3 things to set permissions on, and 3 levels.
There are better definitions, but in my own words AFAIK the User is the server, the Group is others on the server outside of the root, and the World is the web. Read means the file can be requested (getting its output), Write means the file can be written to, and Execute means the file can be run.
Generally the User settings can be more liberal, as only your own files should be using your own files. Just the same, it is wise not to have them have all User permissions unless they need them, e.g. you may not want a config file to be overwritten. I usually treat Group the same as World as I am on a shared host, not a network of other "qualified" individuals.
If you don't want the World to do something with a folder or file, don't give it the permission. E.g. I strongly suggest that you not give World Write and Execute permission unless you really want them to be able to upload and run code on your server.
Other than reading up on it, you can experiment with a test folder / file to get a feel for things.
Another thing you should do to help with security is to handle script errors. Once you're done developing a script you don't need others to see error message information.
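The permission advice in the two posts above (set only what is necessary; never give World write or execute) and the point about hiding script errors, as an added shell example that is not code from anyone in this thread. One correction a practitioner should carry away first: on UNIX the three classes are the file's owner, the file's group, and everyone else ("other", often called World); the web server process lands in whichever of those three applies to the account it runs as, so what matters is which class that account falls into for each file. The site layout below is constructed under a temporary directory, the file names and the "640 for the config" choice are this example's own assumptions, and tightening a file to 640 only works if the account PHP runs as is the file's owner or in its group, otherwise PHP itself can no longer read it.

```shell
#!/bin/sh
# Added example, not code from the thread: lay out a small PHP web root
# (constructed under a temporary directory), apply least-privilege
# permissions, and audit for anything the World class can write or execute.
set -eu

# Build a sample document root with deliberately sloppy permissions, the kind
# a first-time UNIX user might leave behind. Every file here is constructed.
make_sample_site() {
    root="$1"
    mkdir -p "$root/public/uploads" "$root/private"
    printf '<?php echo "hello";\n' > "$root/public/index.php"
    printf '<?php $db_pass = "not-a-real-secret";\n' > "$root/private/config.php"
    printf 'hello\n' > "$root/public/uploads/note.txt"
    chmod 777 "$root/public/index.php"      # World can overwrite the script
    chmod 666 "$root/private/config.php"    # World can read and rewrite the config
    chmod 777 "$root/public/uploads"        # World can drop files into uploads
}

# Apply a conservative layout:
#   directories  755  owner rwx; group and World may only traverse and list
#   files        644  owner rw;  everyone else read only, nothing executable
#   config file  640  no World access at all (assumes the PHP account is the
#                     owner or in the group; otherwise PHP cannot read it)
harden_site() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 640 "$root/private/config.php"
}

# Stop PHP from showing error details to visitors once development is done.
# .user.ini is honoured by the CGI/FastCGI SAPIs (php-fpm); under mod_php the
# same directives belong in php.ini or an .htaccess php_flag line instead.
write_error_settings() {
    printf 'display_errors = Off\nlog_errors = On\n' > "$1/.user.ini"
}

# List every path under $1 that World can write to. Empty output means none.
world_writable() {
    find "$1" -perm -002
}

# List every regular file under $1 with the World execute bit set.
world_executable_files() {
    find "$1" -type f -perm -001
}

# Succeed if PATH has exactly the octal mode given, e.g. is_mode f 640.
# -prune keeps find from descending when PATH is a directory.
is_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

demo() {
    site=$(mktemp -d)
    make_sample_site "$site"
    echo "World-writable before hardening:"
    world_writable "$site"
    harden_site "$site"
    write_error_settings "$site/public"
    echo "World-writable after hardening (expect nothing):"
    world_writable "$site"
    rm -rf "$site"
}
demo
```

Run the two audit functions against a real document root before and after changing anything; the `-perm -002` check is the quickest way to confirm that no file or directory is writable by World, which is the one setting the thread singles out as dangerous.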