SitePoint Sponsor

User Tag List

Page 1 of 2 12 LastLast
Results 1 to 25 of 41
  1. #1
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)

    How to protect Database?

    My website is programmed using PHP, and I would like advice on the best way to protect my Database and Database Settings from hackers.

    Currently I have a "database_connection.php" file which contains all of my connection details (e.g. Database Host, User, Password, Name).

    It is located in a directory called "secure" which has has .htaccess file in the same directory with this code...

    Code:
    deny from all

    Anytime a script needs to access MySQL, it has this code at the top of the file...

    PHP Code:
        require_once(WEB_ROOT 'secure/database_connection.php'); 

    I'm not very experienced on this topic, and fear this could be my Achilles Heal?!

    Sincerely,


    Debbie

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,869
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    If your hosting allows it you should move the file with the settings in it above the folder that the web site is in. That way it will only be accessible from PHP and not directly.

    You can also place code in the file itself that tests whether it is being called or accessed directly and which disallows direct access.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    You can also place code in the file itself that tests whether it is being called or accessed directly and which disallows direct access.
    You lost me on this part...


    Debbie

  4. #4
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Similar to this:
    PHP Code:
    if (!is_defined('ACCEPTABLE')) exit; 
    Another file(s) in your script would have the following in it, thus telling your database connection file, it is being included in an approved file.
    PHP Code:
    define('ACCEPTABLE'true); 
    However, I will say, that isn't fool-proof. To make it better, I'd follow @felgall ; initial advice. Place the database connection file outside of your web directory and include it using an absolute path.

  5. #5
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    Similar to this:
    PHP Code:
    if (!is_defined('ACCEPTABLE')) exit; 
    Another file(s) in your script would have the following in it, thus telling your database connection file, it is being included in an approved file.
    PHP Code:
    define('ACCEPTABLE'true); 
    Sorry but I'm getting what you are trying to do.

    And "Another file(s) in your script..." make no sense?! (Um, a script is a file... And what "file(s)" and "script" are you talking about??)


    Quote Originally Posted by cpradio View Post
    However, I will say, that isn't fool-proof. To make it better, I'd follow @felgall ; initial advice. Place the database connection file outside of your web directory and include it using an absolute path.
    I have a Virual Private Server with GoDaddy.


    In my config.inc.php file I have this code...

    PHP Code:
        // Physical Location (aka Document Root)
        
    define('WEB_ROOT'ENVIRONMENT === 'development'
                        
    '/Users/user1/Documents/DEV/++htdocs/06_Debbie/'
                        
    '/var/www/vhosts/MySite.com/httpdocs/');

        
    // Virtual Location
        
    define('BASE_URL'ENVIRONMENT === 'development'
                        
    'http://local.debbie'

    If I change the first constant to something like this...
    Code:
    	// Physical Location (aka Document Root)
    	define('WEB_ROOT', ENVIRONMENT === 'development'
    					? '/Users/user1/Documents/DEV/++htdocs/06_Debbie/'
    					: '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/');
    				: 'http://www.MySite.com');
    ...is that what you are talking about??

    Sincerely,


    Debbie

  6. #6
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Okay, assume you have an index.php, that "includes" the database connection file.

    Your index.php would have the following:
    PHP Code:
    define('ACCEPTABLE'true); 
    Your database connection file would have (should be at the top of the file):
    PHP Code:
    if (!is_defined('ACCEPTABLE')) exit; 
    Since index.php has defined ACCEPTABLE, the include for database_connection will complete.

    If you had another page, let's call it article.php, that DOES NOT define the ACCEPTABLE constant and tries to include the database connection file, the database connection file will exist at the IF check and not load the entire file (so the database connection won't be available to article.php.

    Second part:
    I'm not sure what WEB_ROOT is used for, but you'd only "have" to move your database connection file outside of your httpdocs, although it doesn't hurt to move anything that is used in an include (everything, except your index.php, articles.php -- which are web facing files).

  7. #7
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    Okay, assume you have an index.php, that "includes" the database connection file.

    Your index.php would have the following:
    PHP Code:
    define('ACCEPTABLE'true); 
    Your database connection file would have (should be at the top of the file):
    PHP Code:
    if (!is_defined('ACCEPTABLE')) exit; 
    Since index.php has defined ACCEPTABLE, the include for database_connection will complete.

    If you had another page, let's call it article.php, that DOES NOT define the ACCEPTABLE constant and tries to include the database connection file, the database connection file will exist at the IF check and not load the entire file (so the database connection won't be available to article.php.
    Okay, I get what you were saying, but I'm still not following how this makes things more secure?

    It almost sounds like you are trying to handle a scenario where a hacker uploaded their own file or something?

    Can you please explain the overall logic of this more?


    Quote Originally Posted by cpradio View Post
    Second part:
    I'm not sure what WEB_ROOT is used for
    It is what it says it is.

    It is a constant that defines where my Web Root is on either my local dev environment or on my production environment. (I usually prepend that to relative paths so things point to "one source of truth".


    Quote Originally Posted by cpradio View Post
    but you'd only "have" to move your database connection file outside of your httpdocs, although it doesn't hurt to move anything that is used in an include (everything, except your index.php, articles.php -- which are web facing files).
    Right, and that is what I showed in my last post...

    Currently, GoDaddy defines your VPS WEb Root like this...

    Code:
    	define('WEB_ROOT', '/var/www/vhosts/MySite.com/httpdocs/');

    I asked if something like this is what you meant...
    Code:
    	// Physical Location (aka Document Root)
    	define('WEB_ROOT', '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/');

    Sincerely,


    Debbie

  8. #8
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Okay, I get what you were saying, but I'm still not following how this makes things more secure?

    It almost sounds like you are trying to handle a scenario where a hacker uploaded their own file or something?

    Can you please explain the overall logic of this more?
    Yes, it is to prevent a scenario where someone uploads a file and tries to include your database connection file (or directly access it via HTTP). Granted I'm not a huge fan of this technique myself, primarily because it isn't nearly as protective as the other technique.

    Quote Originally Posted by DoubleDee View Post
    I asked if something like this is what you meant...
    Code:
    	// Physical Location (aka Document Root)
    	define('WEB_ROOT', '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/');
    Yes, assuming httpdocs is the external facing directory inside MySite.com and MySite.com is not the external facing folder itself (so files inside MySite.com but not inside httpdocs are not accessible via http://MySite.com/.

  9. #9
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,253
    Mentioned
    196 Post(s)
    Tagged
    2 Thread(s)
    PHP files are text files.

    So generally if someone tries to go to "http://your-domain.com/secret-database-info.php" they wouldn't see the code (just output if any.).
    But if for some reason the PHP engine fails to run the file, they'll see the text in all it's glory.

    That most likely won't happen, but if "secret-database-info.php" is outside of the root, your site's script can get it but a direct HTTP request for it is impossible.

    The use of "DEFINE("my-sites-file", TRUE)" is often used so that a direct HTTP request for a "secret-database-info.php" file that is under the root will exit. And for the most part this is secure, but having the file outside of the root is more secure.

  10. #10
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    Quote Originally Posted by doubledee
    I asked if something like this is what you meant...
    Code:
    	// Physical Location (aka Document Root)
    	define('WEB_ROOT', '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/');

    Yes, assuming httpdocs is the external facing directory inside MySite.com and MySite.com is not the external facing folder itself (so files inside MySite.com but not inside httpdocs are not accessible via http://MySite.com/.

    I have to re-check with GoDaddy, but I am 90% certain that MySite.com/ is my VPS's directory and that anything inside of it is NOT outward facing. And that you have to have files *inside* of MySite.com/httpdocs/ for them to be outward facing.

    Sincerely,


    Debbie

  11. #11
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    I have to re-check with GoDaddy, but I am 90% certain that MySite.com/ is my VPS's directory and that anything inside of it is NOT outward facing. And that you have to have files *inside* of MySite.com/httpdocs/ for them to be outward facing.
    Sounds like you got a good handle on this now, so I think you'll be able to implement it just fine

  12. #12
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Mittineague View Post
    PHP files are text files.

    So generally if someone tries to go to "http://your-domain.com/secret-database-info.php" they wouldn't see the code (just output if any.).
    But if for some reason the PHP engine fails to run the file, they'll see the text in all it's glory.

    That most likely won't happen, but if "secret-database-info.php" is outside of the root, your site's script can get it but a direct HTTP request for it is impossible.
    Okay.


    Quote Originally Posted by Mittineague View Post
    The use of "DEFINE("my-sites-file", TRUE)" is often used so that a direct HTTP request for a "secret-database-info.php" file that is under the root will exit. And for the most part this is secure, but having the file outside of the root is more secure.
    Let me see if I understand what you and CPRadio were talking about...

    First, Mittineague, if my "database_settings.php" file was in the Web Root, would this code help to prevent it from displaying the actuals settings if some tried to load "www.MySite.com/database_settings.php"...

    configuration/config.php
    PHP Code:
    define('LOAD_FILE'TRUE); 
    database_settings.php
    PHP Code:
    if !(LOAD_FILE){
        exit();



    And as far as what CPRadio suggested, would this code work...

    configuration/config.php
    PHP Code:
    define('LOAD_DB_SETTINGS'TRUE); 

    display_member_listing.php
    PHP Code:
    if !(LOAD_DB_SETTINGS){
        exit();


    (I guess I didn't quite get the need for is_defined...)

    Sincerely,


    Debbie

  13. #13
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,253
    Mentioned
    196 Post(s)
    Tagged
    2 Thread(s)
    Except for having different CONSTANT names, those code examples look the same.

    The idea is that in files you want to not be able to be HTTP requested directly, you put the check to see if the CONSTANT has been defined else exit.

    In files that you want to be able to access the "sensitive" file you define the CONSTANT.

    Speaking of is_defined, it's a good idea to wrap your define in if(!is_defined) as trying to define something that already has been can cause errors.

  14. #14
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    If I move "database_settings.php" from here...
    Code:
    	/var/www/vhosts/MySite.com/httpdocs/configuration/');
    To outside of the Web Root here...
    Code:
    	/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/
    ...then you guys are saying that is safer because hackers won't be able to access or display the file via HTTP, right?


    If that is the case, then don't I have to be worried about my config.php file which contains this...
    Code:
    	define('ENVIRONMENT', 'development');
    
    	// Physical Location (aka Document Root)
    	define('WEB_ROOT', ENVIRONMENT === 'development'
    			? '/Users/user1/Documents/DEV/++htdocs/06_Debbie/'
    			: '/var/www/vhosts/MySite.com/httpdocs/');
    
    	// Virtual Location
    	define('BASE_URL', ENVIRONMENT === 'development'
    			? 'http://local.debbie'
    			: 'http://www.MySite.com');

    Isn't that "sensitive" information too??

    Sincerely,


    Debbie

  15. #15
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    That's really a question you have to answer. Think of it this way: "If someone got a hold of this, would I care? Would it give them some knowledge about my system that I don't want them to know?" If you answer yes, then you need to protect it the best you can, otherwise, leave it be.

  16. #16
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    That's really a question you have to answer. Think of it this way: "If someone got a hold of this, would I care? Would it give them some knowledge about my system that I don't want them to know?" If you answer yes, then you need to protect it the best you can, otherwise, leave it be.
    If my config.php in inside my Web Root and it got exposed, then hackers would know the location of my "secure_directory_outside_web_root".

    And if they knew where that directory was, then wouldn't that make it easy to hack into that folder, thus threatening the new location of my database_settings.php file??

    That is my concern...

    Sincerely,


    Debbie

  17. #17
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    If my config.php in inside my Web Root and it got exposed, then hackers would know the location of my "secure_directory_outside_web_root".

    And if they knew where that directory was, then wouldn't that make it easy to hack into that folder, thus threatening the new location of my database_settings.php file??

    That is my concern...

    Sincerely,


    Debbie
    That sounds like a very valid concern to me. So protecting that information sounds like a good plan

  18. #18
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    That sounds like a very valid concern to me. So protecting that information sounds like a good plan
    You're a big help sometimes!!


    Debbie

  19. #19
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    To me, the logic is kind of "circular"...

    I need to place my Database Settings in a not_in_web_root_directory for security, but...

    I need a Config file to define where my not_in_web_root_directory is at, and...

    If I place the Config file in the not_in_web_root_directory location, then my scripts in the Web Root can't see it to know where my Database Settings are at?!

    Crazy!!!


    Debbie

  20. #20
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    If I place the Config file in the not_in_web_root_directory location, then my scripts in the Web Root can't see it to know where my Database Settings are at?!
    Your scripts should be able to locate it and use it (via an absolute path, /home/user/MySite.com/mysecretfolder/config.php). It won't be accessible via HTTP requests though, which is a good thing.

  21. #21
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    Your scripts should be able to locate it and use it (via an absolute path, /home/user/MySite.com/mysecretfolder/config.php). It won't be accessible via HTTP requests though, which is a good thing.
    Earlier we agreed that if you can see "config.php" (inside Web Root) - which points to "database_settings.php" (outside the Web Root) then that sorta defeats the purpose.

    Now you are implying that if I move "config.php" to outside the Web Root, but point to it from all of my scripts that would help.

    But you are still leaving a trail to my "database_settings.php" file!!

    As I see it, for this to work, I need a way to hide the details of where "config.php" and "database_settings.php" are located to calling scripts, otherwise nothing is being accomplished that I don't already have. (Although I get that at least you can't easily surf there via HTTP.)

    Follow me?


    Debbie

  22. #22
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    But you are still leaving a trail to my "database_settings.php" file!!

    As I see it, for this to work, I need a way to hide the details of where "config.php" and "database_settings.php" are located to calling scripts, otherwise nothing is being accomplished that I don't already have. (Although I get that at least you can't easily surf there via HTTP.)

    Follow me?
    The only way an attacker would know the trail is if they already had access to your system via FTP, SSH, or something similar. At that point, you are screwed no matter what, as they already have physical access.

    There would be no way for them to get the location of your files without one of the following:
    1) A way to upload a script and execute it
    2) Physical Access

    Since the path would be hard coded (not part of a variable), they couldn't use an include/require command to get access to the variable to see where the files are located. They'd have to use one of the above techniques to get to it, and if they did that, they could do FAR worse to you than get the path of a few files.

  23. #23
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    The only way an attacker would know the trail is if they already had access to your system via FTP, SSH, or something similar. At that point, you are screwed no matter what, as they already have physical access.

    There would be no way for them to get the location of your files without one of the following:
    1) A way to upload a script and execute it
    2) Physical Access

    Since the path would be hard coded (not part of a variable), they couldn't use an include/require command to get access to the variable to see where the files are located. They'd have to use one of the above techniques to get to it, and if they did that, they could do FAR worse to you than get the path of a few files.
    I get SOOOO WORRIED about security on my website...

    (According to a tech I was chatting with last night at GoDaddy, it *is* possible for a hacker to "jump the shark" and get into directories above the Web Root. And I'm convinced that the NSA and the Chinese can do ANYTHING!!!)


    --------
    So you are saying that if I hard-code an Include like this...

    Code:
    	require_once('/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/database_settings.php');
    ...in each of my scripts, then there is no practical way for a hacker to SEE that path or to FOLLOW that path by "traditional" hacking via HTTP, right??


    I guess I come back to the circular logic that started all of this...

    Quote Originally Posted by Mittineague View Post
    PHP files are text files.

    So generally if someone tries to go to "http://your-domain.com/secret-database-info.php" they wouldn't see the code (just output if any.).
    But if for some reason the PHP engine fails to run the file, they'll see the text in all it's glory.

    That most likely won't happen, but if "secret-database-info.php" is outside of the root, your site's script can get it but a direct HTTP request for it is impossible.

    Based on that, let's say I have "index.php" with my Include noted above.

    And let's ay that PHP pukes, and exposes all of the file's content out in plain site. (As Mittineague said, unlikely, but possible.)

    So now the hacker knows that I have "the goods" located here...
    Code:
    	require_once('/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/database_settings.php');

    So, while I protected the "database_settings.php" file itself, I still somewhat exposed it, because I didn't protect its location in any scripts including it...

    Now that the hacker knows the new location of "database_settings.php", they can start trying to hack into that directory outside of my Web Root.

    Would that be hard to do? Probably.

    But according to the guy at GoDaddy last night, it is possible.


    -------
    I guess what I am trying to figure out, is this...

    Is there a way to move *sensitive* files OUTSIDE of the Web Root, give them a "name" or "pointer" that all scripts in the Web Root can see, but which do not *expose* where the sensitive files are located? (Almost like a one-way mirror!!)

    Follow me?


    -----
    In another thread of mine, people were saying that PHP Constants are "global", but I don't think that is true since you have to Include them in order for them to be seen.

    It would be nice if *outside* the Web Root I could do this...

    DATABASE_SETTINGS = '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/database_settings.php';


    And then in any script, just say...
    Code:
    	require_once(DATABASE_SETTINGS);

    That way, when some script says the "magic word", the PHP gods from above know to link the file from above the Web Root to the script in the Web Root, but anyone who get's access to the script's contents would only see the obscure reference to...
    Code:
    	require_once(DATABASE_SETTINGS);

    Follow my line of thinking?


    Off Topic:

    I know most people don't care or think I'm paranoid, but I'm telling you that hackers in 2013 have taken the game to a WHOLE NEW LEVEL, and what was sufficient 5 years ago just doesn't cut it today!!

    And *if* I am ever going to finish this website and get it online, and let thousands of innocent people trust their sensitive info with my website and database, then I want to go above and beyond the call of duty and really go out of my way to protect people's info!!!

    Like everything out there, I am sure there are better solutions, it is just a real challenge to try and out-fox modern day hackers?!



    So, sorry for wanting the world, but I just see so many websites fail these days, and I don't want to take any shortcuts and then later jeopardize my customers' data...

    To date, it has been my experience that if I try hard enough, I have always been able to find solutions that are rock-solid and that keep things safe.

    But on this thread, I obviously need some help!!

    Sincerely,


    Debbie

  24. #24
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,234
    Mentioned
    154 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    I get SOOOO WORRIED about security on my website...
    Keep it offline? If it isn't ever online, it can't be hacked right? (yes, this is a joke)

    Quote Originally Posted by DoubleDee View Post
    (According to a tech I was chatting with last night at GoDaddy, it *is* possible for a hacker to "jump the shark" and get into directories above the Web Root. And I'm convinced that the NSA and the Chinese can do ANYTHING!!!)
    Yes, that is called a directory traversal attack. In short, consider the following code (which is INSECURE - DON'T USE IT)
    HTTP request sent: test.php?path=../../../
    PHP Code:
    $path $_GET['path'];
    require_once(
    "$path/myfile.php"); 
    Or with register globals enabled: (file named test.php -- HTTP request sent test.php?path=../../)
    PHP Code:
    require_once("$path/myfile.php"); 
    Quote Originally Posted by DoubleDee View Post
    So you are saying that if I hard-code an Include like this...

    Code:
    	require_once('/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/database_settings.php');
    ...in each of my scripts, then there is no practical way for a hacker to SEE that path or to FOLLOW that path by "traditional" hacking via HTTP??
    Without being able to upload a script an execute it on your server, or physical access, yes that is what I'm saying. At least, I don't know of a way.

    Quote Originally Posted by DoubleDee View Post
    Nothing personal, but it just seems like there should be a better way.
    All ways to improve it, usually involve putting the path in a variable, that variable then becomes accessible and thus a point of risk. If you want to do that, that's fine (as the person will have to guess the variable name), but if you truly wanted to limit your risk, hard code it.

  25. #25
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,931
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    cpradio,

    You're too fast for me today!

    I was still editing...

    What about my "pointer" idea?

    Sincerely,


    Debbie


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •