  1. #1
    SitePoint Member
    Yesterday, I was reading Kevin Yank's internet browser tip in the SitePoint.com newsletter #12 about how to view source code. Kevin stated ...

    <quote>
    By typing "view-source:" followed by a normal URL, you can instruct your browser to display the code for the specified file instead of loading it into the browser window!
    </quote>

    He also gives the example --
    view-source:http://www.sitepoint.com/styles.php

    My concerns about security are the MySQL database 'config' files that contain the database name and database password. It appears that these files can be viewed directly with this method if you know what the name might be.

    I invite comments regarding this issue or experience in this area. I'm concerned about hackers .
    trmweb

  2. #2
    Serial Publisher silver trophy aspen's Avatar
    PHP is a server side scripting language. The client side never ever sees it unless it's contained in an HTML file. Well, perhaps a rare fluke could happen, but it's not likely.

    So to make sure your included files are secure, give them .php extensions and make sure their content is enclosed by <? ?>, and that's all you need to do.
    Chris Beasley - I publish content and ecommerce sites.
    Featured Article: Free Comprehensive SEO Guide
    My Guide to Building a Successful Website
    My Blog|My Webmaster Forums

  3. #3
    SitePoint Member
    Thanks for the quick reply!

    My concern is with the .inc files that are part of some of the MySQL/PHP setup source code. I tried this 'view-source:' and was able to view the sql setup info ... including the password!

    Maybe putting the <? ?> in the .inc will correct the problem. I'll try it.

    Thanks again.
    trmweb

  4. #4
    SitePoint Member
    I tried it with the <? ?> and <?php ?> and I was still able to view the source code. It appears to be the extension .php or .php3 or .phtml that makes the difference.

    I wonder if .asp can be viewed this way?
    trmweb

  5. #5
    chown linux:users\ /world Hartmann's Avatar
    Instead of saving them with .inc use *.inc.php

    This is so that they are parsed by the server.

  6. #6
    Serial Publisher silver trophy aspen's Avatar
    what hartmann said

    and I'll add to it.

    You can also set up your server to treat .inc files as php files - meaning the files will go through the php interpreter before they are sent anywhere.

    If you know how to do this great, if not contact your server administrator.
    Chris Beasley - I publish content and ecommerce sites.

  7. #7
    SitePoint Wizard westmich's Avatar
    Again, PHP MySQL is outside of my area, but when working with Access databases, I have always stored them above the www root level for security.

    Are MySQL databases stored on the www root? Why?
    Westmich
    Smart Web Solutions for Smart Clients
    http://www.mindscapecreative.com

  8. #8
    AdSpeed.com Son Nguyen's Avatar
    Yes, you should make an include directory to put all the important include files there and use .htaccess to fetch the include path

    About where MySQL stores its data, it's not within the document root (not even within the user's directory)
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  9. #9
    SitePoint Addict Percipient's Avatar
    View-source isn't any more or less of a security risk than just typing in http://mydomain.com/config.inc and choosing "View Source" in the appropriate menu. Try it with your own config.inc file, and see just how insecure it's been, even before you discovered view-source.

    I discovered something similar to what you did, a few days ago. I switched to a .php file, and made sure the parameters were enclosed in <?PHP ?> tags.

    For added security, the config file could also reside in a protected folder with no username and password associated with it. This would mean the file could only be accessed locally, from the server.
    Last edited by Percipient; Apr 19, 2001 at 11:33.
    Ed Rands

  10. #10
    SitePoint Enthusiast
    Have a look around here (most importantly, the user comments) :

    http://phpbuilder.com/tips/item.php?id=66

    The easiest way is to name your files something that parses, which it looks like .php does, so: config.php. And note that a server can be set up to parse any extension as PHP, even .inc and .foobar.

    Also consider putting included files outside the web root.

  11. #11
    SitePoint Member
    Thank you all!

    I'm getting both an education and an understanding of the issues involved.

    So far I understand that the issue isn't with the "view-source:" command, rather it relates to the server processing the code contained between the <% %>.

    Since I don't have access to the server, I am planning on looking into using '.htaccess' and seeing how that works, as well as creating a 'protected' folder for my include files. I like the idea of renaming the .inc to .inc.php as well.

    I sure appreciate all the good feedback. I'm impressed with this forum!

    P.S.

    Philip -- thanks for the url. I checked it out and it seems that this exact issue was addressed. Thanks!
    trmweb

  12. #12
    SitePoint Addict
    I have about 20 virtual hosts on my server and all of them have shtml files that look to a directory /includes/ which is aliased (in the srm.conf file) over to a main includes directory under the root dir.

    Alias /includes/ /usr/local/etc/httpd/htdocs/includes/

    If I change this to a directory above the root dir, I can still view all of my .inc files even if I rename them to .inc.php

    These files are just plain text that get included into all of the virtual hosts. There are some php scripts in there too that all of my VH's need to use.

    I tried to do the deny *.inc but doing so just made it so the browser can't even include them. So that won't do the trick.

    Is there any way that I can make these .inc files not readable by viewing them directly in the browser and still be able to include them into documents?

    Any ideas to sort this out are greatly appreciated.
    Jason Dulberg
    Extreme MTB
    http://extreme.nas.net
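As an added example (not configuration posted in this thread), here is an Apache fragment that puts the three fixes proposed above side by side: parsing .inc as PHP (#5, #6, #10), refusing to serve .inc over HTTP, and keeping the includes outside DocumentRoot via include_path (#8, #12). All paths are hypothetical and the directives use the Apache 1.3/2.2 syntax of the era; php_value requires mod_php.

```apache
# Added example, not from the thread. All paths are hypothetical.

# --- Weak layout: includes aliased into the web tree and served raw ---------
# Any file under DocumentRoot whose extension Apache does not hand to the PHP
# engine is sent to the browser as plain text, so a plain GET (or the
# "view-source:" trick) returns the credentials stored in config.inc.
# Alias /includes/ /usr/local/etc/httpd/htdocs/includes/

# --- Fix 1: have the PHP engine parse .inc exactly like .php ---------------
# The file is executed instead of echoed; a request for config.inc then
# returns only what the script outputs. Caveat: anything outside <?php ?>
# tags is still echoed, so every line of the config must be inside the tags.
AddType application/x-httpd-php .php .inc

# --- Fix 2: refuse to serve .inc files over HTTP at all ---------------------
# PHP's include()/require() read the file through the filesystem, not through
# an HTTP request, so this rule does not affect PHP includes. It does block
# SSI "<!--#include virtual=...-->" in .shtml pages, which mod_include
# resolves as an HTTP subrequest; that is why a blanket deny breaks them.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# --- Fix 3: keep includes outside DocumentRoot, reach them via include_path --
# /home/site/includes is never mapped to a URL, so there is nothing to deny
# and nothing to misname. Scripts then simply write: require 'config.inc.php';
<Directory /home/site/public_html>
    php_value include_path ".:/home/site/includes"
</Directory>
```

After reloading Apache, request the include's URL directly (for example with a browser or `curl -i`) and confirm the response is a 403 or an empty body rather than the file's text; that is the same check Percipient describes in #9, done before an outsider does it.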

  13. #13
    Gong!
    Rename them to .php and include them into another .php file when needed?

    Or another point of view: never, EVER keep your database's username, password and name in a directory, which is accessible directly from the web. Instead, if your main WWW root directory is public_html, place the file one level up from that and include it from there.
    HighCheats - game cheats, codes, tips and tricks for PC and various console platforms

