  1. #1
    SitePoint Member

    PHP site security

    Hi!

    I'm developing a small script to put on a web site on a UNIX server. I know that there are some pieces of software that are able to download an entire website into your local disk and therefore, I would like to know how can I prevent this from happening to my website? I'm not interested in having other people snooping around my php script.

    Thanks!

  2. #2
    Tarh (Grumpy Minimalist)
    A visitor to your site cannot see your PHP code, only the HTML that it outputs.

  3. #3
    SitePoint Member
    Quote Originally Posted by Tarh
    A visitor to your site cannot see your PHP code, only the HTML that it outputs.

    Yes, I know a visitor can only see my HTML code, but my concern is with the type of software that is able to download a site. I know that there are some security considerations we must apply to avoid these situations. Any ideas?

  4. #4
    Tarh (Grumpy Minimalist)
    The software that you are referring to downloads all HTML pages and images on your website and stores them on the user's computer.

    There's no way to stop this; as far as your website is concerned, it's just a visitor viewing your pages.

    You could probably find some kind of system that locks out users based on request timing, but this would typically lock out normal visitors as well. Not to mention, it could be easily bypassed by adding a delay to the site downloading software.

  5. #5
    Mittineague (Programming Team)

    permissions

    AFAIK unless you allow FTP of your source files, setting the folder and file permissions to only what is necessary should make your script files safe from being downloaded.

  6. #6
    SitePoint Member
    Quote Originally Posted by Mittineague
    AFAIK unless you allow FTP of your source files, setting the folder and file permissions to only what is necessary should make your script files safe from being downloaded.

    Let's say I only want to give enough access to the files in order for the users to use them. What access should I give? (I am a complete lamer in Unix, I'm afraid.)

  7. #7
    Jake Arkinstall (Theoretical Physics Student)
    Don't worry about it - the programs can't download any of your code unless you have a seriously insecure download page.

    If PHP wasn't secure, I wouldn't be writing it
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona

  8. #8
    Mittineague (Programming Team)

    permissions

    There are 3 things to set permissions on
    • User
    • Group
    • World
    and 3 levels
    • Read
    • Write
    • Execute

    There are better definitions, but in my own words AFAIK the User is the server, the Group is others on the server outside of the root, and the World is the web. Read means the file can be requested (getting its output), Write means the file can be written to, and Execute means the file can be run.
    Generally the User settings can be more liberal, as only your own files should be using your own files. Just the same, it is wise not to have them have all User permissions unless they need them, e.g. you may not want a config file to be over-written. I usually treat Group the same as World as I am on a shared host, not a network of other "qualified" individuals.
    If you don't want the World to do something with a folder or file, don't give it the permission, e.g. I strongly suggest that you not give World Write and Execute permission unless you really want them to be able to upload and run code on your server.
    Other than reading up on it, you can experiment with a test folder / file to get a feel for things.

    Another thing you should do to help with security is to handle script errors. Once you're done developing a script you don't need others to see error message information.
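The user/group/world and read/write/execute model described in the post above, worked through as an added example (this is not code from the thread or from any of its posters): a POSIX shell script that builds a throwaway web root with deliberately sloppy permissions, applies least-privilege modes (755 on directories, 644 on files, 444 on the config file so it cannot be overwritten by accident), and counts how many entries still carry the world-write bit. It assumes a POSIX sh with `find`, `chmod` and `mktemp`; every path, file name and placeholder value in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: construct a sample PHP web root,
# apply the least-privilege permissions the post describes, and audit the
# tree for world-writable entries. Assumes POSIX sh with find, chmod and
# mktemp; all paths and contents below are constructed for the demo.
set -eu

# Construct a sample web root the way a careless upload might leave it:
# a world-writable uploads directory and a world-writable config file.
make_sample_root() {
    root=$(mktemp -d)
    mkdir "$root/uploads"
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php $db_pass = "PLACEHOLDER";\n' > "$root/config.php"
    : > "$root/uploads/image.png"
    chmod 755 "$root"                                     # owner rwx, group/world r-x
    chmod 644 "$root/index.php" "$root/uploads/image.png" # owner rw, everyone else r
    chmod 777 "$root/uploads"                             # sloppy: World can write here
    chmod 666 "$root/config.php"                          # sloppy: World can overwrite secrets
    printf '%s\n' "$root"
}

# Count entries whose mode includes the world-write bit (octal 002).
# A clean tree returns 0.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Exit 0 when PATH has exactly the permission bits MODE (octal), e.g. 444.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Apply the post's advice: directories 755 (World may enter and list them
# but not write), files 644 (World may read, only the owner may write), and
# the config file 444 so that even the owner cannot overwrite it by accident.
# The uploads directory keeps owner write via 755, so a server running as
# the owner can still store files there, but loses the World write bit.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 444 "$1/config.php"
}

# Usage: r=$(make_sample_root); harden_webroot "$r"; count_world_writable "$r"
```

Run `count_world_writable` against a real document root before and after changing modes to see the effect of each `chmod`; the exact-mode helper `mode_is` is the same check `ls -l` shows, just in a form a script can test.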
