  1. #1
    SitePoint Enthusiast MikeTheMechanic's Avatar
    Join Date
    Nov 2009
    Location
    Oregon
    Posts
    48
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Security with Shared Hosting Account

    I am building websites for two non-profits, and they can only afford to use Shared Hosting Accounts for now.

    As such, I - as the developer - only have access to the "Web Root".

    Is it dangerous to have the following files located in the Web Root:

    - "database_connect.inc.php"
    - "website_config.inc.php"
    - ".htaccess"
    - "php.ini"

    The PHP books I have been using to learn PHP say that as long as you place configuration/database settings in a PHP file you should be okay, because even if a hacker figured out where the files were located in your Web Root, they cannot open up these files and see what is inside like you can with an HTML file.

    I have tested this concept, and it appears to be true - at least on the surface.

    I am not sure whether you can hack into the "php.ini" and ".htaccess" file?

    My books do recommend storing configuration files outside the Web Root, but that is impossible for now. (Maybe next year after new budgets have been set, I can convince these organizations to pay for a Virtual Host or even a Dedicated Server?!)

    Our ISP is GoDaddy, and they have repeatedly reassured us that "shared hosting is perfectly safe for non ecommerce sites". Then again, their techs don't seem to be the sharpest!

    Here is hoping that there is a reasonable "middle-ground" for the time being...

    Sincerely,


    Mike

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,862
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The .htaccess and php.ini have to go in every folder where you want to apply them anyway.

    You can add entries to the .htaccess to make those files inaccessible from the web.

    With the other files the .php suffix should prevent people viewing them and you can add code to them to prevent their being directly accessed.

    The other alternative is to get shared hosting that provides access outside the web root folder.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
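
One way to write the in-file protection mentioned in the reply above, as an added example that is not part of the thread. The file name follows Mike's list; the DSN, credentials and the `db_connect()` helper are placeholders assumed for illustration.

```php
<?php
// database_connect.inc.php -- added example, not code from the thread.
// The DSN, user name and password below are placeholders.

// 1. Refuse direct requests such as /database_connect.inc.php.
//    When the file is pulled in with require/include, SCRIPT_FILENAME is
//    the entry script, so the two paths differ and execution continues.
$entryScript = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;
if ($entryScript !== false && $entryScript === realpath(__FILE__)) {
    http_response_code(404);   // answer as if the file did not exist
    exit;
}

// 2. Keep the credentials inside a function so they never sit in global
//    variables that a stray var_dump() or error page could print.
function db_connect()
{
    $dsn  = 'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4';
    $user = 'EXAMPLE_USER';
    $pass = 'EXAMPLE_PASSWORD';

    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements
        ]);
    } catch (PDOException $e) {
        // Depending on PHP version and settings, an uncaught PDOException
        // can display a stack trace that includes the constructor
        // arguments. Log the message and show the visitor nothing useful.
        error_log('DB connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service temporarily unavailable.');
    }
}
```

A file that only defines functions or constants prints nothing when requested directly, so the guard matters most for include files that connect, query or emit errors as soon as they load.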

  3. #3
    SitePoint Enthusiast MikeTheMechanic's Avatar
    Quote Originally Posted by felgall View Post
    The .htaccess and php.ini have to go in every folder where you want to apply them anyway.

    You can add entries to the .htaccess to make those files inaccessible from the web.
    Do you know the exact code I would need to add to an .htaccess file to do that?

    Is there a way to better secure the local php.ini file?

    Do I need to be overly concerned that someone would indeed try to hack into either a php.ini file or an .htaccess file?


    With the other files the .php suffix should prevent people viewing them and you can add code to them to prevent their being directly accessed.

    The other alternative is to get shared hosting that provides access outside the web root folder.
    Under my limited circumstances, is placing configuration and database settings in a .php file a reasonable enough approach for now until they can afford to get a better web hosting package?

    Sincerely,


    Mike

  4. #4
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,649
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Adding ".php" to the file keeps Apache from spitting the contents back at a browser if they would, say, request "http://example.com/config.ini". It won't protect you from another malicious (or just rooted) user on your server using filesystem functions to browse your files. Now, presuming your server is properly configured (big if with most shared hosts), other users on the box shouldn't be able to escape their base directory. Anyhow, in more real terms, the big question is "what are you protecting?" If it is just a personal blog, etc, then you should be good to go presuming you have some backup strategy in place. Worst case scenario is someone defaces the site, then you can just get another host and re-upload and you'll be back in business.

  5. #5
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by MikeTheMechanic View Post
    Do you know the exact code I would need to add to an .htaccess file to do that?
    Code:
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

  6. #6
    SitePoint Enthusiast MikeTheMechanic's Avatar
    Quote Originally Posted by wwb_99 View Post
    Adding ".php" to the file keeps Apache from spitting the contents back at a browser if they would, say, request "http://example.com/config.ini".
    Okay, that I figured out this morning, but you can't use that fact to protect a php.ini file or an .htaccess file, right?


    It won't protect you from another malicious (or just rooted) user on your server using filesystem functions to browse your files. Now, presuming your server is properly configured (big if with most shared hosts), other users on the box shouldn't be able to escape their base directory.
    Is there any easy way for someone to "hop" out of their space on the shared server and look into our space?


    Anyhow, in more real terms, the big question is "what are you protecting?" If it is just a personal blog, etc, then you should be good to go presuming you have some backup strategy in place. Worst case scenario is someone defaces the site, then you can just get another host and re-upload and you'll be back in business.
    Well, besides content, they want a way for people to create online accounts/profiles. The profiles would contain sensitive information - in my book - because it might have Name, Address, Tele #, E-mail, and other personal things like Family Info, groups etc.

    The goal is for the church to have a way to recruit people for service projects and also to get sign up lists based on interests (e.g. choir, daycare, lectures, etc.).

    I would feel really bad if I didn't use good security practices and the whole congregation's members' info was compromised.

    That is why I am concerned about getting our website listed on Google and letting Web Crawlers poke around.

    Sincerely,


    Mike

  7. #7
    SitePoint Zealot My220x's Avatar
    Join Date
    Dec 2008
    Location
    United Kingdom
    Posts
    197
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The only way people would get access to your users' details is if they hacked into your database. If you're hosted with a big host like GoDaddy then it's unlikely you will get hacked unless you have rubbish passwords or your code is vulnerable to things like SQL Injection. As for people viewing your php files, well, they can't view any code unless you specifically spit it out to the browser, and it's highly unlikely they will get access to .htaccess and the such via the browser.

  8. #8
    SitePoint Enthusiast MikeTheMechanic's Avatar
    Quote Originally Posted by My220x View Post
    The only way people would get access to your users' details is if they hacked into your database.
    Well, except that the database connection info which includes the database's username and password is in a file called something like DB_Connection.php

    But it sounds like you are all saying that PHP files are fairly safe from hackers.


    If you're hosted with a big host like GoDaddy then it's unlikely you will get hacked unless you have rubbish passwords or your code is vulnerable to things like SQL Injection.
    Actually, that is the host we went with... GoDaddy. They do seem to be fairly up on things including security for a "stack it high and wide and sell it cheap" kind of ISP!!


    As for people viewing your php files, well, they can't view any code unless you specifically spit it out to the browser, and it's highly unlikely they will get access to .htaccess and the such via the browser.
    Not that I am a hacker - I swear! - but how exactly would a hacker go about getting past the web browser or whatever and peeking inside a PHP file or seeing all of the files in your Web Root?

    It sounds like the only way to do that is either by gaining access to the server itself, or somehow compromising Apache on the Web Server? But who knows?

    I ask just so I better understand where the risks are at, and I do not do anything that is blatantly dumb!

    Sincerely,


    Mike

  9. #9
    SitePoint Zealot My220x's Avatar
    Quote Originally Posted by MikeTheMechanic View Post
    Well, except that the database connection info which includes the database's username and password is in a file called something like DB_Connection.php

    But it sounds like you are all saying that PHP files are fairly safe from hackers.




    Actually, that is the host we went with... GoDaddy. They do seem to be fairly up on things including security for a "stack it high and wide and sell it cheap" kind of ISP!!




    Not that I am a hacker - I swear! - but how exactly would a hacker go about getting past the web browser or whatever and peeking inside a PHP file or seeing all of the files in your Web Root?

    It sounds like the only way to do that is either by gaining access to the server itself, or somehow compromising Apache on the Web Server? But who knows?

    I ask just so I better understand where the risks are at, and I do not do anything that is blatantly dumb!

    Sincerely,


    Mike
    I said about GoDaddy because that is who you said your host was and they are a big host so they will be up on security.

    Also if they wanted to gain access to your PHP files and see the source code then I believe they would actually need to compromise the server itself or have access to your FTP password.

  10. #10
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by My220x View Post
    Also if they wanted to gain access to your PHP files and see the source code then I believe they would actually need to compromise the server itself or have access to your FTP password.
    Or use a security hole in one of the scripts you have on your site to inject their own PHP to read the files instead of running them.

  11. #11
    SitePoint Zealot My220x's Avatar
    Quote Originally Posted by felgall View Post
    Or use a security hole in one of the scripts you have on your site to inject their own PHP to read the files instead of running them.
    Ah forgot about that.

  12. #12
    SitePoint Enthusiast MikeTheMechanic's Avatar
    Quote Originally Posted by felgall View Post
    Or use a security hole in one of the scripts you have on your site to inject their own PHP to read the files instead of running them.
    So is that hard to do?

    Is that hard to protect against?

    Sincerely,


    Mike

  13. #13
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Quote Originally Posted by MikeTheMechanic View Post
    So is that hard to do?

    Is that hard to protect against?

    Sincerely,


    Mike
    It depends on what scripts you are running on the site.

    The popular open source scripts such as WordPress occasionally have someone discover a way to break in and then a security patch for the software is released to fix it. You protect against threats like that with those sorts of script by always keeping them updated to the latest version.

    If you write your own scripts then you are responsible for applying all the necessary security measures in your own script.
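
For self-written scripts, one measure against the kind of script hole discussed in the posts above is to never build an include path from request data. The code below is an added example, not part of the thread; the `pages/` directory, the page names and the `resolve_page()` helper are hypothetical.

```php
<?php
// index.php -- added example, not code from the thread. The pages/
// directory, the page names and resolve_page() are hypothetical.

// The request picks a key from this fixed list; it never supplies a path.
const PAGES = [
    'home'    => 'home.php',
    'signup'  => 'signup.php',
    'contact' => 'contact.php',
];

/**
 * Map the raw ?page= value to an absolute file path, or return null when
 * the value is not an allowlisted key.
 */
function resolve_page($requested, $pagesDir)
{
    if ($requested === null) {
        $requested = 'home';               // default page
    }
    // Rejects arrays (?page[]=x), path strings, URLs and unknown names.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside $pagesDir
    // (realpath() also resolves a symlink planted in pages/).
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . PAGES[$requested]);
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$page = resolve_page(isset($_GET['page']) ? $_GET['page'] : null,
                     __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Page not found.');
}
require $page;
```

Because the only strings ever passed to `require` are the values written in `PAGES`, request data cannot point the script at `database_connect.inc.php`, `php.ini` or any other file in the Web Root.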

