Data above the webroot

Background: I’m developing a PHP/MySQL app where each account has its own MySQL database (an account would be for a company with multiple users, not 1 db for each user). A central ‘users’ database stores all accounts and users and points the incoming user login to their correct account db. One feature of the app is that users can upload and store files on my server.

Ok, I’ve got two concerns…

  1. I’m storing user upload files 1 level above the web-root. This is mainly to protect user’s data. I’m filtering the uploads and only allowing acceptable data types (.pdf, etc… no executables). My question here is: are there any concerns with users uploading malicious files? What could happen?

  2. My other concern is that I have a php file located above the web-root that contains the username and password for the ‘user’ db and all of the account content dbs. Even though the passwords are located outside of the web-root, I’m concerned about every account’s individual database having the same username and password located in a single file. Is this a valid concern?

Thanks for your help.


First, the answer to the unasked question: You can keep your users separate via permissions set for users only allowing access to specified tables and preferably limited to INSERT, UPDATE and DELETE actions.

A1. Of course you should be concerned about protecting user data as, with access (via a PHP script) to files outside the webspace, they can do anything with that including accessing your login script, not just others files. With no way for Apache (or PHP) to differentiate your users from you, they will have all the permissions you have.

You think PDFs are safe? What about the JS contained within the PDF files? They are security issues and have been for some time. I will only allow my clients to upload JPG or GIF images to the upload directory and move them to their website only after recreating the image anew with GD (copy image then resize) for the belief that GD will not pass along any “payload” embedded in the images.

A2. No, you should NOT use the same username and password for your users! As mentioned in response to the unasked question above, keep your db users separated by the tables they’re allowed to access (with very limited access). Anything beyond that is “professional suicide,” IMHO.

Okay, you’re thinking like a host, not a hacker. Change your hat and consider the things you could do to hack your site the way you’ve suggested configuring it. If you can think of the patches necessary to block those hacks, you’ve probably discovered 10% of the hacks good hackers can exploit so my recommendation is to GET PARANOID! You’ve taken the first step by asking your questions, now try to “break it” and see how far you get as your own “black hat” (okay, “white hat” as you don’t want to damage your computer or its files).
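The per-account database users the answer recommends, as an added example that is not part of either post. It provisions one MySQL user per account whose privileges are confined to that account's own database, writes the resulting credentials to a config file above the web root, and opens the request-time connection from that file. The admin DSN, the `/var/app/config/accounts.php` path, the `acct_<id>` naming scheme and the inclusion of `SELECT` alongside the answer's `INSERT, UPDATE, DELETE` (the app has to read its own rows) are all assumptions. Requires PHP 8 with PDO and the MySQL driver.

```php
<?php
// Added example (not the poster's or the answerer's code): one MySQL user per
// account, limited to that account's database, with credentials stored in a
// config file above the web root. Names and paths below are assumptions.

declare(strict_types=1);

// Hypothetical location: a sibling of the web root, so Apache never serves it.
const ACCOUNT_CONFIG = '/var/app/config/accounts.php';

// $admin is a connection with CREATE USER and GRANT OPTION. It belongs to the
// provisioning script only; the web-facing request path never sees it.
function provisionAccount(PDO $admin, int $accountId): array
{
    $db   = sprintf('acct_%d', $accountId);      // assumed naming scheme
    $user = sprintf('acct_%d_app', $accountId);
    $pass = bin2hex(random_bytes(32));           // distinct secret per account

    // Identifiers cannot be bound as parameters, so they are derived only
    // from the integer id above; the password literal goes through quote().
    $admin->exec(sprintf('CREATE DATABASE IF NOT EXISTS `%s`', $db));
    $admin->exec(sprintf(
        "CREATE USER `%s`@'localhost' IDENTIFIED BY %s",
        $user,
        $admin->quote($pass)
    ));
    // Row-level work on this one database only: no DROP, ALTER, FILE, GRANT,
    // and nothing on the central users database or any other account's.
    $admin->exec(sprintf(
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `%s`.* TO `%s`@'localhost'",
        $db,
        $user
    ));

    return ['db' => $db, 'user' => $user, 'pass' => $pass];
}

// Persist the whole account map as a PHP file that returns an array.
function saveAccountConfig(array $accounts): void
{
    $php = "<?php\nreturn " . var_export($accounts, true) . ";\n";
    $tmp = ACCOUNT_CONFIG . '.tmp';
    // Write to a temp file, restrict it to the web server's own user, then
    // rename so readers never see a half-written file.
    file_put_contents($tmp, $php, LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, ACCOUNT_CONFIG);
}

// Request-time lookup: the login flow resolves the account id from the
// central users database, then connects with that account's own credentials.
function connectForAccount(int $accountId): PDO
{
    $accounts = require ACCOUNT_CONFIG;
    if (!isset($accounts[$accountId])) {
        throw new RuntimeException('unknown account');
    }
    $a = $accounts[$accountId];
    return new PDO(
        "mysql:host=localhost;dbname={$a['db']};charset=utf8mb4",
        $a['user'],
        $a['pass'],
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
        ]
    );
}

// Usage from a command-line provisioning script (hypothetical admin DSN):
// $admin = new PDO('mysql:host=localhost', 'provisioner', getenv('PROVISIONER_PW'));
// $accounts = file_exists(ACCOUNT_CONFIG) ? require ACCOUNT_CONFIG : [];
// $accounts[42] = provisionAccount($admin, 42);
// saveAccountConfig($accounts);
```

With this layout a compromise of one account's application credentials reaches only that account's database, and the file holding every set of credentials is readable by the web server process alone. A practitioner would still want to check the result with `SHOW GRANTS FOR 'acct_42_app'@'localhost'` after provisioning, since a stray `GRANT ... ON *.*` is the kind of mistake that silently recreates the shared-credential problem the question describes.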
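The upload handling the answer describes (sniff the real type, re-create images with GD, keep the files above the web root and hand them out only through a script), as an added example that is not part of either post. The `/var/app/uploads` path, the size limit, the accepted-type table and the `$currentAccountId` the caller supplies from its session are assumptions. Requires PHP 8 with the GD and fileinfo extensions.

```php
<?php
// Added example (not the poster's or the answerer's code): store uploads
// above the web root under random names, re-encode images through GD, and
// serve files back only through a PHP script that checks the account.
// Paths, limits and the accepted-type table are assumptions.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/app/uploads';   // sibling of the web root, not under it
const MAX_BYTES   = 5 * 1024 * 1024;

// Real content type (from the bytes) => extension the stored copy gets.
// The client's filename and Content-Type header are never consulted.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/gif'       => 'gif',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

// $file is one entry of $_FILES; returns the stored name to keep in the DB.
function storeUpload(array $file, int $accountId): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }

    $dir = sprintf('%s/%d', UPLOAD_ROOT, $accountId);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create account directory');
    }
    // Random name: no user-controlled characters reach the filesystem.
    $dest = sprintf('%s/%s.%s', $dir, bin2hex(random_bytes(16)), ALLOWED[$mime]);

    if (str_starts_with($mime, 'image/')) {
        reencodeImage($file['tmp_name'], $dest, $mime);
        unlink($file['tmp_name']);
    } else {
        move_uploaded_file($file['tmp_name'], $dest);
    }
    chmod($dest, 0600);
    return basename($dest);
}

// Decode with GD and write a fresh file: only pixel data survives, so
// trailing bytes, comments and metadata from the original are discarded.
function reencodeImage(string $src, string $dest, string $mime): void
{
    $img = match ($mime) {
        'image/jpeg' => imagecreatefromjpeg($src),
        'image/gif'  => imagecreatefromgif($src),
        'image/png'  => imagecreatefrompng($src),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/gif'  => imagegif($img, $dest),
        'image/png'  => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('image could not be written');
    }
}

// download.php?f=<name>: the only route by which a stored file reaches a
// browser. $accountId comes from the authenticated session, never the URL.
function serveFile(string $name, int $accountId): void
{
    // Accept exactly the names storeUpload() produces; this also rules out
    // path separators and "..".
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|gif|png|pdf)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = sprintf('%s/%d/%s', UPLOAD_ROOT, $accountId, $name);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (hypothetical session lookup):
// $stored = storeUpload($_FILES['doc'], $currentAccountId);
// serveFile($_GET['f'] ?? '', $currentAccountId);
```

Two points worth noting for PDFs, which GD cannot re-create: the `attachment` disposition and `nosniff` header make the browser download rather than render the file inline, and the per-account directory plus the session-derived `$accountId` in `serveFile()` mean a user of one company cannot retrieve another company's files even if they learn a stored name.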