Earlier we agreed that if you can see “config.php” (inside Web Root) - which points to “database_settings.php” (outside the Web Root) then that sorta defeats the purpose.
Now you are implying that if I move “config.php” to outside the Web Root, but point to it from all of my scripts that would help.
But you are still leaving a trail to my “database_settings.php” file!!
As I see it, for this to work, I need a way to hide the details of where “config.php” and “database_settings.php” are located to calling scripts, otherwise nothing is being accomplished that I don’t already have. (Although I get that at least you can’t easily surf there via HTTP.)
The only way an attacker would know the trail is if they already had access to your system via FTP, SSH, or something similar. At that point, you are screwed no matter what, as they already have physical access.
There would be no way for them to get the location of your files without one of the following:
A way to upload a script and execute it
Physical Access
Since the path would be hard coded (not part of a variable), they couldn’t use an include/require command to get access to the variable to see where the files are located. They’d have to use one of the above techniques to get to it, and if they did that, they could do FAR worse to you than get the path of a few files.
(According to a tech I was chatting with last night at GoDaddy, it is possible for a hacker to “jump the shark” and get into directories above the Web Root. And I’m convinced that the NSA and the Chinese can do ANYTHING!!!)
So you are saying that if I hard-code an Include like this…
So, while I protected the “database_settings.php” file itself, I still somewhat exposed it, because I didn’t protect its location in any scripts including it…
Now that the hacker knows the new location of “database_settings.php”, they can start trying to hack into that directory outside of my Web Root.
Would that be hard to do? Probably.
But according to the guy at GoDaddy last night, it is possible.
I guess what I am trying to figure out, is this…
Is there a way to move sensitive files OUTSIDE of the Web Root, give them a “name” or “pointer” that all scripts in the Web Root can see, but which do not expose where the sensitive files are located? (Almost like a one-way mirror!!)
Follow me?
In another thread of mine, people were saying that PHP Constants are “global”, but I don’t think that is true since you have to Include them in order for them to be seen.
It would be nice if outside the Web Root I could do this…
That way, when some script says the “magic word”, the PHP gods from above know to link the file from above the Web Root to the script in the Web Root, but anyone who gets access to the script’s contents would only see the obscure reference to…
require_once(DATABASE_SETTINGS);
Follow my line of thinking?
[ot]I know most people don’t care or think I’m paranoid, but I’m telling you that hackers in 2013 have taken the game to a WHOLE NEW LEVEL, and what was sufficient 5 years ago just doesn’t cut it today!!
And if I am ever going to finish this website and get it online, and let thousands of innocent people trust their sensitive info with my website and database, then I want to go above and beyond the call of duty and really go out of my way to protect people’s info!!!
Like everything out there, I am sure there are better solutions, it is just a real challenge to try and out-fox modern day hackers?!
[/ot]
So, sorry for wanting the world, but I just see so many websites fail these days, and I don’t want to take any shortcuts and then later jeopardize my customers’ data…
To date, it has been my experience that if I try hard enough, I have always been able to find solutions that are rock-solid and that keep things safe.
Keep it offline? If it isn’t ever online, it can’t be hacked right? (yes, this is a joke)
Yes, that is called a directory traversal attack. In short, consider the following code (which is INSECURE - DON’T USE IT)
HTTP request sent: test.php?path=../../../
Or with register globals enabled: (file named test.php – HTTP request sent test.php?path=../../)
require_once("$path/myfile.php");
Without being able to upload a script and execute it on your server, or physical access, yes that is what I’m saying. At least, I don’t know of a way.
All ways to improve it usually involve putting the path in a variable; that variable then becomes accessible and thus a point of risk. If you want to do that, that’s fine (as the person will have to guess the variable name), but if you truly wanted to limit your risk, hard code it.
Yes, but if I can read your file, you’ve got bigger problems than worrying about the location of your files. Next time you have it up, I potentially know all of the SQL, XSS, and other vulnerabilities of your site (as I was shown the source code). I also know the variable to use to include your database settings, so I could simply execute a script that read the contents of DATABASE_SETTINGS and wrote it out, thus seeing what the file contains.
If you see value in that approach, use it. But if you have a file injection vulnerability, then outputting the value of DATABASE_SETTINGS is child’s play.
Moot point. In 5 more years, the hackers of today will be put to shame by the hackers of 2018. If you sit and wait for a perfect site, you’ll never publish anything, as there is no such thing (just read the news).
There is nothing wrong with wanting the world, until you get to the point of an unobtainable goal. You are at that point. You need to start moving forward. Establish procedures for resetting customer passwords (if they would get breached), etc.
5.) If a hacker was able to get access to the contents of any PHP script, I would have a larger issue at hand than just that they were able to see the path to where my Database Settings are now located outside of the Web Root, right?
is perfectly okay too, so take your pick between #3 and #4.
Yes, as they found a way in, via physical access or some sort of vulnerability in your site. You need to be focused on how they got in, so you can plug it quickly.
There are multiple ways of protecting your database, from physical access, sql injections, and limiting the security of the users who can hit it. mysql_real_escape_string is a bad answer anyway, as it dictates you continue using a deprecated feature in PHP. Instead mysqli or PDO should be used, which give you many more tools in protecting against sql injections.
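The directory traversal risk described in the replies above, as an added example that is not part of the original thread: when an include path really must depend on a request value, resolve it with `realpath()` and confirm the result still sits under the intended base directory. The function name `resolve_include()` and the directory layout are assumptions constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Resolve "$requested/myfile.php" under $baseDir, or return null if the
// canonical path escapes $baseDir (e.g. via "../") or does not exist.
function resolve_include(string $baseDir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                      // realpath() rejects NUL bytes
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $requested . '/myfile.php');
    if ($base === false || $full === false) {
        return null;                      // missing directory or file
    }
    // Compare canonical paths; the trailing separator stops "/pages-old"
    // from passing as a child of "/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed layout in the temp directory (not from the thread):
//   demo/pages/help/myfile.php   <- intended include target
//   demo/private/myfile.php      <- must never be reachable via ?path=
$demo = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir("$demo/pages/help", 0700, true);
mkdir("$demo/private", 0700, true);
file_put_contents("$demo/pages/help/myfile.php", "<?php // help page\n");
file_put_contents("$demo/private/myfile.php", "<?php // settings\n");

foreach (['help', '../private', 'help/../../private', 'missing'] as $path) {
    $resolved = resolve_include("$demo/pages", $path);
    printf("%-22s => %s\n", $path, $resolved ?? 'REJECTED');
}
```

Only `help` resolves; both `../` forms and the missing directory are rejected before any `require_once` would run.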
<?php
// Initialize Session.
session_start();
// Access Constants.
// (This would have to be adapted depending on the location of the script!!)
require_once('../SECURE_OUTSIDE_WEBROOT/config.php');
// Connect to Database.
require_once(DATABASE_SETTINGS);
// Do something with Database Connection...
config.php
// Website Environment
define('ENVIRONMENT', 'development');
// define('ENVIRONMENT', 'production');
// Physical Location (aka Document Root)
define('WEB_ROOT', ENVIRONMENT === 'development'
? '/Users/user1/Documents/DEV/++htdocs/06_Debbie/'
: '/var/www/vhosts/MySite.com/httpdocs/');
// Virtual Location
define('BASE_URL', ENVIRONMENT === 'development'
? 'http://local.debbie'
: 'http://www.MySite.com');
// Database Settings
// [COLOR="#FF0000"](Note: The THEN branch really needs to be an Absolute Path, but I'm not sure how to do that in NetBeans yet?!)[/COLOR]
define('DATABASE_SETTINGS', ENVIRONMENT === 'development'
? '../SECURE_OUTSIDE_WEBROOT/database_settings.php'
: '/var/www/vhosts/MySite.com/SECURE_OUTSIDE_WEBROOT/database_settings.php');
You’re gonna make me type all of this out, aren’t you?! (:
Okay, rewind…
Most of my problems with paths and includes and security have largely hinged on the fact that I have been unable in the past to make my NetBeans environment the same as my Production environment.
Here is some background on NetBeans…
In NetBeans, everything is based on “Projects”.
So my current endeavor is in the Project called “06_Debbie”.
In each “Project”, are two things…
Source Files (Folder??)
Include Path (???)
The “Source Files” acts as your Web Root by default and is where all of my scripts reside.
Unfortunately, there is no way in NetBeans to create a directory outside of the “Source Files” directory. And that means that I have DISPARATE environments between DEV and PRODUCTION!!
Because I am persistent as hell, I kept playing around with things until 2:00 a.m. this morning, and here is what I discovered…
I created a new Test Project called “_Test”
Option #1:
On my Hard-Drive I create a folder called “_SECURE_OUTSIDE_WEBROOT”.
Inside of it I place a dummy “database_settings.php” file.
Next in NetBeans, under “Include Path” I mapped to the file above located on my HDD.
After doing this, it appears that an Include to said location is recognized by Netbeans…
So that appears to be one way to maybe simulate having a directory outside of the Web Root in Development…
Option #2:
This one is trickier, but I sorta like it better…
In my “_Test” Project, I created the following sub-folders inside of “Source Files”…
outside_webroot
web_root
Then in NetBeans’ Preferences, I did this…
[b]Sources:[/b]
[b]Project Folder:[/b] /Users/user1/Documents/DEV/++htdocs/_Test
[b]Source Folder:[/b] /Users/user1/Documents/DEV/++htdocs/_Test
[b]Web Root:[/b] web_root [COLOR="#FF0000"](The default value was "<source folder>" but I changed it.)[/COLOR]
[b]Run Configuration:[/b]
[b]Project URL:[/b] http://local.test
[b]Index File:[/b] index.php
Then in my Virtual Host files, I mapped things so that http://local.test points to /Users/user1/Documents/DEV/++htdocs/_Test/web_root.
Doing all of this for Option #2 - which was no small feat!!! - seems to simulate what I would have in Production. That is, a Web Root directory and a directory which is outside of the Web Root.
(Not sure if either of these options is legit?!)
So on to your question, CPRadio…
If you look at the red text in my last post, you will see that if I am in DEVELOPMENT, I need a way for the constant DATABASE_SETTINGS to point to an absolute location, because otherwise, as different files in different locations reference this Constant, it wreaks havoc having a Relative Reference versus an Absolute Reference.
And I haven’t had time to figure out if I can use an Absolute Reference to the “outside_webroot” sub-directory in my “Source Files” folder in NetBeans.
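One way to get an absolute reference without an environment branch, shown as an added example that is not code from the thread: anchor every path on `__DIR__`, so a script at any depth reaches the same file. The layout reuses the `web_root` and `outside_webroot` folder names from Option #2; the scripts `index.php` and `admin/report.php` and the temp-directory location are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed layout mirroring "Option #2" above, built in the temp dir:
//   _Test/outside_webroot/{config.php, database_settings.php}
//   _Test/web_root/index.php
//   _Test/web_root/admin/report.php
$proj = sys_get_temp_dir() . '/_Test_' . getmypid();
mkdir("$proj/outside_webroot", 0700, true);
mkdir("$proj/web_root/admin", 0700, true);
file_put_contents("$proj/outside_webroot/database_settings.php",
    "<?php // constructed placeholder, no real credentials\n");

// config.php sits beside database_settings.php, so __DIR__ gives an
// absolute path in development and production with no branch.
file_put_contents("$proj/outside_webroot/config.php",
    "<?php define('DATABASE_SETTINGS', __DIR__ . '/database_settings.php');\n");

// Each script anchors its one hard-coded include on its own location.
file_put_contents("$proj/web_root/index.php",
    "<?php require_once __DIR__ . '/../outside_webroot/config.php';\n");
file_put_contents("$proj/web_root/admin/report.php",
    "<?php require_once __DIR__ . '/../../outside_webroot/config.php';\n");

// The relative form is resolved against the current working directory,
// which a web server typically sets to the directory of the script.
$relative = '../outside_webroot/database_settings.php';
foreach (['web_root/index.php', 'web_root/admin/report.php'] as $script) {
    chdir(dirname("$proj/$script"));
    require "$proj/$script";
    printf("%-26s relative: %-7s constant: %s\n", $script,
        is_file($relative) ? 'found' : 'MISSING',
        is_file(DATABASE_SETTINGS) ? 'found' : 'MISSING');
}
echo DATABASE_SETTINGS, "\n";
```

The relative path is found from `index.php` but missing from `admin/report.php`, while the `__DIR__`-based constant resolves from both.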