PHP/MySQL web site security

I’m looking for some guidance and opinions about security.

I’m developing a web site with PHP/MySQL that contains a password-protected client section. Clients log in with a user name and password. After login, they are directed to a dynamically-created page that lists their projects. When they click on their project, they are directed to a dynamically-created page that lists the documents associated with that project. The documents are hyperlinks to the actual documents which they can view or download.

Thanks to many of you I have all of that working as needed. (Thank you, thank you, thank you!!!)

But I keep thinking about security. I’ve tried to and I hope that I’ve covered all possible bases, but I’m not sure.

The folder structure on the hosting server is such that there is nothing above the root folder unlike others where the web site is in the public html folder and there are places to “hide” things such as uploaded files and mysql_connect.

The way the site is set up, under the root folder is an admin folder with an uploads folder directly under it. This is the final resting place for documents uploaded by the web site owner (not the clients or casual site users). The admin folder also contains all the scripts for the web site owner to add a client, add a project, or add a document (including upload), or view current data. In order to access these other admin files, you log in and sessions are used to verify your access. However, I’m not sure how to keep unwanted users away from the documents that were uploaded. I can password protect the directory but that does two undesirable things: adds another login screen for the authorized users and, worse yet, makes the uploads unavailable to the clients on their page.

I’ve added an index.php page that redirects users to a 404 error page for those who might try to access a directory listing of documents in the folder. After that, I’m stumped about what to do. I know that sometimes you need to make concessions; that your web site isn’t either secure or not secure, but rather more secure or less secure. I just want to make sure I’m coming down on the side of more secure rather than less secure!

My mysql_connect.php is a php file, so I guess that’s as secure as it can be while within the root directory tree.

I would really appreciate your thoughts on any way to better secure the uploads directory.

Thanks in advance for your help.
Cheers!

The site is hosted with a hosting service that runs PHP 4.3.11 and MySQL 4.1.14.

First step towards security - use the latest stable releases of PHP and MySQL. Is there some specific reason why you are using these ancient versions?

The company providing the web hosting doesn’t seem to agree with you. Wish they did!!! :rolleyes:

I would seriously consider looking for hosting elsewhere.

This. If they aren’t running PHP 5.2+ and MySQL 5.1+, they are not reputable and you have to run the other way.

Can I post their name here? Not sure. Please delete this if I’m not supposed to.

It’s Yahoo! They’re cheap (only $6.95/month) so my client loves them.

Jeez, it’s true! They don’t even allow .htaccess, according to a few search results.

Yet another reason why Yahoo is dying :smiley: :smiley:

I’d recommend Amazon EC2 if the site gets medium-large traffic ($100/month will suit a small site), or Lunarpages if the client is a cheapskate.

Key word being cheap, not inexpensive. :x

You will have to try and get the client to understand that the hosting provider is not running the most up-to-date (or even close) versions, and there are some potential security issues. They seriously need to consider using some one better and probably a little more expensive.

Any suggestions on what can be done given what I have to work with?

I will discuss this with the client, of course, but I’m not sure how far I’ll get.

If you have .htaccess, then you can use mod_rewrite to seamlessly block direct requests and yet check the session when a document is requested. However, I am presuming that you don’t even have that.

However, you can still redirect all requests to your own script for documents. For example:
http://example.com/document.php?id=id_of_doc
And then you can check sessions as usual. Send the right headers with header() (namely Content-Type and Content-Length at minimum, as well as a Content-Disposition header to send a reasonable filename) and use readfile() (http://php.net/readfile) to output the file.

Since everything is web-accessible, if you want to protect yourself further, you can name all documents with a .php extension and then add in

<?php
__halt_compiler();

at the very beginning of all files. Strip that out when you read the file. See the __halt_compiler docs.

Give surpasshosting.com a try. They keep things up-to-date and they’re in the same price range for shared hosting.

I would really appreciate your thoughts on any way to better secure the uploads directory.

Start by searching this forum for the keyword download, or even content-disposition.
You can use PHP to send any file to the client, so any access rights can be checked and files can be stored below the document root.
The popular photo gallery suite, Menalto Gallery, dares to store even the original unresized pictures this way.

Your approach with index.php is just silly

Thanks. I did search the forum but not using those keywords. Makes sense, I just didn’t think of it.

It’s something I learned way back when and I’ve just kept doing. It wasn’t really intended to keep anyone out, just to keep people from “easily” viewing a directory of the contents. Is that silly? Is there a better way to do that? (I hope that doesn’t sound sarcastic–it’s not meant to be. I’m really trying to learn the “right” way to do things)

Thanks for your input. As always, I really appreciate it.

No, if you just want to keep people from “easily” viewing a directory of the contents, it’s OK.
It’s silly from the PHP/MySQL web site security point of view.

I’ve seen a lot of hosting companies that provide PHP 5.3+ for around $5; search and see, you can find a ton.

But I don’t know any specific company to recommend. Consider virtual server plans; these days a lot of companies are offering cloud server plans cheaply.

Unfortunately, no.

Can you explain that a bit please? Sorry, I’m not getting it.

Thanks for taking the time to reply to my post. I appreciate it.

Well, say you have a file called highly_important_stuff.doc.

Then rather than linking to

http://example.com/documents/highly_important_stuff.doc

you could link to

http://example.com/document.php?file=highly_important_stuff.doc

Thus, $_GET['file'] will equal "highly_important_stuff.doc". Now, you can check the session as usual, and then send the file’s contents via your own script.
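The gateway script described in the two posts above (document.php checking the session, sending Content-Type, Content-Length and Content-Disposition, and stripping the `__halt_compiler()` prefix), written out as an added example; it is not code from anyone in the thread. It assumes a `documents` table with columns id, client_id, filename and mime_type, that login stores the client’s id in `$_SESSION['client_id']`, and placeholder database credentials. It takes a numeric id rather than a file name so the visitor never gets to name a path, and it ties the lookup to the logged-in client.

```php
<?php
// document.php: session-checked download gateway (added example, not from the
// thread). Assumed schema: table `documents` (id, client_id, filename, mime_type);
// login sets $_SESSION['client_id']. Uses the PHP 4 era APIs the thread's
// hosting still provides.
session_start();
if (empty($_SESSION['client_id'])) {
    header('HTTP/1.0 403 Forbidden');
    exit('Please log in.');
}

// Accept only a numeric id; the visitor never names a path.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// Look the document up by id AND by the logged-in client, so one client
// cannot fetch another client's file by guessing ids.
$link = mysql_connect('localhost', 'dbuser', 'dbpass'); // placeholder credentials
mysql_select_db('site', $link);
$sql = sprintf('SELECT filename, mime_type FROM documents WHERE id = %d AND client_id = %d',
               $id, (int) $_SESSION['client_id']);
$res = mysql_query($sql, $link);
$row = $res ? mysql_fetch_assoc($res) : false;

// basename() drops any directory part, so even a bad database value cannot
// reach outside the uploads folder.
$name = $row ? basename($row['filename']) : '';
$path = dirname(__FILE__) . '/admin/uploads/' . $name;
if ($name === '' || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such document.');
}

// Files stored with the "<?php __halt_compiler();" prefix from the earlier post
// are never served raw by the web server; strip that prefix here. It must match
// byte for byte what the upload script wrote.
$prefix = "<?php\n__halt_compiler();\n";
$fp   = fopen($path, 'rb');
$size = filesize($path);
if (fread($fp, strlen($prefix)) === $prefix) {
    $size -= strlen($prefix);   // stream starts just after the prefix
} else {
    rewind($fp);                // plain file, send it whole
}

$download = preg_replace('/\.php$/', '', str_replace('"', '', $name)); // hide the .php suffix
header('Content-Type: ' . $row['mime_type']);
header('Content-Length: ' . $size);
header('Content-Disposition: attachment; filename="' . $download . '"');
fpassthru($fp);                 // send the remainder of the file unchanged
fclose($fp);
```

Because the file is streamed with fpassthru() from the current offset, large documents are not loaded into memory, and a file missing the prefix is still sent correctly.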