>PHP: Seguridad

add a note User Contributed Notes
Seguridad

djjokla AT gmail dot com
21-Apr-2006 08:22


If a single file has to be included than I use the following



http://indices.com.es/index.html ( where the file is gonna be included )

___________

<?php

    define('thefooter', TRUE);

    include('folder/footer.inc.php');

?>



and the footer file (for example) looks this way then



footer.inc.php ( the file to be inluded )

___________

<?php

    defined('thefooter') or die('Not with me my friend');

    echo('Copyright to me in the year 2000');

?>



So when someone tries to access the footer.php file directly he/she/it will get the "Not with me my friend" messages written on the screen. An alternative option is to redirect the person who wants to access the file directly to a different location, so instead of the above code you would have to write the following in the footer.inc.php file.



<?php

    defined('thefooter') or header('Location: http://www.location.com');

    echo('Copyright to me in the year 2000');

?>



In normal case a redirection to an external site would be annoying to the visitor, but since this visitor is more interested in hacking the site than in reading the content, I think it's only fair to create such an redirection. We dont' realy want someome like this on our sites.



For the file protection I use .htaccess in which I say to protect the file itself and every .inc file



<Files ~ "^.*\.([Hh][Tt]|[Ii][Nn][Cc])">

Order allow,deny

Deny from all

Satisfy All

</Files>



The .htaccess file should result an Error 403 if someone tries to access the files directly. If for some reason this shouldn't work, then the "Not with me my friend" text apears or a redirection (depending what is used)



In my eyes this looks o.k. and safe.

webmaster ätt christophdum ddott com
16-Dec-2005 04:30


that's cool, but i use this code right here:



<?if(!defined('IN_SCRIPT')){header('HTTP/1.0 404 not found');exit;}?>



adding a 404 header will not give the user any clue that the include-file even exists !!!



i also protect the whole include-directory with a .htaccess file that says: "Deny from all"



so i guess that's pretty secure

Thomas "Balu" Walter
16-Oct-2005 01:24


Since many users can not modify apache configurations or use htaccess files, the best way to avoid unwanted access to include files would be a line at the beginning of the include-file:



<?php if (!defined('APPLICATION')) exit; ?>



And in all files that are allowed to be called externally:



<?php define('APPLICATION', true); ?>



     Balu

nick dot hristov at gmail dot com
02-Sep-2004 08:21


A correction to previous post by Dave Mink.



<Files ~ "\.inc$">

   Order allow,deny

   Deny from all

   Satisfy All

</Files>



Will not stop something like

http://www.yourserver.com/includefile.inc?pointlessvar=blahblah



Here is something more sophisticated for this task:



<Location ~ "/[^ ](?=\.inc(\?[^ ]*)?)/">

    Options None

    Order Allow, Deny

    Deny from All

    AllowOverride None

    Satisfy All

</Location>



Also, consider placing in your httpd.conf



<Location ~ "/[^ ](?=\.phps(\?[^ ]*)?)/">

    Options None

    Order Allow, Deny

    Deny from All

    AllowOverride None

    Satisfy All

</Location>

ocrow at simplexity dot net
02-Jul-2003 05:16


If your PHP pages include() or require() files that live within the web server document root, for example library files in the same directory as the PHP pages, you must account for the possibility that attackers may call those library files directly.  



Any program level code in the library files (ie code not part of function definitions) will be directly executable by the caller outside of the scope of the intended calling sequence.  An attacker may be able to leverage this ability to cause unintended effects.



The most robust way to guard against this possibility is to prevent your webserver from calling the library scripts directly, either by moving them out of the document root, or by putting them in a folder configured to refuse web server access. With Apache for example, create a .htaccess file in the library script folder with these directives:



Order Allow,Deny

Deny from any

annonymous at domain dot com
27-Jun-2003 06:08


best bet is to build php as cgi, run under suexec, with chroot jailed users. Not the best, but fairly unobtrusive, provides several levels of checkpoints, and has only the detriment of being, well, kinda slow. 8)

ManifoldNick at columbus dot rr dot com
29-Apr-2003 10:30


Remember that security risks often don't involve months of prep work or backdoors or whatever else you saw on Swordfish ;) In fact one of the bigges newbie mistakes is not removing "<" from user input (especially when using message boards) so in theory a user could secerely mess up a page or even have your server run php scripts which would allow them to wreak havoc on your site.

25-Feb-2003 04:00


For real security you should consider providing chrooted jail's for your users.

add a note

MANUAL DE PHP

windsurf mercedes camper

IV. Seguridad