pulling files off other servers

Anon

I'm trying to implement password protection into a script I'm working on. It doesn't have to be anything complex or high security, and I haven't found any tutorials on how to add password protection in PHP. So my idea is to simply have a $pwd variable in a config file where the user can manually set a password.

Is this relatively secure? It's a simple script that no one would bother taking the time to password crack, but I have a question about that. Could someone create a PHP script that just says:
<?
require("http://www.server.com/config.php");
echo($pwd);
?>
where server.com is the server using my script. Would doing this and running the script from another server actually pull the file contents off and let someone see what's in it? I tried it myself, and it partially worked - require()'ing a file actually displayed the HTML in it, but wouldn't echo() a variable.

mithril

In theory, that could work if you're server's permissions are setup really badly. They couldn't get it through require("http://....");, they'd need to specfic the full path on your server like require("/var/www/apache/php_include/config.php"); That problem can be solved by denying all access to your php_includes folder from connections other than 127.0.0.1.

The file() method will however grab files via http. To prevent that, just make sure that your php_includes folder is not in your webroot. For example, if your webroot is /var/www/apache/htdocs, make your php_includes folder /var/www/apache/php_includes. The server can now still access the files it needs (with the proper changes to php.ini of course), but it can't serve the content of the include files.

All of this example has obviously assumed you're running Apache on *Nix, so you'll have to modify it to fit with other platforms or servers. If you are on Apache, look into using .htpasswrd files to protect full directories where applicable. Much more secure since the passwords are stored encrypted. Apache's manual should fill you in on that aspect. An example of password protection using HTTP Authentication can be found in the PHP Manual at:

http://www.php.net/manual/en/features.http-auth.php

HTH,

Cheers,

Geoff A. Virgo

kparker

you don't have to worry so much, because the only thing that will be delivered is the OUTPUT of the file, and a typical header won't have much other than variable and function definitions. You definitely won't get $pwd as a variable in the including script.

Anon

if variables can't be retrieved, just output, my method should be fine. what do more secure scripts use, without creating a setup hassle for the user? any good tutorials would be great

mithril

Well, depending on the size and scope of what you're trying to accomplish with the application, you're best bet is probably to store the usernames/password in a database and then authenticate login attempts against said database. Put that on an SSL connection and you should be ready to cruise. Something like:

$sql = "SELECT COUNT(*) FROM table WHERE username='" . $HTTP_POST_VARS["$username"] . "' AND password='" . $HTTP_POST_VARS["$password"] . "'";

if (is_resource(mysql_query($sql)))
// user is authenticated
else
// login failure

where $username and $password come from a form submission (POST of course) should do the trick. Substitute mysql_query with the method for your database system. Regarding tutorials, I can't think of any off the top of my head. Sorry🙂 HTH,

Cheers,

Geoff A. Virgo

mithril

Quite true, however bear in mind that if the server is misconfigured (ie. doesn't read PHP as being separate from HTML) all your PHP code will be output to the screen. It still won't show the contents of included files, but it will reveal their filenames and paths relative to the php_includes directory.

Cheers,

Geoff A. Virgo

Anon

I'm not sure I follow...the server could show PHP code output, but not the contents of the included file? does that mean it won't show the actual PHP code, just the output of it? and with certain server configurations it wouldn't show anything at all?

and what exactly do you mean by it reveals filenames?

Anon

thanks for help everyone...I don't know any SQL yet so I guess it's time to find tutorials 🙂

mithril

Ok, let's assume you've got a page called test.php and this is the code in it:

<?php

require("/common/cart/pswrd.php");

echo "This is some text<br>\n";

echo "This is some more text<br>\n";

The file pswrd.php simply contains a list of username and passwords, like in the example you used. In a properly config'ed server, the only html output will be the strings in the echo statments. Now if for some reason your server isn't config'ed to recognize the .php extension as a PHP file, the output to the screen is going to be the code block above... script tags and all.

The end user isn't going to see the contents of pswrd.php, rather they see the require() statement used to call it from the includes foder. But they now know that there is a file called pswrd.php and it's in the /common/cart folder in the php_includes directory. By making sure that your php_includes directory is not in the webroot, there's no way I should be able to open that file with my web browser. Conversly, if the php_includes directory is in the webroot all I need to do is experiment with paths and I may eventually be able to view the contents of the pswrd.php file. Does answer your questions? HTH.

Cheers,

Geoff A. Virgo

Anon

I think I see what you mean. I guess I'll setup the php_includes directory then, that should do it. thanks for the help!