where to put includes for security

horsetags

Hi
Just learning and worried about hackers being able to see my Login information.

I know the scripts 'include' this file, but don't these files reside in the root directory of the site?

Shows i don't know a lot :-) But i'm trying hard.

I have a names database and the visitor can check if their name is listed. (Thats the idea)

Thanks

Paul

suntra

I'm not sure if I understood well, but...

Personnally, I have to include file for a login verification in an administration section. These files are in a directory in the administration directory (administration folder/include folder). They have the extension .php3, and if you try to see it, it will not output anything. You just have to put the code between <? (or <?php) and ?>. In fact, you have to put it between those tags for the code to be parsed.

For example, my password file (yes, I don't use a database... so sad !!!) is something like :
<?
$utils = array(
"&¶3É" => "âBü'%9Q˜"
);
?>
It does not return anything !

Did I answer your question ? If not, don't be shy, ask again !

horsetags

I don't know whether i understood yours either! :-)

I've been thinking and although i have an administration directory, (phpMyAdmin) i would need a password to get to it (understandably).

Sooooo, if i have the include file (common.php) that has the login info in it, put into that directory, say, then the calling script would have to show the password to get into THAT directory!

If i have a directory that has an index file with a redirect to say, my homepage, and then put my common.php in there, would that be secure?

Did i mumble, or could you understand that?

Thanks

Paul

dalecosp

Originally posted by horsetags
Did i mumble, or could you understand that?

Thanks

Paul

Both a little skosh on details, I'm afraid.

Suntra's may be a bit easier. What I'm receiving is:

 1.  He has a *.php file in an "admin" folder on the webserver with contents something like this:
      <?
        $password="thisismypw";
      ?>

 2.  His login script reads this file to see if the data entered via a webform is correct, and since the webserver would parse that file if called and it contains no output statements, a 'luser/cracker' would see nothing....

Yours is more complex IMO. This is not surprising, there are lots of locations for files on a computer, and lots of possible combinations of permissions for those files. Can you reformat the ? and ask again?

Cheers,

horsetags

Ok
I have a page with a search form which calls a search php. these are not in the root.

the include file (there is a db.inc file and a common.php file.)

The common.php file (which has no print or echo statements) is my concern as it has the login details of the database.

At the moment i have it in the root as the code int he search.php says -
include ("./common.php");

Which in ignorance, i assume is the root folder. The db.inc file has no password info ( i got that bit wrong:-).

So i am concerned that someone could read the common.php.

If i put the common.php file in a password protected folder the calling script (search.php would need the password details!

Am i being paranoid?

Thanks
Paul
Ps like your signature

theDog

Don't take me for any sort of expert, but i think if you have access to your php.ini you can define a default include directory away from your document root.

Else, yeah, that's what i do is put them in a pass-protected directory. And i try to make my own error messages for the really critical files because while i might be paranoid, i don't think anyone needs to know the full paths to my include files, or my db name or login, as default errors are apt to tell them.

🙂

dalecosp

Originally posted by theDog
Don't take me for any sort of expert, but i think if you have access to your php.ini you can define a default include directory away from your document root.

For example, '/usr/local/lib/php' is a BSD default location. I keep some things in "../somedir" ---nobody's going to read them there. Of course, I own* the server, and can put stuff where I like. However, on those sites I've worked on in the past on ProHosters and the like, we always had access to at least one level below the Apache DocumentRoot. Put your stuff there...apache won't let anyone read it. If they CAN get to it somehow, you're busted anyway...hope they're just out for fun and don't have a sadistic streak.......

Else, yeah, that's what i do is put them in a pass-protected directory. And i try to make my own error messages for the really critical files because while i might be paranoid, i don't think anyone needs to know the full paths to my include files, or my db name or login, as default errors are apt to tell them.

🙂

Good doggy!! 😃Have a scooby-snack....

Suppression of error reporting is wise on any well-trafficked site, particularly if you do "real-time development." Of course, on a "well-trafficked" site, you should probably do your development in private, anyway. 😉 You can even use mail() to send the errors to yourself, instead of displaying anything at all. That seems superior to, say, pulling up your webserver log every time you forget to close a bracket 😉

horsetags

Thanks
All