Very Basic Security Questions

astralweeks

I am almost done with my site and all my files are under a www directory at my host site, such as www/images www/jobseekers. I need help setting up basic security. Currently anyone can type the URL: www.mysite.com/images and is lists all the files. When I password protect all these directories then when anyone tries to access my site www.mysite.com it pops up a username password window.

How do I get this secure so that the website works but no one can access my files within a directory ?
Currently my mysql username and password are hardcoded into my code with the $connect statement. Can someone use view source to see my ID & Password ? If so how do I prevent this ?

Info is appreciated. Thanks

drawmack

put an index.html page in each directory that redirects them to your main page.

Davy

As to your first question - Drawmack gave a perfectly good answer. In fact you don't even have to redirect your users to another page...

Take for example a community site. If a member was to type in www.something.com/images then the index.html of this directory could display a page for uploading member photos to an online album or maybe thier avatar?

Just an idea. The most common use of this is the www.something.com/forum or /board as bb apps use this as standard for thier forums. (I believe)

And for question 2 - by asking that question you ahve just taken the whole point of PHP and why it was invented in the first place and questioned it's existence!!

PHP is pre-processed. It is server side. Meaning unless a user has access locally or remotely to the server, nobody can see your PHP. If they view sourced all they will get is the output HTML.

for example:

$date = date(l);
echo "Today is ";
echo $date;

When view source'd, the user will only see:

Today is Saturday

So, in short: No. Your user/pass is as safe as your server.

EDIT: I have just realised something else. You can see php source by adding the extension with an s to *.phps so make sure these aren't enabled on your server.

laserlight

Another way to solve #1 would be to disable directory listing on the web server.
For example, for Apache webserver, you can use IndexIgnore * in httpd.conf or some relevant .htaccess file.

For #2, your current method should be okay, but safer yet is to use space above your document_root (a.k.a. public_html) directory (i.e. your web space), so that even in the event that your web server fails to parse the PHP, your sensitive data will not be compromised.
Otherwise, you would simply depend on the webserver parsing the PHP, which it should do most, if not all, of the time.