PHP securities

aarontan78

Hi all,

I developed a web-based system using PHP and Mysql for a friend for intranet usage. I have a few questions regarding security:

How can I prevent a user to go into myphpadmin from any PCs in the intranet? Is there any password restriction on that?
User can distribute the web-based system freely by copying the whole apache, mysql, php folders? How can I restrict this? Can PHP read from the windows registry? I'm using xampplite for my testing purposes, and I can easily copy the whole folder to use it in pther PCs, in which I want to prevent this.
I would like to have a time limitation for the system usage e.g. the web-based cannot be accessed after 31/12/2006. How secure is it to use the SYSDATE() checking?

Thanks.

bpat1434

How can I prevent a user to go into myphpadmin from any PCs in the intranet? Is there any password restriction on that?

Don't allow the "config" option for authentication in phpMyAdmin... use HTTP instead

User can distribute the web-based system freely by copying the whole apache, mysql, php folders? How can I restrict this? Can PHP read from the windows registry? I'm using xampplite for my testing purposes, and I can easily copy the whole folder to use it in pther PCs, in which I want to prevent this.

There's no easy way to do this, except for setting specific permissions on the folder containing it, allowing only you and the web service to view it. Then, just properly set the access file to disallow viewing of anything except the few pages you need. And turn off indexing.

Alternatively, you could purchase a code obfuscator like IonCube or Zend. Now, with those, you have to have one or the other engine installed on the server for them to run. Then your friends could download the code, but couldn't read it because it's byte-code. That's what a lot of "shareware" vendors do.

I would like to have a time limitation for the system usage e.g. the web-based cannot be accessed after 31/12/2006. How secure is it to use the SYSDATE() checking?

Why use sysdate? Why not just use date() to get the date and time? Then you can check if the current time is past the preset time. I don't see a security issue with date or SYSDATE() (not that I know what SYSDATE is)

bradgrafelman

Yeah... I've never heard of sysdate(), nor is it a native function to PHP, but using [man]time/man and [man]mktime/man will easily suit your needs...

if(time() > mktime(23, 59, 59, 12, 31, 2006))
     die('Time period expired.');

aarontan78

Thanks for the prompt reply.
SYSDATE is from the pl/sql, it should be date()...my mistake.

Another question is:
E.g.:
I'm using session for my login.
User A login will go to ....a.php page.
User B login will go to ....b.php page.

However, after user B login, he can go to a.php page by changing the url address, in which a.php page is only restricted to user A.
How do I restrict user B to go into a.php ?

Regards.

bpat1434

set something like:

$_SESSION['allowed_a'] = true;

Then in a.php check if $_SESSION['allowed_a'] is true. If it is, they're allowed. If not, they're not allowed. In b.php if that session var is false, they're allowed in, and if it's true, they're not.

aarontan78

Thanks for the reply.
However, when I backdate the system date in wondows, the security is broken.
Is there anyway to read the date from the BIOS system?

bpat1434

no, php will read the server's date. You could try getting their time-zone (by geographic IP mapping), getting the current GMT time, converting to their time, and then checking. Or use an "AJAXian" solution and use javascript to get the current time (which should be user-side), send the request to the server, let PHP deal with it, send the output in XML format back, and then deal with whether to show the page, or show a div that says "Page unavailalbe from XX to XX every day".