[RESOLVED] question about security of php files

VisionsOfCody

this might be a really dumb question but here goes anyway :

Could someone could read the code of a php file on a server if they didn't have the ftp codes ? I mean, if I hard-code a password into a simple authorization routine in an index.php file is it possible for someone to read that ?

ok, so that's 2 questions

thanks

leatherback

As long as your server keeps working properly, there is no real problem.
However.. If your server fails to interpret the php code correctly for whatever reason (Changes settings, compiler error, etcetc) it is -in theory- possible that a person sees the code.

I personally do not worry about it. But I have the passwords etc in a seperate file, which is a clever thing to do, even if only to facilitate changes in the server (If you change the pass/username, you do not need to recode dozens or hundreds of files, but only one config file). This file you could place outside the world-visible section on the server.

Piranha

leatherback wrote:
But I have the passwords etc in a seperate file, which is a clever thing to do, even if only to facilitate changes in the server (If you change the pass/username, you do not need to recode dozens or hundreds of files, but only one config file). This file you could place outside the world-visible section on the server.

I do the same, but with all files. The only thing that is visible to the world is index.php, some js-files and css-files. Everything else is placed in a directory that is accessed by index.php.

VisionsOfCody

Thank your for your replies

when you say :

leatherback wrote:
This file you could place outside the world-visible section on the server.

what exactly do you mean ? how would I place the files outside the root of the shared hosting ?

thanks

leatherback

Visions: Usually you have a folder on the server called e.g., httpdocs, or www where you place files which should be 'visible' on the web. You could place the files in an other folder (If the root of the server is not the webroot). Altyernatively, you could use an .htaccess file in a folder, limiting access to only the scripts on the server

MarkR

Normally I'd put anything sensitive like config info, in a "include" directory which contains .php files which should only be included, never executed directly.

I put something like

Deny From All

In this directory's .htaccess.

This is just a precautionary measure which prevents information leakage in the event of a very badly misconfigured production server. Such a configuration error is extremely unlikely anyway, as it would completely break a production server.

Of course if you're on shared hosting, all bets are off.

Don't do anything which you care about on shared hosting, it's not at all secure against other rogue users, or the attackers of their lame apps.

Mark

VisionsOfCody

Ok I'll give those solutions a try

thanks