dagon wrote: simply having the details in a *.php file will protect it from the users
This is true assuming the user is accessing the host via HTTP and the host has not had something abnormal (and probably stupid) done like restarting the web server process but not restarting PHP; and also that things like FTP are not enabled if the directory does not have a default file. You can mostly avoid these issues if you save any such files outside of the web document root directory. E.g.: if your web root is /home/yourname/public_html/, then store the file in a directory such as /home/yourname/includes/.
However, if you are on a shared host, this may still be a problem if other accounts on the host can read your directories/files via their own scripts. (Even if the site has the PHP open_basedir setting set up to prevent PHP scripts from doing this, that does not prevent someone from using a Perl script to do that, for example.) Your file might then be viewable either by a malicious user with an account on that host, or by an outside hacker who broke into another account on the host and uploaded his/her own script onto it.
If you're talking about a site with truly sensitive information that would be harmful in the hands of the wrong people, then you probably need to look into a dedicated host, SSL, and making sure things are set up and configured by a security expert. You may also want to get and read a couple times (it's short) Essential PHP Security.
If we're talking about a site where there is not critical data stored, and the main damage a hacker could cause would be loss of some data since the last back-up and some aggravation, then you can use a shared host, "hiding" such files outside of the web root. It might even help a little to give them innocuous names, such as "/home/yourname/recipes/aunt_bettys_apple_pie.txt" instead of "/home/yourname/includes/db_config.inc". It does not guarantee nobody will ever find and read it, but it's just one more layer that might prevent a hacker from finding it, and instead going on to another site that's easier to crack.
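
Added example, not part of the original post: a small Python audit that checks the two conditions discussed above, namely whether a credentials file resolves to a location inside the web root and whether other accounts on a shared host could read it. The function names and the sample layout are hypothetical, and it assumes PHP runs as the account owner (for example via suEXEC or a per-user PHP-FPM pool), so owner-only permissions do not break the site.

```python
import os
import stat
import tempfile


def audit_secret_file(config_path, web_root):
    """Return findings (possibly empty) for a credentials file."""
    findings = []
    # Resolve symlinks first so a link that leads back into the web root is caught.
    real_cfg = os.path.realpath(config_path)
    real_root = os.path.realpath(web_root)
    if os.path.commonpath([real_cfg, real_root]) == real_root:
        findings.append("inside web root")

    # Assumption: PHP runs as the file owner, so group/other bits are not needed.
    file_mode = os.stat(real_cfg).st_mode
    if file_mode & stat.S_IRGRP:
        findings.append("file is group-readable")
    if file_mode & stat.S_IROTH:
        findings.append("file is world-readable")

    # Other accounts need search (x) permission on the directory to open the file.
    dir_mode = os.stat(os.path.dirname(real_cfg)).st_mode
    if dir_mode & stat.S_IXOTH:
        findings.append("directory is traversable by other accounts")
    return findings


def build_sample_home():
    """Constructed layout mirroring the post: public_html/ and includes/."""
    home = tempfile.mkdtemp()
    web_root = os.path.join(home, "public_html")
    includes = os.path.join(home, "includes")
    os.mkdir(web_root)
    os.mkdir(includes)
    os.chmod(web_root, 0o755)
    os.chmod(includes, 0o700)
    exposed = os.path.join(web_root, "db_config.php")
    private = os.path.join(includes, "db_config.inc")
    for path, mode in ((exposed, 0o644), (private, 0o600)):
        with open(path, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
        os.chmod(path, mode)
    return web_root, exposed, private


if __name__ == "__main__":
    root, exposed, private = build_sample_home()
    for path in (exposed, private):
        print(path, audit_secret_file(path, root) or "no findings")
```

An empty result only means these checks passed; it says nothing about how the host isolates accounts from one another.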