What if ... ?

Anon

Hi,

Not so very long ago, my hosting company had a problem with PHP and disabled this for a day or so.

When I visited my PHP build forum, I noticed that while PHP was not functioning on the server, the webpage revealed most of it's code.

I decided to test this by putting an "include" file (include.php) on a website that doesn't support PHP (to simulate lack of PHP service). The code either reveals itself as plain text, or you are prompted by your browser if you would like to open this file, or download it. (also tried include.inc.php)

Either way, it was as easy as 1,2,3 to figure out which file was included, and requesting the included file it was peanuts to see vars like:

$username = "mylogin";
$pwd = "mypwd";
$host = "myhost";
[etc]

Although someone would need to hack into the server (which is normally supposed to be the hosting companies worries) and put's his own script there at least he's able to drop tables or do anything with your database.

Simply because that one time PHP failed on your hosting company, he/she was able to figure out your login and passwords.

At the very least, this somewhats troubles me. Is there anything to make this harder or perhaps even impossible?

Is there perhaps something the hosting provider can do to prevent this in events of PHP failures / shutdown etc.

BTW. I'm aware that the most secure enviroment would be a computer that's been turned off. But I'd like to hear about ways to make it at least a bit less easy.

Martin.

Anon

Hi Mate,

The solution around this problem is to put any include files in a directory above the www dir.

Create a php folder in the same dir as htdocs. Then simply include these files using the full path. It is a bit of a pain having to specify the full path for the include file but it gives you that extra layer of security.

So say you had a php page that needed to include a db connection the first line would be
' include("/home/httpd/php/local.inc") '

Hope it helps

Ray

Anon

Hi,

Thanks for your help, however (and I should have mention this) the server is NT4/IIS4.

I run Apache at home for testing, so I know what you mean and makes alot of sense.

I've been testing locally on NT4/IIS4 also, and there is (as far as I know) no proper way to do the same.

Unless of course your hosting provider is willing to create a directory that would not allow browsing, or set permissions only to the IWAM user or something like that.

Anyway haven't thought about that possibility (go figure) so thanks alot for your tip! I'll check to see if my provider is willing to create such a directory.

Martin.

Anon

It's easier than that. Your include directory should be under your htdocs root, such as:

htdocs = c:\inetpub\wwwroot OR /home/apache/htdocs
Include dir = c:\php\includes OR /home/joeuser/php/includes.

If a user could drop tables with the database connection info you specified, your database is configured badly. PHP should only connect to a db with a user that has insert, update, delete and select privileges. If you need drop, create or others, you site is probably designed badly.

Tom

Anon

This is going to sound harsh, but if I had a Web hosting provider that broke my site and compromised the security of my database, I'd consider that two strikes. Some people might consider NT the third strike "and you're outa here." There's no shortage of providers out there; move along to one that is capable of meeting your needs.

Anon

Hi,

Well of course such a thing (someone dropping tables) never happened.

It's just that I have username and password information in the include file and I'm looking for a way to keep this information invisible, even if PHP goes down.

Users doing a delete * from is almost as bad as doing a drop table.

I have no access to the c:\inetpub\wwwroot\ dir, using FTP it only gives me access to c:\inetpub\wwwroot\myweb. I can't go back ;-(

This is just a problem everyone on NT would have if they don't host their own server, I don't think any sysadmin would give his user the rights to read/write from c:\inetpub\wwwroot.

Because I obviously would need write permission to place my include.php file there, and read access to use it in my script.

Anyway I was hoping for some other solution since I'm limited to my own home directory.

Thanks for your info though!

Martin.

Anon

Well infact, the company I do work for is currently looking into the possibility to do co-location for a webserver. I suggested to use either Unix or Linux and Apache as base for PHP/MySQL.

Of course they asked me to be the sysadmin for that server, and though I've previously worked in Unix enviroments I've never hosted a server other than NT/IIS.

So I'd better install Red Hat Linux or something like that at home to learn ;-)

I'm familair with Apache though.

Anyway, I agree about the "problems" with NT, works fine perhaps for ASP guru's but for PHP I rather use Unix or Linux, I can't even place .htaccess file in my directory ;-(