In this second part of a three-part series on secure PHP programming, you'll learn how to hide the fact that you're using PHP to drive your site, how to hide sensitive data, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).
Any document located in a Web serverís document tree and possessing adequate privilege is fair game for retrieval by any mechanism capable of executing the GET command, even if it isnít linked from another Web page or doesnít end with an extension recognized by the Web server. Not convinced? As an exercise, create a file and inside this file type my secret stuff. Save this file into your public HTML directory under the name of secrets with some really strange extension such as .zkgjg . Obviously, the server isnít going to recognize this extension, but itís going to attempt to serve up the data anyway. Now go to your browser and request that file, using the URL pointing to that file. Scary, isnít it?
Of course, the user would need to know the name of the file heís interested in retrieving. However, just like the presumption that a file containing the phpinfo() function will be named phpinfo.php , a bit of cunning and the ability to exploit deficiencies in the Web server configuration are all one really needs to have to find otherwise restricted files. Fortunately, there are two simple ways to definitively correct this problem, both of which are described in this section.
Hiding the Document Root
Inside Apacheís httpd.conf file, youíll find a configuration directive named DocumentRoot. This is set to the path that you would like the server to consider to be the public HTML directory. If no other safeguards have been undertaken, any file found in this path and assigned adequate persmissions is capable of being served, even if the file does not have a recognized extension. However, it is not possible for a user to view a file that resides outside of this path. Therefore, consider placing your configuration files outside of the DocumentRoot path.
To retrieve these files, you can use include() to include those files into any PHP files. For example, assume that you set DocumentRoot like so:
DocumentRoot C:/apache2/htdocs # Window s DocumentRoot /www/apache/home # Unix
Suppose youíre using a logging package that writes site access information to a series of text files. You certainly wouldnít want anyone to view those files, so it would be a good idea to place them outside of the document root. Therefore, you could save them to some directory residing outside of the previous paths:
C:/Apache/sitelogs/ # Windows /usr/local/sitelogs/ # Unix
Denying Access to Certain File Extensions
A second way to prevent users from viewing certain files is to deny access to certain extensions by configuring the httpd.conf file Files directive. Assume that you donít want anyone to access files having the extension .inc . Place the following in your httpd.conf file:
<Files *.inc> Order allow,deny Deny from all </Files>
After making this addition, restart the Apache server and you will find that access is denied to any user making a request to view a file with the extension .inc via the browser. However, you can still include these files in your scripts. Incidentally, if you search through the httpd.conf file, you will see that this is the same premise used to protect access to .htaccess .