
Hiding Sensitive Data - PHP

In this second part of a three-part series on secure PHP programming, you'll learn how to hide the fact that you're using PHP to drive your site, how to hide sensitive data, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

By: Apress Publishing
August 19, 2010


Any document located in a Web server's document tree and possessing adequate privilege is fair game for retrieval by any mechanism capable of executing the GET command, even if it isn't linked from another Web page or doesn't end with an extension recognized by the Web server. Not convinced? As an exercise, create a file and inside this file type my secret stuff. Save this file into your public HTML directory under the name of secrets with some really strange extension such as .zkgjg. Obviously, the server isn't going to recognize this extension, but it's going to attempt to serve up the data anyway. Now go to your browser and request that file, using the URL pointing to that file. Scary, isn't it?

Of course, the user would need to know the name of the file he's interested in retrieving. However, just like the presumption that a file containing the phpinfo() function will be named phpinfo.php, a bit of cunning and the ability to exploit deficiencies in the Web server configuration are all one really needs to have to find otherwise restricted files. Fortunately, there are two simple ways to definitively correct this problem, both of which are described in this section.

Hiding the Document Root

Inside Apache's httpd.conf file, you'll find a configuration directive named DocumentRoot. This is set to the path that you would like the server to consider to be the public HTML directory. If no other safeguards have been undertaken, any file found in this path and assigned adequate permissions is capable of being served, even if the file does not have a recognized extension. However, it is not possible for a user to view a file that resides outside of this path. Therefore, consider placing your configuration files outside of the DocumentRoot path.

To retrieve these files, you can use include() to pull them into any PHP file. For example, assume that you set DocumentRoot like so:

# Windows
DocumentRoot C:/apache2/htdocs
# Unix
DocumentRoot /www/apache/home

Suppose you're using a logging package that writes site access information to a series of text files. You certainly wouldn't want anyone to view those files, so it would be a good idea to place them outside of the document root. Therefore, you could save them to some directory residing outside of the previous paths:

C:/Apache/sitelogs/     # Windows
/usr/local/sitelogs/    # Unix
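
The include() approach described above, shown as an added example that is not taken from the book. It builds a constructed temporary layout in place of the real document root, and the file name db.inc, the helper names isOutsideDocRoot() and loadPrivate(), and the settings values are all hypothetical. It assumes a Unix-style, case-sensitive file system and PHP 7 or later.

```php
<?php
// Added example: include() a config file kept outside the document root,
// and refuse to load one that sits inside it. All paths are constructed.

/** True when $path resolves to a location outside $docRoot. */
function isOutsideDocRoot(string $path, string $docRoot): bool
{
    $real = realpath($path);      // resolves symlinks and ../ segments
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;             // missing file or root: treat as unsafe
    }
    // Compare with a trailing separator so /www/home2 is not taken for /www/home.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) !== 0;
}

/** include() a private file only if the web server cannot serve it by URL. */
function loadPrivate(string $path, string $docRoot): array
{
    if (!isOutsideDocRoot($path, $docRoot)) {
        throw new RuntimeException("Refusing to load $path: missing or inside the document root");
    }
    return include $path;         // the included file returns an array
}

// Constructed layout standing in for the document root and a private directory.
$base    = sys_get_temp_dir() . '/docroot_demo_' . getmypid();
$docRoot = "$base/htdocs";
$private = "$base/private";
mkdir($docRoot, 0755, true);
mkdir($private, 0700, true);

// Constructed settings; a real file would hold the site's own values.
$config = "<?php return ['dsn' => 'oci:dbname=example', 'user' => 'app'];\n";
file_put_contents("$private/db.inc", $config);  // not reachable by URL
file_put_contents("$docRoot/db.inc", $config);  // reachable by URL unless denied

$settings = loadPrivate("$private/db.inc", $docRoot);
echo "loaded settings for user {$settings['user']}\n";

try {
    loadPrivate("$docRoot/db.inc", $docRoot);   // rejected by the guard
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Remove the constructed files and directories.
array_map('unlink', ["$private/db.inc", "$docRoot/db.inc"]);
array_map('rmdir', [$private, $docRoot, $base]);
```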

Denying Access to Certain File Extensions

A second way to prevent users from viewing certain files is to deny access to certain extensions by using the Files directive in the httpd.conf file. Assume that you don't want anyone to access files having the extension .inc. Place the following in your httpd.conf file:

<Files *.inc>
Order allow,deny
Deny from all
</Files>

After making this addition, restart the Apache server and you will find that access is denied to any user making a request to view a file with the extension .inc via the browser. However, you can still include these files in your scripts. Incidentally, if you search through the httpd.conf file, you will see that this is the same premise used to protect access to .htaccess.
