Re: [PHP] securing an 'includes' dir
>>> "Justin French" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]...
>>> 1. Name all included files .inc
>>>
>>> If you name them *.php then put anything in them inside a function, then
>>> when the user browses to that file he/she won't see anything at all.
>>
>> You've already moved them out of the web tree so that they can't browse to
>> them in the first place...
>
> Actually, the OP was about securing an includes directory which COULD NOT be
> placed outside the docroot.

Change web hosts. :-)

Seriously. It's cheaper than buying the Zend Encoder (or knock-off copies
thereof), which is your only other real alternative.

The rest of your options aren't worth considering, unless you just don't care
if your db data is publicly write-able or not.

-- 
Like Music? http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing an 'includes' dir
On Tuesday 02 July 2002 18:02, Justin French wrote:
> on 02/07/02 5:41 PM, Richard Lynch ([EMAIL PROTECTED]) wrote:
>
>>> "Justin French" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]...
>>>
>>>> 1. Name all included files .inc
>>>
>>> If you name them *.php then put anything in them inside a function, then
>>> when the user browses to that file he/she won't see anything at all.
>>
>> You've already moved them out of the web tree so that they can't browse
>> to them in the first place...
>
> Actually, the OP was about securing an includes directory which COULD NOT
> be placed outside the docroot.

Can we kill this thread. Please? It's going round and round in circles.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Violence is molding.
*/
Re: [PHP] securing an 'includes' dir
on 02/07/02 5:41 PM, Richard Lynch ([EMAIL PROTECTED]) wrote:

>> "Justin French" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>>> 1. Name all included files .inc
>>
>> If you name them *.php then put anything in them inside a function, then
>> when the user browses to that file he/she won't see anything at all.
>
> You've already moved them out of the web tree so that they can't browse to
> them in the first place...

Actually, the OP was about securing an includes directory which COULD NOT be
placed outside the docroot.

Justin French
Re: [PHP] securing an 'includes' dir
> "Justin French" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>> 1. Name all included files .inc
>
> If you name them *.php then put anything in them inside a function, then
> when the user browses to that file he/she won't see anything at all.

You've already moved them out of the web tree so that they can't browse to
them in the first place...

It's better to clearly denote them as *NOT* "entry point" .php (or .htm) files
than to possibly upload them into htdocs.

When you see .inc in htdocs, you know you screwed up.

Vice versa for .php in your includes directory, which is not in htdocs.

Works for me. :-) YMMV.

-- 
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] securing an 'includes' dir
"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Steve Yates wrote:
>> If you name them *.php then put anything in them inside a function, then
>> when the user browses to that file he/she won't see anything at all.
>
> I think this is a very poor tactic, because it "covers up" the problem
> rather than doing anything about it.
> (...)
> It's much better to properly name your included files *.inc as suggested
> by Mr. French and either:
> 1. don't put them under document root (my preference)
> or:
> 2. configure your Web server to not allow access to .inc files

I guess I wasn't trying to say that my suggestion was a complete solution,
but one thing to consider. For instance, what happens if the .htaccess file
is accidentally deleted? Then there's no protection. Or say the host upgrades
PHP or Apache and for whatever reason PHP files aren't being parsed? Then my
suggestion doesn't solve things (but moving them outside the htdocs structure
will, if available as an option).

Is there an advantage to not putting code in included files inside functions?
I wasn't sure if you were critiquing that part of my suggestion also.

 - Steve Yates
 - Edit. Assemble. Link. Run. Curse. Boot.

/ Taglines by Taglinator - www.srtware.com /
Re: [PHP] securing an 'includes' dir
Steve Yates wrote:
> "Justin French" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
>> 1. Name all included files .inc
>
> If you name them *.php then put anything in them inside a function, then
> when the user browses to that file he/she won't see anything at all.

I think this is a very poor tactic, because it "covers up" the problem rather
than doing anything about it. You still allow people to access your modules
directly, and worse, you allow them to execute these modules out of context.
By restricting your modules to only allow function declarations, you also make
things more difficult on yourself without any real benefit.

It's much better to properly name your included files *.inc as suggested by
Mr. French and either:

1. don't put them under document root (my preference)

or:

2. configure your Web server to not allow access to .inc files

Chris
Re: [PHP] securing an 'includes' dir
"Justin French" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> 1. Name all included files .inc

If you name them *.php then put anything in them inside a function, then when
the user browses to that file he/she won't see anything at all.

 - Steve Yates
 - A fool and his money... Hey! Where's my wallet?

/ Taglines by Taglinator - www.srtware.com /
Re: [PHP] securing an 'includes' dir
On Friday, June 28, 2002, at 04:25 AM, Nick Wilson wrote:
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?

    chmod go-rwx dirname

But this will probably stop the web server from reading the file. Perhaps the
administrators can provide a script (SUID) that allows a user to change the
group association of the file to that of the web server? Yet without making
the user a part of the group itself, otherwise all users would be able to see
all of these files...

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
Re: [PHP] securing an 'includes' dir
On Friday 28 June 2002 16:40, Nick Wilson wrote:
> * and then Jason Wong declared
>
>> If using Apache, you would set a directive to deny all access to that
>> directory.
>
> Gotcha. Can you demonstrate?

    Deny from All

Remember this is only safe from browsers. PHP itself can still access those
files. Combining this with all the other suggestions would make it pretty
secure.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
The trouble with doing something right the first time is that nobody
appreciates how difficult it was.
*/
Re: [PHP] securing an 'includes' dir
> 1. Name all included files .inc I do this for many reasons, but mainly
> to help me know which are executables, and which are includes. It also
> helps with step 3.

Just for an added layer of security (in case step 3 isn't effective due to
mis-configuration or what have you), name them .inc.php and at the top of the
code put something like this (eg: filename == mysql.inc.php):

    // Refuse to run when the browser requested this file directly.
    // $_SERVER['SCRIPT_NAME'] replaces the register_globals-era $SCRIPT_NAME,
    // which is unset when register_globals is off (the default since PHP 4.2).
    if ($_SERVER['SCRIPT_NAME'] == "/inc/mysql.inc.php")
        die("you shouldn't be talking to me!");

or if you're really clever - you could throw a 404: not found or a 301: access
denied. This also means that your script will be relatively harmless and the
PHP code would never be divulged. If it was in a .inc file alone, then if the
.htaccess wasn't being effective (or it was accidentally uploaded to an
alternate location) then it would be completely exposed.

> 3. Include a .htaccess file in the /inc/ directory (or further up
> towards your docroot with the following:
>
>     Order Allow,Deny
>     Deny from all

Change the first line to in order to fit this more secure procedure.

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd
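The "second layer" guard from the post above, generalised into a form that does not depend on register_globals or on the module living at exactly /inc/mysql.inc.php. This is an added example for the thread, not code posted by any participant; the filename, the /inc/ layout and the placeholder database constants are assumptions, and the 404 response is the "clever" variant the post mentions rather than a plain die().

```php
<?php
// inc/mysql.inc.php -- a shared module carrying its own guard against being
// browsed to directly. Added example for this thread; not code posted by any
// participant. Assumes the layout described above (Apache + PHP, entry
// scripts in the docroot, modules in /inc/ beneath it) and a host where
// register_globals is off, so request data comes from $_SERVER.

// The guard is written inline rather than as a helper function so that every
// module can carry an identical copy without a "cannot redeclare" error.
if (PHP_SAPI !== 'cli') {
    // SCRIPT_FILENAME is the file the web server asked PHP to execute. When a
    // browser requests this module directly, that is this very file; when an
    // entry script include()s it, that is the entry script. Resolved paths
    // are compared rather than a hard-coded "/inc/mysql.inc.php" string, so
    // the check still holds if /inc/ is renamed or the file is uploaded
    // somewhere unexpected.
    $entryScript = isset($_SERVER['SCRIPT_FILENAME'])
        ? realpath($_SERVER['SCRIPT_FILENAME'])
        : false;

    // Fail closed: an unknown entry script is treated as a direct request.
    if ($entryScript === false || $entryScript === __FILE__) {
        // Answer 404 rather than 403 so the response does not confirm that a
        // module exists at this URL. No PHP source is emitted either way.
        http_response_code(404);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Not Found\n";
        exit;
    }
    unset($entryScript); // do not leak a stray variable into the caller's scope
}

// ---- module code below runs only when include()d by an entry script -------

// Constructed placeholder values for the example. The password is read from
// the environment so that nothing secret sits inside the docroot.
const DB_HOST = 'localhost';
const DB_NAME = 'example_app';
const DB_USER = 'example_user';

function db_connect(): mysqli
{
    $password = getenv('DB_PASSWORD');
    if ($password === false) {
        throw new RuntimeException('DB_PASSWORD is not set in the environment');
    }
    $db = new mysqli(DB_HOST, DB_USER, $password, DB_NAME);
    if ($db->connect_error) {
        // Log the detail server-side; never echo connection errors to a client.
        error_log('database connection failed: ' . $db->connect_error);
        throw new RuntimeException('database connection failed');
    }
    return $db;
}
```

To check it, request /inc/mysql.inc.php in a browser and expect a plain 404, while the entry scripts that include() the module keep working. The .htaccess deny stays the primary control; as Steve Yates points out later in the thread, if PHP stops parsing .php files this guard does nothing, which is why keeping modules outside the docroot wins wherever the host allows it.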
Re: [PHP] securing an 'includes' dir
Assuming you have Apache/Unix (don't know about any other set-ups), I do the
following.

1. Name all included files .inc
   I do this for many reasons, but mainly to help me know which are
   executables, and which are includes. It also helps with step 3.

2. I always keep them in a separate dir to the rest of my code, eg /inc/

3. Include a .htaccess file in the /inc/ directory (or further up towards
   your docroot with the following:

       Order Allow,Deny
       Deny from all

   Basically, it denies direct (http) access to all *.inc files. This means
   the only way you can use/view/execute .inc files is by things like
   include() in another php script. I believe that Apache spits out a 500
   error page if you try to access something.inc via the URL.

4. In addition (and a small deterrent in itself if step 3 is unavailable), I
   include a blank or redirecting index.html file in the /inc/ directory, so
   that they can't view the directory listing at all.

An additional security measure might be to ensure that only certain scripts
can access the inc files, but I haven't gone that far yet :)

I'm unsure how well this prevents other users on the server from accessing the
files though.

Unfortunately this will require the admin to allow you to use htaccess files
in your on disk hierarchy, or possibly requesting him/her to make the changes
needed themselves.

Justin French

on 28/06/02 6:25 PM, Nick Wilson ([EMAIL PROTECTED]) wrote:

> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
>
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?
>
> Many thanks
> --
> Nick Wilson // www.explodingnet.com
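A complete .htaccess for step 3 above (and for option 2 in Chris Shiflett's reply), written as an added example rather than the post's own file: the list archive dropped the container line that originally wrapped the "Order Allow,Deny / Deny from all" pair, so the FilesMatch pattern here is this example's choice, covering both the .inc naming from step 1 and the .inc.php variant suggested elsewhere in the thread. It assumes the host's AllowOverride permits Limit, AuthConfig and Options in this directory; both the 2.2-era syntax the thread uses and the 2.4 equivalent are included so the file works on either server generation.

```apacheconf
# /inc/.htaccess -- added example for this thread, not a participant's own
# file. Assumes AllowOverride permits Limit, AuthConfig and Options here.

# Match the .inc files from step 1 and the .inc.php variant suggested later
# in the thread (the pattern is this example's choice, not the original's).
<FilesMatch "\.inc(\.php)?$">
    # Apache 2.4 and newer: mod_authz_core
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and older: mod_authz_host, the syntax used in the thread
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Step 4 without relying on a placeholder index.html: refuse directory
# listings outright.
Options -Indexes
```

To confirm it took effect, request a module file such as /inc/something.inc over HTTP and expect a 403 (a deny produces 403, not the 500 mentioned above; a 200 with source in the body means AllowOverride is not letting the file apply). As Jason Wong notes, this only stops browsers: include() reads the file from disk and is unaffected.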
Re: [PHP] securing an 'includes' dir
* and then Jason Wong declared
> If using Apache, you would set a directive to deny all access to that
> directory.

Gotcha. Can you demonstrate?

Cheers...

-- 
Nick Wilson // www.explodingnet.com
RE: [PHP] securing an 'includes' dir
and using IIS use windows security

> -Original Message-
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: 28 June 2002 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] securing an 'includes' dir
>
> On Friday 28 June 2002 16:25, Nick Wilson wrote:
>> Hi all
>> I'm setting up a site for a client and his host refuses to create (or
>> allow me to) a directory outside of the http root.
>>
>> How might I make an 'includes' dir inside the http root and stop users
>> being able to browse it?
>
> If using Apache, you would set a directive to deny all access to that
> directory.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
>
> /*
> "How many people work here?"
> "Oh, about half."
> */
Re: [PHP] securing an 'includes' dir
On Friday 28 June 2002 16:25, Nick Wilson wrote:
> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
>
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?

If using Apache, you would set a directive to deny all access to that
directory.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
"How many people work here?"
"Oh, about half."
*/
[PHP] securing an 'includes' dir
Hi all
I'm setting up a site for a client and his host refuses to create (or allow me
to) a directory outside of the http root.

How might I make an 'includes' dir inside the http root and stop users being
able to browse it?

Many thanks

-- 
Nick Wilson // www.explodingnet.com