#1 | Join Date: Apr 2004 | Location: Canada | Posts: 57

Unanswered: Prevent download and stealing of PHP files

    Does a simple and efficient method exist to prevent PHP Scripts from being downloaded (for example by a Site Sucker)? This will be useful for 'config' files which contain sensitive data like DBConnect parameters...

#2 | Join Date: Dec 2003 | Location: Houston, TX | Posts: 21
    Place it in a /include/ folder outside your webserver root directory so that it is not browseable by anyone and only accessible through FTP or SSH.
    I do not fear computers. I fear the lack of them.
    -Isaac Asimov (1920 - 1992)

#3 | Join Date: Apr 2004 | Location: Canada | Posts: 57
    Thank you for your reply.

First, I must say that although I am a Mac Power User, I do not have great skills in PHP and related stuff.

    All my PHP Files have the .php suffix.
    On my server, all my served files are in a folder called 'httpdocs'.
    The parent hierarchical level is '/'.
At this level, I have 9 folders called: 'anon_ftp', 'bin', 'cgi-bin', 'conf', 'error_docs', 'httpdocs', 'logs', 'pd', and 'web_users'.

    Amongst these folders, I can upload files in only 3 folders: 'anon_ftp', 'cgi-bin', and 'httpdocs'. I cannot upload files "loose" at the same level and outside these folders.

If I have a good understanding of your explanation, do you mean that:
    1st - I can upload my config files in one of those two folders: 'anon_ftp' or 'cgi-bin'?
    2nd - I can refer to them by simply writing in each of my .php files: include ("../config.php"), or must I write (for example): include ("http://www.mydomain.com/any_of_the_three_above_folders/config.php")?

    Please excuse my ignorance! And thank you for your time and your patience! ;-)

#4 | Join Date: Sep 2003 | Location: So. Cal. USA | Posts: 142
    Howdy, Germaris! Yes, includes can be referred to relatively...

    include ('../cgi-bin/myincludes/youcantgetme.inc.php');

    but I'm not sure your cgi-bin is not browsable. If it's not, then that's the way to go. I don't think your $connect/login info is at much risk, anyway, though, even in your web root folder. PHP is processed server side and PHP code <? ?> in a .php file should not be readable. If you forget your PHP tags, though, you're wide open.

Now having said that, I don't trust anybody and I'm worried about making mistakes, so we re-configured our Apache configuration file on the server to deny access to all .inc files. On OUR web server, since we did that, any file that ends in .inc cannot be accessed by a browser at all in any way, so we make sure we use .inc for sensitive info like logins/passwords. Since you don't have your own server, though, I think you'll just have to trust <? ?> and .php.

    I'm still relatively new to all this, though, so maybe someone else can add more or correct me.
    --ST
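The advice in posts #2 and #4 (keep the credentials file outside the document root and reference it with a relative include) is shown below as an added example; it is not code from this thread or from either poster. The directory layout (`config/` beside `httpdocs/`), the loader functions and the placeholder credentials are all assumptions made for the demonstration; the script builds a throwaway copy of that layout in the system temp directory so it runs on its own.

```php
<?php
// Added example, not from the thread. Keep DB credentials in a file that
// lives outside the web server's document root and load it from PHP.
//
// Assumed (hypothetical) layout:
//   /var/www/example/config/db.php     <- no URL maps here
//   /var/www/example/httpdocs/index.php <- document root
//
// The config file returns an array instead of defining globals and prints
// nothing, so a stray "text" leak has nothing to show.

declare(strict_types=1);

/**
 * True if $candidate resolves to a path inside $root.
 * Both sides go through realpath() so "../" segments are resolved first.
 */
function path_is_inside(string $candidate, string $root): bool
{
    $real = realpath($candidate);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false) {
        return false;
    }
    $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $rootReal, strlen($rootReal)) === 0;
}

/**
 * Load a credentials file and refuse it if it sits under the document root,
 * where a misconfigured server could hand it out as plain text.
 */
function load_db_config(string $configPath, string $documentRoot): array
{
    if (!is_readable($configPath)) {
        throw new RuntimeException("config not readable: $configPath");
    }
    if (path_is_inside($configPath, $documentRoot)) {
        throw new RuntimeException("refusing config inside document root: $configPath");
    }
    $config = require $configPath;   // the config file returns an array
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("config missing key '$key'");
        }
    }
    return $config;
}

// --- Demonstration on a constructed layout in a temp directory ------------
$base = sys_get_temp_dir() . '/phpcfg_demo_' . getmypid();
mkdir("$base/config", 0700, true);
mkdir("$base/httpdocs", 0755, true);

// Constructed sample config: placeholder values, not real credentials.
$sample = <<<'PHP'
<?php
return [
    'host' => 'localhost',
    'user' => 'db_user_placeholder',
    'pass' => 'db_pass_placeholder',
    'name' => 'app_db',
];
PHP;
file_put_contents("$base/config/db.php", $sample);

// From httpdocs/index.php this would be: require __DIR__ . '/../config/db.php';
$cfg = load_db_config("$base/config/db.php", "$base/httpdocs");
echo "Loaded config for database {$cfg['name']} on {$cfg['host']}\n";

// The same file copied under httpdocs is rejected by the loader.
copy("$base/config/db.php", "$base/httpdocs/db.php");
try {
    load_db_config("$base/httpdocs/db.php", "$base/httpdocs");
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

// Remove the constructed layout.
unlink("$base/httpdocs/db.php");
unlink("$base/config/db.php");
rmdir("$base/httpdocs");
rmdir("$base/config");
rmdir($base);
```

Run it with `php` from the command line. The Apache rule ST describes is normally a `<FilesMatch "\.inc$">` block containing `Require all denied` (Apache 2.4) in httpd.conf or an .htaccess file; on shared hosting where you cannot edit the server configuration, the out-of-document-root placement from post #2 is the more dependable option, because it does not depend on the PHP handler staying attached to the file.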

#5 | Join Date: Apr 2004 | Location: Canada | Posts: 57
    Thank you! Thank you! Thank you!

    I have understood everything! Isn't that wonderful?

    If I try to browse my cgi-bin Folder I get the following Error Message:
    "Internal Server Error
    Unable to execute /usr/local/psa/home/vhosts/germaris.com/cgi-bin/index.html: Permission denied."
So I think it will be safe to put my sensitive files in there, am I right?

    About the vulnerability of the other PHP Files, I trust you.
    But are the Site Sucker apps able to download such Files?

    Thank you so much, both of you, for your help!
    Cheers!
