
php website security


orange08


Take a look at the phpfreaks tutorial: PHP Security.

 

Thanks for the tutorial. I have read it a few times, but because of my poor English and being new to PHP, I found it quite hard to understand. So I hope that you guys here can continue to guide me through this hard process, as security is quite important for a website...

 

For the error reporting part, the first issue mentioned in the tutorial...

It mentioned that we should not display our errors to our users, but we must keep those errors in a log file, so we can check and fix them.

 

And it can be accomplished by setting the directives in a configuration file called .htaccess... I have found this file in my hosting. When I open it, it only has this line:

 

Options -Indexes

 

So, I would like to know: are the directives set here?


If you're having severe problems understanding it I suggest a good way to learn would be asking for help with security when you post questions asking for help with code.

 

Thank you for your reminder, but this part does not concern the code, but where to set the directives according to the tutorial (as I have no basics and am still very new, I just try to follow whatever is in the tutorial... when there is something that I can't understand, I try asking for help here).

 

Apache has some configuration files called .htaccess where you can configure Apache directives for the particular folder (and sub-folders) the file is located in. Some hosts do not allow you to use this, but if you can then the PHP module has a directive called php_flag which allows you to set PHP directives. You simply do it like this:
php_flag directive_name directive_value

 

So, the problem is I can't confirm where to put this code:

# php_flag is for on/off directives; directives that take a value use php_value
php_flag display_errors off
php_value error_reporting 8191
php_flag log_errors on
php_value error_log /home/someone/logs/php_errors.lo


To be honest there are so many issues when it comes to security that I don't think it is a good idea worrying too much about this right now because you say you're new to PHP and MySQL.

 

I would learn PHP and MySQL and as you feel confident start asking for help with security.

 

That second chunk you posted needs to be placed inside the .htaccess file at the root of your public area web space (usually public_html or similar).

 

Once there if you can still access your web space things should have worked.

 

Just be sure to replace the "someone" in the last line with a valid full path on your web space.


To be honest there are so many issues when it comes to security that I don't think it is a good idea worrying too much about this right now because you say you're new to PHP and MySQL.

 

I would learn PHP and MySQL and as you feel confident start asking for help with security.

 

 

Yup, I understand that these security issues are not something easy to deal with, especially for a newbie like me, but in my case, while learning, I'm setting up a website, so I must take care of it at this stage... So I really, really need all you kind guys to give me a hand.

 

That second chunk you posted needs to be placed inside the .htaccess file at the root of your public area web space (usually public_html or similar).

 

Once there if you can still access your web space things should have worked.

 

Just be sure to replace the "someone" in the last line with a valid full path on your web space.

 

Ya, I found this .htaccess file inside public_html, under the cgi-bin folder...

As I mentioned in the previous post, when I open this file, there is only this line there:

 

Options -Indexes

 

So, is it correct to paste that code here? How about the above line? Just leave it there?

 

About the path, does it define the log file path in our web space, to keep the errors that occurred?

 

thanks!


I don't think it matters where you place it in this case but it's good practice to not disturb what's already there by placing anything new at the end of the file and separate additional chunks with a blank line.

 

Again, sorry for my poor English...

Do you mean you do not recommend putting something new in that .htaccess file? Or do you mean just leave

Options -Indexes

 

at the original place, then paste my directive settings code below, after a blank line?


Yes.

 

Sorry, your 'yes' refers to which case? I mentioned two cases in my post...

Is it this case?

Do you mean you do not recommend putting something new in that .htaccess file?

 

Or this case?

 

Or do you mean just leave

Options -Indexes

at the original place, then paste my directive settings code below, after a blank line?

 

thanks!

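One way to confirm that the directives discussed in this thread took effect, as an added example that is not part of the original posts: a small PHP page placed in the folder covered by the .htaccess file, which reads the effective settings and lists anything still wrong. The function name check_error_settings and the web-root check are this example's own assumptions; it assumes the directives were appended below the existing Options -Indexes line.

```php
<?php
// Added example (not from the thread): reports whether the error settings
// from .htaccess are in effect for the folder this page is served from.
// Remove the file from the server once you have checked.

function check_error_settings(array $ini, $docroot)
{
    $problems = array();
    $is_on = function ($v) {
        return in_array(strtolower((string) $v), array('1', 'on', 'true', 'yes', 'stdout'), true);
    };

    if ($is_on($ini['display_errors'])) {
        $problems[] = 'display_errors is on: visitors can see error messages';
    }
    if (!$is_on($ini['log_errors'])) {
        $problems[] = 'log_errors is off: errors are not recorded';
    }
    // php_flag turns any value other than on/1 into "0", so a value
    // directive that was set with php_flag shows up here as "0".
    $log = (string) $ini['error_log'];
    if ($log === '' || $log === '0') {
        $problems[] = 'error_log is not a file path (set it with php_value)';
    } elseif ($docroot !== '' && strpos($log, rtrim($docroot, '/') . '/') === 0) {
        $problems[] = 'error_log is inside the web root and may be downloadable';
    }
    if ((int) $ini['error_reporting'] === 0) {
        $problems[] = 'error_reporting is 0: nothing is reported or logged';
    }
    return $problems;
}

$ini = array();
foreach (array('display_errors', 'log_errors', 'error_log') as $name) {
    $ini[$name] = ini_get($name);
}
$ini['error_reporting'] = error_reporting(); // effective level as an integer
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
$problems = check_error_settings($ini, $docroot);

header('Content-Type: text/plain');
echo $problems ? implode("\n", $problems) . "\n" : "OK: errors are hidden from visitors and logged\n";
```

If the page reports that error_log or error_reporting is "0", the directive was most likely written with php_flag instead of php_value.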
