Just about to start work on my first php application, first non-dotnet non-IIS web server application actually. The PHP documentation contains all the information I need regarding how to use the language but I'm having trouble finding anywhere that describes the application architecture and optimal deployment and security strategies.

 

Specifically when this application is installed it will need access to a database which it will need to initialise. I envisage a config file will be needed plus an install script and some static data.

 

This will only be a small simple application and I'd rather not use any third party tools to handle this, I just need to know where the different types of stuff should go so that it is only accessible to the right people, and what else needs to be done to enable website admins to remotely install and initialise the application while still remaining secure.

 

Does anyone know a good resource covering these kinds of questions specifically for PHP on Apache and ideally explaining this stuff in pretty simple terms?

 

Cheers.

What kind of development have you done so far?

 

Where is this app going that it would need to initialize the database?

Most webservers or workstations that require a database like mysql will have the database running in the background on boot.  You can find code to initialize your db connection via php on tizag dot com - optional whether you store the db user/pass etc in a config file or not.

 

If you do use an external file say config.php - when you include it best not to use include(config.php) - better to use require(config.php) for security reasons.

If your config.php file is located in another directory and you have to reference it require(/usr/home/config.php) (bad example) you might think oh I should put the path in a variable... $config_path = '/usr/home/';  DON'T - if you're on a web server that (god forbid) has an older version of php or happens to have register globals enabled that suddenly becomes a potential gaping security hole.  But if you declare the path as a constant instead of a variable that's great and perfectly safe.

 

PHP applications aren't really "installed" per se.. they're just uploaded to a web accessible directory via FTP most commonly. (assuming it's to be accessed from the web)

 

If you have this on the internet and want to limit access and are using Apache - the quickest thing to do is look up "htaccess password protection" on google.  If this is on your own server you'll have to figure out how to create the apache users and passwords at the command line.  Otherwise if it's on a web host they "may" have a tool that can do this for you.

 

For more details, google is your friend, or just post more detailed questions here and some of us will see if we can help.

 

Cheers

I've done lots of n-tier development on Windows both tcp and web based mostly using Dotnet and ASP.

 

This app would probably be living on a Linux box running Apache and MySQL although I'll be developing it on Windows using Apache and MySQL.

 

By 'initialise the database' I just mean populate it with the static data required for this application rather than anything to do with actually starting the database or anything like that. So that would be an 'on install' operation that would only need to occur once when my PHP app is installed on the server.

 

I'm envisaging a situation where an admin has the ability to ftp the installation up to the server, I then want him and him alone to be able to run the installation script, and then want the application to have a config file that is accessible to itself but not anyone else browsing the webserver in which the database connection details will live.

 

Most likely the person installing this application will only have ftp access to the webserver and they will only be able to access a few web accessible folders and not locations like /usr/home. I imagine I might be able to achieve what I have in mind by having an application 'bin' directory somewhere accessible by ftp but not exposed via the web (perhaps configured using the htaccess file as you suggest), and then have the PHP application itself reference that location from a client facing location from where it is published by the web server (which is accessible to end users to run the PHP app). Alternatively perhaps the install script and config file might live actually in the web facing directory itself but just have a file suffix which isn't published by the webserver or something like that (although that seems more risky). But before I go testing my own (quite likely half-baked) ideas of how this could work I'm trying to determine whether there is some standard pattern for handling initialisation scripts, static data and config files in this situation.

 

I did try Googling for PHP application installation and initialization but got unrelated hits to do with installing PHP itself rather than installing PHP apps on a webserver. I suspect this is one of those occasions where there is probably information out there but disambiguating it from other closely related topics requires you to hit on just the right search string.
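One way to lay out what the thread describes, as an added example that is not part of any post above: the config file and static data sit in a directory beside the web root, and a one-time install script in the web root reaches them through a constant. The directory names, the `install_token`, `dsn`, `db_user` and `db_pass` config keys, and the `static.sql` and `installed.lock` file names are all assumptions made for illustration.

```php
<?php
// public_html/install.php (added example; every path and key name is an assumption)
// Assumed layout, both directories reachable over FTP, only public_html served:
//   /home/site/private/config.php   returns an array of settings
//   /home/site/private/static.sql   static data, one SQL statement per line
//   /home/site/public_html/         Apache DocumentRoot

// A constant cannot be overwritten by request input, which is the
// register_globals concern raised in the thread.
define('APP_PRIVATE', dirname(__DIR__) . '/private');

// require halts the script if the file is missing; include would only warn.
$config = require APP_PRIVATE . '/config.php';

// Refuse to run a second time.
$lock = APP_PRIVATE . '/installed.lock';
if (file_exists($lock)) {
    http_response_code(403);
    exit('Already installed.');
}

// 'install_token' is a hypothetical key: a long random string the admin writes
// into config.php before uploading, then submits once with the install form.
$expected = isset($config['install_token']) ? (string) $config['install_token'] : '';
$supplied = isset($_POST['token']) ? (string) $_POST['token'] : '';
if ($expected === '' || !hash_equals($expected, $supplied)) {
    http_response_code(403);
    exit('Forbidden.');
}

$pdo = new PDO($config['dsn'], $config['db_user'], $config['db_pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Load the static data shipped with the application.
$lines = file(APP_PRIVATE . '/static.sql', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($lines as $sql) {
    $pdo->exec($sql);
}

// Write the lock last so a failed run can be repeated.
file_put_contents($lock, date('c'));
echo 'Installation complete.';
```

Because `private/` is outside the DocumentRoot, Apache never serves `config.php` directly, so the database credentials are readable only by PHP code that requires the file. Removing `install.php` over FTP after a successful run leaves nothing install-related in the web root.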

 

 
