
Simple PHP app. Advice regarding security.


pixsector


Hi,
- Someone coded a simple PHP application for me. The database name and password are in the db.env file. Is that more or less secure?
- The db.env file is blocked in .htaccess. The second image shows the error when you go to this file.
- The app has one input field (text and numbers only) for adding nicknames.
- Is it possible to somewhat improve this app against malware attacks without major changes?
 

[Image: 0001.jpg]

[Image: 00002.jpg]


Using .env files is best practice, but probably not for the reasons you think. The main reason for them is that people previously had the bad practice of putting credentials directly into source files, which then got stored in source code repositories.

What I would do with your project is move all the files that can be directly called or referenced from "web space" (i.e. within or below the "web root" directory of the web server). What I'm going to describe to you is what pretty much all web projects do these days.

So what I would do here, is create a public folder in your project.

I would then move all the web directories (css, img, js) into it, along with index.html, leaderboardtable.php and word-comparison.php.

The .htaccess should also be in /public.

Note that these changes will break the application, and you will need corresponding changes, including regeneration of the autoload file with composer (assuming that is being used).

The web configuration should then set the webroot to this projectname/public directory.

At that point, you should notice what is no longer in web space:

  • any project files
  • the .env file
  • dot files in the root
  • the /vendor directory

Depending on your web stack, there are additional tweaks you can make that might have some additional security benefits, for example if you are using fcgi/php-fpm or nginx. In those cases, you can use separate users for the PHP code and the web server. But at the very least, moving everything out of "web space" means that you no longer have to try to knock down holes in a .htaccess: users will only be able to directly reference the things you want them to, and there is no way for them to explore web space with a web browser and potentially access a file that is used in your project.
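The restructuring described in this reply, as an added example that is not code from the thread: it assumes a project with the file names mentioned above, builds a throwaway copy of that layout in a temporary directory, moves the web-facing parts into public/, and then checks that nothing sensitive is still under the web root.

```shell
#!/bin/sh
# Added example: rearrange a PHP project so that only browser-facing files
# live under a public/ web root, then verify nothing sensitive remains there.
# The layout is constructed from the file names given in the reply; the real
# project may differ. Credential values below are placeholders.
set -eu

# Build a throwaway copy of the assumed project layout and print its path.
make_sample_project() {
    dir=$(mktemp -d)
    mkdir -p "$dir/css" "$dir/img" "$dir/js" "$dir/vendor"
    for f in index.html leaderboardtable.php word-comparison.php .htaccess; do
        : > "$dir/$f"
    done
    printf 'DB_NAME=placeholder\nDB_PASS=placeholder\n' > "$dir/db.env"
    : > "$dir/vendor/autoload.php"
    : > "$dir/.gitignore"
    echo "$dir"
}

# Move only the web-facing items into public/; everything else stays above it.
relocate_to_public() {
    root=$1
    mkdir -p "$root/public"
    for item in css img js index.html leaderboardtable.php word-comparison.php .htaccess; do
        if [ -e "$root/$item" ]; then
            mv "$root/$item" "$root/public/"
        fi
    done
}

# Count sensitive items reachable under a web root: env files, the vendor
# tree, composer metadata and dot files other than .htaccess. Prints 0 when
# the web root is clean.
check_exposed() {
    webroot=$1
    find "$webroot" \( -name '*.env' -o -name 'vendor' -o -name 'composer.*' \
        -o \( -name '.*' ! -name '.htaccess' \) \) -print | wc -l | tr -d ' '
}
```

Afterwards the server's document root is pointed at the public directory; the relative requires inside the PHP files (vendor/autoload.php, the env loader) still need adjusting by hand, as the reply notes.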
