SirChick Posted November 6, 2007
I was wondering what PHP permissions are all about? Been trying to get my security more tight but don't know how or where to begin. I was told about permissions but I don't really understand them... =/
Link to comment https://forums.phpfreaks.com/topic/76228-solved-php-permissions/
trq Posted November 6, 2007
What exactly do you mean... php permissions?
SirChick Posted November 6, 2007
Well, I asked a friend a while back about security and he said to put the php files into directories so attacks couldn't guess where the php files were. I then later asked on a number of forums to see what the general opinion was about this idea, and in short most said it made no difference so it wasn't worth my effort to put my php files into folders etc. But some people mentioned that php permissions will help with my security. I had never really heard about it and that was the only info I had... so I don't know what php permissions are exactly, but if it helps security I need to learn it. Because I'm at the security stage of development of my site, you see.
revraz Posted November 6, 2007
I think you mean directory permissions.
SirChick Posted November 6, 2007
Well, possibly... all my files are in one place, which is the "htdocs" folder, so I guess I would only need to set one permission on that folder or something? =/ I'm not 100% sure what he meant anyway, but I'm going to assume directory permissions is what he meant.
trq Posted November 6, 2007
What exactly are you trying to achieve? If you change the permissions on the directory your php files are in so they become un-executable, then they will be un-executable. Meaning they will not work.
The way I have my framework set up, the only php script within the web doc root is the front controller. Every other file is outside. This stops people from being able to access the files directly, but even so...
The best way to secure your php files is to make sure you check any data that is sent to them properly. E.g. if you have a php script that expects values passed to it via a form, make sure you check the form sent the variables and that they are valid prior to the script executing. You don't want (for instance) a script attempting to insert data to a database unless it has that data available to it.
SirChick Posted November 6, 2007
> The way I have my framework set up, the only php script within the web doc root is the front controller. Every other file is outside. This stops people from being able to access the files directly, but even so...
Not sure what you mean by "outside". Is the front controller like the front login page?
revraz Posted November 6, 2007
Sounds like he uses Objects and keeps his main object available via the web root and the rest are behind that so you can't even navigate to them if you tried.
SirChick Posted November 6, 2007
So like the connect script would be outside, then have the login pages in a folder like "login" so that you can't access any files in "login" unless you are already logged in to the site?
revraz Posted November 6, 2007
More like this is your host's Webroot structure: /users/b1234/domain/htdocs and htdocs is your folder that holds pages that load if you went to www.domain.com. But from his access, he can put folders and files back one hive and set them in /users/b1234/domain and use absolute paths to get to them, but from a webuser's standpoint, there is no way to navigate before the htdocs folder.
SirChick Posted November 6, 2007
Oh OK, so I just make a directory and put htdocs in at the end of the directory. So just one question: if there's only one folder, why have a directory at all :S? Why not just have it as /htdocs?
trq Posted November 6, 2007
You can't move your web document root unless you're using a VPS or dedicated server. This is usually controlled via your host. I'll ask again in a different way. What benefits do you hope to achieve by having your php files out of reach?
trq Posted November 6, 2007
PS: Most websites will not work with their files outside the web root dir, because clients can no longer reach them. I use a framework which has one access point to the entire process. Thus I have the ability to call scripts from outside of the doc root.
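
The single-access-point layout described in the posts above, as an added example that is not code from any participant in this thread. The `app/pages` directory, the `page` parameter and the route names are assumptions made for illustration; only `index.php` sits inside `htdocs`.

```php
<?php
declare(strict_types=1);

// htdocs/index.php: the only PHP file inside the web document root.
// Assumed layout (constructed for this example, following the paths in the thread):
//   /users/b1234/domain/htdocs/index.php   <- reachable over HTTP
//   /users/b1234/domain/app/pages/*.php    <- not reachable over HTTP
const APP_DIR = __DIR__ . '/../app/pages';

// Explicit allowlist: request names map to files; no path is built from raw input.
const ROUTES = [
    'home'    => 'home.php',
    'login'   => 'login.php',
    'process' => 'process.php',
];

function resolve_page(?string $requested): ?string
{
    $name = $requested ?? 'home';
    if (!array_key_exists($name, ROUTES)) {
        return null;                      // unknown names never touch the filesystem
    }
    $base = realpath(APP_DIR);
    $path = realpath(APP_DIR . '/' . ROUTES[$name]);
    // realpath() returns false for missing files; also confirm the result is under APP_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Only a plain string is accepted; ?page[]=x arrives as an array and is treated as absent.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
$page = resolve_page($requested);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
require $page;                            // the included script still validates its own input
```
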
SirChick Posted November 6, 2007
Well, security increased basically... and to stop people guessing php file names, to avoid them running a script which could cause problems to the game. I was told if it's easy to guess the whereabouts of the php file and its name then attacks can get at them?
trq Posted November 6, 2007
> I was told if it's easy to guess the whereabouts of the php file and its name then attacks can get at them?
This really depends on what the scripts do, but like I said, if you check your scripts are receiving the data they expect from where they expect to receive it you shouldn't have any issues. Moving files outside your docroot is not the solution, but part of a bigger one. Always check your request data.
SirChick Posted November 6, 2007
How can you test to see where they receive it from? I can do the receiving data checks, they're pretty straightforward... if == '' header the page etc. But how can you check where it comes from? Would that require sessions again? Or does $_POST carry some unique ID tag so you know what forms they come from?
marcus Posted November 6, 2007
$_SERVER['HTTP_REFERER'];
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
SirChick Posted November 6, 2007
Doesn't sound great with the end comment about it being trusted... so I had:
form page .php (form goes to process.php)
process .php
Which one needs to have $_SERVER['HTTP_REFERER']; both or just process .php?
trq Posted November 6, 2007
I usually set a $_SESSION var in my forms, then check for that in the processing script.
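
One way to implement the session check described in the post above, together with the request-data validation recommended earlier in the thread, as an added example that is not code from any participant. It goes a step further than a fixed session variable by using a random single-use token per form; the function names, the `transfer` form id and the `amount` field are hypothetical.

```php
<?php
declare(strict_types=1);
// One file stands in for both the form page (GET) and process.php (POST).

function issue_form_token(string $formId): string
{
    // Random per-form value kept server-side; the browser only receives a copy.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$formId] = $token;
    return $token;
}

function check_form_token(string $formId, $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$formId] ?? null;
    unset($_SESSION['form_tokens'][$formId]);       // single use, even on failure
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);      // constant-time comparison
}

function validate_amount($raw): ?int
{
    // Accept only a whole number in the expected range; missing or array input is rejected.
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $n === false ? null : $n;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Processing side: the token proves the form was served to this session.
    // It does not rely on the Referer header, which the client controls.
    $tokenOk = check_form_token('transfer', $_POST['token'] ?? null);
    $amount  = validate_amount($_POST['amount'] ?? null);
    if (!$tokenOk || $amount === null) {
        http_response_code(400);
        exit('Invalid request');
    }
    echo 'Accepted amount: ' . $amount;             // $amount is a checked integer from here on
} else {
    // Form side: embed the token in a hidden field.
    $token = htmlspecialchars(issue_form_token('transfer'), ENT_QUOTES);
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input name="amount"><button>Send</button></form>';
}
```
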
SirChick Posted November 6, 2007
Good idea... I'll have to recode my pages now before I have thousands of them.
This topic is now archived and is closed to further replies.