4

I'm slowly learning PHP, MySQL, along with some HTML, using localhost as my webserver. However, I'm starting to wonder how my .php files are going to be secured if I put this actually on the Internet.

I have a webpage at localhost/app.php that includes a form, some PHP code, and some MySQL queries. The MySQL credential information is located one directory above where app.php is located, but how do I prevent from strangers accessing the contents of app.php, including MySQL data structure, commands I'm using, etc. When you view the source code in a browser, you only see the HTML part of it, but couldn't someone download app.php and look into the actual file if he wanted to?

What's the proper way of constructing the file structure? Links or comments are greatly appreciated! TIA!

Improve this question
0

4 Answers 4

Reset to default
4

Well, if you're using the .php extension, then Apache will serve up the parsed version -- echo and print will output but your variables won't.

If you're still concerned there's a few ways of making your files more secure.

  • Apache aliasing is common -- it lets you have one directory act like it's another. In this case, you'd alias your PHP directory to some directory on your domain. If your file structure is /home/user/my_files/, you might alias my_files to be www.my-domain.com/files. The script would not be accessible there to the requests, but it would be accessible to something on the server.
  • Symbolic links or symlinks can accomplish the same as the above.
  • simply place the config files somewhere else and directly reference them. Generally not a good idea as it is hard-coding file locations, but it is an option.
  • the CodeIgniter method: in your index.php have define( 'IN_APPLICATION', 1 ); in your config files have if( !defined( 'IN_APPLICATION' ) ) die( 'No direct script access allowed' );
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You can shorten it to: <?php defined('IN_APPLICATION') or die('Not allowed');
3

No. the php is parsed if the page is requested over HTTP. The person would have to know a vulnerability in your app, Apache or PHP or have some other access such as FTP.

You can move the files out of your wwwroot and reference them elsewhere. Also, never name your include files as .inc. always name them `.php.

Improve this answer

1 Comment

I have a question about moving files out of the wwwroot (like on folder up on my server). So what are the benefits in doing this, other obviously than making it unavailable to the user?
2

Try to download the .php file on your localhost. You'll find that all you get is HTML code. This is because of how a server works. Here is an example with a php file

  1. Client (usually a web browser) sends a HTTP request to the server, i.e:

    GET /app.php HTTP/1.1

  2. The server takes the request and processes it. In the case of a php file, the server should process the php file into HTML.

  3. The HTML is returned to the client.

If you are using Apache, and want to make sure that the php files are being processed, make sure these rules are in your apache2.conf:

LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
AddType text/html .php

And, just for fun, if you did ever want to expose your php source, add this line to apache2.conf:

AddType application/x-httpd-php-source .phps

To be secure, make sure that your mySQL configuration files and anything else you don't want public are stored outside the directory you are serving up. The apache docs are a great resource for understanding how all this works.

Improve this answer

2 Comments

so it is perfectly acceptable (and normal) to write the app.php file to contain, MySQL queries in PHP and whatnot and have user access it at www.mysite.com/app.php then?
In terms of your concerns, yes. Acceptable and normal is a subjective qualification, and I personally don't like seeing raw MySQL scattered around the main page of an app (its not up to my personal coding standards). I would abstract my queries into a class in another file.
1

While there is not a direct problem with doing this, (many applications do this, and since the source cannot be seen without hacking your site), many applications solve this using a 'frontcontroller'. A frontcontroller is used a lot in MVC structured (Model, View Controller) applications.

A typical structure is like this:

app/ (applications, controllers and views)
lib/ (libraries, generic logic)
config/ (your configurations)
web/ (your webproot, only for css, images, javascript etc.)
web/index.php (your frontcontroller)

By only exposing index.php and placing all php and sensitive files outside of your webroot they will not be accessable for anyone from the web.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.