Recently I've had several people coming to me claiming that their scripts have been 'hacked'. Looking at their source code, and their permissions, I've not been surprised.
Connecting to MySQL from PHP:
Readable passwords:
When you connect to MySQL using mysql_connect(), you may have to specify a password. This instantly presents a security hazard, because you are storing a plaintext password in a file, which is readable by users other than yourself.
Permission problems:
Unfortunately, if PHP is running as an apache module you cannot simply chmod your script to something like 0750 (full permission for 'user', read + execute permission for 'group', and no access for 'other'). Why? Because when apache is run, it should run as an unprivileged user and group (such as 'www'). This means that unless you and apache share the same group, apache won't be able to read your file.
Resolving permission issues:
The solution? Change your script's group to the group that apache runs as (e.g. www). To find out what group apache is running as, make a phpinfo() script, and view it from a browser.
Safe mode:
So now our script's permission is 0750, and its group is 'www' (so that apache can read it). We should be happy, right? No users other than us and apache can read our script, so our passwords should be safe? Unfortunately, we still have one problem. While other users cannot _directly_ access your script, they can still access it from php. Because apache runs as 'www' for _all_ users, any other user on the system can make a php script to read your file and dump the output somewhere. To fix this, you have to turn on safe_mode, and turn off safe_mode_gid in php.ini. This means that only people who own your script can view it from php, even if they're in the same group.
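Here is a small audit script for the two steps above (mode 0750 with the web server's group, and safe_mode On / safe_mode_gid Off in php.ini). It is an added example, not part of the original post; the file names and the group you pass in are assumptions, and it only reports what is wrong, it does not change anything.

```shell
#!/bin/sh
# Check that a PHP script is not readable by "other" and belongs to the
# web server's group, and that php.ini has safe_mode On and safe_mode_gid Off.

# check_script_perms FILE APACHE_GROUP
# returns 0 if FILE has no "other" bits and its group is APACHE_GROUP, else 1
check_script_perms() {
    f="$1"; want_group="$2"; ok=0
    # "ls -ld" prints e.g. "-rwxr-x--- 1 colin www 512 Jan 1 00:00 db.php"
    set -- $(ls -ld "$f")
    mode="$1"; group="$4"
    other=$(printf '%s' "$mode" | cut -c8-10)   # the "other" rwx triplet
    case "$other" in
        ---) ;;
        *) echo "$f: 'other' has permissions ($other); use chmod 0750"; ok=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "$f: group is '$group', not '$want_group'; use chgrp $want_group"
        ok=1
    fi
    return $ok
}

# check_php_ini INI
# returns 0 if safe_mode = On and safe_mode_gid is Off (or unset), else 1
check_php_ini() {
    ini="$1"; ok=0
    # ini_value KEY FILE: value of the last uncommented "key = value" line,
    # with inline ";" comments and surrounding spaces removed, lower-cased
    ini_value() {
        grep -i "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 \
            | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
            | tr 'A-Z' 'a-z'
    }
    if [ "$(ini_value safe_mode "$ini")" != "on" ]; then
        echo "$ini: safe_mode is not On"; ok=1
    fi
    case "$(ini_value safe_mode_gid "$ini")" in
        off|0|"") ;;
        *) echo "$ini: safe_mode_gid must be Off"; ok=1 ;;
    esac
    return $ok
}
```

Run it as `check_script_perms /path/to/db.php www` and `check_php_ini /path/to/php.ini`, substituting the group phpinfo() shows for apache.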
Not totally secure:
This will only work for php. If, for example, apache has a perl module installed on it, then users can simply create a perl script to read your file since perl will also be running as 'www' (assuming it is a module). Hopefully perl and other such languages have similar equivalents to PHP's safe mode to resolve this issue.
Keep it safe:
If your site is hosted on a shared server (which is most likely), then there's often very little you can do to secure your scripts - it's up to your sysadmin to keep the server secure. Unfortunately, they're often fairly lousy at this, so it's good practice to assume that someone is going to find out your MySQL password, and they're going to try and do nasty things with it.
Need to know:
In the army, soldiers are told as little as possible about the background of their mission. It's a need-to-know basis - if they don't need to know it, they aren't told it. Why? So that if they're captured, they can't babble away secret plans and suchlike. Programming is just the same (except without the nuclear bombs, chemical warheads and supersonic fighter jets). If you don't ever need to write to your database, don't give yourself permission to write to the database. If you only need to write to the database (and never read), then don't give yourself enough permissions to read from it. This makes it much harder for the cracker to understand how your site works, and crack it.
Passwords - keep 'em separate:
It's bad practice to keep your cheque book and credit card together, isn't it? If someone steals them, they can copy your signature from your credit card into your cheque book, and forge cheques. Similarly, keep your MySQL password away from your bash/ftp password. If someone finds out your MySQL password, that's annoying enough, but just make sure they can't get your bash password too. My bash password is always totally different from my MySQL password so that if a cracker cracks my database, they still can't get the rest of my account.
Useful resources:
http://uk2.php.net/manual/en/security.intro.php
http://uk2.php.net/manual/en/securit...-injection.php
http://uk2.php.net/manual/en/feature....safe-mode-gid
I'll make another post on SQL injections, and how to prevent them later :-)
--
Please contact me at:
Colin (dot) Horne (at) gmail (dot) com
My blog:
http://colinhorne.blogspot.com