
safe use of php code (hiding stuff well)

Posted: Sat Aug 21, 2010 1:29 pm
by t45418
Hi,

This may seem like a really simple question but I am unsure what steps I need to take to properly secure my php code on the website I am currently building. I am using php and mysql to build a database driven website. Now certain bits of code need to be inaccessible by anyone using the site, such as the username and password used to connect to the database.

I was trying to see what should be used to do this (had ideas about using the 'require' function to call on files from a path not available from the internet) and noticed that php doesn't show at all in the IE 8 view source.

Is php hidden in some way?

I am wondering if I am missing something really important and would be glad of any info or advice anyone is able to offer as I don't want to leave something out in the open which shouldn't be and have problems :(

Re: safe use of php code (hiding stuff well)

Posted: Sat Aug 21, 2010 1:50 pm
by josh
If the server is properly configured you need not do anything special. It's not like HTML where they can view the source, because PHP is something that executes *on* the server, and in turn generates HTML which in turn gets sent. So only the *output* from your script should be sent over the wire.

However, if your system administrator goofs up and uninstalls PHP, it will be treated as .txt, and the source will be sent. So it is advisable to write code in classes (php.net/class) that live outside of the document root:

/public_html/index.php <-- All requests go here via Apache's "mod_rewrite" (SEO URLs)
/modules/login/login.php <-- depending on what the user's request is, some file outside the public_html is included.

As for MySQL, make sure that user has only the necessary permissions. If your app needs read only access, only make a read only user. Change the passwords frequently. MySQL can also be locked down to only allow connections from localhost. Security depends on more than one thing and I think you will be fine with your .php scripts, just don't go writing any bank software this early on ;-)
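
The layout described in the reply above, sketched as an added example that is not part of the original thread: a single front controller inside the document root that includes modules and database credentials from directories the web server does not serve. The `route` parameter, the `profile` module and the `/config/db.php` file are assumptions made for illustration.

```php
<?php
// /public_html/index.php -- the only PHP file inside the document root.
// Modules and credentials live one level up, so if PHP stops being executed
// the server can leak at most this file's source, never the password.
declare(strict_types=1);

// Directory above public_html (assumed layout: /modules and /config beside it).
define('APP_ROOT', dirname(__DIR__));

// Allow-list of route => module file. The request value is only ever used as
// an array key, never concatenated into a path, so "../" input resolves to
// nothing instead of to an arbitrary file.
const ROUTES = [
    'login'   => '/modules/login/login.php',
    'profile' => '/modules/profile/profile.php',   // hypothetical module
];

function resolve_module(string $route): ?string
{
    if (!array_key_exists($route, ROUTES)) {
        return null;                                // unknown route
    }
    $path = APP_ROOT . ROUTES[$route];
    return is_file($path) ? $path : null;           // listed but not deployed
}

// Assumption: mod_rewrite passes the requested page as ?route=...
$route = (isset($_GET['route']) && is_string($_GET['route']))
    ? $_GET['route']
    : 'login';

$module = resolve_module($route);
if ($module === null) {
    http_response_code(404);
    exit('Not found');
}

// Hypothetical /config/db.php contains only:
//   <?php return ['dsn' => '...', 'user' => '...', 'pass' => '...'];
// and should name the least-privileged MySQL account the site can run with.
$db  = require APP_ROOT . '/config/db.php';
$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

require $module;   // the module uses $pdo; its source is never web-reachable
```

With `display_errors` turned off in production, a failed `new PDO(...)` call is logged on the server instead of printing connection details to the visitor.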

Re: safe use of php code (hiding stuff well)

Posted: Sat Aug 21, 2010 1:57 pm
by t45418
Thanks. That makes it a lot clearer :D