PHP code hide

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


yesjesh
Forum Newbie
Posts: 1
Joined: Fri Aug 14, 2009 4:40 pm

PHP code hide

Post by yesjesh »

Is there any way to hide PHP code from the address bar and status bar?
Some people are taking the code from the status bar and trying to hack the site, which shows some freakin' MySQL error.
Please help me with how to secure the PHP code. I am not a rookie, but not a professional programmer.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP code hide

Post by jackpf »

Secure what code?
swhistlesoft
Forum Newbie
Posts: 9
Joined: Fri Aug 14, 2009 10:53 pm
Location: Ontario

Re: PHP code hide

Post by swhistlesoft »

I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting (but keep it logging to file on the server).

If you are referring to the script names "i.e. login.php" and people are identifying them as php scripts and attacking your site with say sql injection, etc. then one possible solution is to make use of modRewrite in htaccess. You can use it to rewrite the URL:

i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login

If you provide a little more information, we might be able to help you out further.

Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP code hide

Post by kaisellgren »

yesjesh wrote:Is there any way to hide PHP code from the address bar and status bar?
Some people are taking the code from the status bar and trying to hack the site, which shows some freakin' MySQL error.
Please help me with how to secure the PHP code. I am not a rookie, but not a professional programmer.
If you are trying to hide something, forget it. That is a doomed solution. You need to take care of the actual problem that I am not fully understanding here.
swhistlesoft wrote:I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting.
I don't agree. Error and warning messages should not be hidden. They must be handled.
swhistlesoft wrote:If you are referring to the script names "i.e. login.php" and people are identifying them as php scripts and attacking your site with say sql injection, etc. then one possible solution is to make use of modRewrite in htaccess. You can use it to rewrite the URL:

i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login
Which achieves nothing really. Now they can use subdomain.com/login to attack login.php as the server automatically rewrites it. :roll:
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP code hide

Post by jackpf »

Tbh, it sounds like you're not escaping user supplied data in mysql queries.
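The problem jackpf is pointing at, as an added example that is not code from anyone in this thread: a query that pastes a request value into the SQL text next to the same lookup done with a prepared statement. The table `users(id, name)` and the connection details are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table users(id INT, name VARCHAR);
// host, database, user and password are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions the app can handle
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Vulnerable: the request value becomes part of the SQL text, so the client controls
// where the string literal ends. This is the pattern that ends with a raw MySQL error
// on the page when the query breaks.
function findUserVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, name FROM users WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the statement text is fixed at prepare time and the value is sent separately
// as a typed parameter, so it can never change the structure of the query.
function findUser(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {            // reject anything that is not a plain integer id
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with a request parameter: the raw value never touches the SQL text.
$user = findUser($pdo, $_GET['id'] ?? '');
```

With `ERRMODE_EXCEPTION` a broken query throws a `PDOException` instead of silently returning `false`, which is what lets the error be caught and logged rather than leaking MySQL's message into the response.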
juma929
Forum Commoner
Posts: 72
Joined: Wed Jun 17, 2009 9:41 am

Re: PHP code hide

Post by juma929 »

Hello,

Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
kaisellgren wrote:I don't agree. Error and warning messages should not be hidden. They must be handled.
I agree with what you are saying here; however, I believe both must be done. Errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over. However, I don't believe that PHP errors or MySQL (or any other database) errors should EVER be displayed, and error reports must at most be logged in a secure file.

Custom error handlers and messages must be provided for the user.

Thanks :)
tictac3
Forum Newbie
Posts: 2
Joined: Sat Aug 22, 2009 3:35 pm

Re: PHP code hide

Post by tictac3 »

Great! Thanks for sharing the info.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: PHP code hide

Post by John Cartwright »

juma929 wrote:Hello,

Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
kaisellgren wrote:I don't agree. Error and warning messages should not be hidden. They must be handled.
I agree with what you are saying here; however, I believe both must be done. Errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over. However, I don't believe that PHP errors or MySQL (or any other database) errors should EVER be displayed, and error reports must at most be logged in a secure file.

Custom error handlers and messages must be provided for the user.

Thanks :)
There seems to be some confusion between disabling errors and displaying them. You should never disable error reporting; however, in a live environment you should set display_errors to false. Like you pointed out, they should be handled gracefully.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP code hide

Post by kaisellgren »

What I do is show error messages such as "There was a problem with your upload. Please try again later." and give the full details to those (admins) who have sufficient rights to see them. I also provide an option for the admin to encrypt important error messages.
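The two pieces of advice above, John Cartwright's (keep reporting on, turn display off, log to a file) and kaisellgren's (a generic message for users, full details only for admins), combined into one bootstrap file. This is an added example, not code from either poster; the log path and the `currentUserIsAdmin()` helper are assumptions standing in for the application's own.

```php
<?php
// Added example, not from the thread. Put this at the top of the front controller.
error_reporting(E_ALL);                               // report everything...
ini_set('display_errors', '0');                       // ...but never render it to the browser
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-errors.log');  // assumed path, outside the web root

// Hypothetical authorization check; replace with the application's real one.
function currentUserIsAdmin(): bool
{
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

// Turn PHP warnings and notices into exceptions so a single code path handles them.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // silenced with @, fall back to PHP's default handling
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// One place where every unhandled exception (including a PDOException carrying
// MySQL's error text) is turned into a response.
set_exception_handler(function (Throwable $e): void {
    // A random reference links what the user sees to the log line, without revealing details.
    $reference = bin2hex(random_bytes(6));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $reference, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));

    http_response_code(500);
    header('Content-Type: text/html; charset=utf-8');

    // Everyone gets the generic message plus the reference to quote to support.
    echo '<p>There was a problem processing your request. Please try again later. (ref '
        . htmlspecialchars($reference, ENT_QUOTES, 'UTF-8') . ')</p>';

    // Only administrators see the actual details, HTML-escaped.
    if (currentUserIsAdmin()) {
        echo '<pre>' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
});

// Demonstration: a deliberately misspelled query raises a PDOException, which the handler
// above logs; the MySQL error text reaches the log and the admin view, never the public page.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->query('SELEC 1');
```

The `display_errors`/`log_errors` pair is the configuration point from John Cartwright's post; the exception handler is where the "generic message for users, details for admins" split from kaisellgren's post is implemented. If the database is unreachable the connection itself throws, and the same handler deals with that.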