
PHP code hide

Posted: Fri Aug 14, 2009 4:45 pm
by yesjesh
Is there any way to hide PHP code from the address bar and status bar?
Some people are taking the code from the status bar and trying to hack the site, showing some freaking MySQL error.
Please help me secure the PHP code. I am not a rookie, but not a professional programmer.

Re: PHP code hide

Posted: Fri Aug 14, 2009 6:44 pm
by jackpf
Secure what code?

Re: PHP code hide

Posted: Fri Aug 14, 2009 11:49 pm
by swhistlesoft
I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting (but keep it logging to file on the server).

If you are referring to the script names "i.e. login.php" and people are identifying them as PHP scripts and attacking your site with, say, SQL injection, etc., then one possible solution is to make use of mod_rewrite in .htaccess. You can use it to rewrite the URL:

i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login

If you provide a little more information, we might be able to help you out further.

Thanks

Re: PHP code hide

Posted: Sat Aug 15, 2009 2:45 am
by kaisellgren
yesjesh wrote: Is there any way to hide PHP code from the address bar and status bar?
Some people are taking the code from the status bar and trying to hack the site, showing some freaking MySQL error.
Please help me secure the PHP code. I am not a rookie, but not a professional programmer.
If you are trying to hide something, forget it. That is a doomed solution. You need to take care of the actual problem that I am not fully understanding here.
swhistlesoft wrote:I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting.
I don't agree. Error and warning messages should not be hidden. They must be handled.
swhistlesoft wrote: If you are referring to the script names "i.e. login.php" and people are identifying them as PHP scripts and attacking your site with, say, SQL injection, etc., then one possible solution is to make use of mod_rewrite in .htaccess. You can use it to rewrite the URL:

i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login
Which achieves nothing really. Now they can use subdomain.com/login to attack login.php as the server automatically rewrites it. :roll:

Re: PHP code hide

Posted: Sat Aug 15, 2009 6:19 am
by jackpf
Tbh, it sounds like you're not escaping user supplied data in mysql queries.

Re: PHP code hide

Posted: Thu Aug 20, 2009 8:38 am
by juma929
Hello,

Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
I don't agree. Error and warning messages should not be hidden. They must be handled.
I agree with what you are saying here; however, I believe both must be done. Errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over. However, I don't believe that PHP errors or MySQL (or any other database) errors should EVER be displayed, and error reports must at most be logged in a secure file.

Custom error handlers and messages must be provided for the user.

Thanks :)

Re: PHP code hide

Posted: Sun Aug 23, 2009 3:41 pm
by tictac3
Great! Thanks for sharing the info.

Re: PHP code hide

Posted: Sun Aug 23, 2009 4:07 pm
by John Cartwright
juma929 wrote:Hello,

Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
I don't agree. Error and warning messages should not be hidden. They must be handled.
I agree with what you are saying here; however, I believe both must be done. Errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over. However, I don't believe that PHP errors or MySQL (or any other database) errors should EVER be displayed, and error reports must at most be logged in a secure file.

Custom error handlers and messages must be provided for the user.

Thanks :)
There seems to be some confusion about disabling the errors and displaying them. You should never disable error reporting; however, in a live environment you should set display_errors to false. Like you pointed out, they should be handled gracefully.

Re: PHP code hide

Posted: Sun Aug 30, 2009 1:18 am
by kaisellgren
What I do is that I show error messages such as "There was a problem with your upload. Please try again later." and give the full details to those (admins) who have the sufficient rights to see them. I also provide an option for the admin to encrypt important error messages.
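
The two fixes the thread converges on, combined in one added example that is not code from any poster: error reporting stays on while display is off and details go to a log, and user input reaches the database only as a bound parameter. The `find_user` function, the `users` table, the log path and the in-memory SQLite database (a stand-in for MySQL so the script runs offline) are assumptions made for illustration.

```php
<?php
// Added example; find_user, the users table and the log path are hypothetical.

// Report everything, show nothing to the visitor, log to a file on the server.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Constructed path; in production keep the log outside the web root.
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log');

// Last-resort handler: full detail goes to the log, the visitor gets a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "There was a problem with your request. Please try again later.\n";
});

// Constructed stand-in for the MySQL database; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");

// User input is bound as a parameter, never concatenated into the SQL text.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A normal lookup.
var_dump(find_user($pdo, 'alice'));

// A name containing a quote would break a concatenated query and surface a
// database error; as a bound parameter it is just a value that matches no row.
var_dump(find_user($pdo, "O'Brien"));

// A genuine database failure (constructed: missing table) throws, and the
// handler above logs the detail while the visitor sees only the generic text.
$pdo->query('SELECT * FROM no_such_table');
```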