WINDOWS vs UNIX

Posted: Sat Oct 23, 2010 1:13 pm
by baroche
Hello All
Please, I am new to PHP and have used it to build a really good site that uses HTML, CSS, PHP, JavaScript and jQuery. I am very happy with the dynamic site, which is driven by PHP pages. I have the following security concerns:

After some research, I found that I could protect the browsing of my web files by using php redirects or by .htaccess.

My site will be hosted by GoDaddy on a Windows server. I am concerned about preventing hackers from browsing my file structure. I put an index.php in every folder to redirect web browser window access to my folders - now, instead of getting a "broken-link" error from my hosting company, attempts to browse any folder, e.g. http://www.mysite.org/assets/images/ - would redirect users back to the home page. This was done to prevent casual snooping.

QUESTION (1): Does Windows provide a secure enough server or should I really request hosting on a Unix or Linux server? I tried putting .htaccess files in my root directory, but it appears that this may only be relevant for Unix servers.

QUESTION (2): Should I really be using CHMOD on a Unix server to secure access to folders and files?

(*) I don't want anyone to be able to browse my folders and I want to prevent access to my php files for example:

Anyone can go to my site right now and type http://www.mysite.org/includes/connection.php - and the file will execute a connection to my database! I refuse to upload my site to such an unprotected environment, but QUESTION (3): How do I prevent this type of access to my programs? connection.php is a file which connects to a MySQL database that drives my page content, navigation etc.

Please, what do I do? I am such a newbie in these matters. Can anyone help with my three questions?

Thanks

Re: WINDOWS vs UNIX

Posted: Sat Oct 23, 2010 2:44 pm
by John Cartwright
Generally you want to put all "protected" files outside your document root, so nobody from the internets can directly access them.

Otherwise, you've got 2 more schools of thought.

1) As you've already been doing, you can use .htaccess to deny access. On this note, .htaccess is not dependent on your server OS, but your webserver, i.e., Apache (and not IIS). I suspect you're using IIS on your Windows box, which would break since IIS does not support it. There are however alternatives such as ISAPI_Rewrite.

2) Create a file which has a define and include this file on every file you want available to the public. Then on files that you expect to only be included in your scripts, i.e., never accessed directly, check for this constant to exist, and if it does not, then exit()
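
Option 2 as a runnable sketch, added here as an example and not code posted in the thread. The constant name `IN_SITE`, the file names and the placeholder DSN are assumptions; both files are constructed in a temp directory and each is run in its own PHP process, the way separate web requests would be.

```php
<?php
// Added example; IN_SITE and all file names are hypothetical. Both files are
// constructed in a temp directory so the script runs offline from the CLI.
$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir("$dir/includes", 0700, true);

// Public entry point: defines the constant before including anything.
file_put_contents("$dir/index.php", <<<'CODE'
<?php
define('IN_SITE', true);
require __DIR__ . '/includes/connection.php';
echo "included normally, DSN is $dsn\n";
CODE
);

// Include-only file: stops before doing any work if requested directly.
file_put_contents("$dir/includes/connection.php", <<<'CODE'
<?php
if (!defined('IN_SITE')) {
    http_response_code(403);
    exit("direct access refused\n");
}
$dsn = 'mysql:host=localhost;dbname=example'; // placeholder, nothing connects
CODE
);

// Run a script in a fresh PHP process, as a separate web request would be.
function runAsRequest(string $script): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($script);
    return (string) shell_exec($cmd);
}

echo 'GET /index.php               -> ', runAsRequest("$dir/index.php");
echo 'GET /includes/connection.php -> ', runAsRequest("$dir/includes/connection.php");

// Remove the constructed files.
unlink("$dir/includes/connection.php");
unlink("$dir/index.php");
rmdir("$dir/includes");
rmdir($dir);
```

The guard has to be the first statement in every include-only file, and it only stops execution; a file kept outside the document root cannot be requested in the first place.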

Re: WINDOWS vs UNIX

Posted: Sun Oct 24, 2010 1:37 am
by Zyxist
The files not supposed to be viewed from the browser (i.e. library scripts included from index.php) should be placed outside the web server public directory.

Second question -> for some reasons, most of the servers are based on Unix-like operating systems. I'm not an expert in server editions of Windows, which may differ significantly in critical areas from the personal ones, but nothing will change the fact that this is a "magic" system, because that's its nature. If everything works, it's OK, but when it stops... In the security area, Unix servers are very configurable - there is a wide variety of distributions with different policies, optimizations towards servers etc. The ordinary security subsystem is often enough for private servers, but if you need more, you can always install and configure tools such as SELinux, which greatly improve it.

Re: WINDOWS vs UNIX

Posted: Sun Oct 24, 2010 7:02 am
by baroche
Thanks for the help, guys! John, I see how your suggestion in (2) would work to create a variable and check for it in each program.

My web host GoDaddy has simply given me a root directory where all my files and folders are placed - with this in mind, regarding your comment and that echoed by Zyxist:
John Cartwright wrote: Generally you want to put all "protected" files outside your document root, so nobody from the internets can directly access them.

Where are these protected areas or how do I create them? All I have is a root directory in which all my subdirectories are placed - the public can browse all of these files and folders so I have to protect them in some way. Does your suggestion above refer only to those with their own servers? I have asked my host for private folders or areas the public cannot access, but I have been told that there are no private folders. I'm a bit confused?? If there are private directories this would solve my problems, I think.

Thanks for any help.

Re: WINDOWS vs UNIX

Posted: Sun Oct 24, 2010 7:16 am
by s.dot
baroche, on most shared hosting setups I've encountered there's a public_html/ or httpdocs/ folder that contains all folders that are accessible to the public.

Everything a level (or more) up from them is private.

Re: WINDOWS vs UNIX

Posted: Sun Oct 24, 2010 8:12 am
by Eran
Correct, what s.dot is referring to is called the "document root". Everything in the document root folder is accessible through HTTP requests (unless you deny it specifically). Web hosts usually give you one directory level above the document root to use as general storage that is not accessible directly.

Re: WINDOWS vs UNIX

Posted: Mon Oct 25, 2010 2:21 am
by baroche
Thanks Guys! I got it!

There are directories higher up than my "public_html" for example:

/home/username/public_html/....

I did not know this! Thanks for the help!
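
A check for the layout the thread arrives at, added here as an example and not code from any of the posts: it walks a document root and reports every PHP file that can still be requested by URL, and whether it carries an include guard. The guard constant `IN_SITE`, the `private/` directory name, the entry-point list and the whole tree are constructed assumptions.

```php
<?php
// Added example; IN_SITE, the entry-point list and the tree are constructed.
const GUARD_CHECK = "defined('IN_SITE')"; // hypothetical guard constant

// Classify every .php file under $docroot: all of them can be requested by URL.
function auditDocroot(string $docroot, array $entryPoints): array
{
    $docroot = rtrim(str_replace('\\', '/', (string) realpath($docroot)), '/');
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    $report = [];
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = str_replace('\\', '/', $file->getPathname());
        $rel  = ltrim(substr($path, strlen($docroot)), '/');
        if (in_array($rel, $entryPoints, true)) {
            $report[$rel] = 'entry point (meant to be public)';
            continue;
        }
        // Only the start of the file matters: the guard must run first.
        $head = (string) file_get_contents($path, false, null, 0, 512);
        $report[$rel] = strpos($head, GUARD_CHECK) !== false
            ? 'guarded'
            : 'EXPOSED: runs when requested directly';
    }
    ksort($report);
    return $report;
}

// Constructed tree mirroring /home/username/public_html from the thread.
$home = sys_get_temp_dir() . '/home_username_' . getmypid();
mkdir("$home/public_html/includes", 0700, true);
mkdir("$home/private", 0700, true);
$tree = [
    'public_html/index.php'               => "<?php\ndefine('IN_SITE', true);\n",
    'public_html/includes/header.php'     => "<?php\nif (!defined('IN_SITE')) { exit; }\n",
    'public_html/includes/connection.php' => "<?php\n// connects on load\n",
    'private/connection.php'              => "<?php\n// above the docroot\n",
];
foreach ($tree as $rel => $body) {
    file_put_contents("$home/$rel", $body);
}
foreach (auditDocroot("$home/public_html", ['index.php']) as $rel => $status) {
    printf("/%-26s %s\n", $rel, $status);
}
```

The copy under `private/` never appears in the report because it sits one level above the document root; the constructed tree is left in the system temp directory for inspection.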