The best way of implementing a PHP application

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

beckbapegeneral
Forum Newbie
Posts: 19
Joined: Mon May 08, 2006 8:59 pm


Post by beckbapegeneral »

Hi everyone, I am a .NET programmer here and now I am trying to learn PHP. In .NET, to ensure security in the application, we code the program on a 3-tier basis. But in PHP, how do you all actually do the coding in order to provide security, not allow external users to view your coding :?:
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Set up the server correctly and the script code won't be available to anyone but the administrators.
beckbapegeneral
Forum Newbie
Posts: 19
Joined: Mon May 08, 2006 8:59 pm

Post by beckbapegeneral »

May I know what that means? Pardon me for asking so much. Just trying to learn more.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

PHP scripts are processed on the server with their output being sent to the browser requesting it. The code that is inside the script is not available for the browser to see unless you allow it or use file extensions that aren't automatically handled by PHP's interpreter. For instance, if you saved a script as foo.inc and PHP only knew to process .php files, foo.inc's code would be accessible to a user's browser request. This is all assuming a fairly vanilla install of many things.
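
The foo.inc case described in the post above can be audited on a server. The following PHP CLI script is an added example, not part of the original thread; the function `findExposedPhpSource`, the constant `HANDLED_EXTENSIONS` and the sample web root are hypothetical, and it assumes only `.php` is mapped to the interpreter.

```php
<?php
// Added example: list files under a web root that contain PHP code but whose
// extension the interpreter does not handle, so the server sends them as text.

// Assumption: only these extensions are mapped to the PHP handler on this server.
const HANDLED_EXTENSIONS = ['php'];

/** Return paths (relative to $webRoot) of files whose PHP source would be served verbatim. */
function findExposedPhpSource(string $webRoot, array $handled = HANDLED_EXTENSIONS): array
{
    $webRoot = rtrim($webRoot, '/\\');
    $exposed = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        if (in_array(strtolower($file->getExtension()), $handled, true)) {
            continue; // the interpreter runs these; only their output is sent
        }
        // Read the first 64 KiB; an opening tag marks PHP source.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 65536);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $exposed[] = substr($file->getPathname(), strlen($webRoot) + 1);
        }
    }
    sort($exposed);
    return $exposed;
}

// Constructed sample web root so the script runs offline.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/index.php', "<?php require 'includes/foo.inc'; ?>\n<html></html>\n");
file_put_contents($root . '/includes/foo.inc', "<?php \$dbPassword = 'constructed-sample';\n");
file_put_contents($root . '/style.css', "body { margin: 0; }\n");

foreach (findExposedPhpSource($root) as $path) {
    echo "served as source: $path\n";
}
```

Files it reports should be renamed to a handled extension, moved outside the web root, or denied by the server configuration.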
beckbapegeneral
Forum Newbie
Posts: 19
Joined: Mon May 08, 2006 8:59 pm

Post by beckbapegeneral »

OK, I see. So you mean to say that .php scripts are stored on the server. But I thought that when doing PHP programming, we are coding the PHP programming language in the HTML file, just that we are naming it as .php?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A PHP script file can include HTML, yes, but the PHP code itself will not be transmitted with it. Instead, the output of that PHP code will be intermixed with the HTML based on where you laid the PHP.
beckbapegeneral
Forum Newbie
Posts: 19
Joined: Mon May 08, 2006 8:59 pm

Post by beckbapegeneral »

OK, now I understand. Thanks a lot for the guidance, Modermonkey :D
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: The best way of implementing a PHP application

Post by Christopher »

beckbapegeneral wrote: to ensure security in the application, we code the program on a 3-tier basis. But in PHP, how do you all actually do the coding in order to provide security, not allow external users to view your coding :?:
The 3-tier architecture is less for security than to provide clear dependencies. In PHP you can implement a 3-tier architecture if you wish, but you need to provide your own discipline.

As feyd says, a properly configured server is the first step in security. Inside the application, probably the most important things in web applications (.NET or PHP) are to filter and validate all untrusted input and to filter and/or escape all untrusted data that you output.
(#10850)