I've been reading an article on php security but I still have the following questions:
1) should I place my connect file (for php scripts) somewhere other than public html?
2) is it normal that users can access files if they know the exact name when I have set index as forbidden?
3) my htaccess file has some ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]
I didn't paste the whole ban list, but my question is: is there something I should include in my htaccess to prevent attacks?
4) what files should be placed in public html and what shouldn't?
5) do password protected directories actually work? and when should they be used?
6) I am already validating my users using sessions, stripping slashes/html characters, and encrypting passwords. Should I be doing anything else?
7) any general suggestions on how to secure my files/web server?
Securing files

RobertGonzalez (Site Administrator; joined Tue Sep 09, 2003; Fremont, CA, USA) wrote:

Re: Securing files
evropa wrote:
> I've been reading an article on php security but I still have the following questions:
> 1) should I place my connect file (for php scripts) somewhere other than public html?

Yes, place it in your server/virtual server root, one level up from public_html.

evropa wrote:
> 2) is it normal that users can access files if they know the exact name when I have set index as forbidden?

You might want to change permissions of a file at the file level (maybe to 000), but that would make it essentially unusable.

evropa wrote:
> 3) my htaccess file has some ban list which looks like the following:
> RewriteEngine On
> RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
> RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
> RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
> RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
> RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
> RewriteRule ^.* - [F,L]
> I didn't paste the whole ban list, but my question is: is there something I should include in my htaccess to prevent attacks?

It takes work, but I think even .htaccess files are susceptible to attack. I could be wrong about this though.

evropa wrote:
> 4) what files should be placed in public html and what shouldn't?

Any files you want the general public to be able to access.

evropa wrote:
> 5) do password protected directories actually work? and when should they be used?

If you are talking about .htaccess protection, it is a fair, but very annoying, way to protect a directory. What are you trying to protect?

evropa wrote:
> 6) I am already validating my users using sessions, stripping slashes/html characters, and encrypting passwords. Should I be doing anything else?

Dude, this is a question with implications far beyond this little thread. I would take a look at googling 'Securing protecting <insert_server_OS_here>'. On another note, I would also suggest developing with security in mind. There are a lot of little things you can do in your code to make files and directories unreadable.

evropa wrote:
> 7) any general suggestions on how to secure my files/web server?

See the previous response.
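As an added example that is not part of the thread, here is a defensive .htaccess for a public_html directory that addresses questions 2 through 5 above. It assumes Apache 2.4 (the `Require` syntax) and an AllowOverride setting that permits Options, FileInfo and AuthConfig overrides; the file paths are placeholders.

```apache
# Added example, not from the original thread.
# Assumes Apache 2.4+ and AllowOverride Options FileInfo AuthConfig.

# Question 2: "Options -Indexes" only hides the directory listing. A
# request that names a file directly is still served, so files that must
# not be served need an explicit deny (below) or must live outside
# public_html, as the reply to question 1 says.
Options -Indexes

# Question 4: only files meant for the public belong in public_html.
# For include/config/backup files that have to stay inside it, deny
# direct requests by name. Dotfiles (e.g. .htaccess, .git) are covered
# by the leading "^\." alternative.
<FilesMatch "(^\.|\.(inc|sql|bak|log|ini|orig|swp)$)">
    Require all denied
</FilesMatch>

# Question 5: HTTP Basic auth works, but only over HTTPS is it more than
# a speed bump, and the password file must sit outside public_html.
# Create it with:  htpasswd -c /home/example/private/admin-users alice
# (placeholder path). Put these four lines in a separate .htaccess
# inside the protected sub-directory, e.g. public_html/admin/.htaccess:
#   AuthType Basic
#   AuthName "Admin"
#   AuthUserFile /home/example/private/admin-users
#   Require valid-user

# Question 3: the User-Agent header is chosen by the client, so a ban
# list like the one in the post is noise reduction, not access control.
# Keeping it is harmless, but it should not be the only protection.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw
RewriteRule ^.* - [F,L]
```

Test the deny rules from the server itself, for example with `curl -I http://localhost/config.inc`, which should return 403 before the file is relied upon.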