directory structure..

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am


Post by SirChick »

Hey guys,

What are the advantages of putting PHP scripts in folders and sub-folders in terms of security? I know it helps for knowing where everything is and it's neater, but is there any difference in terms of security?

And also, if it does help security, should the directories be difficult to guess so that attacks won't happen, or something?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The security involved depends entirely on the permissions set on the directories involved. PHP doesn't care beyond "do I have permission to access this?"
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

How do I deal with permissions? I've not known how to do it :S

Cos I have all my files in one folder named htdocs. I didn't separate them all; I find it easier that way =/
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

1) Protect scripts from outside access by removing read/write access - not very practical unless you have direct control over the system.

2) Use .htaccess to protect files - again, not very practical unless you plan on password-protecting scripts.

3) Store scripts outside the docroot. Not practical again unless.


Each of these solutions will prevent your scripts from being directly accessed by the outside world, some better than others - favour the latter; it's the most fail-safe.

What do you mean by scripts? As in classes, includes, etc., or executable scripts, as in index.php, etc.?

If the latter, you will likely have to use option #2 above or implement your own access control into each script. The latter here is what is most common.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

Ummm, I'm not sure. Hang on, I'll give you an example of what the problem is:

Say I have a form which updates a user's money to +1000.

Now say the form was "moneyprocess.php",

but moneyprocess.php should only run if the user presses a certain button within a form on the "bank.php" script.

Now say the user decided to change the URL so it has http://www.bleh.com/moneyprocess.php, then entered it. The script would run rather than jumping out, because the user should have come from the bank.php form rather than just going to it by URL...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You need to set up tokens and switch to an interaction model that only has one, or very few, points of interaction.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

What do you mean tokens?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Tokens: single use identifiers generated for a specific request that only work for the page they were intended to be sent to.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

Never seen a tutorial on that. Or is it not an actual built-in function?

Do you mean like set a session, then check in the process if the session was made?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Search the forums for it. The concept has been talked about a fair bit. Some recently, too.
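The tokens feyd describes (single-use, bound to the page they are meant for) are a standard PHP pattern, and they answer SirChick's "set a session then check it" question: the secret lives in the session, but it is random, tied to one target script, and destroyed on first use. Below is an added example written for this thread, not code from any of the posters; it assumes PHP 7+ (`random_bytes`, `hash_equals`) and the script names bank.php / moneyprocess.php from the question.

```php
<?php
// Added example: single-use form tokens bound to a target script.
// Constructed for this thread; assumes PHP 7+ and a working session.
declare(strict_types=1);

// bank.php side: mint a token that only moneyprocess.php will accept.
function issue_token(string $target): string
{
    $token = bin2hex(random_bytes(32));
    // Keyed by target so a token minted for one script cannot be replayed against another.
    $_SESSION['tokens'][$target] = ['value' => $token, 'issued' => time()];
    return $token;
}

// moneyprocess.php side: verify the token and consume it (single use).
function consume_token(string $target, ?string $submitted, int $maxAge = 600): bool
{
    $stored = $_SESSION['tokens'][$target] ?? null;
    // Always remove it: a failed attempt must not leave a reusable token behind.
    unset($_SESSION['tokens'][$target]);
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;   // stale token; the user has to load bank.php again
    }
    // Constant-time comparison; a plain == would also be open to type juggling.
    return hash_equals($stored['value'], $submitted);
}

// What bank.php renders: the token rides along as a hidden field.
function render_bank_form(): string
{
    $token = htmlspecialchars(issue_token('moneyprocess.php'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="moneyprocess.php">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Deposit 1000</button></form>';
}

// What moneyprocess.php does before touching the balance.
function request_came_from_bank_form(): bool
{
    return $_SERVER['REQUEST_METHOD'] === 'POST'
        && consume_token('moneyprocess.php', $_POST['token'] ?? null);
}

session_start();
if (!request_came_from_bank_form()) {
    http_response_code(403);
    exit('Request did not come from the bank form.');
}
// ... only now update the user's money.
```

Someone who types moneyprocess.php straight into the address bar sends no token (and a GET), so the check fails before any balance changes; resubmitting an old form fails too, because the token was consumed on first use.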