How do I secure my php website when using a hosting service?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

XanderG
Forum Newbie
Posts: 3
Joined: Sun Sep 14, 2008 4:20 pm
Location: Scotland

How do I secure my php website when using a hosting service?

Post by XanderG »

Hi all,

I am new to php & I've never used a commercial hosting service before and I was hoping someone could either help me or point me to some tutorials which will show me how to secure my php website once it's hosted on a commercial web hosting service. Also, if anyone can suggest a good low cost web hosting service which includes php and MySQL databases I would be very grateful.

My php website is a very simple app which just displays content from a MySQL db, it also allows me to update content to an events web page on my site.

I don't want anyone to be able to download my php pages or view my MySQL db login details which the site uses to execute select queries to display content when a user browses to the site.

I would be very grateful of any help.

Thanks in advance,

Xander
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How do I secure my php website when using a hosting service?

Post by Mordred »

Web security is a huge topic, your question is way too broad. If you need a quick solution, I suggest hiring a pen-tester. Otherwise - read security books, mailing lists, sites, blogs until you know enough about security to evaluate your own code and ask specific questions.

And nothing personal, but experience shows that if one starts worrying about security after the code is written, then there's definitely something to worry about :)
XanderG
Forum Newbie
Posts: 3
Joined: Sun Sep 14, 2008 4:20 pm
Location: Scotland

Re: How do I secure my php website when using a hosting service?

Post by XanderG »

Nothing personal but if you had read the question properly you would have realized that I'm not talking about the security of my app.

I tested my app's security in the dev environment and it is good, but that is very different from a commercial hosting company env. From just looking around at the commercial hosting options available online you don't seem to have anywhere near the control over the apache/MySQL apps that you would in your own local env.

I tested a package with a commercial hosting company at the weekend and I was able to download my php files and view my db login details. There didn't seem to be a way to change the security options.

So, my question is... how do I secure my app once it has been put on to a commercial hosting company? Any useful help would be very much appreciated.

Xander.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How do I secure my php website when using a hosting service?

Post by Mordred »

Fair enough, I hadn't understood you properly.
Then again, pen-testing may also cover the server setup :)

Try this for some obvious pitfalls: http://phpsec.org/projects/phpsecinfo/
As for the security of the hosting itself, it's again too broad a topic - it depends on the os and various servers and their configurations.
XanderG wrote:... and I was able to download my php files and view my db login details.

How did you manage this? Are you sure it's the hoster's fault?

I'm not sure about what "control" you need in the hosting env, an example? If the company doesn't allow something you need, just move away to someone who does.
XanderG
Forum Newbie
Posts: 3
Joined: Sun Sep 14, 2008 4:20 pm
Location: Scotland

Re: How do I secure my php website when using a hosting service?

Post by XanderG »

Yeah that was my question basically, in my home testing environment I can setup the apache server, php software and MySQL db just the way I want them to be very secure but when I buy some web space and deploy my site into a hosting company servers I don't think I will have the same control.

That's why I was looking for someone to offer some advice or point me to some resources which can help show me how to stop people viewing my folder structure on a hosting company's site. If I can stop this, I can stop people being able to "save as..." in a web browser and saving my .php files. I want to do this as I have a config.php file which stores my db login details (including username, password, db name). The username in the file only has 'SELECT' permission set in my MySQL db, but I still don't want users knowing this info, so I also need to know how to hide this file from people viewing my site.

My php code uses the select permission username to select content from my db and display it in my webpage.

Any help is much appreciated,

Thanks in advance...

Xander
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: How do I secure my php website when using a hosting service?

Post by alex.barylski »

Depends on who you host your application with.

Just like quality source code...not every host is created equally. Most shared hosts are not configured for security but ease of implementation.

PHP is typically run as user apache/nobody or similar. This is what makes shared hosting so nasty.

Really on a shared host you have nothing to do except keep an eye on your site and report any wrongdoings by other users of that host ASAP. If you want tighter security switch to a dedicated host where you have complete control.

You should (at a minimum) make sure you have not missed any SQL injection opportunities AND make sure you cannot remotely include PHP files.

<?php
  $incfile = $_GET['module']; // attacker controls this value completely
  include($incfile); // Bad idea unless you make sure you sanitize that incoming GPC data really well
                     // (with allow_url_include on this pulls in a remote URL; otherwise any file PHP can read)
 
  echo 'Do something more';
Probably the two most frequent attacks which hosting companies care about.
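A hardened version of the module-include pattern shown in this post, added here as an example (it is not code from the post or its author): the request parameter is only ever used as a key into a fixed allow-list, so no user-supplied string becomes a file path, and the resolved path is additionally checked to lie inside the modules directory. The modules/ directory and the module names are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the same "module" dispatch,
// rewritten so user input never becomes a file path.
// Assumes a modules/ directory next to this script that contains the
// allow-listed files; the names below are constructed for illustration.
declare(strict_types=1);

// Allow-list: request key => file on disk. Anything else is rejected outright.
const MODULES = [
    'home'   => 'home.php',
    'events' => 'events.php',
    'about'  => 'about.php',
];

/**
 * Map the requested module name to an absolute path inside $baseDir,
 * or return null when the name is not in the allow-list.
 */
function resolveModule(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, MODULES)) {
        return null;                       // unknown name: nothing is included
    }
    $real = realpath($baseDir . '/' . MODULES[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: even an allow-listed entry must resolve to a file
    // below the modules directory (guards against a mis-edited MODULES table).
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$requested  = (string) ($_GET['module'] ?? 'home');
$modulePath = resolveModule($requested, __DIR__ . '/modules');

if ($modulePath === null) {
    http_response_code(404);               // reject, and do not echo the bad value back
    echo 'Unknown module';
    exit;
}

include $modulePath;
echo 'Do something more';
```

The important property is that `$_GET['module']` is compared against known keys and then discarded; the string from the request is never concatenated into the path, so `../`, `php://` wrappers or remote URLs have nothing to act on.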
Haravikk
Forum Newbie
Posts: 6
Joined: Thu Sep 18, 2008 7:12 am

Re: How do I secure my php website when using a hosting service?

Post by Haravikk »

XanderG wrote:That's why I was looking for someone to offer some advice or point me to some resources which can help show me how to stop people viewing my folder structure on a hosting company's site.

Easiest way to do this is to make sure every folder either has an index.php or index.html file inside it; you can use dummy (empty) documents and it will prevent it.
You can also set strict permissions on folders so they are not world-readable, most FTP programs give you simplified permission controls that make this fairly easy, but you need to find out what user your php scripts run as so you can make sure they still have access to resources they need.

However, I've never encountered this "exploit" before as you describe it; a properly configured apache host should not allow non-FTP users to get at the contents of a PHP script. Basically when apache opens any resource it looks up behaviour based on type, and PHP by default should be configured to execute when opened, so if anyone did right-click -> "Save As" then all they would get is the data your PHP script outputs, not the contents of the script itself.
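An added example, not code from this post or its author: a small self-check script that tests the three things discussed so far on a shared host, namely that the config.php holding the database credentials sits outside the document root (so a misconfigured or non-executing PHP handler can never serve it raw), that it is not world-readable by other accounts on the same server, and that every directory under the web root carries an index.php or index.html so no listing is ever shown. It also connects with those credentials and reads the account's own grants to confirm it really is SELECT-only. The ~/private/config.php location, the shape of the returned config array and the sample values are assumptions.

```php
<?php
// Added example (not from the thread). Deployment self-check for a shared host.
// Assumed layout:  /home/user/public_html          (document root)
//                  /home/user/private/config.php   (credentials, outside the root)
// config.php is assumed to `return` an array such as
//   ['host' => 'localhost', 'user' => 'site_ro', 'pass' => 'secret', 'db' => 'site']
declare(strict_types=1);

/**
 * Problems with the credentials file; an empty array means it is outside
 * the web root and not readable by other accounts on the box.
 */
function checkConfigFile(string $configPath, string $docRoot): array
{
    $problems = [];
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false) {
        return ["config file not found: $configPath"];
    }
    // Anything below the document root can be requested by URL; if PHP is not
    // executed for it (handler misconfiguration, a backup copy like config.php~)
    // the source, credentials included, is sent to the browser.
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = "config file is inside the document root: $real";
    }
    // Other customers' scripts may run as a different user; "other" read bit
    // set means every one of them can read the password.
    $mode = fileperms($real) & 0777;
    if (($mode & 0004) !== 0) {
        $problems[] = sprintf('config file is world-readable (mode %04o)', $mode);
    }
    return $problems;
}

/**
 * Directories under the document root with neither index.php nor index.html,
 * i.e. where Apache would show a listing if "Options Indexes" is in effect.
 */
function dirsWithoutIndex(string $docRoot): array
{
    $dirs = [$docRoot];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }
    return array_values(array_filter($dirs, function (string $dir): bool {
        return !is_file("$dir/index.php") && !is_file("$dir/index.html");
    }));
}

/**
 * Connect with the site credentials and return every grant line that goes
 * beyond USAGE (login only) or SELECT; an empty array means SELECT-only.
 */
function nonSelectGrants(array $config): array
{
    $pdo = new PDO(
        "mysql:host={$config['host']};dbname={$config['db']};charset=utf8mb4",
        $config['user'],
        $config['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    $tooMuch = [];
    foreach ($pdo->query('SHOW GRANTS FOR CURRENT_USER()') as $row) {
        $grant = (string) reset($row);
        // "GRANT USAGE ON *.*" is the bare login grant; "GRANT SELECT ON `site`.*" is the goal.
        // "GRANT ALL PRIVILEGES ..." or "GRANT SELECT, INSERT ..." do not match and are reported.
        if (!preg_match('/^GRANT (USAGE|SELECT) ON /i', $grant)) {
            $tooMuch[] = $grant;
        }
    }
    return $tooMuch;
}

// --- run the checks: php deploy-check.php (paths below are assumptions) ---
$docRoot    = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$configPath = dirname($docRoot) . '/private/config.php';

$report = checkConfigFile($configPath, $docRoot);
foreach (dirsWithoutIndex($docRoot) as $dir) {
    $report[] = "directory without index file: $dir";
}
if (is_file($configPath)) {
    try {
        foreach (nonSelectGrants(require $configPath) as $grant) {
            $report[] = "DB user has more than SELECT: $grant";
        }
    } catch (PDOException $e) {
        $report[] = 'could not verify grants: ' . $e->getMessage();
    }
}
echo $report ? implode("\n", $report) . "\n" : "all checks passed\n";
```

Run it from the shell account (or once via the browser, then delete it) after each deployment; a clean run means the credentials file cannot be fetched by URL even if the host ever stops executing PHP for that path, and the SELECT-only account limits what a leaked password could do.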
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: How do I secure my php website when using a hosting service?

Post by Maugrim_The_Reaper »

As to securing commercial hosting, the best thing you could do is sit down and outline the risks you see. Often they are pretty obvious and written about elsewhere in detail.

The main ones tend towards:

- Access control
- PHP/MySQL/Apache versions
- Control over configuration
- Control over installation/compilation
- Apache user account grouping
- Uptime rating

Noting these are the main ones - and from my perspective at least. There are others but it would be a long list and not strictly essential to basic security.

You really have three broad options for hosting. Shared Hosting, User Controlled Shared Hosting, and Virtual Private Servers. Each differs in the level of control over the hosting environment you can have.

The least secure is Shared Hosting - Apache runs under a user account common to the other shared users, which creates a common security risk. Sometimes the provider will offer Apache running under your user account, which removes most of that risk, but not always (might be shared groups). This is the preferable option.

User Controlled Shared Hosting is quite rare but the whole PHP4 vs PHP5 problem has led to an uptake in availability - it's identical to shared hosting except you do have the option of compiling limited things to your own preferences. So you could compile PHP, Python and other libraries/extensions but need to keep the global version of Apache and MySQL. This adds a few benefits like being able to run the latest PHP, extensions, PEAR and even setup opcode caching which is generally impossible otherwise. Nearly always, Apache will run only under your username and separation from other accounts is very strict. The downside is that compilation is required - you can't avail of a Linux package manager. It also doesn't solve the performance issues of sharing resources with other accounts on the same server.

Virtual Private Servers (VPS) are the last step before you enter dedicated hosting. Basically it's getting a guaranteed slice of a dedicated server's RAM and CPU capacity in a virtualised instance of Linux you can customise to your heart's content. The downside is that it's usually a blank slate - you have to install and then maintain everything yourself. Usually this isn't a big deal if you're already Linux trained - a good package manager and common sense do wonders. The other downside is that it's more expensive, generally, and support for server problems is almost non-existent since you're responsible for all non-location maintenance. The upside is that you have dedicated resources no other virtual server can steal from you.

My 2c - I won't reiterate all the security risks/checks from others.
phpeace-net
Forum Newbie
Posts: 1
Joined: Sun Sep 21, 2008 10:15 pm
Location: WA, seattle

Re: How do I secure my php website when using a hosting service?

Post by phpeace-net »

Is this the same thing as the https://?
Instead of http://
That is what I am looking for.
Thanks.