WINDOWS vs UNIX

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

baroche
Forum Newbie
Posts: 3
Joined: Wed Oct 13, 2010 2:57 pm

WINDOWS vs UNIX

Post by baroche »

Hello All
Please, I am new to PHP and have used it to build a really good site that uses HTML, CSS, PHP, JavaScript and jQuery. I am very happy with the dynamic site, which is driven by PHP pages. I have the following security concerns:

After some research, I found that I could protect the browsing of my web files by using php redirects or by .htaccess.

My site will be hosted by GoDaddy on a Windows server. I am concerned about preventing hackers from browsing my file structure. I put an index.php in every folder to redirect web browser access to my folders. Now, instead of getting a "broken link" error from my hosting company, attempts to browse any folder, e.g. http://www.mysite.org/assets/images/, redirect users back to the home page. This was done to prevent casual snooping.

QUESTION (1): Does Windows provide a secure enough server or should I really request hosting on a Unix or Linux server? I tried putting .htaccess files in my root directory, but it appears that this may only be relevant for Unix servers. QUESTION (2): Should I really be using CHMOD on Unix server to secure access to folders and files?

(*) I don't want anyone to be able to browse my folders and I want to prevent access to my php files for example:

Anyone can go to my site right now and type http://www.mysite.org/includes/connection.php, and the file will execute a connection to my database! I refuse to upload my site to such an unprotected environment, but QUESTION (3): How do I prevent this type of access to my programs? connection.php is a file which connects to a MySQL database that drives my page content, navigation, etc.

Please, what do I do? I am such a newbie in these matters. Can anyone help with my three questions?

Thanks
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: WINDOWS vs UNIX

Post by John Cartwright »

Generally you want to put all "protected" files outside your document root, so nobody from the internets can directly access them.

Otherwise, you've got two more schools of thought.

1) As you've already been doing, you can use .htaccess to deny access. On this note, .htaccess is not dependent on your server OS, but on your webserver, i.e., Apache (and not IIS). I suspect you're using IIS on your Windows box, which would break since IIS does not support it. There are however alternatives such as ISAPI_Rewrite.

2) Create a file which has a define and include this file on every file you want available to the public. Then on files that you expect to only be included in your scripts, i.e., never accessed directly, check for this constant to exist, and if it does not, then exit().
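As an added illustration of option 2 (this is example code, not something posted in the thread), here is a public entry point that defines a marker constant before including a library file, and a library file that refuses to run when the constant is absent. The file names follow the original poster's layout; the constant name IN_SITE and the DSN/credentials are placeholders.

```php
<?php
// ---- public_html/index.php (added example) ----
// The entry script is the only place the marker constant is defined.
// A request that hits includes/connection.php directly never executes
// this line, so the constant is missing there.
define('IN_SITE', true);

require __DIR__ . '/includes/connection.php';

echo "page rendered; \$pdo is available to the rest of the script\n";

// ---- public_html/includes/connection.php (added example) ----
// Guard clause: bail out early, before any credentials or queries appear,
// if this file was requested directly instead of being included.
if (!defined('IN_SITE')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// Only reached when included from a script that defined IN_SITE.
// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

The guard stops the script from running on a direct request, but it does not protect the source itself: if the server ever mis-handles .php files (for example after a PHP handler misconfiguration) and serves them as plain text, the credentials in connection.php would still be exposed. That is why the first suggestion, keeping such files outside the document root, remains the stronger control, with the constant check as a second layer.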
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: WINDOWS vs UNIX

Post by Zyxist »

The files not supposed to be viewed from the browser (i.e. library scripts included from index.php) should be placed outside the web server public directory.

Second question -> for some reason, most of the servers are based on Unix-like operating systems. I'm not an expert in server editions of Windows, which may differ significantly in critical areas from the personal ones, but nothing will change the fact that this is a "magic" system, because that's its nature. If everything works, it's OK, but when it stops... In the security area, Unix servers are very configurable: there is a wide variety of distributions with different policies, optimizations towards servers, etc. The ordinary security subsystem is often enough for private servers, but if you need more, you can always install and configure such tools as SELinux, which greatly improves it.
baroche
Forum Newbie
Posts: 3
Joined: Wed Oct 13, 2010 2:57 pm

Re: WINDOWS vs UNIX

Post by baroche »

Thanks for the help, guys! John, I see how your suggestion in (2) would work to create a variable and check for it in each program.

My web host GoDaddy has simply given me a root directory where all my files and folders are placed. With this in mind, regarding your comment and that echoed by Zyxist:
John Cartwright wrote:Generally you want to put all "protected" files outside your document root, so nobody from the internets can directly access them.

Where are these protected areas, or how do I create them? All I have is a root directory in which all my subdirectories are placed. The public can browse all of these files and folders, so I have to protect them in some way. Does your suggestion above refer only to those with their own servers? I have asked my host for private folders or areas the public cannot access, but I have been told that there are no private folders. I'm a bit confused. If there are private directories this would solve my problems, I think.

Thanks for any help.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: WINDOWS vs UNIX

Post by s.dot »

baroche, on most shared hosting setups I've encountered there's a public_html/ or httpdocs/ folder that contains all folders that are accessible to the public.

Everything a level (or more) up from them is private.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: WINDOWS vs UNIX

Post by Eran »

Correct, what s.dot is referring to is called the "document root". Everything in the document root folder is accessible through HTTP requests (unless you deny it specifically). Web hosts usually give you one directory level above the document root to use as general storage that is not accessible directly.
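As an added example (not code from any of the posters), here is how a script inside the document root can include a library file that lives one level above it, together with a check that the private directory really is outside the document root. The layout /home/username/private/includes/connection.php is assumed; on a real host the parent directory name will differ.

```php
<?php
// public_html/index.php (added example)
// Assumed layout, one level above the document root:
//   /home/username/public_html/index.php        <- this file, web-reachable
//   /home/username/private/includes/connection.php <- not web-reachable
//
// dirname(__DIR__) is the parent of the directory this file sits in,
// i.e. /home/username, so no absolute path needs to be hard-coded.
$privateDir = dirname(__DIR__) . '/private';

/**
 * True when $path resolves to a location that is not inside $docRoot.
 * Both paths are canonicalised with realpath() so that symlinks and
 * "../" segments cannot make a directory look private when it is not.
 */
function isOutsideDocumentRoot(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        // Unresolvable paths are treated as unsafe rather than silently passed.
        return false;
    }
    $rootWithSlash = rtrim($root, '/') . '/';
    // $real is inside the root if it starts with the root prefix.
    return strpos($real . '/', $rootWithSlash) !== 0;
}

// Refuse to continue if the hosting layout is not what we assumed;
// a typo in the path could otherwise fall back to a web-reachable copy.
if (!isOutsideDocumentRoot($privateDir, $_SERVER['DOCUMENT_ROOT'])) {
    http_response_code(500);
    exit('private directory is inside the document root; aborting');
}

require $privateDir . '/includes/connection.php';

echo "connection loaded from outside the document root\n";
```

With this layout a request for http://www.mysite.org/includes/connection.php simply returns 404, because there is no such file under public_html; only index.php, which the web server is meant to run, can reach the private copy through the filesystem.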
baroche
Forum Newbie
Posts: 3
Joined: Wed Oct 13, 2010 2:57 pm

Re: WINDOWS vs UNIX

Post by baroche »

Thanks Guys! I got it!

There are directories higher up than my "public_html" for example:

/home/username/public_html/....

I did not know this! Thanks for the help!