Securing files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


evropa
Forum Newbie
Posts: 3
Joined: Sun Nov 06, 2005 2:22 pm

Securing files

Post by evropa »

I've been reading an article on PHP security but I still have the following questions:

1) Should I place my connect file (for PHP scripts) somewhere other than public html?

2) Is it normal that users can access files if they know the exact name when I have set index as forbidden?

3) My .htaccess file has a ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]

I didn't paste the whole ban list, but my question is: is there something I should include in my .htaccess to prevent attacks?

4) What files should be placed in public html and what shouldn't?

5) Do password-protected directories actually work? And when should they be used?

6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?

7) Any general suggestions on how to secure my files/web server?
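The points behind questions 2, 3 and 5 above, as an added .htaccess example that is not from the original post. It assumes Apache 2.4 with mod_rewrite and mod_authn_file loaded, an AllowOverride that permits Options, FileInfo and AuthConfig, and the hypothetical paths /home/evropa/public_html and /home/evropa/.htpasswd.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_rewrite and
# mod_authn_file loaded, AllowOverride permitting Options, FileInfo and
# AuthConfig, and the hypothetical paths /home/evropa/public_html and
# /home/evropa/.htpasswd.

# --- public_html/.htaccess ---

# Question 2: "Options -Indexes" only suppresses the directory listing; any
# file whose name is known is still served. The real fix is to keep includes
# and config outside public_html; for anything that must stay inside, deny it
# by name so a direct request gets a 403 instead of the file contents.
Options -Indexes
<FilesMatch "\.(inc|sql|bak|log|old)$">
    Require all denied
</FilesMatch>

# Question 3: the ban list works, but match case-insensitively ([NC]) so that
# a changed capitalisation does not slip past, and escape regex metacharacters
# such as the dot. User-Agent is client-supplied and trivially forged, so this
# reduces noise from lazy scrapers; it is not an access control.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [NC]
RewriteRule ^.* - [F,L]

# --- public_html/admin/.htaccess ---

# Question 5: HTTP Basic auth does work, but the browser resends the
# base64-encoded credentials with every request, so it is only worth using
# over HTTPS. It suits a small admin area or a staging site, not per-user
# application logins. Create the password file outside the web root with:
#   htpasswd -c /home/evropa/.htpasswd admin
AuthType Basic
AuthName "Admin area"
AuthUserFile /home/evropa/.htpasswd
Require valid-user
```

The two sections are separate files: the first lives in public_html, the second inside the directory being protected. Test the FilesMatch rule by requesting a known .inc file by name and checking for a 403; test the ban by sending a lowercase user agent with curl, which the original [OR]-only list would have let through.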
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Securing files

Post by RobertGonzalez »

evropa wrote:I've been reading an article on PHP security but I still have the following questions:

1) Should I place my connect file (for PHP scripts) somewhere other than public html?
Yes, place it in your server/virtual server root, one level up from public_html.
evropa wrote:2) Is it normal that users can access files if they know the exact name when I have set index as forbidden?
You might want to change permissions of a file at the file level (maybe to 000), but that would make it essentially unusable.
evropa wrote:3) My .htaccess file has a ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]

I didn't paste the whole ban list, but my question is: is there something I should include in my .htaccess to prevent attacks?
It takes work, but I think even .htaccess files are susceptible to attack. I could be wrong about this though.
evropa wrote:4) What files should be placed in public html and what shouldn't?
Any files you want the general public to be able to access.
evropa wrote:5) Do password-protected directories actually work? And when should they be used?
If you are talking about .htaccess protection, it is a fair, but very annoying, way to protect a directory. What are you trying to protect?
evropa wrote:6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?
Dude, this is a question with implications far beyond this little thread. I would take a look at googling 'Securing protecting <insert_server_OS_here>'. On another note, I would also suggest developing with security in mind. There are a lot of little things you can do in your code to make files and directories unreadable.
evropa wrote:7) Any general suggestions on how to secure my files/web server?
See the previous response.
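An added PHP example, not code from either poster, for the practices behind questions 1 and 6: loading the connect file from one level above public_html, storing a one-way password hash rather than an encrypted password, and using bound parameters plus output escaping instead of stripping slashes and HTML characters on input. It assumes PHP 7.4 or later with PDO, a users table with username and password_hash columns, and the hypothetical layout /home/evropa/public_html/login.php with credentials in /home/evropa/config/db.php.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ with PDO, a users
// table (username, password_hash), and the hypothetical layout
//   /home/evropa/public_html/login.php   (this file)
//   /home/evropa/config/db.php           (credentials, outside the web root)
declare(strict_types=1);

session_start();

// 1. Keep credentials outside the document root. require() reads any file the
//    PHP process can read, but the web server cannot serve it by URL, so a
//    guessed file name returns nothing. config/db.php just returns an array:
//    <?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => 'secret'];
$config = require dirname(__DIR__) . '/config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// 2. Passwords are hashed (salted, slow, one-way), never encrypted: nothing
//    on the server can turn the stored value back into the password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// 3. Bound parameters replace addslashes()/stripslashes(): the input is never
//    spliced into the SQL text, so quoting cannot change the query.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id on login so a pre-set (fixated) id is not promoted.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// 4. Escape at output time, for the context the value lands in, instead of
//    stripping characters on input: the stored data stays intact and every
//    HTML-significant character is neutralised where it matters.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'Welcome, ' . h($_SESSION['user']) : 'Login failed';
}
```

The directory split is the point of question 1: only login.php sits under public_html, while db.php is reachable by the PHP include path but not by any URL. For question 6, the checks to add are that the users table really stores password_hash output (a 60-character bcrypt string by default) and that a username such as `' OR 1=1 --` produces a failed login rather than a database error.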