Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I am developing an ERP application.
Next month I will recruit 2 employees, developers.
The application consists of two parts:
The core of the system
modules.
Is there a way to "protect" the core of the system for a possible theft from new employees? I do not want to see my codes with competitors in a few months (risk exists).
I thought to limit access via FTP, SVN work, etc.. but thinking about it, I found that the developer has always a way to know the core of the system files (a simple display php directory) or execute a script that will rename the. php. txt to be able to download it...
Encoding the core with Ioncube will be suffisant ?
Other solution ?
This is really a legal and not a programming matter. You should have them sign non-disclosure and non-competition agreements and call it a day - coming up with unneccessarily complex solutions is really unneccessary.
I thought to limit access via FTP, SVN work, etc.. but thinking about it, I found that the developer has always a way to know the core of the system files or execute a script that will rename the. php. txt to be able to download it...
Obviously. Realise that any security invented by a human can be circumvented by another. You still should impose such restrictions - if they do gain access to the application core, you may need to prove that this could only be possible by intentionally circumventing security measures.
To be blunt, always give employees the access they need to do their job, but never more than that.
Related
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Not much ago I upgraded to a dedicated server, and I order to make it more cost efficient for me, I decided rent some space on the server to people I know (friends, family). Some of the people I know have some other guy that is in charge of the website development, and I want to protect myself from an unauthorized access to my, or any of the other guys I rented to.
One of the cases which concerns me the most is PHP getting access to other users or me by accessing ../ from their root.
For instance, they could do something like this: foreach(glob('../*/*.*') as $some_file){unlink($some_file);} which would delete all the files from a sibling user.
How do I avoid people from doing this sort of things?
This sounds like an issue that can be resolved through system administration.
Edit your php.ini file, restricting the values in open_basedir
Make sure your users are assigned to different groups
chmod your home directories og-wx (e.g. 744, 740, 700, etc...)
Run multiple instances of apache server, possibly under different users/groups
It really depends on how much effort you want to put into it and how robust the security needs to be.
http://www.php.net/manual/en/ini.core.php#ini.open-basedir
http://wiki.apache.org/httpd/RunningMultipleApacheInstances
You should consider dctrucker post on permissions and make sure the apache process if you are running php with mod_php or the php processes if you are running it on fast-cgi dont have the permissions to change permissions. I wouldnt advice the base_opendir approach if security is your concern because then one can just use ini_set to override it (so if using that approach you should disable ini_set as well ).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I do quite large project for a client and I would like (somehow) to secure code form event that mid dishonest client was not going to pay me for the work. :)
The contract is written that the project must provide application with a sources.
So far I mostly been writing in .NET where I was protecting myself against such an eventuality in way that I was creating class witch get POST some parameters with shutdown application. This class was thrown into a dll witch was already compiled, so no one could change the source.
Is there a similar possibility in PHP? I can do the same thing (as in .NET case) but clever customers with access to PHP can find above class and I just cut it.
Maybe it is some other way to secure myself?
Suturing of the database also eliminated for similar reasons as above.
PHP is an interpreted language; as a result, it doesn't compile your code. Your best bet is to stick with .NET, where you can compile the functional part of the application into a .dll, or use Java and compile it into a bytecode.
PHP wasn't built for compiling.
What you can do is probably host the application on your server till the client has made a payment, and then upload it to the client's server.
Or you can make it downloadable from your server (only after payment), along with configuration scripts that is configurable by anyone with a few clicks of the button; something similar to the way some of the PHP frameworks (e.g. WordPress) work.
You can protect your code with Zend Guard (http://www.zend.com/en/products/guard/).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I'm sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don't understand what's going on because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic thru Google Analytics. I have a contact form, and it does need to be beefed up security wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.
It is very possible for a hacker to upload files through a PHP site. I've seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn't very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities, If you're using a database, SQL Injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file, or writing a file. Don't count on stripping a GET parameter, don't count on regexing it clean, just don't do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don't use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there than will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page
Does the form have an upload function? Do you check file types etc? Could easily upload a PHP shell(c99, c100) and alter whats on your account.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I'm in need of some sort of software based way to reserve the use of a couple machines. There about 5 different machines used in a lab that are shared among everybody but people need to schedule the days/times they want to use these machines. This is currently handled with pen/paper and you need to physically walk place to place to see when they're free and available for sign-up. I've been tasked with moving this system to a private webserver that currently runs an installation of mediawiki.
I've looked for extensions for mediawiki itself, but I couldn't find any kind of scheduler/planner/queue system that is premade that allows users to reserve a time frame/day to use machine. Additionally it would be nice if anyone could sign up but users were restricted from removing others from the queue(which is why a traditional calendar software with the honor system wouldn't exactly work). The solution doesn't need to be embedded within medawiki itself but must be able to be hosted off of a webserver, do you guys have any suggestions on how I can approach this? The best I can come up with is to buckle down and write my own php/django based site to handle this(I'm not very experienced with either). While I do have time I want to make sure there isn't something available I missed before dedicating my time to writing a custom application, and would appreciate anyone who could help.
While I've not used this:
phpscheduleit
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I am trying to create a blog using blogspot. It seems it is not possible to upload anything other than image files to blogspot. I want to upload a PHP file. I managed to upload the file to google sites, but it is coming as downloadable there instead of executing.
Is there a work-around here other than buying my own server space?
Is there a work-around here other than buying my own server space?
Nope. You can upload PHP files to those services all you want, but you'll never have them executed.
Buying your own server space is usually the best way to go.
There are free hosting offers around but I know of none that is any good, except maybe for the Google App Engine that is free up to a (very generous) traffic limit, in combination with Quercus. That, however, is a very specialized solution, going to be a lot of work to even get started with, doesn't support all modules of PHP, and something rather for professional applications.
But you could simply pay some cheap hosting for PHP, and move your stuff to wordpress.
There's hundred of hostings out there for as low as $1.99 a month, and with that you can host as many PHP files as you like.
Alternatively, you could stick to blogspot, and when you want to use PHP, you can just link to your other server (the one hosting PHP).