Create folder from server to client in intranet using php - php

I have a server and I need to create a folder on the client's side and store a file for security purpose.
Is it possible? Please let me know. Thank you.

The server cannot have this level of interaction with the client. So it's not possible from PHP for sure.
It might be possible with JavaScript, and I'm not even sure there's a reliable way to do it there, because browsers are normally not allowed to touch the file systems.

With PHP it's not possible. PHP runs on the server. For this you need a program that has enough rights on your system, and it must run on the client side: a Java applet or Flash with enough system rights.
But I think it's not the best way.

For "security purpose", PHP does not and will never allow this sort of interaction with a computer. You can download files and then the person can put it in the folder, that way the user has knowledge they even have the file on their computer, otherwise there is no way unless using Java (with the correct rights of course)

Related

How to protect PHP from the public?

So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?
What permission settings should pages be set to, if there is PHP script that must execute on load but that I don't want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles on the web. Here is one: http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

How to protect my source code when deployed?

Is there a way to encrypt or enclose my code on my Linux server after deployment? I know Zend does some kind of encryption, right? Is that what people use? Is this even possible? How do I go about keeping my code secure online?
You are right, you can use Zend Encoder, Ion Cube or something like Source Guardian to encrypt your source code.
It's not really needed unless you are giving away your code and don't want people to steal it though.
What is it about your server that you think is insecure?
Periodically check the open ports on your server.
Do not trust the data coming from the browser - verify it and validate it.
Periodically do an audit of the processes on your machine and who can access them
Only have files in the document root that should be accessible by the outside world. Include files etc should not exist here
Check the log files periodically to check for suspect access.
For PHP errors/warnings - find a mechanism that does not give the client (browser) any info about what has gone wrong. Send that to yourself. This is true for MySQL as well.
If the file-system on your server has been compromised, then all is already lost. The best you can do is restrict folders, which are writable by web-server's user.
Also keep the application code outside the DOCUMENT_ROOT. Only the files you actually intend to show the user, or which would not show any sensitive information, should be publicly available: like an index.php file which contains an include of ../app/bootstrap.php.
You could use Zend Guard, but this would impact the owner of the code. You might not always be the one maintaining it.
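A front controller that combines two of the points above (no error details sent to the browser, application code outside the document root), as an added example that is not part of the original answers. The directory layout and the wording of the error message are assumptions.

```php
<?php
// public/index.php: the only PHP file inside the document root.
// Assumed layout for this example:
//   /var/www/site/public/index.php   <- DOCUMENT_ROOT is /var/www/site/public
//   /var/www/site/app/bootstrap.php  <- application code, not reachable by URL
declare(strict_types=1);

ini_set('display_errors', '0');   // never render errors into the response
ini_set('log_errors', '1');       // keep them in the server-side log instead
error_reporting(E_ALL);

// Turn warnings and notices into exceptions so one handler covers everything.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    // Random reference so a user report can be matched to the log entry.
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s in %s:%d', $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    // The browser gets no message text, file name or stack trace.
    echo "Something went wrong. Reference: $ref\n";
});

// If the web server ever serves this file as plain text, all it reveals is
// the path of a file that cannot be requested over HTTP.
$bootstrap = dirname(__DIR__) . '/app/bootstrap.php';
if (!is_file($bootstrap)) {
    throw new RuntimeException("bootstrap missing: $bootstrap");
}
require $bootstrap;
```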

PHP exec() function - post extended

Thanks to all of you for patiently answering my question "About exec() function in PHP"; it has given me an idea of how this works and so on. Lots of them pointed out the syntax error; my pardon, I forgot to include the quotes.
Actually, I have got a requirement: in normal conditions the customer has the .exe file, which he normally needs to run from the command prompt, where he needs to include the path for the license and config files manually, so that the application is valid for installation.
Now he wants a PHP script where he will enter the web page with his valid login details and, with the click of a link, he should be able to run the .exe file to install the software on his machine. Including the license and config file is my job, which I have been working on; on the other hand, I am still not clear whether it is really possible to run the .exe file on the client's machine when the script runs on the remote PHP server. What can be the other alternatives to accomplish this? Can anyone clear my doubts?
You cannot run anything on the client machine from a PHP script running on the server. It's impossible. What you can do is create an archive (e.g. ZIP) that contains the executable file, the license file and the configuration. Then you can offer this archive to the user as download. After extracting the archive on his machine he then would be able to execute the application.
Other possibilities to execute something on the client machine would be a Java applet or a Flash application. Those are subject to a lot of security restrictions though.
Alternative:
1. Save settings to file
2. Compact program to archive with setting file && license
3. Download archive
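The three steps above as one script, added here as an example and not taken from any of the answers. The file locations, the session key `customer_id`, the setting name and the archive member names are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical locations outside the document root (assumptions of this example).
const INSTALLER = __DIR__ . '/../private/setup.exe';
const LICENSE_DIR = __DIR__ . '/../private/licenses';

// Step 1: settings to INI text; CR/LF and quotes are stripped so a value cannot add lines.
function buildIni(array $settings): string
{
    $out = '';
    foreach ($settings as $key => $value) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $key)) { continue; }
        $value = str_replace(["\r", "\n", '"'], '', (string) $value);
        $out .= "$key=\"$value\"\r\n";
    }
    return $out;
}

// Step 2: pack installer, license and config into a temporary ZIP.
function buildBundle(string $customerId, array $settings): string
{
    // The id becomes part of a file name, so allowlist it first.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $customerId)) {
        throw new InvalidArgumentException('invalid customer id');
    }
    $license = LICENSE_DIR . "/$customerId.lic";
    if (!is_file(INSTALLER) || !is_file($license)) {
        throw new RuntimeException('installer or license missing');
    }
    $zipPath = tempnam(sys_get_temp_dir(), 'bundle');
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException('cannot create archive');
    }
    $zip->addFile(INSTALLER, 'setup.exe');
    $zip->addFile($license, 'license.lic');
    $zip->addFromString('config.ini', buildIni($settings));
    $zip->close();
    return $zipPath;
}

// Step 3: offer the archive as a download to the logged-in customer only.
session_start();
if (empty($_SESSION['customer_id'])) { http_response_code(403); exit; }
$zipPath = buildBundle((string) $_SESSION['customer_id'], ['server' => 'licensing.example.com']);
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="install-bundle.zip"');
header('Content-Length: ' . filesize($zipPath));
readfile($zipPath);
unlink($zipPath);
```

The customer still has to extract the archive and start the installer himself; the server only delivers the files.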
PHP is on the server, the server generates HTML/JS/CSS. The PHP process ends before the web page is displayed to the user.
There's no way, and a VERY VERY good reason why this can not or will never be able to be done.
And why would you want to run an .exe file on someone's computer other than malicious reasons?
You're on the Web, sell subscription, what licensing are you talking about?
There is no way to actually execute a program on the client machine directly from PHP. The best you can hope to achieve is to provide a download for the executable file and then the client can execute it manually. You could provide an archive file with the installation executable and config/license file(s), but the client would still have to execute the file manually.
You could potentially use client-side technologies such as Flash, Java or ActiveX to accomplish this, but this is not a simple task and requires fairly intimate knowledge of the languages on which these technologies are based.
If the file was an MSI, it would be theoretically possible to allow the server to remotely install it on the client machine, however there are some barriers to this:
You need a fully fledged Windows domain for this, and both the server and client machines would have to be members of that domain. There is no way around this.
You would most likely need to know the NetBIOS name of the client machine, and there is AFAIK no 100% reliable way to determine this from PHP.
Your PHP instance would need to be running under an account that has administrative privileges in the domain. This is unlikely to be the case at the moment, and it is not a very good idea to run like this anyway.

Is it possible to fetch ASP.NET or PHP code from a web server's .asp/.aspx/.php files?

Is it possible to fetch ASP.NET or PHP code from a web server's .asp/.aspx/.php files if those files would normally get processed by the ASP or PHP engine?
Not if accessed via http, and the web server is properly configured. This would be a HUGE security hole.
If you have physical access to the server, or access via another method, then yes. If you have a legitimate, legal reason to do so, and you are authorized, the system admin will certainly be able to assist you.
Only if you have real access to the server, either FTP or anything equivalent to that, or if you take the hard drive out and put it inside your computer :)

Is it possible to create ftp users and assign them access to select folders using php?

I just needed to know whether it is possible in PHP to create an FTP user, and then create folders on the server and grant FTP access to selected folders for the FTP user created.
Thanks again!
Native PHP can not do this. The task is way out of PHP's scope.
Depending on the server OS and FTP server software used, however, PHP could call some shell scripts (or WMI / PowerShell scripts on Windows) that accomplish the task. This is not trivial to set up, though, especially not if it's to be done safely (without giving the PHP process root level privileges).
The question may be better suited on Serverfault.com.
There are a few web hosting panels written in PHP that create FTP accounts among other things, so it's definitely possible.
The exact procedure depends completely on the FTP server you use. It may involve creating new Unix user accounts.
This is more an FTP or operating system question than a PHP question though as you need to shell out to do the configuration. As Pekka said you may have more luck asking on Serverfault if you include the details of your setup.
No, but if I'm not mistaken you could do something like this:
Create a shell script (ftp.sh) that has SUID (make sure it's owned by root and can only be read/written by root) that creates users, sets the permissions, etc.
Call the script from PHP:
system("./ftp.sh ".escapeshellarg($newUsername)." ".escapeshellarg($newPassword));
However I'm pretty sure there are more secure/correct ways of doing this. I can definitely see this becoming a security nightmare.
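One tighter way to make that call, added here as an example and not part of the answer above. It swaps the SUID script for a single sudo rule and passes the password over stdin instead of the command line; the helper path `/usr/local/sbin/ftp-adduser`, the `www-data` account and the username pattern are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, assumed to read the password from stdin and to be
// allowed for the web user by one sudoers rule, for example:
//   www-data ALL=(root) NOPASSWD: /usr/local/sbin/ftp-adduser
const HELPER = '/usr/local/sbin/ftp-adduser';

function createFtpUser(string $username, string $password): bool
{
    // Allowlist the account name instead of relying on quoting alone.
    if (!preg_match('/^[a-z][a-z0-9_-]{2,31}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Reject empty passwords and ones that would break the one-line stdin format.
    if ($password === '' || preg_match('/[\r\n\0]/', $password)) {
        throw new InvalidArgumentException('invalid password');
    }

    // Array form (PHP 7.4+): the program is executed directly, with no shell
    // in between, so there is nothing for metacharacters to act on.
    $cmd  = ['sudo', '-n', HELPER, $username];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start helper');
    }

    // The password travels over stdin, so it never appears in the process list.
    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);

    $exit = proc_close($proc);
    if ($exit !== 0) {
        // Keep the detail server-side; the caller only learns success or failure.
        error_log("ftp-adduser failed ($exit): $err");
    }
    return $exit === 0;
}
```

The helper should validate its arguments again on its own side, since it is the part that runs as root.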
The answer is "Yes" if the web process where the script runs allows changes to the FTP settings, e.g. adding users, groups, etc., either by native PHP function or an additional "shell script", and it would be "No" if the web process has neither the access nor the privilege to make changes.
