I have a login page for my website. In the php script of this page, I have connection.inc which includes mysql connection data. I am aware that this is not secure as anyone can access it by going to www.example.com/connection.inc.
I have added .htacess to the root folder with
<Files ~ "\.inc$">
Order allow,deny
Deny from all
Satisfy all
</Files>
in it.
Now when i go to www.example.com/connection.inc it now comes up with error 403:forbidden.
Is this now highly secured. i.e can no-one now access this information?
If you changed the extension from .inc to .php then you have less risk. If they access the connection.php file from the browser, they will just get served a blank page.
If someone accidentally deletes the .htaccess file, or it became inactive for some reason, it no longer will deny access to the file.
On the flip side, the same can happen with PHP. If someone messes up the server configuration and .php files aren't handled by the PHP engine, they will be output usually as text or octet/stream and the full source will be served.
Bottom line, you are probably safe using your .htaccess method, but if you can, just change the extension to .php and then you can skip the .htaccess for that completely. You can still include the connection.php just as you do the .inc.
Also, your MySQL user is probably only allowed to connect to the server from localhost. If that is the case, even if I knew your username and password, I couldn't connect because I am not coming from the right host. Additionally, it is possible that MySQL is not listening for connections on all addresses, and possibly only on localhost, but that depends on how it is set up.
Related
So, all I'm attempting to do with this .htaccess file is prevent anybody that isn't the server from being able to view the file e-mails.txt. The server needs access to it for a php script(using fopen). Everything I've read says this should work, but this is preventing any file in the directory, and subdirectories from what I can tell, from being accessible.
<Files e-mails.txt>
Order deny, allow
Deny from all
</Files>
Also, before when .htaccess was similar, it wasn't blocking the entire directory, but it was preventing the .php script to function properly, which is what caused me to delete it, which fixed the .php script but let e-mails.txt be visible to everyone. So then, when I re-created it and used the above code, the entire site/directory is spitting out a 500 error.
May be, you can write a rewrite condition for this file to 404 or 500 error page. This method render impossible access over http.
I'm adding some database usage to a public facing site, and I wanted input on what the most secure way to store mysql connection information might be. I've come up with a few options:
First I could store the config in another directory, and just set the PHP include path to look for that dir.
Second, I know there are some files that apache won't serve to browsers, I could use one of these types of files.
Third, I could store encrypted files on the server, and decrypt them with PHP.
Any help would be much appreciated.
Storing the config outside of apache's document root is a must
You can configure apache to disallow any files with htaccess.
in the config folder add a .htaccess with the following
order allow,deny
deny from all
If you don't want to use .htaccess as #johua k, mentions, instead add
<Directory /home/www/public/config>
order allow,deny
deny from all
</Directory>
to your apache config.
This will deny any files in that folder from being served to anyone, which is fine since php doesn't care about htaccess you can just
include('config/db.php')
If you properly config your php scripts, they should never appear in plain text.
so a file like
define('mysql_password', 'pass')
would never display that text.
If you are worried about a shared hosting environment and another use having access to read this file then you should evaluate the security of the linux installation and the host. Other users should have any browsing access to your file. From the web files marked php should never return source.
You can explicitly tell apache not to serve the files ever, so they would only be include() or require() able.
My university has multiple servers which have the same data mirrored across them, so I can access for instance
foo.uni.edu/file.php
bar.uni.edu/file.php
The thing is, not all servers have PHP installed, so anyone could possibly download my php files if they made the connection through a server which didn't have PHP installed.
Is there a way, possibly with .htaccess to avoid this? As in, only allow opening PHP files if PHP server is installed?
If it's possible to store files outside of the document root, you could work around the problem by storing all sensitive data outside the docroot. You would then have your publicly accessible scripts use include to access those files.
So, if you upload to /username/public_html, and public_html is your document root (eg, foo.uni.edu/file.php is /username/public_html/file.php), then you would upload to /username/file.php instead and place another script in /username/public_html which merely contains something like include('../file.php');
This is good practice in any case, in case a configuration error on the server ever stops PHP from being parsed.
You could also try using IfModule and FilesMatch to deny access to PHP files if mod_php isn't enabled:
<IfModule !mod_php.c>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>
</IfModule>
If this doesn't work, try !mod_php5.c instead.
I have all of my database credentials within an include file that I wanted to place outside of my webroot file.
However, my shared hosting plan does not allow me to place files outside of the webroot. Would I have to look at encrypting my file in some way to make sure my credentials are secure?
I had read a method to produce a kind of fake 404 page, but that doesnt sound very secure to me at all.
I've also taken the step of creating a read-only user account so that if my account is compromised then at least nothing can be overwritten or dropped, but I obviously want to be as secure as I can given the limitations.
You can't
Best what is possible is create php file which will be interpreted by hosting service.
<?php
$DB_USER = 'your_user';
$DB_PASS = 'your_pass';
$DB_INSTANCe= 'your_instance';
When someone will access your file from web browser he won't see anything. When you need your file just include it.
You could also add some .htaccess (probably) so no one using web browser will be able to access your file.
Someone who has read access to the same physical host as you will be sadly able to access this file, and there is no way to prevent that.
If the server is running apache and you are allowed to override the directives then this could be achieved using by creating a .htaccess file in the webroot with the following lines, be sure to replace <FILENAME> (including the <>) with the name of the file you would like to deny access to.
#Deny access to the .htaccess file
<Files ~ "^\.htaccess">
Order allow,deny
Deny from all
</Files>
#Deny the database file
<Files ~ "^\<FILENAME>$">
Order allow,deny
Deny from all
</Files>
Last night I made some admin changes to my webserver. I use php. The php processor failed after the update and if someone went to my homepage, the php page would simply download and show the proprietary code and password to anyone visiting. So I was wondering if there is a way to prevent any form of download for php files using .htaccess -- but still allow for normal viewing of the files.
A good pattern to follow during development is to use a minimal initialization file, which invokes the actual application which resides outside the webroot. That way only a minimal stub with no critical information is exposed in a case like this.
Simplified example:
/
/app
critical_code.php
/webroot
.htaccess <- rewrites all requests to index.php
index.php <- invokes ../app/critical_code.php (or other files as requested)
The trouble here is that either .htaccess is serving your files to the user or it's not. You can't tell it to deny access to the .php files, because then access will be denied during normal use, as well. There is no fallback behavior for the PHP processor simply not running correctly.
Maybe it's worth temporarily moving the web root to point to an "under maintenance" site when doing big things like that, to minimize risk as much as possible.
Assuming you're using Apache, your .htaccess file would look something like this.
<FilesMatch ".*\.php">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
<IfModule php5_module>
<FilesMatch ".*\.php">
Allow from all
Satisfy All
</FilesMatch>
</IfModule>
The first rule denies access to all .php files. By default, the user will see a 403 (Forbidden) error.
If the PHP5 module successfully loads, the second rule will take affect, which grants access.