I have created a file called config.php and it is as under
<?php
$dbUser="test";
$dbPassword="123456";
$dbName="testDatabase";
$dbHost="localhost";
$dbPort="3306";
$tablePrefix="test_";
?>
Now i have set permissions of this file to 744, so that i can make connection any time i need.
but what would happen if anyone else will try to read this file and make connection to my database server as a dbuser. this would be problematic for me.
So what should be done?? or what permissions should be given so that my web server will be able to read the file but anyone else who tries to read should not be able to read the file.
Thanks in advance.
If you have your own web-server, running under your own user, you can make it 600.
But usually you don't have to worry about it, because your shared hosting provider taking care of it, making different hosting users unable to access each other's files.
When you have a file like config.php you don't have to worry about other people who can access it. First of all people can't read the php code inside your document so you dont have to edit the permissions of the file.
Leave it as default.
Related
I have a php script on my webhost, GoDaddy, and I want to modify a text file. But it gets blocked, I think it's a problem of authorization but I don't know how to solve this.
<?php
$var= "test";
$fileopen = fopen("file.txt", w+);
fwrite($fileopen,$var);
fclose($fileopen);
?>
Apparently the issue is not with PHP but with the access control management on the server. You don't tell us the error you get, but I guess that you are denied write access to those files. Check the rights of the corresponding files and directory on your server and tweak them as needed to let the web server process access those files.
How to do it is very much dependent on the server's operating system, on the identity under which the web server process is running and on the kind of administrative rights you have yourself. Without further information, it is difficult to say more. Your provider must have some kind of documentation about how you can set up directory and file access rights.
So I created a couple of directories and files with FTP, thus the owner is the username I use to login to the server. Now I'd like to allow users of the website to upload images to those directories. Unfortunately for the website to store images, it should be owned by Apache. How can I fix this? I've been reading around on this but can't directly find an answer.
I don't have SSH, so I guess all command-line-things are not applicable for me.
Edit
I tried to then make the folders again using apache, but now ofcourse I can't write any files using ftp into those directories.
Provided that at least the one directory is writeable by the apache user (lets call this directory 'writeabledir', it may be your root dir '/'), you must delete the folders you created via ftp and create a php script to create the directories you need.
If for example you want a directory called users and inside it another directory called upload
Create file makedirs.php on your server.
<?php
$oldumask = umask(0);
mkdir("writeabledir/users/upload",0777,true); // or even 01777 so you get the sticky bit set
umask($oldumask);
?>
Now run your makedirs.php once, by calling your.serv.er/makedirs.php on your browser
EDIT:
If you don't want to delete and recreate your directories,you could always try to change file permissions from ftp.
For exampe with FileZilla, just right click on the desired folder and set permissions to 777. If your ftp user does not have permission to do this, then there is no other way, except from asking an administrator to do this for you.
EDIT2:
Added umask to ensure that folders created by apache are writeable by everyone. (taken from http://us3.php.net/manual/en/function.mkdir.php#1207 )
Friend looks I work in php, some versions change the way of solution, however the most common is already that you want to store it would be necessary to create a database and import it to esu code that also serves to some images you want to come place, plus the wisest thing to do and you create a database with the fields necessary for its realization, import, put in a file directory of your schedule, you also advise using aptana Studio 3 greatly facilitates the creation of codes among many things and low xampp it already comes with apache integrated in one place will help you a lot any questions on installation just look at youtube he will describe
I want to add new DNS on my server. I'm able to edit the file /etc/resolv.conf using vi editor.
But, when I try using PHP.. the file is not opening.
What could be the issue?
Please suggest / provide me with a solution to fix this.
Most likely your PHP is running on a different user then when you login to the server yourself. You will have read/write access to the file and PHP doesnt.
Now increasing the rights of the PHP users could cause a security issue, so I would advise against it. But you could grant the user access to that specific file only if realy needed. Check Granting Access Permission to a file to a specific user on how to do it.
You will probably need root access to modify /etc/hosts .
You can chmod 666 /etc/hosts, but this would be a security issue.
But so is running PHP under root,
and so is chowning the /etc/hosts.
So there you have 3 (insecure) solutions. With the last one being least evil.
You might also be facing a struggle with PHP accessing files if PHP is restricted to files inside a certain directory. ( http://www.php.net/manual/en/ini.core.php#ini.open-basedir )
GoDaddy does not a give FTP root access to my account, meaning I can only access the public_html folder and not the includes folder.
Is there any way I can include the config files in that public folder but somehow make it so only the server can access them in a secure way? How does Wordpress do it?
You could use a .htaccess file to restrict Website Access.
Take a look of this article.
just make sure they have a .php extension.
(and actually contain PHP code of course)
Wordpress keeps the config file in the main folder. Just make sure you have a .php extension and you dont echo anything from that. (I know you wont.)
People really cant get the details inside your php file unless you echo something, or the chmod of the file is set wrong so that people may be able to actually download the file.
As xdazz said, you can also restrict access to your config files, but I think its just for MORE protection, and you are still safe without that.
In a module I'm creating I have some sensitive information I need to store securely: A remote database host, username, and password.
It seems that the only storage available is in the Drupal database, which worries me since this means if Drupal is compromised so is this other database. The settings.php file in sites/all/default was my second option, but I'm having trouble writing to it. Various chmod commands in FTP and SSH to 777 and 666 won't open the file to writing. I'm also not sure if the variables I set there are available anywhere else.
Are there any other ways to store this information securely?
You're on the right track using settings.php. You can use the $conf variable in settings.php to set variables that you can access in modules using variable_get.
Hmmm... this seems like something you shouldn't do in general. Write an API that sits at the remote database that you can access.
If however you insist on direct database access. Hard code the host, username and password in a file, put the file outside your document root and include it from there. For example, if your document root (i.e. where Drupal's index.php file is) was /www/htdocs, put a file containing the info at something like /www/secure and include it where you need it. Then if php stops working for some reason, the file isn't in a readable location to the outside world but PHP can include it within the site as necessary.
Sure somebody might see that you were including the file but they wouldn't be able to see the file itself unless they hacked your server (rather than just Drupal) and in that situation, your pretty much screwed anyway.
Using a config file is ideal for this type of information. However doing a chmod 777 or 666 is a really bad idea. The problem is that both of these settings allow the file GLOBALLY read/write. So if you are on a shared host, then its possible for another user on the system to access your file. On install trying using php's chmod() function to do a chmod 500 on the file. (500 should work in most cases, the most important part is that the last number is zero).