12.1. Security Tips

The easiest way for hackers to find holes in your web site is to scan for strings that give away a known vulnerability. This can be done with a client-side tool that simply hits IP addresses again and again until it finds something it recognizes, but many modern hackers utilize Google to search for data.

As a result, it has never been more important to keep a tight control over what files are on your web site and what information you give to visitors.

12.1.1. Put Key Files Outside Your Document Root

Your document root is the root directory of your web server. That is, if your site is example.com, the root directory would be the directory that http://www.example.com/ points to. For example, on Linux this is often /var/www/html, and on Windows this is often c:\inetpub\wwwroot.

As long as you have the permissions set up correctly, PHP can read from any file you want inside scripts. However, unless you configure Apache to do otherwise, users will not be able to load files from outside of the document root directly through their web browsers. That is, if you place your files in /var/www, and the "highest" directory your visitors can get to is /var/www/html, then the files are safe.

12.1.2. Remember That Most Files Are Public

When you have files in your public HTML directory, people can get at them; it is that simple. There was a silly craze a while ago to use the file extension .inc for PHP include files: scripts that only served to be included into other scripts. While this might make sense, and allows you to see how a script works simply by looking at its name, it is actually a major security hole.

For example, if you save your database connection info in a file and then include() that file into every script you write, that file would probably be called something like dbconnect.inc. Now, what happens if someone were to type www.example.com/dbconnect.inc directly into his web browser? Your web server would load the .inc file and send it as plain text, because it does not end in a PHP-handled file extension, which means that someone accessing the .inc file directly would see your source code.

A much better solution, if you particularly want to mark your files as include files, is to use the extension .inc.php; this way, they will be parsed by PHP before being sent to people directly, and therefore will not reveal your source code.
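The two rules above (keep sensitive files outside the document root, and never leave include files inside it under an extension the server hands out as plain text) can be checked mechanically. The following is an added example, not code from the book: it audits a constructed list of file paths against an assumed document root of /var/www/html, resolving ".." components and avoiding the common string-prefix mistake (treating /var/www/htmlx as if it were inside /var/www/html). The set of PHP-handled extensions and the ".inc" naming convention are assumptions taken from the text.

```python
import os
from typing import Iterable

# Extensions the web server hands to PHP (assumption: the default .php only).
# Adjust to match your own AddType / FilesMatch configuration.
PHP_EXTENSIONS = (".php",)

# Naming markers that indicate "this file is meant to be included, not served"
# (assumption: the .inc convention described in the section above).
INCLUDE_MARKERS = (".inc",)

# Constructed sample listing; not taken from any real server.
SAMPLE_PATHS = [
    "/var/www/html/index.php",                 # public script, fine
    "/var/www/html/dbconnect.inc",             # include file served as text: BAD
    "/var/www/html/lib/dbconnect.inc.php",     # parsed by PHP first, fine
    "/var/www/dbconnect.inc",                  # outside the docroot, fine
    "/var/www/html/../secret/dbconnect.inc",   # resolves outside the docroot, fine
    "/var/www/htmlx/dbconnect.inc",            # looks like a prefix match, but is outside
]


def is_under_docroot(path: str, docroot: str) -> bool:
    """True if `path` resolves to a location inside `docroot`.

    Both paths are normalised (symlinks and '..' resolved) and then compared
    component by component, so neither '/var/www/html/../x' nor
    '/var/www/htmlx/x' is mistaken for something under /var/www/html.
    """
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(docroot)
    try:
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:  # e.g. different drive letters on Windows
        return False


def served_as_source(filename: str) -> bool:
    """True if the server would deliver this file verbatim instead of running it.

    Only the final extension matters: dbconnect.inc is sent as plain text,
    dbconnect.inc.php is handed to PHP first.
    """
    return not filename.lower().endswith(PHP_EXTENSIONS)


def looks_like_include(filename: str) -> bool:
    """True if the file name carries an include-file marker such as '.inc'."""
    name = os.path.basename(filename).lower()
    return any(marker in name for marker in INCLUDE_MARKERS)


def audit_paths(paths: Iterable[str], docroot: str) -> list[str]:
    """Return every path that is reachable through the browser (inside the
    document root), is meant to be an include file, and would be sent as
    readable source code."""
    return [
        p for p in paths
        if is_under_docroot(p, docroot) and looks_like_include(p) and served_as_source(p)
    ]


if __name__ == "__main__":
    for finding in audit_paths(SAMPLE_PATHS, "/var/www/html"):
        print(f"exposed include file: {finding}")
```

On the constructed listing only /var/www/html/dbconnect.inc is reported; the .inc.php variant and every path that resolves outside the document root pass. Running the same check over a real `find /var/www/html -type f` listing is a quick way to catch stray include files after a deployment.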

12.1.3. Hide Your Identity

Most web servers, by default, send out information about themselves with each request served. For example, a default installation of Mandrake Linux 9.1 returns the following information with each file served:

    Server: Apache/2.0.48 (Win32) PHP/5.0.2-dev

From that, we can ascertain that the machine is running Apache 2.0.48 on Windows, together with a CVS (development) build of PHP 5.0.2.

Now, all an attacker has to do is check for known bugs in Apache 2.0.49, PHP 5.0.2 or, worse, Windows, and exploit them; we have, in effect, given him a head start.

In your httpd.conf file, look for the two directives ServerSignature and ServerTokens; both of these control what information Apache gives out about itself. ServerSignature defines what Apache prints at the bottom of server-generated pages, such as 404 error pages. Similarly, with ServerTokens set to Full (the default), the same information is sent along with every request. To change this, set ServerSignature to Off and ServerTokens to Prod; this will stop Apache printing anything on error pages, and restrict the information sent with each request to just "Apache". A big step forward: at least now your site will not appear if people are scanning for particular Apache versions.

Here is how that same Windows Apache server describes itself with these changes in place:

    Server: Apache

Much better!

12.1.4. Hiding PHP

By default, PHP is set to announce its presence whenever anyone asks; this is usually through the web server. You can turn this functionality off by editing your php.ini file and changing expose_php to Off.

If you do this, as well as using a different file extension, your use of PHP is mostly hidden. However, if your code generates any error messages, your use of PHP will become immediately obvious. To get around this, and thereby truly hide PHP, you should force PHP not to display error messages: edit your php.ini file and set display_errors to Off.

This will make debugging a little harder, so be sure to set log_errors to On; this makes sure that whenever your script generates an error, it is stored in the error log file so that you can analyze the problem.
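The Apache directives in 12.1.3 and the php.ini settings in 12.1.4 are easy to get wrong on one server out of many, so it is worth auditing them rather than trusting memory. The following is an added example, not code from the book: it flattens httpd.conf and php.ini fragments into name/value pairs (ignoring comments and, as a deliberate simplification, any <Directory> or <VirtualHost> context blocks), applies the three php.ini rules and two Apache rules from the text, and separately inspects a raw HTTP response to confirm that the Server header no longer carries versions. The weak and hardened configuration fragments and the two responses are constructed for the example; the directive and setting names come from the section above.

```python
import re

# Constructed httpd.conf fragments: the leaky defaults beside the corrected form.
WEAK_HTTPD_CONF = """
# httpd.conf (before)
ServerSignature On
ServerTokens Full
"""
HARDENED_HTTPD_CONF = """
# httpd.conf (after)
ServerSignature Off
ServerTokens Prod
"""

# Constructed php.ini fragments.
WEAK_PHP_INI = """
; php.ini (before)
[PHP]
expose_php = On
display_errors = On
log_errors = Off
"""
HARDENED_PHP_INI = """
; php.ini (after)
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

# Constructed raw responses, mirroring the two Server headers quoted in the text.
LEAKY_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Win32) PHP/5.0.2-dev\r\n\r\n"
QUIET_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


def parse_directives(text: str, comment_chars: str) -> dict[str, str]:
    """Flatten a config fragment into {lower-cased name: value}.

    Accepts both 'ServerTokens Prod' and 'expose_php = Off'. Apache matches
    directive names case-insensitively and PHP ini keys are conventionally
    lower-case, so keys are lower-cased. A repeated setting is overridden by
    the later line, which is how both programs treat it. Lines opening a
    context block ('<...>') and ini section headers ('[...]') are skipped.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in comment_chars or line[0] in "<[":
            continue
        m = re.match(r"^([A-Za-z_][\w.]*)\s*=?\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings


def ini_bool(value: str) -> bool:
    """Interpret a php.ini boolean the way PHP does: on/yes/true/1 mean on;
    off/no/false/none/0 and an empty value mean off."""
    return value.strip().lower() in ("on", "yes", "true", "1")


def audit_apache(conf: str) -> list[str]:
    """Report ServerSignature/ServerTokens values that leak version details.
    An absent directive is reported too: the goal is an explicit setting."""
    s = parse_directives(conf, "#")
    findings = []
    if s.get("serversignature", "").lower() != "off":
        findings.append("ServerSignature must be Off (version shown on error pages)")
    if s.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens must be Prod (Server header reveals versions)")
    return findings


def audit_php_ini(ini: str) -> list[str]:
    """Report expose_php, display_errors and log_errors settings that differ
    from Off, Off and On respectively; an absent setting counts as a finding."""
    s = parse_directives(ini, ";#")
    wanted = {"expose_php": False, "display_errors": False, "log_errors": True}
    return [
        f"{name} must be {'On' if want else 'Off'}"
        for name, want in wanted.items()
        if name not in s or ini_bool(s[name]) != want
    ]


def server_header_leaks(raw_response: str) -> bool:
    """True if the Server header still carries more than a bare product name:
    a version after '/', a platform in parentheses, or any digit at all."""
    for line in raw_response.split("\r\n"):
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            return bool(re.search(r"[/(]|\d", value))
    return False  # no Server header at all gives nothing away


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTPD_CONF), ("hardened", HARDENED_HTTPD_CONF)):
        print(label, "httpd.conf:", audit_apache(conf) or "ok")
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(label, "php.ini:", audit_php_ini(ini) or "ok")
    print("leaky header leaks:", server_header_leaks(LEAKY_RESPONSE))
    print("quiet header leaks:", server_header_leaks(QUIET_RESPONSE))
```

The weak fragments produce two Apache findings and three php.ini findings; the hardened ones produce none, and only the first of the two responses is reported as leaking. Because the parser treats an absent directive as a finding, it also catches the common case where a server is still running on whatever the distribution's default file happens to contain.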

As an alternative to changing the file extension, why not just drop it altogether? Tim Berners-Lee wrote a famous article called "Cool URIs Don't Change" (available from http://www.w3.org/Provider/Style/URI.html) that says, among other things, that you should consider stripping off file extensions just in case you decide to change technology later: good advice.
