 |  |  |  |  |  |  |  |
PHP Security
Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases
 |
Hello Guys,
I have bult a php site, and going live soon some questions first of all from what i read i need to have a .htaccess file in which it has turn of register_global and disable errors do i need to put anything further? I also have a admin section which is password protected from my hosting company, is that safe? after reading i am getting loads of different information can someone please help me with what i need to follow (tutorial)
thank you
I have bult a php site, and going live soon some questions first of all from what i read i need to have a .htaccess file in which it has turn of register_global and disable errors do i need to put anything further? I also have a admin section which is password protected from my hosting company, is that safe? after reading i am getting loads of different information can someone please help me with what i need to follow (tutorial)
thank you
•
•
Join Date: Sep 2007
Posts: 1,505
Reputation: 
Solved Threads: 136
•
•
•
•
I have bult a php site, and going live soon some questions first of all from what i read i need to have a .htaccess file in which it has turn of register_global and disable errors do i need to put anything further?
•
•
•
•
I also have a admin section which is password protected from my hosting company, is that safe?
•
•
•
•
after reading i am getting loads of different information can someone please help me with what i need to follow (tutorial)
Try not to bump 10 year old threads as it can be really annoying.
http://syntax.cwarn23.net/
My favourite PC. - MacGyver Fan
http://syntax.cwarn23.net/
Smilies: ^_* +_+ v_v -_- *~*` My favourite PC. - MacGyver Fan
•
•
Join Date: Jun 2007
Posts: 1,227
Reputation:
Solved Threads: 167
If you have any classes, functions, ect. you need to move them behind the document root (same folder as public_html on most hosts). Then you just included them.
You need to add a php.ini file and protect it with .htaccess. This means you put your php configurations in the php.ini and disable people from viewing in their browser via .htaccess.
In your .htaccess file:
Also disable the directory listing so people cannot see what you have on the server.
Here is a good php.ini example:
php.ini usually only works on a per directory basis so if you have multiple folders that need the same configuration, you need copy the same php.ini into each directory. (Spent hours finding this one out)
If you do not have uploads on the site, make sure you turn file uploads to 'off'. Also, if you don't need to access remote urls then turn off allow_url_fopen.
Make sure you leave the error logging part of the ini file. This will make it so all errors are logged to a central location and not in the directory of the file which had the error. The reason for this is so hackers cannot see the errors of the site, which might help them hack it.
If you use sessions, make sure you change the location of where they are stored. If another account is compromised on the server, a hacker could get into the tmp directory where your sessions are and steal info/hijack a session.
Here is a link on changing it: http://us3.php.net/manual/en/functio...-save-path.php
You can also do it through php.ini.
Make sure the directory where you are storing the sessions is not accessible to the public.
I wouldn't use http authentication with a .htpasswd file. At least use a database to store the login info. A login system with php (like cwarn23 said) would be best in my opinion. I posted a good example at: http://www.daniweb.com/forums/thread212083.html
You need to add a php.ini file and protect it with .htaccess. This means you put your php configurations in the php.ini and disable people from viewing in their browser via .htaccess.
In your .htaccess file:
PHP Syntax (Toggle Plain Text)
Also disable the directory listing so people cannot see what you have on the server.
PHP Syntax (Toggle Plain Text)
Here is a good php.ini example:
PHP Syntax (Toggle Plain Text)
php.ini usually only works on a per directory basis so if you have multiple folders that need the same configuration, you need copy the same php.ini into each directory. (Spent hours finding this one out)
If you do not have uploads on the site, make sure you turn file uploads to 'off'. Also, if you don't need to access remote urls then turn off allow_url_fopen.
Make sure you leave the error logging part of the ini file. This will make it so all errors are logged to a central location and not in the directory of the file which had the error. The reason for this is so hackers cannot see the errors of the site, which might help them hack it.
If you use sessions, make sure you change the location of where they are stored. If another account is compromised on the server, a hacker could get into the tmp directory where your sessions are and steal info/hijack a session.
Here is a link on changing it: http://us3.php.net/manual/en/functio...-save-path.php
You can also do it through php.ini.
Make sure the directory where you are storing the sessions is not accessible to the public.
I wouldn't use http authentication with a .htpasswd file. At least use a database to store the login info. A login system with php (like cwarn23 said) would be best in my opinion. I posted a good example at: http://www.daniweb.com/forums/thread212083.html
Last edited by kkeith29; Aug 17th, 2009 at 2:45 pm.
Google is your friend.
Use [code] tags.
If you have found a solution to your problem, please mark the thread as SOLVED.
Use [code] tags.
If you have found a solution to your problem, please mark the thread as SOLVED.
•
•
•
•
and disable people from viewing in their browser via .htaccess.
PHP Syntax (Toggle Plain Text)
I understand it will save it in logs folder, but what does file extention does it need to be?
What i dont understand is, cant i just disable it rather than saving it? I mean lets say my website is done and i will never update it (which isnt the case lol) can i not just disable it, can you please tell me why i need it and if so can i not save error to mysql database?
Thank you for your information, it has been printed and sace
, I think its now time to learn PHP correctly rather than doing shortcuts. •
•
Join Date: Jun 2007
Posts: 1,227
Reputation:
Solved Threads: 167
It doesn't need one. You can make one up if you want to.
Error logs can tell you a lot. Errors shouldn't be shown to your users, so I something goes wrong you need to be able to find the error somewhere. Always have the error log on.
Error logs can tell you a lot. Errors shouldn't be shown to your users, so I something goes wrong you need to be able to find the error somewhere. Always have the error log on.
Google is your friend.
Use [code] tags.
If you have found a solution to your problem, please mark the thread as SOLVED.
Use [code] tags.
If you have found a solution to your problem, please mark the thread as SOLVED.
You can also use
rather than use .htaccess or if you can't amend the php.ini file
php Syntax (Toggle Plain Text)
rather than use .htaccess or if you can't amend the php.ini file
If my post is useful please add to my reputation.
Thanks.
Ajtrichards Web Solutions | http://www.ajtrichards.co.uk
Retenovate | http://www.retenovate.com
Thanks.
Ajtrichards Web Solutions | http://www.ajtrichards.co.uk
Retenovate | http://www.retenovate.com
Hello,
I would like to ask, if i will be able to save all errors to mysql rather than a log file.
also is it possible for me to be able to save any errors which end users make for example, a user enters user name and enters wrong password, can i save that error?
I would like to ask, if i will be able to save all errors to mysql rather than a log file.
also is it possible for me to be able to save any errors which end users make for example, a user enters user name and enters wrong password, can i save that error?
•
•
Join Date: Sep 2007
Posts: 1,505
Reputation:
Solved Threads: 136
•
•
•
•
Originally Posted by NoID 
Hello,
I would like to ask, if i will be able to save all errors to mysql rather than a log file.
also is it possible for me to be able to save any errors which end users make for example, a user enters user name and enters wrong password, can i save that error?
Try not to bump 10 year old threads as it can be really annoying.
http://syntax.cwarn23.net/
My favourite PC. - MacGyver Fan
http://syntax.cwarn23.net/
Smilies: ^_* +_+ v_v -_- *~*` My favourite PC. - MacGyver Fan
|
Similar Threads
- PHP & Apache Server Security Questions (PHP)
- PHP security: user with same IP as the server (PHP)
- Check this out - Free PHP Security Videos (PHP)
- Am I using include and hidden directories correctly? (PHP Security) (PHP)
- Site security tester - help needed (PHP)
- php email help? (PHP)
Other Threads in the PHP Forum
- Previous Thread: my code are wrong and I don't no why? I'm desesperated!!!! Please help me!!!
- Next Thread: Smarty Help
| Thread Tools | Search this Thread |
Latest PHP Posts
- Today's Posts
- Unanswered Threads
Related Forum Features
Tag cloud for PHP
# .htaccess 5.2.10 access ajax apache api array beginner binary broken cakephp checkbox class clean clients cms code cron curl database date directory display dissertation download dynamic echo email error file files folder form forms function functions google href htaccess html image images include insert integration ip java javascript joomla ldap legislation limit link login loop mail menu mlm mod_rewrite multiple mysql mysqlquery oop open paypal pdf persist php problem query radio random recursion regex remote script search server sessions sms soap sockets source space sql syntax system table tutorial update upload url validation validator variable video web xml youtube
