#1
    Junior Member, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Posts: 4
    I'm a web developer and I need to justify the use of PHP to a number of clients. Their main worry seems to be security. I need to be able to explain to them WHY it is safe, and that it is not easy for hackers to crack.
    I'm having to compare it to an ASP based solution.

    I must make it clear that I'm NOT trying to find out how to hack, so DO NOT reply with suggestions of how to get into sites. I just need to know why PHP is safer than ASP etc.

    I also need to know about MySQL security too.

    So some questions:

    Is it possible for people to browse and see the raw PHP code behind a page? If not why not.

    Is it possible for people to make any kind of weird call to a PHP script which will do strange things (I heard that ASP can suffer from this)?

    When hosting a PHP/MySQL website, what should we look out for in terms of making it more secure, i.e. DOs and DON'Ts?

    Does anyone know of any good ASP flames which I could use i.e. ASP is bad because.... or PHP is better than ASP because.....

    PS The base OS will more than likely be LINUX.

    Thank you in advance for any help.

    Paul
#2
    Apprentice Deity, Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999 | Location: Niagara Falls (On the wrong side of the gorge) | Posts: 3,237
    PHP, ASP, etc. are tools. As with any tool it can be dangerous or safe. It depends on the person wielding it.

    The server software is more prone to attack (and the potential damage is greater) than a scripting language such as PHP. PHP can also be dangerous, but only so far as it can be used to send commands directly to the server. As long as your code doesn't include any exec(), virtual(), etc. system calls (and/or the information in the calls is not created dynamically based on user input) you won't have any problems.

    As long as the webserver is working and configured correctly there is no way someone can see the PHP source through a web browser.

    Access methods other than HTTP are not a PHP issue as far as security is concerned.

    In summary, asking this question is kinda lame (no offense). The tools used to create a website offer power and risk. Risk is measured in how easy it is for something to go wrong, and how damaging it can be if something does.

    Your OS and server software have the greatest potential for damage, and usually are the easiest places for something to go wrong due to the complexity. (comparable to an airplane).

    PHP/ASP are more likened to bicycles in this respect. Simple, easily learned precautions will prevent problems, and usually, damage is far less if something does go wrong.

    I guess what I'm trying to say here is that the tool isn't the security problem. It's the skill and knowledge of the person that's using the tool that creates problems.

#3
    Contributing User, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Posts: 31
    Well first of all I never found source code of ASP interpreter.. I might not have tried hard enough.

    Some answers (and opinions):

    1) I haven't been dealing with PHP too long so I might not really know if there had been such thing as some buffer overflow exploiting apache/php engine to see the source of PHP files.. I have been witnessing the overflow to abuse IIS to see the source of ASPs.

    If such overflow did exist in apache/php engine it would be matter of days (or more like hours) that someone would create a patch for it. (You can do it yourself if you know enough about programming..)

    2) I do this daily with many languages and mostly early in the morning.

    Seriously, PHP has so called safe-mode switch and when turned on you can't run (nor write) files owned by someone else. So it's pretty hard running "bad" commands..

    If you meant a long query string (http://server/script.php3?A=AAAAAA...) or something then the answer depends on how you have done your scripting..

    You have to screw up bad to make "PHP do strange things by weird calls" anyway.

    3)
    -Make sure your MySQL ports are not accessible to the internet.
    -Create a read-only user and a read&write user for every service you make.
    -Try to hack to your own server. Often and in as many ways as you can figure out.
    -Learn PHP well. (You can screw up more easily with ASP, but you sure can screw up with PHP as well.)
    -Expect the worst.
    -Expect that you can't imagine the worst.

    -Don't forget to check user input validity.
    -Don't do drugs.

    4) "PHP4 is better than crappy visual basic code" works pretty well usually. If not.. Try "This is better", which works just as well.

    ---

    I hope I answered some of those questions as you would liked them to be answered. I'll be glad to answer if you would like to know more.

    PS. I might write some day (when I know enough) an article about PHP and security.. I'll announce here when I have. :-)

    PPS. Feel free to check anything I said. The whole post is written as "IMHO".


    ------------------
    Dist - dist@clan-station.org - Founding member of Clan Station
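The exec()-with-user-input warning in post #2 and the "check user input validity" item in post #3, as an added worked example that is not code from the original thread. It puts a handler that interpolates a request parameter into a shell command next to a hardened version that validates the value against an allowlist, avoids the shell where a PHP function will do, and passes the value through escapeshellarg() when a command is unavoidable. The `file` parameter, the /var/www/reports directory and the `.txt` naming are assumptions; safe_mode, which post #3 leans on, was removed in PHP 5.4, so these checks have to live in the code itself.

```php
<?php
// Added example, not code from the original thread. It illustrates the
// exec()/user-input warning in post #2 and the "check user input validity"
// advice in post #3 with a vulnerable handler beside a hardened one.
// The "file" parameter and the /var/www/reports directory are assumptions.
declare(strict_types=1);

const REPORT_DIR = '/var/www/reports';   // assumed directory of report files

// VULNERABLE: the request parameter is interpolated into a shell command.
// A request like ?file=x;id runs "id" (or anything else) as the web
// server's user; this is exactly the situation post #2 warns about.
function showReportVulnerable(string $file): string
{
    return (string) shell_exec('cat ' . REPORT_DIR . '/' . $file);
}

// HARDENED, step 1: allowlist validation before the value is used at all.
function validReportName(string $file): bool
{
    // 1-32 chars of [A-Za-z0-9_-]; no dots or slashes, so neither "../"
    // nor any shell metacharacter can get through.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $file) === 1;
}

// HARDENED, step 2: prefer a PHP file function over a shell command, and
// re-check the resolved path so it cannot leave REPORT_DIR.
function showReportHardened(string $file): ?string
{
    if (!validReportName($file)) {
        return null;                      // reject; do not "clean up" and go on
    }
    $base = realpath(REPORT_DIR);
    $real = realpath(REPORT_DIR . '/' . $file . '.txt');
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;                      // missing file, or it escaped the directory
    }
    $text = file_get_contents($real);
    return $text === false ? null : $text;
}

// If a shell command is unavoidable, pass the validated value through
// escapeshellarg() as a single argument; never build the command line by
// string interpolation.
function wordCountHardened(string $file): ?string
{
    if (!validReportName($file)) {
        return null;
    }
    $path = REPORT_DIR . '/' . $file . '.txt';
    if (!is_file($path)) {
        return null;
    }
    return (string) shell_exec('wc -w ' . escapeshellarg($path));
}

// Request handling: read the parameter from $_GET and fail closed.
$file = isset($_GET['file']) ? (string) $_GET['file'] : '';
header('Content-Type: text/plain');
echo showReportHardened($file) ?? "no such report\n";
```

The hardened version rejects bad input instead of stripping characters from it; stripping leaves you guessing what the shell will still interpret, and a rejected request costs nothing.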
#4
    Junior Member, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Posts: 4
    Thanks for the reply.

    Here's where I'm coming from :

    Assume that in a PHP/MySQL app we code in a way that the PHP script connects to the MySQL database using a hard coded user/pwd. That user/pwd has enough priv on the DB to be able to Select. Fair enough I think.

    I know that in some ASP installations it is possible to add a certain char to ANY asp URL and hey presto the entire ASP source code appears on the client browser. Including the string containing the User/pwd and host name for the MySQL access.

    So now the hacker can gain access to the MySQL database and pull off whatever info they require i.e. our customer records... ho ho ho, SPAM attack here we come.

    So how do you guard against this situation:

    1. PHP does not let this happen because it will NEVER dump source code on a browser (unlike ASP) ????

    2. Code in another manner which does not need me to hard code the user/pwd info in the script ?????

    I'm certainly convinced that PHP is secure, i just need some good backing.

    I also agree that PHP/ASP etc are tools and as such are as good as the person using them.

    However, I'm also amazed / frightened at the ways in which hackers gain access to private servers and data. I'd just like to try and keep one step ahead, and be aware of any known or possible problem areas in PHP/MySQL.

    Thanks again for the help, and please post any more info if you can,

    Paul
#5
    Gödelian monster, Devshed Regular (2000 - 2499 posts)
    Join Date: Jul 1999 | Location: Central Florida, USA | Posts: 2,307
    There is a really simple way to keep someone from seeing a username/password combination EVEN IF they manage to dump the source code of a PHP script to the browser (impossible unless the Apache configuration file is changed):

    That method is to use an include file located in a directory not accessible by web, and have the username/password only in that directory and only readable by the PHP userID itself.
#6
    Gödelian monster, Devshed Regular (2000 - 2499 posts)
    Join Date: Jul 1999 | Location: Central Florida, USA | Posts: 2,307
    Also, MySQL is accessible by port 3306, to allow network access, but that is not necessary for a web-based app located on one server, so you might want to block that port with a firewall.
#7
    Contributing User, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Location: In nederland | Posts: 41
    >1. PHP does not let this happen because it will NEVER dump source code on a browser (unlike ASP) ????

    Ok, I don't know about that. The only remark I want to make is that if you use only the cgi-php you can easily see the php code (at least on my server). That is why I don't use it.
#8
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Posts: 8
    Originally posted by Padge:
    > Thanks for the reply.
    >
    > Here's where I'm coming from :
    > ...
    >
    > I know that in some ASP installations it is possible to add a certain char to ANY asp URL and hey presto the entire ASP source code appears on the client browser. Including the string containing the User/pwd and host name for the MySQL access.

    Right.. well the easiest way around this (and a nice way to save yourself some effort if multiple pages use the same username/password/db) is this:

    Have a file like this:
    <?php
    // db_connect.php: lives outside the web-accessible tree (ext/mysql API, PHP 4 era)
    $db = mysql_connect("host", "username", "password");
    ?>

    And put it outside the web-accessible folders. Put it in /etc for all it matters, as long as it's readable by the web server's UID. Then use PHP's require statement to include it:

    <?php
    // in each page that needs the database; $db is then available to the page
    require("../db_connect.php");
    ?>

    Lo and behold, even if someone manages (through server mis-configuration or whatever) to get ahold of your PHP source, they won't get the password file.

    I actually use this method for another reason - many of my projects get developed on a different platform with a different database server (still mySQL, just on another network). Using this method we can develop in one place and implement in another just by changing that one db_connect.php file.

    (Note that if you're using PHP safe-mode your choice of location for db_connect.php will be severely limited, but I'm not sure of the specifics. Check out www.php.net for the official take on this).

    Hope this helps,

    Matt

    ------------------
    Does anyone else find it kinda perverse that we're using a Perl BBS to discuss PHP? ;-)

    [This message has been edited by Shade (edited April 25, 2000).]
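The include-outside-the-web-root pattern from posts #5 and #8, as an added example that is not Matt's code or anything from the thread. It assumes PHP 7 or later (mysql_connect() went away with ext/mysql in PHP 7, so mysqli is used instead), a site at /srv/example/htdocs with the config at /srv/example/etc/db_connect.php, and placeholder host, user, password and database names. It adds two checks Matt's version leaves implicit: that the resolved config file is not under DOCUMENT_ROOT, and that it is not world-readable. It also locates the file from the script's own directory rather than a relative "../", which PHP resolves against include_path and the working directory and which therefore differs between Apache, the CLI and cron.

```php
<?php
// Added example, not Matt's code or any project's: the "credentials in an
// include file outside the web root" pattern from posts #5 and #8, plus the
// checks that make it hold up. Assumptions: PHP 7 or later, the site lives
// in /srv/example/htdocs and the config in /srv/example/etc; host, user,
// password and database name below are placeholders.
declare(strict_types=1);

// Contents of /srv/example/etc/db_connect.php (outside htdocs, mode 0640,
// owned by the deploy user, group-readable by the web server's UID only).
// Host "localhost" makes mysqli use the local socket, so port 3306 can stay
// firewalled (post #6); the account is the read-only user from post #3.
//
//   <?php
//   return [
//       'host' => 'localhost',
//       'user' => 'app_ro',
//       'pass' => 'replace-me',
//       'name' => 'shop',
//   ];

// Locate the config relative to this script's own directory, not via a
// "../" that depends on include_path and the current working directory.
function configPath(): string
{
    return dirname(__DIR__) . '/etc/db_connect.php';
}

// The pattern only helps if the file is neither reachable over HTTP nor
// readable by other local users, so verify both before trusting it.
function credentialsFileIsSafe(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;                       // missing file or bogus document root
    }
    if (strpos($real, rtrim($root, '/') . '/') === 0) {
        return false;                       // it sits inside the web tree
    }
    if ((fileperms($real) & 0007) !== 0) {
        return false;                       // "other" bits set: world-accessible
    }
    return true;
}

function dbConnect(): mysqli
{
    $path    = configPath();
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '/srv/example/htdocs';
    if (!credentialsFileIsSafe($path, $docRoot)) {
        // Fail closed; log the detail, keep it out of the browser.
        error_log('db_connect.php misplaced or too permissive: ' . $path);
        exit('configuration error');
    }
    $cfg = require $path;                   // require returns the file's array
    // mysql_connect() from the original post is ext/mysql, removed in PHP 7;
    // mysqli replaces it and supports prepared statements.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

$db = dbConnect();
```

The permission check assumes the file is owned by a deploy account and group-readable by the web server; on a shared host where you cannot set group ownership, 0600 owned by the web server's UID is the fallback, and the check still passes because only the "other" bits are tested.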
#9
    Junior Member, Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2000 | Posts: 4
    Cheers everyone. I do use the include/require functionality to hold the data connect in another file so that I can develop on one server and then make the code live and I only have to change the one connect include file... but being a complete idiot I had always put the connect file in the web dir... duh! Thanks for the tips and I will now do it the better way.
    We are looking at a 3rd party company hosting solution for the server and so we don't have a lot of scope for changing the PHP installation, but we do have control over file permissions on our virtual server, so the method you have described will be a big help and very secure, thanks.
#10
    Contributing User, Devshed Newbie (0 - 499 posts)
    Join Date: May 2000 | Posts: 36
    You can get any server side code on any server it seems with hotdog pro's supertoolz. Try out the website downloader. But the code is downloaded to the client system. It can be viewed, but unchanged in some aspect. I haven't used it in a while, but I do remember that from my novice days.

    -Gabe
    "Save trees, eat beaver."
#11
    Gödelian monster, Devshed Regular (2000 - 2499 posts)
    Join Date: Jul 1999 | Location: Central Florida, USA | Posts: 2,307
    Please explain to me _how_ any outside agent can grab server-side code from a web server, unless it somehow cracks in by ftp or telnet.

    I strongly doubt it. On some webservers it has been possible to get CGI code but that was mainly due to bad server configuration, or certain specific vulnerabilities. ASP used to have a method to show server side code if you appended certain characters after the file request in a browser, but that was a "feature, not a bug". PHP has no such "feature".
