Basic Web Site Security

I am just moving into the world of creating a web site based on HTML, CSS, PHP and a bit of Javascript to handle events.
At the moment I am developing on a host site that I have used for several years to display photos etc.. Therefore I have limited control over the facilities on the site.
I would like my included php scripts to not be readable through the browser to help keep the site a bit more secure. Can anyone give me some clues of where to start looking for the tools I need.
I prefer not to have to start reading a 2000 page book on web security telling me to use all sorts of expensive tools I cannot yet afford!
PS I am a very experienced IT professional in the old world of process control and manufacturing control systems so I can figure out techie stuff with some clues.
Cheers for any help

You're in luck! It's all server side so no information about what the PHP is doing goes to a browser. It just sends the results along.

Try it yourself by making this file and trying to access it via a browser:

Code: Select all

<?php
$super_secret_password = "asdfdasdf";
?>

Hi there! Great to have you here at the Forumz!

As to your problem - there would be no way for a user to read your php code from their browser, as far as I am aware they'd have to get into the file store on your server. Or are you referring to something else?

PHP is a server side language which means that it is processed on the server and the browser is sent the resulting HTML/javascript code. All the user can ever get access to, in the normal course of things, is what that PHP has generated.

Hope this helps!
And I hope you like it here
Snow

Additional: Grr, ryan beat me to it! Welcome anyway kthompso!

Ryan, thanks for responding so quickly.

What you said is correct but that's not the problem. To test out using evemts in JS a created an HTML link with a URL of a blank string "". When I clicked on it an index of my files appeared! If I click on them I can see the PHP code!

So all my PHP scripts are there for the world to attack me through!

I guess this is a server permissions thing but I tried tying down the directories world permissions and then the pages failed with a server error.

This must be a common problem.

regards,
Ken

Heh, try creating a site index.html or default.html...

Just to note this won't solve the problem entirely as it sounds like a user would be able to type in "www.you.com/your.php" and get access to the code... but they won't have a nice directory to show them where it is at least, and once they can't view the name - it'll be almost impossible to guess...

Is that what you were after?

Perhaps your server is misconfigured or you have an error in your code. Under no circumstances should a server send over PHP in text form. Even JavaScript can't access it. Could you provide us with a link?

You can download the php files in text form from the index directory, no?

Nope. PHP is parsed on the server. There's no way to even force download a PHP file.

I don't understand why not?

Create a directory on your webspace without an index/default.htm file but a nice little php document sitting there - you should be able to right-click save when you go to that directory, no?

http://ryanfait.com/test/

test1.php:

Code: Select all

<?php
echo "Test";
?>

test2.php:

Code: Select all

<?php
$variable = "this and that";
$password = "whatever";
?>

Try it

hmm, curious, is that standard with php or is it how your web server is configured?

PHP is a language handled by the server, and only the server. No part of it ever reaches the user. Either you have PHP installed and everything is parsed correctly, or you don't and the browser treats it as a text file.

This is not a PHP problem. Its a problem Server problem. If I put in a URL that points to a directory, any dircetory within my site(that does not have an index.html file) I get the list files. I can then double click and they pop up in notepad in full.
I will research a bit more and feed back.
This is really quite important to any relative "newbie", like myself, building a site and wanting to keep their PHP code "confidential".

Cheers for all the responses.

Ah, that makes more sense. Servers are basically computers. Just like if you open up a folder on your computer, if you open up a directory on a server, it will show you everything in that folder. The easiest way to avoid this is by setting up 404 pages.

Doh
I have seen them but I don't know what you mean by setting them up. I will research them but if you want to give me the quick start, great!!

No worries
We all start at the exact same place.

Solved!!
I found a really useful link
http://www.ecs.soton.ac.uk/~jjf103/i...dex.php?page=4
That led me to the .htaccess file.
Very carefully I altered this to have the line:

IndexIgnore *

Now no files are shown in the index through the browser. My FTP access that I use to maintain the site is still fully working. I may need to do some further tuning but for now I am happy.
I remember using this file before to maintain group access to web sites. I think it is a key resource to such controls on Apache servers.

Thanks for all the rapid support. Very encouraging.

No problem! Just remember that having a directory's contents displayed is useful sometimes