Some questions of importance...
12-23-2007, 08:23 AM
1. Perhaps the best way to secure stuff is to make sure everything stays where it should (filter ANY user input, make sure only the needed directories/files are 777, and such). Also, always include your files using the absolute path, rather than relative. Regarding the php.ini, some hosts give you the possibility of overwriting settings in the server config by putting your own php.ini file with custom config values into the root of your website.
2. Let's say you have a CMS. From the admin, you can add pictures to pages. First you need to upload the pictures. So, you need to chmod the directory in which you'd like to upload the files to 777 (read+write+execute for everybody - owner, group, world). Otherwise, uploading would fail. Another case: you need to programmatically change a file from your webroot (let's say a config file). If the file weren't chmodded to 777, you wouldn't be able to write to it.
NOTE: 777 might not be the wisest way to gain write access to certain files, but I couldn't write to disk or to an existing file when they were 666, for example.
3. Zend Guard or such.
for security, and PHP 5 Objects, Patterns and Practice by Matt Zandstra sounds interesting, and it's well rated, but I couldn't find it. You could also try PHP 5 Unleashed by John Coggeshall.
5. Apache's mod rewrite extension lets you do that easily. You can learn how to do it from here:
mod rewrite forums
7. Can't help you there, sorry.
8. Perhaps the safest way would be to keep your includes somewhere outside the web root. chmod is not needed, but to respond to your question, 644 is enough for a read-only file (read+write for owner & read for everybody else). The files are automatically chmodded to 644 when created (on *nix systems, on windows they might be 666).
9. I don't think that is a bad practice; it's a practical way, I'd say. I've seen a lot of beginner programmers who don't use functions at all (all of their code is linear and extremely hard to read), or the other category, who scatter all of their functions through the linear code. Whatever fits you, but always think of the easiest and most portable way and of the other web devs who may have to deal with your code later.
10. Generally, no. The including is done server-side, so the file included is not like downloaded every time, and it's not included in the output. Slowing your pages could be possible if the included functions generate an enormous output. Security risks? Yes. If you name your functions file php_ref.php.inc (or simply php_ref.inc), and the .inc extension is not marked as 'php parseable' - in httpd.conf, that is, anyone who knows the path to your file could actually see it in the browser. So always use .php as the file extension for PHP scripts when creating a system. But this is not all. Input filtering (not done correctly or not done at all), chmodding to 777 and other problems are possible ways of breaking your system. Check phpsec.org and read there what you should and what you shouldn't do.
Wish ya the best of luck and happy studying :)
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
The Following User Says Thank You to xenon For This Useful Post:
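An added audit script, not code from the original post or its author, that checks a web root for the two exposures discussed in points 2, 8 and 10 above: world-writable entries (777 directories, 666 files) and .inc files that a web server without a PHP handler for .inc would serve as plain text. It assumes a *nix host with POSIX find; the path /var/www/html is an assumed placeholder.

```shell
#!/bin/sh
# Audit a PHP web root for world-writable entries and .inc include files.
# Example (assumed placeholder path):  audit_webroot /var/www/html

# List every directory or file under $1 whose "other" write bit is set,
# one per line, prefixed with "dir " or "file" so the two cases stand out.
find_world_writable() {
    root="$1"
    {
        find "$root" -type d -perm -002 | sed 's/^/dir  /'
        find "$root" -type f -perm -002 | sed 's/^/file /'
    } | sort
}

# List every *.inc file under $1. If httpd.conf does not hand .inc to PHP,
# a request for such a file returns the source code as text.
find_inc_files() {
    find "$1" -type f -name '*.inc' | sort
}

# Print both counts and return the total as the exit status (capped at 255)
# so a cron job or deployment check fails when anything is found.
audit_webroot() {
    root="$1"
    ww=$(find_world_writable "$root" | wc -l | tr -d ' ')
    inc=$(find_inc_files "$root" | wc -l | tr -d ' ')
    total=$((ww + inc))
    printf 'world-writable entries: %s\n.inc files: %s\n' "$ww" "$inc"
    if [ "$total" -gt 255 ]; then total=255; fi
    return "$total"
}

# Remediation the reply describes: 755 for directories, 644 for files.
# Re-grant write access afterwards only on the single upload directory,
# and to the web server's user or group rather than to "other".
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}
```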