CakeFest 2025 Madrid: The Official CakePHP Conference

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 11 notes

    up
    20
    dangan at blackjaguargaming dot net
    18 years ago
    I'd recommend a 404 over a 403 considering a 403 proves there is something worth hacking into.

    index.php:
    define('isdoc',1);
    include(    'includes/include.sqlfunctions.php');
    // Rest of code for index.php
    ?>

    include.sqlfunctions.php (or other include file):
    if(isdoc !== 1) // Not identical to 1
    {
    header('HTTP/1.1 404 Not Found');
    echo     "\n\n404 Not Found\n";
    echo     "\n

    Not Found

    \n

    The requested URL ".$_SERVER['REQUEST_URI']." was not found on this server.

    \n"    ;
    echo     "
    \n"    .$_SERVER['SERVER_SIGNATURE']."\n\n";
    // Echo output similar to Apache's default 404 (if thats what you're using)
    exit;
    }
    // Rest of code for this include
    ?>
    up
    18
    djjokla AT gmail dot com
    19 years ago
    If a single file has to be included than I use the following

    index.php ( where the file is gonna be included )
    ___________
    define('thefooter', TRUE);
    include(    'folder/footer.inc.php');
    ?>

    and the footer file (for example) looks this way then

    footer.inc.php ( the file to be inluded )
    ___________
    defined('thefooter') or die('Not with me my friend');
    echo(    'Copyright to me in the year 2000');
    ?>

    So when someone tries to access the footer.php file directly he/she/it will get the "Not with me my friend" messages written on the screen. An alternative option is to redirect the person who wants to access the file directly to a different location, so instead of the above code you would have to write the following in the footer.inc.php file.

    defined('thefooter') or header('Location: http://www.location.com');
    echo(    'Copyright to me in the year 2000');
    ?>

    In normal case a redirection to an external site would be annoying to the visitor, but since this visitor is more interested in hacking the site than in reading the content, I think it's only fair to create such an redirection. We dont' realy want someome like this on our sites.

    For the file protection I use .htaccess in which I say to protect the file itself and every .inc file


    Order allow,deny
    Deny from all
    Satisfy All


    The .htaccess file should result an Error 403 if someone tries to access the files directly. If for some reason this shouldn't work, then the "Not with me my friend" text apears or a redirection (depending what is used)

    In my eyes this looks o.k. and safe.
    up
    12
    ocrow at simplexity dot net
    21 years ago
    If your PHP pages include() or require() files that live within the web server document root, for example library files in the same directory as the PHP pages, you must account for the possibility that attackers may call those library files directly.

    Any program level code in the library files (ie code not part of function definitions) will be directly executable by the caller outside of the scope of the intended calling sequence. An attacker may be able to leverage this ability to cause unintended effects.

    The most robust way to guard against this possibility is to prevent your webserver from calling the library scripts directly, either by moving them out of the document root, or by putting them in a folder configured to refuse web server access. With Apache for example, create a .htaccess file in the library script folder with these directives:

    Order Allow,Deny
    Deny from any
    up
    11
    k
    18 years ago
    How about not putting the php code in the web-root at all...?

    You can create a public directory with the css, html, etc and index.php there. Then use the include_path setting to point to the actual php code, eg...

    webstuff
    phpcode
    public
    images
    css
    index.php

    then set the include path to "../phpcode" and, as php is executed from the directory of the script, all should be well.

    I'd also call the main index "main.page", or something else, instead of "index.php" and change the web server default index page. That way you cant get hit by things trawlling the web for index pages.
    up
    10
    Thomas "Balu" Walter
    19 years ago
    Since many users can not modify apache configurations or use htaccess files, the best way to avoid unwanted access to include files would be a line at the beginning of the include-file:

    if (!defined('APPLICATION')) exit; ?>

    And in all files that are allowed to be called externally:

    ('APPLICATION', true); ?>

    Balu
    up
    7
    steffen at morkland dot com
    18 years ago
    In Reply to djjokla and others

    Consider placing all incude files as mentioned before in a seperate folder containing a .htaccess containing a Order Deny,Allow

    the create a index file, which is intended to handle ALL request made to you php application, then call it with index.php?view=index

    the index file could look a bit like this:

    switch($_GET['view']){
    case     'index':
    include(    'libs/index.php');
    break;
    default:
    include(    'libs/404.php');
    break;
    }
    ?>

    this could be an array or something even more creative. it actually does'nt matter how you do it... running all pages through one central script has one big advantage.... CONTROL.
    at any givin time, you can easily implement access control to functions without forgetting crucial files.
    up
    3
    Ray.Paseur sometimes uses Gmail
    8 years ago
    Password hashing should be linked here:
    http://php.net/manual/en/faq.passwords.php
    up
    2
    inland14 at live dot com
    6 years ago
    Good Dharma tokens which are basically in the feed somewhere that allow users that are not reprogramming and injecting to get into the site.

    Change this POST AJAX call URL every couple minutes to exclude users who didn't follow your portal. You can combine this with where they came from. Just in the case of advertised click-thrus.

    You can make a perfectly good token from time() and some measure away from it every ~5th minute(?). Balance the load by free token grasping at login, or even if they just got to the site. And don't let them into the feed past the designated 5th minute, or algorithmic sum for your timed change of the guard, without knowledge of the token. This can be caught up by passing variables across pages. Directly injecting the POST token with a curl to your own site. And combining that like a session ID.
    up
    1
    Anonymous
    9 years ago
    chroot is NOT a security feature. Don't use it as one. Please read the man pages of chroot to understand what its really used for
    up
    0
    annonymous at domain dot com
    21 years ago
    best bet is to build php as cgi, run under suexec, with chroot jailed users. Not the best, but fairly unobtrusive, provides several levels of checkpoints, and has only the detriment of being, well, kinda slow. 8)
    up
    0
    ManifoldNick at columbus dot rr dot com
    22 years ago
    Remember that security risks often don't involve months of prep work or backdoors or whatever else you saw on Swordfish ;) In fact one of the bigges newbie mistakes is not removing "<" from user input (especially when using message boards) so in theory a user could secerely mess up a page or even have your server run php scripts which would allow them to wreak havoc on your site.
    add a note
    To Top