Larry Ullman's Book Forums

Various Website Security Questions



I have various questions, inspired by the book “Effortless E-Commerce With PHP and MySQL”, regarding website security.

 

 

Question #1

 

On page 34, it discusses using the open_basedir setting.

How is this achieved exactly?

... I am assuming this is something you write into a php.ini file, but there was not a php.ini file in the downloadable example scripts. What would the code in the php.ini file look like exactly?

 

 

Question #2

 

On page 35, it discusses changing a setting to disable register_globals.

How is this achieved exactly?

 

 

Question #3

 

On page 36, it discusses changing the sessions directory.

First, is this referring to this kind of session?

 

$_SESSION['myName'] = "Johnny";

 

Second, how is this done? Do I get this directory changed by talking to the tech support peeps at my hosting company?

 

 

Question #4

 

On page 36, it discusses changing MySQL so that it is only accessible from localhost or 127.0.0.1. Afterward, being able to change options --skip-name-resolve and --skip-networking.

How is this done? Is all of this done via the hosting company's c-panel or working with the hosting company's tech support?

 

 

Thank you for getting me pushed in the right direction.


The first three questions are done via php.ini or using the set_ini() function.

 

1. open_basedir - http://www.php.net/manual/en/ini.core.php#ini.open-basedir

Normally null. If this is set to a directory, PHP will refuse to open files outside this directory tree using fopen() or similar functions. This can increase security, as a hacker might try to open a password file on your server or include a bad file he has managed to upload on his own.

 

2. Register_globals - http://www.php.net/manual/en/ini.core.php#ini.register-globals

This is deprecated and removed in newer versions of PHP. (<= PHP 5.3.0) If this is on, you need to change it in your php.ini. Considering almost everyone is at least on PHP 5.3.0, this is most likely not a problem anymore.

 

3. Sessions directory

Sessions are server-side cookies. (Not changeable for a user) However, if you are on shared hosting, like most of us, the session directory is normally shared in something like the folder "tmp". Changing it to a folder only reachable for your user account will theoretically improve security. Listen to what the book says.

 

4. MySQL access

You can normally change this in cPanel, and I think the standard is localhost only. If you develop locally on your computer, adding your IP address will allow you to connect to your DB from local scripts. Assigning "*" will allow you to connect from anywhere. The security is increased when no-one can connect to your DB unless they are on your server, but listen to what the book says. I do allow all connections during development myself.
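As an added example (not from the thread or the book), here is a small bootstrap include that applies points 1 to 3 above at runtime where PHP permits it and states the equivalent php.ini line in a comment for each. It assumes a hypothetical layout with the document root at /home/user/public_html and a session directory /home/user/private/sessions outside it.

```php
<?php
// Added example, not from the thread. Assumed hypothetical paths:
// document root /home/user/public_html, and a session directory
// /home/user/private/sessions that lies outside the web root.
// The equivalent php.ini line is given in a comment for each setting.

$docRoot    = '/home/user/public_html';
$sessionDir = '/home/user/private/sessions';

// 1. open_basedir: since PHP 5.3 a script may tighten (never widen) it.
//    php.ini:  open_basedir = "/home/user/public_html:/home/user/private"
//    fopen(), include() and friends are then refused paths outside these trees.
ini_set('open_basedir', $docRoot . PATH_SEPARATOR . dirname($sessionDir));

// 2. register_globals: php.ini-only (register_globals = Off) and removed in
//    PHP 5.4. A script can only detect it and refuse to run with it enabled.
//    ini_get() returns false on versions where the setting no longer exists.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    exit('register_globals is enabled; set register_globals = Off in php.ini');
}

// 3. Session directory: keep session files out of the shared /tmp.
//    php.ini:  session.save_path = "/home/user/private/sessions"
//    Must be set before session_start(); the directory has to exist and be
//    writable by the web server user but not readable by other accounts.
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    exit('cannot create session directory');
}
if (!is_writable($sessionDir)) {
    exit('session directory is not writable by the web server user');
}
session_save_path($sessionDir);
// A custom path is not cleaned by the distribution's cron job, so let PHP
// run its own garbage collection (php.ini: session.gc_probability = 1).
ini_set('session.gc_probability', 1);

// Keep the session id in a cookie the browser's scripts cannot read
// (php.ini: session.use_only_cookies = 1, session.cookie_httponly = 1).
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);

session_start();
```

Save it as, for example, secure-bootstrap.php and require it at the top of each page, or name it in php.ini's auto_prepend_file so PHP runs it before every script without editing each file.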


Thank you Antonio,

 

I appreciate the basic explanation of each question, but I still don't know how to write the code in a php.ini file.  I'm unfamiliar with how to write code in a php.ini file.  Is there an example php.ini file to download which does the first 3 things I've asked about?

 

Thank you


Contact your host, and they will most likely give one to you. If you have a shared host, some of the cheaper providers might not give you the option, though. You don't really "write code" for a php.ini. You do it occasionally as you need things to work, but then you ignore it for long periods of time. I've changed a php.ini file about five times over the last three years myself.

 

If you need something to change, I would just email my hosting provider and let them take care of it.


I've contacted my hosting company, but their technical support says code-writing/scripting is outside the scope of their support.  I do have a general php.ini file to start with though.

 

Anyway, I've done some research and have come a little further.

 

In the php.ini file if I change this line:

 

session.save_path = "/tmp"

 

to:

 

session.save_path = "/private"

 

Surfing the website still ends up saving the sessions in the original "/tmp" folder. However, when I add these two lines of code on every php file that uses sessions:

 

session_save_path('../private');
ini_set('session.gc_probability', 1);

 

It works.

 

So, why wouldn't the php.ini alteration change the directory that the session is saved in?  This alteration would have been a much easier fix than the second method (since I have to add the code to many many files).
 


I'm using WAMP server, so I restarted the server by rebooting my computer.  The session data is still being stored in the old /tmp folder.

 

Also, I'm using this line in the php.ini file:

 

disable_functions = system,exec,register_globals,phpinfo

 

but when I test it by calling phpinfo() on one of my test pages, it still echoes out the php info.

 

It's as if any changes I'm making to the php.ini file are being ignored...

 

Any idea what I have to do to have the changes I make to the php.ini file actually make a difference?


If you're using WAMP server, you can't edit the php.ini directly. WAMP manages the php.ini within the application (which is how it allows you to change certain things from within WAMP). I forget how you do this in WAMP, but look online or within the application for how you make php.ini changes.
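To find out which php.ini is actually in effect, the usual cause of "ignored" edits on WAMP and on shared hosts alike, here is an added diagnostic page that is not from the thread. The expected values are constructed placeholders to replace with what you put in your own file.

```php
<?php
// Added example, not from the thread: report which php.ini PHP loaded and
// compare the live values with the ones you believe you set. The expected
// values below are constructed placeholders; edit them to match your file.

$expected = array(
    'session.save_path' => '/private',
    'disable_functions' => 'system,exec,phpinfo',
    'open_basedir'      => '',
);

function iniReport(array $expected)
{
    $lines = array();

    // The file PHP read at startup (false if none). If this is not the file
    // you edited, your edits cannot take effect; PHP also only rereads it
    // when the web server process is restarted.
    $loaded = php_ini_loaded_file();
    $lines[] = 'Loaded php.ini: ' . ($loaded === false ? '(none)' : $loaded);

    // Extra .ini files scanned from a conf.d-style directory can override it.
    $scanned = php_ini_scanned_files();
    $lines[] = 'Additional .ini files: ' . ($scanned ? $scanned : '(none)');

    foreach ($expected as $key => $want) {
        $have  = ini_get($key);
        $state = ($have === $want) ? 'OK      ' : 'MISMATCH';
        $lines[] = sprintf('%s %-18s live=%s expected=%s',
            $state, $key, var_export($have, true), var_export($want, true));
    }

    // Functions listed in disable_functions cannot be re-enabled by a script,
    // and function_exists() reports false for them; a callable phpinfo()
    // therefore means the php.ini that is live does not list it.
    $lines[] = 'phpinfo() callable: ' . (function_exists('phpinfo') ? 'yes' : 'no');

    return $lines;
}

header('Content-Type: text/plain');
echo implode("\n", iniReport($expected)), "\n";
```

Remove the page again once the settings match; it exposes configuration details that are useful to anyone probing the server.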


Thanks guys, I've figured out all of my issues except for my 4th question regarding:

 

Changing MySQL so that it is only accessible from localhost or 127.0.0.1. Afterward, being able to change options --skip-name-resolve and --skip-networking.

 

I've contacted my host's technical support, but they seemed clueless as to what I was talking about...

 

Do I change this setting simply by using the sql.safe_mode in my php.ini file?... or is this something different?  Also, I'm assuming that my hosting company's default setting would be the safer setting, but I'd still like to make sure.
