PHP Security

This is more a rant than an actual How-To guide. I recently tried to upgrade my version of phpBB on one of my websites and ran into a 500 error. Not a big deal, since I could upgrade manually, but while searching their forums I ran across another user with the same problem. What irked me was that some well-meaning posters (including at least one who is registered as a “Support Team Member”) were telling the original poster that he should completely delete the .htaccess files on his bulletin board, without warning him of the security issues this would introduce or of the changes he would need to make with chmod (file-level permissions) to compensate.

This brings to light a very important point that any web application developer should be aware of. Relying on PHP (or ASP, or any other web technology for that matter) for security is only valid so long as that service is running (and running correctly)! In other words, it is entirely possible for PHP to fail to load while Apache (or IIS) keeps running. When that happens, anyone who can reach your website can read your source code! For example, in this case we were discussing a file in phpBB that contains the database information for a bulletin board, including username and password. The file has the “.php” extension, which means that as long as PHP is running it is parsed on the server and its contents are never sent to the user. However, if PHP is not running, the file contents are served as plain text and are easily visible in any web browser, exposing critical security information to anyone on the Internet with Internet Explorer/Firefox/Opera/etc.! See how serious this is? Proper use of file permissions and/or .htaccess is critical to prevent what could be a catastrophic security hole in your company’s web-based application. (Of course, IIS users should note that .htaccess files are useless to them, since IIS does not read them…)

This is not to say that permissions and access control are all you need, but they are an important step. Ideally, any file containing such critical information should not be within your webroot at all. It should live in a private directory outside the document root and simply be include()d from another script. Unfortunately, some shared hosts make this difficult or even impossible, which is where .htaccess comes in very handy.
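As an added example (not part of the original post), the following Python audit walks a webroot for .php files that assign database credentials and reports those whose directory has no .htaccess deny rule covering them, i.e. the files that would be served as plain text if the PHP handler stopped running. The credential variable names, the constructed sample tree and the two deny-directive forms it recognises are assumptions; real .htaccess syntax is broader than what this check parses.

```python
# Added example: audit a PHP webroot for credential files lacking an .htaccess deny rule.
import os, re, tempfile

# Variable names that hold DB credentials (phpBB's config.php uses $dbpasswd).
CREDENTIAL_RE = re.compile(r"\$(dbpasswd|db_password|dbpass)\s*=", re.I)
# <Files>/<FilesMatch> blocks in .htaccess and the deny directives inside them.
BLOCK_RE = re.compile(r'<Files(Match)?\s+"?([^">]+)"?\s*>(.*?)</Files(?:Match)?>', re.S | re.I)
DENY_RE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)

def htaccess_denies(directory, filename):
    """True if directory/.htaccess contains a deny-all block covering filename."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8") as fh:
        blocks = BLOCK_RE.findall(fh.read())
    for is_regex, pattern, body in blocks:
        # <FilesMatch> takes a regex, <Files> a literal file name.
        covered = re.search(pattern, filename) if is_regex else pattern == filename
        if covered and DENY_RE.search(body):
            return True
    return False

def find_exposed_config(webroot):
    """Return webroot-relative paths of credential-bearing .php files lacking a deny rule."""
    exposed = []
    for dirpath, _, files in os.walk(webroot):
        for name in (f for f in files if f.endswith(".php")):
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if CREDENTIAL_RE.search(fh.read()) and not htaccess_denies(dirpath, name):
                    exposed.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_webroot():
    """Constructed sample tree: one protected and one unprotected config file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "forum/config.php": "<?php\n$dbhost = 'localhost';\n$dbpasswd = 'constructed-secret';\n",
        "shop/config.php": "<?php\n$db_password = 'constructed-secret';\n",
        "shop/.htaccess": '<Files "config.php">\n  Require all denied\n</Files>\n',
    }
    for rel, body in layout.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel in find_exposed_config(build_sample_webroot()):
        print("served as plain text if PHP fails:", rel)
```

Note that chmod alone cannot hide a file from the web server that must read it in order to include() it, so the .htaccess rule (or moving the file outside the webroot) is the control this check looks for.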
