Chris Chris - 3 months ago 16
PHP Question

Securing PHP files

Hello and thanks to everyone for reading my question.

I've been working on a PHP web program for a little while and was wondering what measures should I take to protect the source before putting it on a live server. The source isn't being distributed, it's being accessed through a website (users log into the website to use it).

First I'd like to protect the source php files from being found and downloaded. I'm not using any framework, just php and all files are in the home directory as index.php. I read around and it seems that robots.txt isn't really effective for hiding. I came across some posts of people recommending .htaccess, but I often thought it was for protecting files within a directory with a password, so not sure if there's a way to make it htaccess suitable for a web app.

Second, I'd like to protect the source files in the case someone gets access to them (either finds them and downloads them or a sys admin that has ready access to the server). I thought of source encryption with something like ioncube. My host also has GnuPG [which I'm not familiar with, any thoughts about it compared to ioncube?]

I'm not familiar with source protection, so any ideas would be nice, and of course thank you muchly :)

dbr dbr
Answer

Just make sure your web server is set up to handle .php files correctly, and that all files have the correct .php extension (not .php.inc or similar)

As long as your server executes the PHP, no one can download its source code (ignoring any security holes in your code, which is a different topic)

There was a time when it was common to name included files along the lines of mystuff.php.inc - this is a bad idea. Say your site is at "example.com", and you store your database configuration in config.php.inc - if someone guesses this URL, they can request http://example.com/config.php.inc and get your database login in plain text..

It is a good idea to store configuration and other libraries up one directory as bisko answered - so you have a directory structure like..

/var/example.com:
    include/
        config.php
        helper_blah.php
    webroot/
        index.php
        view.php

This way, even if your web-server config gets screwed up, and starts serving .php files as plain text, it'll be bad, but at least you wont be announcing your database details to the world..

As for encrypting the files, I don't think this is a good idea.. The files must be unencrypted to Apache (or whatever server you're using) can access them. If Apache can access it, your sysadmin can too..

I don't think encryption is the solution to an untrustworthy sysadmin..