How do I make my script which writes to a directory on my site more secure. I was thinking about using .htaccess but I don't know how. Could someone explain?
Hmmm... if you write PHP code it is very hard to make it secure. My advices: Use .htaccess(your ideea, is good, if you don't use the scripts inside it directly(included via PHP)). But also use .htpassword to require an username and a password(or use a basic login system), and only the administrators could write into that files, because if the files are included(htaccess will not help you in this case because the code is included in files that can be accessed), PHP code could be easily injected and executed through the files which includes the php files written by you in htaccessed folder. For .txt files: Can use the same method.
So are you saying that PHP include() command is easy to hack? If so I could delete all my PHP includes and just put the code directly on the pages... Are you also saying that I should make a username/password system on the .htpassword file so only administrators can write files? If so I have a problem. The text files are supposed to be accessable by anyone. I use them to store some html data for a few days and then output the data. Is this a bad idea? Also if a hacker injected some malitious code into one of my folders does that mean that after that they can easily hack the rest of my site? Thanks.
You misunderstood me. I didn't told you that the include() command is easy to hack. What I meant was that to be careful with the files in which you write and include them. Do not delete your includes. I can take a look in your code if you want, I am a PHP security addict. I wrote some tutorials about web vulnerabilities and how to secure them, if you are interested in, I will give you the link. And about the txt files, if they are not included in a PHP file, you can leave them accessible and writeable by anyone (if you want). If someone injected malicious code into your folders/files he can take over your web application, this depends of a lot of factors.
Okay thanks! Here is the include code that appears on all my pages to inlcude a few repeating assets: <body> <div class="BG_Color" id="main"> <?PHP include("../Assets/Site_Wide_Divs/headerdiv.php"); ?> <?PHP include("../Assets/Site_Wide_Divs/navdiv.php"); ?> <?PHP include("../Assets/Site_Wide_Divs/banner_ad_div.php"); ?> <div id="content"> Code (markup): These includes() do not include multilevel includes(). The other place that I use includes is for including a path to my database passwords. I do it exactly the same way. And the final few are in an AJAX requests for the same reason as above. The writing of codes are generally in AJAX requests like: $textdata = $_POST['chattext']; $textdata = strip_tags($textdata); $textdata = stripslashes($textdata); $fw = fopen($filename, "a+b"); $fl = flock($fw, LOCK_SH); $data = fread($fw, filesize($filename)); $newtext = $data . $textdata; $numbytes = fwrite($fw, $newtext); flock($fw, LOCK_UN); Code (markup): Also I was reading some of apaches .htaccess page and they are condemning .htaccess and saying I should use <directory> instead? Is this true? Thanks! ~imozeb ps could you post the link to the PHP security info page you made. I would love to read it!
.htaccess files are helpful to set the behavior of your site over the Internet. you can protect your data from frauds means these files are used for the security purpose.
Hello. I read your code. It is ok. If ONLY the administrator have access to file writting then it is ok, don't worry. So, this is the main problem, the file writting should be accessible only by you(or administrators, if is the case). Keep this in mind. About .htaccess, depends what code do you write into. If you write "deny from all" the folder will not be accessible via HTTP, by nobody. If you want to disable directory listing via htaccess, to hide the files(but if someone knows the filename , it can be accessed by HTTP) you could use a simple index.php or index.html to do this. About my tutorial, check it here: http://sirgod.net/index.php?page=tutorials Code (markup): See "Finding vulnerabilities in PHP scripts FULL ( with examples )" tutorial. It is a little bit long, but I think it will be a good read for you.
So what you are saying is that file writing should only be used by administrators? Can I allow users to write to one folder that is only for them (for something like a message board) or will that compramise the security of my entire site?
Yes, the file writing should be accessible only by administrators. It is a little dangerous to let the users to write into files(if the files in which you write are php or they are normal files but included in another php file). Better use a MySQL database.
So if they are just .txt files and they are read via AJAX through a PHP file for outputing it is dangerous? The output is always within a couple <div> tag if that matters. i.e. when the input from the user is saved to the .txt file PHP puts <div></div> tags around the code. and when it is outputed the .txt data goes into another <div> via .innerHTML. I don't use the data in the .txt file for a filename or something. I feel like it's kind of stupid to use a database for a message board. If you write back again and say that I should use a Mysql database I will. Thanks!
Another question. If I let anyone upload data to my .txt file but I get the filename through the url and append it like so ../../myfolder/my_file_$url.txt is it safe? The text file is already created so the user cannot write to a file that doesn't exist. Does this make it more safe or could people still easily inject malitious code? Thanks.
If you include it via PHP is dangerous. It is stupid for a message board to use a database? It doesn't dude, everybody use a database for a message board. Almost everybody. And if the url variable is set to "/etc/passwd%00"? Your script will output the file etc/passwd (there are a lot of conditions to work or to fail, I am not going to write them all). Ex: "../../myfolder/my_file_/../../../etc/passwd%00.txt". Think about this. Better when you are done send me the source code or give me the address of the website and I'll do a security audit over it. Preferably, it will be better if I take a look over the source code, because I can identify more problems.
Okay thanks. I'll change my code from .txt file storage to database storage and then pm you the code so you can check it. Thanks again!