FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » self-modifying program
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
self-modifying program [message #174352] Wed, 08 June 2011 04:44 Go to next message
Jivanmukta is currently offline  Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
Junior Member
Hello,
I need your opinions about my solution.
I have written a website containg twenty .php pages. I don't use any
framework, but I use my libraries of functions and classes.
These .php pages need a number of global constants, for example MySQL
user and password or path to log file. I have these constants in
secure/constants.php file, where "secure" is a folder available
through SSL protocol (I mean it contains .htaccess file). Here's part
of my secure/constants.php:

<?php
define('MYSQL_SERVER', 'localhost');
define('MYSQL_DATABASE', 'ogloszenia');
define('MYSQL_USER', 'root');
define('MYSQL_PASSWORD', 'mysql');
define('LOG_PATH', 'C:\Documents and Settings\Robert\Moje dokumenty
\Informatyka\ogloszenia-nieruchomosci\log\log.txt');
....

I also have a page secure/configure.php contaning a form to assign
values to these constants, and proper file_put_contents call (to write
"define" commands to secure/constants.php file). As I said before,
"secure" folder is available through SSL only.

Q: What do you think of my solution? Do you have any better idea?
Thanks in advance.

newbie
Re: self-modifying program [message #174358 is a reply to message #174352] Wed, 08 June 2011 07:17 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 08/06/2011 6:44, Jivanmukta escribió/wrote:
> I need your opinions about my solution.
> I have written a website containg twenty .php pages. I don't use any
> framework, but I use my libraries of functions and classes.
> These .php pages need a number of global constants, for example MySQL
> user and password or path to log file. I have these constants in
> secure/constants.php file, where "secure" is a folder available
> through SSL protocol (I mean it contains .htaccess file). Here's part
> of my secure/constants.php:
>
> <?php
> define('MYSQL_SERVER', 'localhost');
> define('MYSQL_DATABASE', 'ogloszenia');
> define('MYSQL_USER', 'root');
> define('MYSQL_PASSWORD', 'mysql');
> define('LOG_PATH', 'C:\Documents and Settings\Robert\Moje dokumenty
> \Informatyka\ogloszenia-nieruchomosci\log\log.txt');
> ...
>
> I also have a page secure/configure.php contaning a form to assign
> values to these constants, and proper file_put_contents call (to write
> "define" commands to secure/constants.php file). As I said before,
> "secure" folder is available through SSL only.
>
> Q: What do you think of my solution? Do you have any better idea?
> Thanks in advance.

Why do you need that the file is reachable through the web browser? Are
you by chance doing stuff like this?

require_once('https://example.com/secure/constants.php');

If you do so, that would explain why it isn't working.


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: self-modifying program [message #174359 is a reply to message #174358] Wed, 08 June 2011 08:59 Go to previous messageGo to next message
Jivanmukta is currently offline  Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
Junior Member
> Why do you need that the file is reachable through the web browser?

OK, I moved the file outside public_html.
Thanks.
Re: self-modifying program [message #174360 is a reply to message #174358] Wed, 08 June 2011 09:55 Go to previous messageGo to next message
Jivanmukta is currently offline  Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
Junior Member
> Why do you need that the file is reachable through the web browser?

BTW, my website contains also "include" folder (for class.X.php,
lib.X.php). Should it be placed inside public_html? How about
"public_html/images" (.gif, .png files)?
Re: self-modifying program [message #174361 is a reply to message #174360] Wed, 08 June 2011 11:44 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 08/06/2011 11:55, Jivanmukta escribió/wrote:
>> Why do you need that the file is reachable through the web browser?
>
> BTW, my website contains also "include" folder (for class.X.php,
> lib.X.php). Should it be placed inside public_html? How about
> "public_html/images" (.gif, .png files)?

The name says it all: *public*_html

If it needs to be public, it must be there. Otherwise, it's up to you.


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: self-modifying program [message #174362 is a reply to message #174360] Wed, 08 June 2011 11:50 Go to previous messageGo to next message
Michael Fesser is currently offline  Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
Senior Member
.oO(Jivanmukta)

>> Why do you need that the file is reachable through the web browser?
>
> BTW, my website contains also "include" folder (for class.X.php,
> lib.X.php). Should it be placed inside public_html?

No, such scripts and configuration files should be stored outside the
document root.

> How about
> "public_html/images" (.gif, .png files)?

These files have to be inside the public folder, because they need to be
reachable by a browser.

Another thing regarding your LOG_PATH constant. You shouldn't hard-wire
its value, but use relative paths based on $_SERVER['DOCUMENT_ROOT']
instead.

Micha
Re: self-modifying program [message #174363 is a reply to message #174362] Wed, 08 June 2011 12:17 Go to previous messageGo to next message
jeff is currently offline  jeff   
Messages: 8
Registered: May 2005
Location: Toronto
Karma: 0
Junior Member
On 6/8/2011 7:50 AM, Michael Fesser wrote:
> .oO(Jivanmukta)
>
>>> Why do you need that the file is reachable through the web browser?
>>
>> BTW, my website contains also "include" folder (for class.X.php,
>> lib.X.php). Should it be placed inside public_html?
>
> No, such scripts and configuration files should be stored outside the
> document root.

Why? The public sees nothing if they hit the script.

Not that I have a problem with putting such files outside public, but
it's not uncommon to FTP to a server and just have the html root
visible. I've never seen a server fail that exposed the php as plain
text. Portability leads toward the more accessible path.

Myself, I would be far more concerned about having the MySQL user as: root.

J
Re: self-modifying program [message #174364 is a reply to message #174363] Wed, 08 June 2011 13:07 Go to previous messageGo to next message
Michael Fesser is currently offline  Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
Senior Member
.oO(jeff)

> On 6/8/2011 7:50 AM, Michael Fesser wrote:
>> .oO(Jivanmukta)
>>
>>>> Why do you need that the file is reachable through the web browser?
>>>
>>> BTW, my website contains also "include" folder (for class.X.php,
>>> lib.X.php). Should it be placed inside public_html?
>>
>> No, such scripts and configuration files should be stored outside the
>> document root.
>
> Why?

Security.

> The public sees nothing if they hit the script.

If it's not intended to be reachable by a URL, then why put it there at
all? You not only have to trust the server to always parse such files,
usually you also have to protect that folder with an .htaccess file.

It's much easier, safer and more reliable to keep such files outside the
public folder.

> Not that I have a problem with putting such files outside public, but
> it's not uncommon to FTP to a server and just have the html root
> visible.

I would not choose such a host, because I definitely need a place
outside the document root. It's not only for my scripts, but for example
also for documents and images which require authorization - they are
stored outside the public folder and are served by a script. With just
the public folder I would have to rely on .htaccess files and HTTP
authentication, which would be much less flexible.

Micha
Re: self-modifying program [message #174366 is a reply to message #174363] Wed, 08 June 2011 14:44 Go to previous messageGo to next message
Jivanmukta is currently offline  Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
Junior Member
> Myself, I would be far more concerned about having the MySQL user as: root.

This is localhost setting only. On hosting server I created special
user for my application.
Re: self-modifying program [message #174368 is a reply to message #174352] Wed, 08 June 2011 21:41 Go to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 07 Jun 2011 21:44:17 -0700, Jivanmukta wrote:

> Hello,
> I need your opinions about my solution. I have written a website
> containg twenty .php pages. I don't use any framework, but I use my
> libraries of functions and classes. These .php pages need a number of
> global constants, for example MySQL user and password or path to log
> file. I have these constants in secure/constants.php file, where
> "secure" is a folder available through SSL protocol

nonono

Put your secure folder somewhere outside of your servers document root, eg
if your web server document root is /var/htdocs, then create /var/secure
and use

require_once "/var/secure/globals.php";

in your php code.

No-one can access globals.php with an http request, because the web
server only gives access to files below /var/htdocs

Rgds

Denis McMahon
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: We wholesale Amazon Kindle/ Monster Beats / Ipods / Apple products of all types
Next Topic: [newbie] datetime issues
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 11:51:14 GMT 2024

Total time taken to generate the page: 0.02560 seconds