Need help securing my PHP code.

Hello. I hope this is the right section to post in. If it’s not, I apologize. I know C but haven’t programmed in it in a long time. PHP is sorta like C in a lot of ways so I know a little bit of PHP but I still consider myself to be a beginning PHP programmer. My question is simple.

I have a website and I also have Apache2 setup on my local machine to test stuff before I upload it to my domain. Right now, I don’t have much but I do have PHP treating HTML files as if they were all PHP files and I have some PHP code in one of my HTML pages. It connects to a MySQL database with a username and a password. When I load the page, it works fine. If I go to view source, I don’t see the PHP code (which I don’t expect to see, so we’re good there). I want to know though, is this good enough for security? Is there any way for a hacker to download the PHP code and recover my MySQL password?

I was thinking of ways to make it so PHP files were in a subdirectory and the webpages could access them but users couldn’t. Perhaps using the .htaccess files. This wouldn’t be the greatest solution for me though because I find it easier putting the PHP code inside the HTML files rather than having separate PHP files.

I’d also like to have some files that start with the word admin that only a select few IP addresses could access. I’ve been using something like what follows down below to do this. I want it so if someone tries to grab the admin files, they can’t tell they’re there. And right now, my rewrite rules don’t work like that. You can tell that my website redirected you. If you try going to a real page that isn’t there, it doesn’t look like you were referred by the website. I can explain that more in detail if it sounds confusing. Any suggestions are greatly welcomed!

# This is my only_allow_certain_IPs_access_to_admin_pages
# "Satisfy all" means BOTH the IP check and the Basic auth must pass (Apache 2.2
# syntax; 2.4 would express the same with "Require ip ..." inside <RequireAll>).
<FilesMatch "^(admin.*|Admin.*)">
        Satisfy all
        Order deny,allow
        Deny from all
        Allow from 192.168.2.2 192.168.2.3

        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /srv/www/.htpasswd
        AuthGroupFile /srv/www/.htgroup
        Require group allowed
</FilesMatch>
# This is my rewrite rules.  I tried switching to the rewrite so the user wouldn't get
# an access denied message.  If I could figure out how to redirect without them knowing they've
# been redirected, this would be the way I'd want to go.   I'd just have it setup for admin files.
# I could even keep PHP code in .php files that are in a subdirectory and then keep the admin
# stuff in an admin subdirectory to make things easier.
#
# Note: in .htaccess context mod_rewrite runs in the fixup phase, AFTER access
# control and authentication. While the <FilesMatch> block above covers the same
# files, a blocked visitor therefore gets its 403 (or the 401 challenge) before
# these rules are ever reached. For the 404 to win, the rules have to run earlier
# (vhost config, translate phase) or the IP gate has to be done in PHP.
RewriteEngine on

# Anchor both ends: without "$", !^192\.168\.2\.2 fails to exclude
# 192.168.2.20-29 and 192.168.2.200-255 as well.
RewriteCond %{REMOTE_ADDR} !^192\.168\.2\.2$
RewriteCond %{REMOTE_ADDR} !^192\.168\.2\.3$

# Match only the admin files, not the whole site. With a 4xx status the
# substitution is ignored, so give "-" rather than a URL; the request then
# takes the same 404 path as a file that does not exist.
RewriteRule ^(admin|Admin) - [R=404,L]

Thank you.

I recently found out too that for the MySQL stuff, because I’m going to be allowing uploads and downloads, I should be parsing the file names to make sure no one is trying anything tricky I guess? I can upload my source code if anyone is willing to take a look and make suggestions. I would really appreciate any and all help that I could get but I do understand that people’s time is scarce and if you don’t have the time to look, it’s okay.
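An added example, not code from the original post, of the "parsing the file names" step mentioned above: the name a browser sends with an upload is attacker-controlled (it can carry `../`, backslashes, NUL bytes or a second extension), so it is reduced to a display label here and the file is stored under a random name instead. The upload directory, the allowed extension list and the `db_users`/`files` table are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Assumes uploads are written
// to a directory OUTSIDE public_html and handed back through a PHP script,
// never by direct URL, so a stored file can never be executed by Apache.
declare(strict_types=1);

const UPLOAD_DIR = '/home/sporkschivago/uploads';   // hypothetical, not under public_html

/**
 * Reduce a client-supplied filename to something safe to show and to store
 * in MySQL as metadata. Returns null when nothing usable survives.
 */
function sanitize_upload_name(
    string $clientName,
    array $allowedExt = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']   // assumed policy
): ?string {
    // Remove NUL bytes and treat backslashes as separators, then drop every
    // directory component ("../../etc/passwd", "C:\evil.php"). basename()
    // on Linux does not know about backslashes, hence the replace first.
    $name = basename(str_replace(['\\', "\0"], ['/', ''], $clientName));

    // Conservative character set; collapse runs of dots; no leading/trailing
    // dots or dashes (".htaccess" must not survive as a dotfile).
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = trim($name, '._-');

    if ($name === '' || strlen($name) > 100) {
        return null;
    }

    // Allow-list the LAST extension only. "shell.jpg.php" is rejected here;
    // "shell.php.jpg" passes, which is safe only because we store under our
    // own random name outside the web root and never execute what we store.
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return null;
    }
    $ext = strtolower(substr($name, $dot + 1));
    return in_array($ext, $allowedExt, true) ? $name : null;
}

/** Name used on disk: random, so it cannot collide or be guessed. */
function storage_name(string $displayName): string
{
    $ext = strtolower(substr($displayName, strrpos($displayName, '.') + 1));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Store one upload from $_FILES['f'] and record it. $db is an open mysqli
 * connection; the files(owner_id, stored_name, display_name) table is assumed.
 */
function store_upload(mysqli $db, int $ownerId, array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $display = sanitize_upload_name((string) $file['name']);
    if ($display === null) {
        return null;
    }
    $stored = storage_name($display);
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        return null;
    }
    // Prepared statement: the display name never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO files (owner_id, stored_name, display_name) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $ownerId, $stored, $display);
    $stmt->execute();
    return $stored;
}

// Constructed inputs to show what the sanitizer does with "tricky" names:
//   "../../etc/passwd"      -> null (no allowed extension after basename)
//   "report.pdf"            -> "report.pdf"
//   "..\\..\\shell.jpg.php" -> null ("php" is not on the allow-list)
//   "shell.php.jpg"         -> "shell.php.jpg" (stored as <random>.jpg)
//   ".htaccess"             -> null (leading dot stripped, no extension left)
```

The same rule applies to downloads: look the file up by its database id, read it from UPLOAD_DIR with the stored name, and send it with `readfile()`; never build a path from anything the client typed.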

Your htaccess file is currently only checking on internal IP Addresses, is that intentional?

Files on a server are accessible by each other. Whereas public files sit in the www, public_html, etc. (depends on the OS) directories. If you are concerned about who can access it, you could also place the sensitive files behind the public directory.

For your admin stuff, you could password protect the directory itself, with a strong password. Use session control. Technically, as long as it is either set on the server or an index file exists in a directory, users cannot see anything else in that directory. I would advise against naming the directory “admin” it is something that people tend to look for. Make sure you also create and properly set a robots.txt file. It doesn’t work for all, but you don’t want google, yahoo, or other search engines indexing your privileged files.
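An added example (not code from either poster) of what "place the sensitive files behind the public directory" looks like for the MySQL password. The point that matters: PHP reads files by filesystem path, Apache serves them by URL, so a file that is a sibling of public_html can be included by a page but has no URL. This also covers the failure mode of keeping PHP inside .html files: if the AddType/AddHandler mapping is ever missing (new host, .htaccess not honoured) or a stray copy such as `login.html~` or `login.html.bak` is left behind, Apache serves the raw source, and with the credentials elsewhere the leak is one `require` line rather than the password. The paths, account names and the `db_users` table are assumptions.

```php
<?php
// ---- File 1: /home/sporkschivago/config/db.php (hypothetical path) ----
// Sits BESIDE public_html, never inside it, so no URL maps to it. Also:
//   chmod 600 /home/sporkschivago/config/db.php
// so other accounts on a shared host cannot read it either.
return [
    'host' => 'localhost',
    'user' => 'site_app',     // a MySQL account with only the privileges the
    'pass' => 'change-me',    // site needs (SELECT/INSERT on its own tables), never root
    'name' => 'sitedb',
];
```

```php
<?php
// ---- File 2: /home/sporkschivago/public_html/login.html (served as PHP) ----
declare(strict_types=1);

/** Open the database using the credentials kept outside the web root. */
function db_connect(): mysqli
{
    // __DIR__ is this file's directory (public_html); step up one level.
    // An absolute, filesystem-based path: nothing here depends on a URL.
    $cfg = require __DIR__ . '/../config/db.php';

    // Throw on errors instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    $db->set_charset('utf8mb4');
    return $db;
}

/** Look up a user by name. Prepared statement: the input never becomes SQL text. */
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash, is_admin FROM db_users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$db = db_connect();
// ... rest of the page (HTML with PHP) as before; $db is now available
// without a single credential appearing in anything under public_html.
```

Two files are shown in one place only for reading; each goes where its header says. `require` returns the value of the included file's `return` statement, which is why the config file can be a plain array with no globals.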

Yes. Currently, I run everything on my isolated LAN. Once I’m convinced that the code is secure and no one can access the passwords in the PHP code, I will upload it to my domain and change the IP addresses accordingly. I should have said something about this before, whoops.

I’m having GoDaddy do the hosting with a Linux virtual shared server. I have a symbolic link, www, that points to public_html. public_html is where I will be storing my files. Are you saying if I have a setup like this:

/home/sporkschivago/

/home/sporkschivago/admin_files/
/home/sporkschivago/admin_files/admin_login.php

/home/sporkschivago/public_html/
/home/sporkschivago/public_html/admin_login.html
/home/sporkschivago/public_html/login.html

that the files in the public_html directory can see and access the files in the …/admin_files directory?

Ohh! Good call on the robots.txt file. I never thought of putting it in another directory besides the servers root directory. For password protecting the directory itself, I plan on doing that. But I want my code to redirect us based on IP first and then if we have the right ip, ask for the password. Is this wrong? I mean is it okay for other users to see the admin login screens if they can find the webpage address? Is that how normal websites work? For example, let's say I have a http://JetBBS.com/secret/admin_login.html and an http://JetBBS.com/login.html The secret directory is password protected. Is it normal to allow any user who can find the secret directory access to it if they know the password? Or do most websites block access to the secret directory based on IP and then if they have the right IP, then ask for the password?

Thanks for taking the time to answer all my questions. I really appreciate the help. It’s nice knowing there are people out there who are willing to help for free with this kind of stuff. I won’t forget this and I’ll try to pass along the good karma and everything. Thank you!

With you suggesting that I implement session control and with me having no idea what it is, I searched for it and started reading something on this W3 schools web site. It says a session is NOT a cookie (it’s not stored on the user’s computer). It allows me to keep track of variables across different web pages I believe. So, let me see if I understand this correctly.

Put all the admin files in a directory below the public_html directory. Have an .htaccess file check the IP address and if it matches the list of admin IPs, redirect them to the login.html page and create a session variable that says they’re an admin IP, otherwise, redirect them to the login.html page without the session variable.

In the login.html page, check the session variable, if it’s an admin_IP, have it access a PHP function that is stored in a file outside the public_html directory that connects to the MySQL server, with a MySQL username and a MySQL password and checks the db_admins database to see if the username and password they entered in the login page matches any known admin usernames and passwords. If it does, create a session variable that says they’re an admin and pass it to any of the pages they go to. If the session variable doesn’t show them as an admin, access a PHP function that is stored in a file outside the public_html directory that connects to the MySQL server with a MySQL username and a MySQL password but this time, check just the db_users database to see if they’re a valid user.

Maybe I can also set it up so any file they try to access that doesn’t exist gets them redirected to the login page instead of a 404. That way if I do need to hide files in the public_html dir, they won’t be able to tell if they’re being redirected because they don’t have access or if they’re being redirected because the file doesn’t exist…
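An added example, not the poster's code, of the login flow planned above in PHP: an IP gate, then a password check, with the result carried in the session. Two things the plan should account for are built in. First, the session data lives on the server, but the session id that selects it travels in a cookie, so the cookie flags matter. Second, the IP never grants anything by itself; it only narrows who may attempt the password. Non-admins asking for an admin page receive a 404 rather than a redirect or a 403, which is the "can't tell it's there" behaviour wanted earlier in the thread. It assumes an open mysqli connection `$db` made from credentials kept outside public_html, a `db_users` table with `id`, `username`, `password_hash` (output of `password_hash()`) and `is_admin`, and the LAN addresses from the thread.

```php
<?php
// Added example (not the original poster's code). $db is assumed to be an
// open mysqli connection; table and column names are assumptions.
declare(strict_types=1);

// Assumed admin addresses. On shared hosting behind a proxy or CDN,
// REMOTE_ADDR is the proxy; X-Forwarded-For is client-controlled, so do
// not use it for this check.
const ADMIN_IPS = ['192.168.2.2', '192.168.2.3'];

/** Start the session with cookie flags that limit theft of the session id. */
function start_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not sent on cross-site requests
    ]);
    session_start();
}

function from_admin_ip(): bool
{
    return in_array($_SERVER['REMOTE_ADDR'] ?? '', ADMIN_IPS, true);
}

/** Returns the user row on success, null on any failure. */
function authenticate(mysqli $db, string $username, string $password): ?array
{
    // Prepared statement: the form input never becomes SQL text.
    $stmt = $db->prepare('SELECT id, password_hash, is_admin FROM db_users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc() ?: null;

    // Verify against a throwaway hash when the user does not exist, so an
    // unknown username and a wrong password take about the same time.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);

    return ($ok && $row !== null) ? $row : null;
}

/** Log the user in; true on success. Call start_session() first. */
function login(mysqli $db, string $username, string $password): bool
{
    $row = authenticate($db, $username, $password);
    if ($row === null) {
        return false;
    }
    session_regenerate_id(true);                 // fresh id: defeats session fixation
    $_SESSION['user_id']  = (int) $row['id'];
    // Admin needs BOTH a flagged account and an admin IP.
    $_SESSION['is_admin'] = (bool) $row['is_admin'] && from_admin_ip();
    return true;
}

/** Put at the top of every admin page, after start_session(). */
function require_admin(): void
{
    if (empty($_SESSION['is_admin']) || !from_admin_ip()) {
        http_response_code(404);
        // Hypothetical file: serve the same body Apache's ErrorDocument 404
        // produces, otherwise the two kinds of 404 are distinguishable.
        readfile(__DIR__ . '/404.html');
        exit;
    }
}

// Request handling for login.html (served as PHP):
start_session();
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
        $next = !empty($_SESSION['is_admin']) ? '/admin_home.html' : '/home.html';   // assumed pages
        header('Location: ' . $next, true, 303);
        exit;
    }
    $error = 'Invalid username or password.';   // deliberately says nothing about which
}
// ... render the form, showing $error when set
```

When creating accounts, store `password_hash($plaintext, PASSWORD_DEFAULT)` in `password_hash`, never the password itself; `password_verify()` above checks against that. Because admin rights are a session value, a user coming from the LAN who logs in with a non-admin account still gets a plain session, and an admin account used from any other address gets one too.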
