When setting file permissions for web-based applications in general, you need to make sure that:
Another oft-recommended strategy for increasing security of a PHP script is to put the files you are referencing with include(), require(), and friends in a directory that Apache will not serve. They still need to be readable by Apache, but this way they will only get used when a PHP script calls them, never on their own. I.e., if your home directory on the server is /home/me/ and you put your web site files in /home/me/public_html/, you can put included files that don't get served directly in /home/me/includes/.
That gives you two kinds of protection. The first is that since people often name their include files with an extension of '.inc' rather than '.php', the web server doesn't know to treat them as PHP if they are requested on their own. That means that your source code will get delivered to the user instead. That's probably not what you want, and will likely confuse a user who gets a bunch of PHP source code.
The second is that such include files are very likely to contain assumptions about things that will have been done before they are used. This works out just fine when you call them from your own scripts and those assumptions are correct, but if someone requested one on its own and the server interpreted it as PHP you might get an error message or some partial completion of a larger process that could gum up the works for a long while.
Hope that helps.
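The layout described in the post above, as an added example written for this page (it is not code from the original post). The file paths, the APP_INCLUDES constant and the IN_APP marker name are assumptions; the marker is an extra guard so an include refuses to run if it is ever served on its own.

```php
<?php
// Assumed layout (example, not from the original post):
//   /home/me/public_html/index.php   <- served by Apache (this file)
//   /home/me/includes/db.inc         <- NOT under the document root
//
// Resolve the include directory relative to this script instead of
// relying on include_path, so a stray include_path entry cannot make
// require() pick up a different file.
define('APP_INCLUDES', realpath(__DIR__ . '/../includes'));

// Sanity check at startup: the include directory must exist and must
// not sit inside the document root. If it does, a plain HTTP request for
// a .inc file would hand the raw source to the client.
$docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
if (APP_INCLUDES === false
    || strpos(APP_INCLUDES, $docroot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Include directory is missing or is inside the document root');
}

// Marker that every include tests before doing anything. If Apache is
// ever misconfigured and runs a .inc file as PHP directly, the include
// sees that the marker is absent and stops instead of running with its
// assumptions unmet (the second problem the post describes).
define('IN_APP', true);

// Each file under /home/me/includes/ starts with the guard:
//   <?php
//   if (!defined('IN_APP')) { exit; }
//   // ... real include code follows ...
require APP_INCLUDES . '/db.inc';

// Normal page logic continues here; db.inc has only been loaded
// because this served script asked for it.
echo 'Includes loaded from outside the document root.';
```

Because /home/me/includes/ is outside DocumentRoot, no extra Apache directive is needed; the directory just has to stay readable by the user Apache runs as.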