
Forum Moderators: coopster & jatar k


How Do I Protect a Sub-Directory config.php File

     
2:11 pm on Oct 11, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 15, 2008
posts: 47
votes: 0


I am not a very technical person and config.php files are new to me. I was looking for a photo gallery script and found one that I liked. The installation set up asked for my server and database passwords and usernames. This made me a little nervous so I contacted the provider and they said the info would be placed in the gallery directory of my site on a config.php file.

I am sure if I want to use this program safely I am going to have to figure out a way to protect the info on the config.php from at least amateur hackers. Is there a way to do this so I can still have my gallery?

Thank you, all help is always appreciated.

2:29 pm on Oct 11, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 24, 2005
posts:697
votes: 0


I don't think putting info in config.php is insecure, unless of course there is a chance of echo.

Even if hackers access it directly, it won't show anything to them.

2:33 pm on Oct 11, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 15, 2008
posts:47
votes: 0


I wasn't sure if it was as easy to open as, say, a .css file.

If they do get a look at it, is what they see encrypted?

Thank you.

3:33 pm on Oct 11, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 24, 2005
posts:697
votes: 0


Let's say our config.inc.php was

<?php
$thisPassword="*****";
$thatPassword="*****";
$thisSetting="*****";
$thatSetting="*****";
?>

And no matter what else, unless you are not doing an echo for those variables it won't show if someone loaded the file in a browser; all they will see is a plain blank page.

3:24 am on Oct 12, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:June 6, 2005
posts:109
votes: 0


The security issue with config files is usually to do with the file being included elsewhere, not the contents being displayed. eg. A page on my site that can get your password details.

This script will do that:

<?php
include('http://www.yoursite.com/config.php');
$vars = get_defined_vars();
print_r($vars);
?>

A simple way to provide some protection against this is to define a variable in your pages and check whether this is set in the config file.

index.php:

<?php
define('TRXASDFA','aljsjkas'); // These are just two random strings... Make them unguessable.
include('config.php');
?>

config.php:

<?php
// Refuse to run unless an entry page has defined the guard constant first.
if (!defined('TRXASDFA') || TRXASDFA != 'aljsjkas')
    die();

$thisPassword="*****";
$thatPassword="*****";
$thisSetting="*****";
$thatSetting="*****";
?>

To answer your initial question cooldogs, it does create somewhat of a security issue, but using config files is a very common thing and most scripts use them.

5:17 am on Oct 12, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 24, 2005
posts:697
votes: 0



<?php
include('http://www.yoursite.com/config.php');
$vars = get_defined_vars();
print_r($vars);
?>

MattAU, I am sorry but I totally disagree. From all that I have learnt, I think it is impossible to do that; you cannot get any of my server's config like that. If you include any file using "http" then there is no concept of any PHP code being sent to you if my server is running fine. Try that for your own page: include your own config.php via http:// and let's see if you can get those variables. It has to be a code file include like

include "config.inc.php";

That will do what you've mentioned.

I am willing to bet 100$ on that ;)

And I can StickyMail you my config file's URL for a test.

[edited by: Anyango at 5:19 am (utc) on Oct. 12, 2008]

6:13 am on Oct 12, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:June 6, 2005
posts:109
votes: 0


Yeah, you're right Anyango. That was one of the stupidest things I've posted :) It's only a problem in reverse, when you're including files from other possibly unreliable sites.

No more posting on Sunday mornings after big Saturday nights!

6:17 am on Oct 12, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 24, 2005
posts:697
votes: 0


:)

Even so, it was helpful for the topic and the member who asked it; I am sure it clarified his concept further.

3:14 pm on Oct 12, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 15, 2008
posts: 47
votes: 0



Thank you so much guys for all your help.

But now I'm a little confused about something ... is the below true?

[quote]A page on my site that can get your password details.[/quote]

Also, I was wondering what you thought of the idea of using an .htaccess file in the same sub-directory where the config.php file was, does that render it inoperable in any way? Below is the code I found that is supposed to go in the .htaccess file ... the whole thing is for a photo gallery, so the php script sent to me to do so including for back end management would still have to be able to function.

<Files ~ "^config\.php$">
Order allow,deny
Deny from all
</Files>

6:56 pm on Oct 12, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 30, 2003
posts:3719
votes: 0


Why not simply pop the config file outside the web root?

dc
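
The suggestion above, sketched as an added example that is not part of the original thread or of the gallery script: config.php stays where the script expects it but becomes a stub that loads the real settings from a directory outside the web root. The path /home/example/private/gallery-config.php and the load_private_config() helper are assumptions for illustration.

```php
<?php
// config.php left in the gallery directory (added example; all names are hypothetical).
// It holds no secrets itself: the credentials live outside the document root,
// so the web server cannot serve them even if PHP handling breaks and .php
// files start being sent as plain text.

// Assumed location of the real settings file, above the web root. That file
// contains only: <?php return ['thisPassword' => '...', 'thatPassword' => '...'];
const PRIVATE_CONFIG = '/home/example/private/gallery-config.php';

/**
 * Load the private settings file and return the array it returns.
 * Refuses to load a file that resolves to a path inside the web root.
 */
function load_private_config(string $path, string $docRoot): array
{
    $real = realpath($path);                      // resolves symlinks and ".." segments
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException('Private config file is missing or unreadable.');
    }
    // Fail closed if the file has been moved back under the served directory.
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Private config file must sit outside the web root.');
    }
    $settings = require $real;
    if (!is_array($settings)) {
        throw new RuntimeException('Private config file did not return an array.');
    }
    return $settings;
}

try {
    $settings = load_private_config(PRIVATE_CONFIG, $_SERVER['DOCUMENT_ROOT'] ?? '');
} catch (RuntimeException $e) {
    error_log('gallery config: ' . $e->getMessage());  // detail goes to the log only
    http_response_code(500);
    exit;                                              // nothing useful reaches the browser
}

// Expose the values under the variable names used earlier in this thread.
$thisPassword = $settings['thisPassword'];
$thatPassword = $settings['thatPassword'];
```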

7:30 pm on Oct 12, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 24, 2005
posts:697
votes: 0



But now I'm a little confused about something ... is the below true?

Nopes, that is not true, it will not happen and you are secure.

But to "feel" more secure go ahead with dreamcatcher's suggestion, it's simple and solid.

12:23 am on Oct 13, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 15, 2008
posts: 47
votes: 0


Why not simply pop the config file outside the web root?

I love an easy solution that works :)

I will definitely look into that, only thing is I'm a little technically challenged and the config.php is part of a php script setup that I bought to be able to have a photo gallery, I'll have to delve into it and see if I can make that adjustment on my own with my limited abilities.

I can do an .htaccess file and I do currently have one of those; if the above .htaccess solution is good enough, I know I can do that. What did y'all think of the .htaccess idea?

Thanks

 
