Tag Archives: php

Security – Keeping it Off the Web (Page 1 of 2)

The topic of website security is seldom brought up among non-programmers and those who may not be technically inclined, yet if you operate a website, it is an issue of substantial concern to you.

Addressed in this article is a nearly universal problem: it affects almost every PHP or CGI script I’ve ever seen. We won’t delve too far into the technical issues; this is intended for the website owner, someone who might install the occasional PHP file or CGI script. I will assume you are not a software developer.

A general rule I like to follow when installing PHP scripts or web applications is this: if it doesn’t need to be on the web, it shouldn’t be there. This is obvious, but it has implications that are not always clear.

What we are mainly referring to is configuration and, to a lesser extent, program libraries and source code. It may also apply to files and other resources that are controlled through a script interface; examples would be scripts that charge money for downloading files or that set up newsletters. Let’s start with an example, which we’ll call program.php. In our example, program.php is a database application using MySQL to store information.

For our script to do its job, it will need access to your MySQL username and password. It may also need access to many other program files and so forth.

During installation, a control panel probably asked for your MySQL credentials; it may even have asked you to change the file permissions on a configuration file of some sort. You’ve probably been through this type of install process at one time or another.

What the installer does next is write your database password and other private information to a configuration file. This usually happens without your knowledge, and it is also where our problems begin.

Most people don’t catch this right away: if the configuration file is in the same directory as the script (or a subdirectory of it), it is web accessible. Quite often it is a PHP file, usually with write permissions turned on.

The extension .php does afford some degree of protection: under normal circumstances these files are executed by the server rather than sent to a visitor’s browser, but it is still unsafe.

If someone makes a slight mistake in the server configuration or .htaccess file, the server will dump the actual contents of “conf.php” to the user’s web browser, complete with your database password and other private information.

As anyone who has been around web servers very long can tell you, this is a common occurrence. I’ve personally seen it happen on several occasions.

Furthermore, many web editing tools create backup files, resulting in something like config.php.BAK or perhaps config.php.tmp. Files with these extensions are not treated as PHP, so the server sends them to the browser as plain text.

We now have a file that lets hackers and other would-be intruders read your MySQL database password, as well as any other private information kept there.

What is most alarming is that almost every off-the-shelf web-based program exhibits this very problem in some form or another.
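The rule above, applied to program.php as an added example (this is not code from the original article): the credentials live in a private/ directory beside the document root, which the web server never serves, and the loader refuses any configuration file that is reachable from the web or that is world-writable. The directory layout, the conf.php format and the helper names are assumptions made for this example; the demonstration at the bottom builds a throwaway copy of that layout in a temporary directory so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original article.  Layout assumed:
//   <site>/public/   DocumentRoot, holds program.php (web accessible)
//   <site>/private/  never served, holds conf.php with the credentials
// private/conf.php contains only:
//   <?php return ['db_user' => '...', 'db_pass' => '...'];

/**
 * True when $path resolves to a location inside $docRoot.  Anything for
 * which this is true can be fetched by a browser if the server is ever
 * misconfigured, or if an editor leaves a .BAK copy next to it.
 */
function isUnderDocumentRoot(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false; // a path that does not exist cannot be served
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real .= DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

/** Load the credentials, refusing the unsafe layouts the article describes. */
function loadConfig(string $configPath, string $docRoot): array
{
    if (isUnderDocumentRoot($configPath, $docRoot)) {
        throw new RuntimeException("$configPath is inside the document root");
    }
    if (!is_readable($configPath)) {
        throw new RuntimeException("$configPath is not readable");
    }
    // "write permissions turned on" for everyone lets any other account on a
    // shared host rewrite your credentials.
    $perms = fileperms($configPath);
    if ($perms !== false && ($perms & 0002) !== 0) {
        throw new RuntimeException("$configPath is world-writable");
    }
    $config = require $configPath;
    if (!is_array($config) || !isset($config['db_user'], $config['db_pass'])) {
        throw new RuntimeException("$configPath did not return db_user/db_pass");
    }
    return $config;
}

// --- demonstration on a constructed site layout in a temporary directory ---
$site = sys_get_temp_dir() . '/example-site-' . getmypid();
mkdir("$site/public", 0755, true);   // DocumentRoot
mkdir("$site/private", 0750, true);  // not served
file_put_contents(
    "$site/private/conf.php",
    "<?php return ['db_user' => 'example_user', 'db_pass' => 'changeme'];\n"
);
// The unsafe layout: the same file, and an editor's backup of it, inside
// the document root.
copy("$site/private/conf.php", "$site/public/conf.php");
copy("$site/private/conf.php", "$site/public/conf.php.BAK");

$config = loadConfig("$site/private/conf.php", "$site/public");
echo "private/conf.php accepted for user {$config['db_user']}\n";

try {
    loadConfig("$site/public/conf.php", "$site/public");
} catch (RuntimeException $e) {
    echo "public/conf.php rejected: {$e->getMessage()}\n";
}

// Clean up the constructed layout.
foreach (glob("$site/*/*") ?: [] as $file) {
    unlink($file);
}
rmdir("$site/public");
rmdir("$site/private");
rmdir($site);

// In the real program.php the two lines that matter would be:
//   $config = loadConfig(dirname(__DIR__) . '/private/conf.php', $_SERVER['DOCUMENT_ROOT']);
//   $db = new mysqli('localhost', $config['db_user'], $config['db_pass']);
```

Moving conf.php out of the document root is the fix; the isUnderDocumentRoot check is there so that a later reinstall or a copy made by an editor cannot silently put it back. Stray backup copies such as public/conf.php.BAK are not caught by this loader, since the server never runs them; they have to be found and deleted by looking through the document root.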

Why Is Outsourcing PHP Development Tasks More Beneficial?

Business process outsourcing was once an occasional phenomenon, but today it has become common practice across all industrial sectors. It is in the IT field in particular that people outsource their needs and requirements to offshore development companies. Currently, PHP projects are being outsourced in large numbers, chiefly because most companies want their own customized website. But the question is whether outsourcing development tasks is beneficial for the companies or not. With the availability of resources, many companies are bent on having their own development department. But is it good enough to set up your own development department? Let’s figure this out.

First of all, think of the situations in which one outsources business processes. There are some clear points which illustrate this. It is certainly the cost factor which strikes your mind first. For example, if you have a big, reputed company and want to make your web presence more prominent, then you’ll certainly need a customized website. The next thing that comes up is the need for good PHP developers, systems and other required resources. The whole setup would require a large lump sum. On the other hand, if you outsource the same task to a development company, your overhead costs are definitely reduced.

There are several other factors that work in favor of outsourcing PHP development tasks. When you hand over your project to an offshore development company, you get the desired features in your application because the company focuses on its core activities. Most development companies have staffing flexibility, and you also retain operational control over the development process. Each module is rechecked, and the companies make sure that you receive applications that can be operated without any hassle. Cost savings and efficiency are other factors which make outsourcing more beneficial.

The offshore development companies also provide you with facilities to hire the services of a dedicated PHP developer. With an expert PHP coder you would be able to get your application built to exact specifications. With so many obvious advantages, it is hard to overlook the obvious reason to outsource your PHP project. But your outsourcing experience can turn sour if you don’t find the right company. So do search the internet and find a good offshore PHP development company for your project. Get dedicated PHP developers for your task so that you can get websites which are user-friendly and can be easily navigated and managed.