NYCPHP Meetup

NYPHP.org

[nycphp-talk] Htaccess and php user account

Michele Waldman mmwaldman at nyc.rr.com
Mon Dec 1 22:20:23 EST 2008 

Justin,

 

I wouldn't stop using php.  It's still a useful language, but it runs as a
process on the server.  It's not build into server behavior.  I just
wouldn't use if to account security, personally.

 

I was on a virtual dedicated linux account with godaddy.  I know they have a
bad rep, but I'm under the impression they know how of configure a server
properly.

 

Also, here's the situation.  It was down for a short time before I
discovered it.  The likelihood of a hacker being on the site or sniffing the
site at that exact moment was fairly slim.  However, if it goes down and you
don't discover it, it would be a problem.

 

It's just something to keep in mind.  I would store data in a databasesand
passwords in a separate directory where http access has been revoked
entirely.  I do not put password in php, just in case.

 

Perhaps, there's a better way to configure the server, but the servers I use
have all been configured by the hosting provider.  Godaddy's not the only
one I've worked with, but you have very little way of knowing how different
providers have configured the shared accounts.

 

Michele

 

 

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Justin Dearing
Sent: Monday, December 01, 2008 10:08 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Htaccess and php user account

 

Michele,

 

I think your ISP lied to you. Assuming its apache and mod_php I'm pretty
sure that the only explanation was they reconfigured apache wrong, restarted
apache, you saw the issue, reported it, and they fixed it.

 

If your server is a windows server (unlikely in a shared hosting senario) or
this is something like lighthttpd or php running on apache through some
configuration I'm not totatly familiar with like CGI, then maybe this can
happen. 

If what you experienced is a common occurrence with mod_php, I hope others
on this list will chime in. If it is I'm going to cease using apache and
mod_php in production environments. 

 

 

 

On Mon, Dec 1, 2008 at 9:51 PM, Michele Waldman <mmwaldman at nyc.rr.com>
wrote:

I'm not sure which process died, but I was programming one night and all of
the sudden all of my php code was being dumped to my browser.

 

I called my hosting provider and they said the underlying process had died
for some reason.

 

I can't remember if we did a reboot or if the process was started back up
independently.

 

Ever since then, I've taking into consideration that php is not necessarily
that secure.  One hiccup from the server and security could be compromised.
I keep sensitive data out of those files.

 

I was more curious about how it might be implemented in case my client
didn't upgrade the server, but my client will upgrade for more than just
this reason.

 

I know Zencart and other apps doesn't rely on htaccess, but rather php, but,
if I'm going to develop an app for which I am liable, I really think server
level is the only way to go.

 

Michele

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Justin Dearing
Sent: Monday, December 01, 2008 9:40 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Htaccess and php user account

 

Can you describe a senario where php stops working and as a result php would
stop?

Yes, theoretically apache could be reconfigured so its thinks that .php
files are just a text files, but if mod_php were to "crash", which generally
brings down the worker thread and fixes itself.

 

Session variables and a name and crypted password string in the database are
the way to go generally. I could reccomend more sofisticated approaches,
such as having php authenticate against LDAP, or the mysql database users
(assuming you restrict database access on a per user level), but if your
doing shared hosting (no root access), this is probably the best way.

 

Most php web apps work this way. 

 

On Mon, Dec 1, 2008 at 8:14 PM, Michele Waldman <mmwaldman at nyc.rr.com>
wrote:

I'm trying to set up a user account with htaccess and mysql.

 

But the shared hosting account doesn't have mod_auth_mysql htaccess module
installed on the machines and I can't get root access.

 

How else are folks implementing accounts?

 

In php?

 

If so, what's the best general way to implement that.  Do you use session
variables for that?

 

My primary concern about implementing accounts in php is that php can stop
running on the server.  If that happens, the security becomes non-existent.
Plus, the php code can be dumped right to the browser.

 

I'd much rather server level security than in processes that can stop.

 

Thoughts on account security approaches, please.

 

Michele


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php

 


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20081201/f765d59d/attachment.html>

More information about the talk mailing list