NYCPHP Meetup

NYPHP.org

[nycphp-talk] Htaccess and php user account

Tim Lieberman tim_lists at o2group.com
Mon Dec 1 23:19:44 EST 2008 

Following up on my previous, more general post.

If you're just using PHP to control access to html content, and you're  
worried that your shared host is going to bork your apache  
configuration (which clearly is what happened in your case, assuming  
apache), you basically do the following:

1) Do a typical PHP auth setup of whatever design.  User accounts in  
mysql, with md5'd passwords.
2) Keep anything sensitive out of the web root.

So, very simplified, you've got something like this:

/some/dir/webroot -- webroot
/some/dir/secure -- not accessible by apache
/some/dir/lib/db.php - php script that contains any sensitive database  
connection information (note: your database shouldn't be accepting  
connections from just anyone, either.  That's why there's a "host"  
field in mysql.user.
/some/dir/webroot/page.php might look like:

<?PHP
// make sure the user has authenticated.
if (! auth() ){
	header("Location: login.php");
	exit();
}

//include the protected content
include "../lib/page.html";
?>

So even if your apache config goes south and spits out PHP code, all  
anyone sees is the content of page.php, above.

Exercise: Find the vulnerability in page.php that anyone can exploit.   
It must be useful.  The fact that there's a "lib" directory above the  
webroot is not really something that needs to be a secret.

Many PHP frameworks out there (cake and zend come to mind) use exactly  
this approach.

-Tim


/some/dir/webroot/page.php
On Dec 1, 2008, at 8:14 PM, Michele Waldman wrote:

> I’m trying to set up a user account with htaccess and mysql.
>
> But the shared hosting account doesn’t have mod_auth_mysql htaccess  
> module installed on the machines and I can’t get root access.
>
> How else are folks implementing accounts?
>
> In php?
>
> If so, what’s the best general way to implement that.  Do you use  
> session variables for that?
>
> My primary concern about implementing accounts in php is that php  
> can stop running on the server.  If that happens, the security  
> becomes non-existent.  Plus, the php code can be dumped right to the  
> browser.
>
> I’d much rather server level security than in processes that can stop.
>
> Thoughts on account security approaches, please.
>
> Michele
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php

More information about the talk mailing list