PHP Security Tip #15
As developers, most of us are very messy. I’ve worked on countless projects and at each one I have either run across or left behind a trail of diagnostic files lying around (info.php, test.php, doMe.php, etc.). These files, if found by someone with nefarious intent, can leak valuable information about your system.
Today’s Security tip is:
Don’t forget to purge temporary system diagnostic files.
It would be a shame to spend all that time securing your application only to leave info.php or, worse yet, a “quick piece of code” in test.php that could potentially leak dangerous information about your system. Don’t help the ad guys any more than you have to.
=C=
P.S. Got a security tip? Post it! If it’s good enough we’ll share it with everybody else. Just log in and click the contribute link in the upper right corner.
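One way to check for the leftovers this tip describes, as an added example that is not part of the original post: a POSIX shell function that lists files under a web root whose names match the usual diagnostic leftovers or whose contents call phpinfo(). The file names, the web root argument and the sample tree are assumptions constructed for the demo; nothing is deleted, the list is for review.

```shell
#!/bin/sh
# Added example (not from the original post). Lists likely leftover
# diagnostic files under a web root so they can be reviewed and purged.
# Assumes POSIX sh with find, grep, sort and mktemp available.

# Typical leftover names (info.php, test.php, doMe.php are the ones the
# post mentions; phpinfo.php is an assumed addition).
DIAG_NAMES='info.php test.php doMe.php phpinfo.php'

# find_diag_files WEBROOT
# Prints one path per line: files whose basename is in DIAG_NAMES, plus
# any .php file that contains a call to phpinfo(). Duplicates are merged.
find_diag_files() {
    root=$1
    {
        for n in $DIAG_NAMES; do
            find "$root" -type f -name "$n"
        done
        # grep -l prints only the file names that contain the pattern;
        # ' *' tolerates whitespace between the function name and '('.
        find "$root" -type f -name '*.php' -exec grep -l 'phpinfo *(' {} +
    } | sort -u
}

# make_sample_tree
# Builds a constructed web root in a temp dir and prints its path.
# Two files match by name, one matches by content, one is clean.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/lib"
    printf '<?php phpinfo();\n' > "$tmp/info.php"
    printf '<?php var_dump($_SERVER);\n' > "$tmp/test.php"
    printf '<?php echo "debug"; phpinfo ();\n' > "$tmp/app/lib/debug.php"
    printf '<?php echo "hello";\n' > "$tmp/app/index.php"
    printf '%s\n' "$tmp"
}

# Run with --demo to scan the constructed tree, or pass a real web root.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    find_diag_files "$root"
    rm -rf "$root"
elif [ -n "${1:-}" ]; then
    find_diag_files "$1"
fi
```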


5 comments to “PHP Security Tip #15”
March 23rd, 2007 at 3:05 pm
I’d like to add that if you are working with *.ini files, or similar, it is very important not to store them in your DocumentRoot, but rather a level below it. If this is not possible due to your server setup, you can easily change this behaviour by adding a .htaccess file to the folder where you are storing the sensitive file.
A simple line like this would do: "Deny from all"
March 23rd, 2007 at 5:04 pm
You definitely need to watch out for the ad guys. They are even more treacherous than the bad guys.
March 24th, 2007 at 2:02 am
Andrie:
Good point. Thanks for posting.
pmuellr:
Being an ad guy myself these days, my only comment is to say that it may have been a typo but it’s still valid advice.
Thanks for posting.
=C=
March 25th, 2007 at 4:34 pm
A quick Google search will show you how acute the phpinfo() problem is:
http://www.google.com/search?q=phpinfo
August 20th, 2007 at 12:23 pm
I found another way of securing my .ini files: I store them as .ini.php and let them start with ";<?php /*" and end with ";*/ ?>". If anyone should happen to find them, all that gets displayed is a single ";".
That’s a very simple solution, and it bears the danger that, should PHP parsing fail for any reason, all the content will be displayed.