I've read through the many posts about securing your files and have followed all of the procedures. But I noticed that the process.php has the user name and password for the MySQL database in it. So can I secure this file or information?
The process.php file is not something that anyone should be able to read unless the form folder is unprotected. Even with the protection, I have chosen to make this a separate file and put another include statement in the process.php file, similar to this one, right at the top:
include("global.inc.php");
This way I can put the username and password file in a more secure location separate from the form location.
I had to remove the last post by geeky_girl to this thread; she had posted her MySQL access information, including the password. For a person trying to secure the MySQL info, it is rather ironic that she would post it on a public forum.
As for your concern regarding the process.php file, you need not worry about that like tnt mentioned. The only way the mysql info inside a PHP file can be viewed by a remote user is if the webserver doesn't process it as PHP code and just sends the source as plain text. However, if your webserver is properly executing .php files, then rest assured it won't expose your database info.
I do agree but also know that the form folder does not include an index file and therefore most users (depending on default hosting security measures) leave this folder wide open for curious hackers to browse with very little effort. So just including an index file is a good step. I do, however, choose to move this info anyway to a separate file in the admin folder which has an index file. Granted I use many other security measures but even the simple methods help prevent the majority of casual hackers from seeing anything.
Thanks for deleting that information. I copied the wrong data when I posted but since you can't edit or delete a message, I didn't know what to do other than changing the username and password on my database. I had a mock up of the data that I was supposed to paste instead!
I have put an index file into any folder that didn't have one as a security measure throughout my entire web site. Now I'm just trying to secure other sensitive data. I wish there was a guide that went over the basic security measures for a website instead of trying to figure it out on my own or searching through forums for each program that is installed.
I'm still getting errors when I move the data into its own file so I'm not sure what I'm doing wrong. I've been troubleshooting other issues as well so I haven't been able to focus on just this issue to get it to work.
I must have missed something or part of this thread.
What is this about securing a file by putting an index file in it?
Does it need to be an index.php file or an index.htm file?
What needs to be in the file???
Here is what I know on the subject (which isn't much but I'm learning)...
Any folder that is not secure and is on your host needs to have an index.html file in it. The reason is that if you don't have an index.html file and someone would type in the url to that folder, then the folder structure shows instead of a webpage. You may have seen this when you have tried to go to a website. By exposing the directory structure, it opens the door to your web.
I just copied my home page index.html to the folders. That way it redirects the person to my website and my files aren't exposed.
Hope this helps.
Be careful of just putting any page in as an index.html file. If links are relative instead of explicit, the relative links are broken. Here is a sample warning page I use.
http://www.thetntsite.com/images/
Thanks!
That was very helpful. You just saved me a ton of work.
Any other tips?
I may be a little late on this thread but there may be another user like me reading through to get questions answered... I had my hosting company turn off indexing and this eliminated the problem of a directory not having an index page. If someone types in the path to a directory with no index they just get a 404 error - is there any reason I shouldn't have it set like this?
If this is done at your root directory then anyone using a browser would have to type in your URL plus the index file name to see your site. Otherwise without a file name they would get "file not found".
http://www.yoururl.com/index.html
If you have sub domains you would experience the same issue for any folder other than the root folder.
I'm not 100% sure but I don't think that this alone is what prevents anyone from seeing files on your site.
This is a non-standard setup and unless you remember that this change is in place it may cause problems for you when you try to expand your site.
Just my opinion!
Interesting, I will have to call the guys at the data center and ask them what they did - I don't have any of those problems. I have a dedicated server where I host multiple domains - I use WHM/CPanel - I assume that all of the user domains would = sub domains in a sense? There are many things I do that I have no clue how I do them :-). In any case, as long as a directory has an index.html or default.html file there is no problem. No one needs to type the full url to get to a site - for example sitebuildernow.net reaches sitebuildernow.net/index.html with no trouble. If my index page wasn't there then the default.html would kick in. If there is no default or index.html in a directory at any level then a full path is required to reach anything in that directory of course. I really appreciate any feedback - the more I learn the less I know.
Harmony
You should be safe with this setup, it's actually common practice that most hosting providers do to safeguard against accidental exposure of web directories by users. In any case, it is always a good idea to do things more explicitly.
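An added example, not part of the original thread: a small audit, run against a local copy of the web root, that reports the two exposures discussed above, namely directories with no index file and credential-bearing files the server would send as plain text instead of executing. The index file names, the assumption that only `.php` files are handed to PHP, the credential pattern and the sample tree are all assumptions or constructed data.

```python
import os
import re
import tempfile

# Assumptions (not from the thread): which names the server treats as index
# pages and which extensions it hands to PHP; adjust both to your host.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.html"}
EXECUTED_EXTS = {".php"}
# Matches lines that look like PHP database credentials, e.g. $dbpass = "..."
CRED_RE = re.compile(r"\$\w*(pass|pwd)\w*\s*=\s*['\"]", re.IGNORECASE)

def audit_webroot(root):
    """Return (dirs_without_index, plaintext_credential_files), relative to root."""
    no_index, cred_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            no_index.append(rel_dir)  # listed if directory indexing is on
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTED_EXTS:
                continue  # executed by PHP, so the source is not sent out
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                if CRED_RE.search(fh.read()):
                    cred_files.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(no_index), sorted(cred_files)

def build_sample_site(root):
    """Constructed sample tree; file names and credentials are made up."""
    files = {
        "index.html": "<html>home</html>",
        "form/process.php": '<?php include("global.inc.php"); ?>',
        "form/global.inc.php": '<?php $dbuser = "demo"; $dbpass = "not-a-real-password"; ?>',
        "form/global.inc.bak": '<?php $dbuser = "demo"; $dbpass = "not-a-real-password"; ?>',
        "images/logo.txt": "placeholder",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(audit_webroot(site))
```

On the sample tree the include file named `global.inc.php` passes because it keeps the `.php` extension, while the leftover `.bak` copy of it is flagged.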