O'Reilly logo

PHP in a Nutshell by Paul Hudson

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 12. Security

The Internet is not a safe place, thanks to a small percentage of its users who feel the need to attack other users electronically. The reasons for the attacks vary— sometimes it is for monetary gain, where attackers find holes in your code that they can exploit to their advantage, and other times it is just for fun.

If your PHP scripts run on an Internet-facing server, they are accessible to hackers and you need to take extra care. Many PHP projects—particularly the larger ones, such as PostNuke—have had major exploits published that allow hackers to take control of a web server remotely. This chapter contains tips and advice to help you avoid falling victim to the next hacker that comes your way.

Security Tips

The easiest way for hackers to find holes in your web site is to scan for strings that give away a known vulnerability. This can be done with a client-side tool that simply hits IP addresses again and again until it finds something it recognizes, but many modern hackers utilize Google to search for data.

As a result, it has never been more important to keep a tight control over what files are on your web site and what information you give to visitors.

Put Key Files Outside Your Document Root

Your document root is the root directory of your web server. That is, if your site is example.com, the root directory would be the directory that http://www.example.com/ points to. For example, on Linux this is often /var/www/html, and on Windows this is often c:\inetpub\wwwroot ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required