PHP / MySQL Security Issue

I have a PHP / MySQL website on 000webhost (http://www.boisvert.me.uk, but it's under review now) and I am worried about its security. What I'm trying to do would make any site vulnerable; it is the equivalent of PHP giving children sharp scrapers. I have various ideas for minimizing the website's vulnerabilities, but more tips would be appreciated.

In particular, there are two scenarios:

  • Download script. Its purpose is to allow a registered site user to download certain XML files (tutorials). Obviously, for this, the folder on the site has to give read access to visitors. I don't like this, but I don't see another way; I can add checks to the script (type, size) to ensure that the downloadable files are limited to XML and some images. Can I improve this in other ways?

  • Script 2 - an interpreter for PHP - the user can enter PHP into a form and execute it (without saving). I want users to be allowed database access, so a rough string replacement ensures that I do not need to pass MySQL access information. But an attacker could use this interpreter to gain access to the file area and download unwanted material. My solution would be to place the interpreter on a separate domain where files cannot be downloaded.

Any advice on how to improve this is welcome, other than "don't do it". I know this is dangerous. So it crosses the street. Thank you for your help.

+3
5 answers

The first point is covered in previous answers (and probably many times elsewhere on this site).

[...] PHP [...] (..., MySQL). php.ini [...] (disable_functions config [...]). [...]. chrooted [...]: system("chroot /path/to/secure/dir ./php tempfile.php"); /path/to/secure/dir [...] PHP [...]. PHP php.ini [...]. [...] script (PHP php.ini) [...].


+3
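The disable_functions and chroot idea in the answer above, as an added example that is not code from the original thread: the submitted snippet is run in its own php-cli process with a hardened set of INI overrides, an empty environment, a wall-clock timeout and an output cap, rather than being eval()'d inside the web application. The paths /usr/bin/php and /var/sandbox are assumptions (the scratch directory must be writable by the web server and must not be under the document root); the array form of proc_open() needs PHP 7.4 or later. This is process-level containment only; the chroot or separate host the answer suggests is still the stronger boundary, and the database extensions are left enabled on purpose.

```php
<?php
// Added example, not code from the original thread: run a user-submitted PHP
// snippet in a separate, restricted php-cli process instead of eval()'ing it
// inside the web application. Assumed (hypothetical) paths: php-cli at
// /usr/bin/php and an empty scratch directory /var/sandbox that is writable by
// the web server and NOT under the document root. Requires PHP >= 7.4 for the
// array form of proc_open().

const PHP_BIN     = '/usr/bin/php';
const SANDBOX_DIR = '/var/sandbox';
const TIMEOUT_SEC = 3;
const MAX_OUTPUT  = 64 * 1024;

// Internal functions that reach the shell, the filesystem, the network or
// other processes. mysqli/PDO are deliberately left enabled because the
// interpreter is meant to allow database queries.
const DISABLED_FUNCTIONS =
    'exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl,putenv,'
    . 'mail,curl_exec,curl_multi_exec,fsockopen,pfsockopen,stream_socket_client,'
    . 'fopen,file,file_get_contents,file_put_contents,readfile,unlink,rename,copy,'
    . 'mkdir,rmdir,chmod,chown,symlink,link,opendir,scandir,glob,ini_set,set_include_path';

function run_sandboxed(string $userCode): array
{
    // The snippet is written inside SANDBOX_DIR so open_basedir still allows it.
    $script = tempnam(SANDBOX_DIR, 'snippet_');
    file_put_contents($script, "<?php\n" . $userCode);

    // Every -d override applies as if it were in php.ini, for this process only.
    $cmd = [
        PHP_BIN,
        '-d', 'disable_functions=' . DISABLED_FUNCTIONS,
        '-d', 'open_basedir=' . SANDBOX_DIR,   // no reads of the real site's files
        '-d', 'allow_url_fopen=0',
        '-d', 'allow_url_include=0',
        '-d', 'memory_limit=32M',
        '-d', 'display_errors=1',              // errors go to stdout, not a server log
        '-d', 'log_errors=0',
        $script,
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Empty environment: nothing inherited from the web server (DB passwords etc.).
    $proc = proc_open($cmd, $spec, $pipes, SANDBOX_DIR, []);
    if (!is_resource($proc)) {
        unlink($script);
        throw new RuntimeException('could not start sandbox process');
    }
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    // max_execution_time only counts CPU time on the CLI, so enforce a wall-clock
    // limit here and SIGKILL the child; the snippet cannot catch or ignore that.
    $output   = '';
    $deadline = microtime(true) + TIMEOUT_SEC;
    $killed   = false;
    while (true) {
        $output .= (string) stream_get_contents($pipes[1]);
        $output .= (string) stream_get_contents($pipes[2]);
        if (!proc_get_status($proc)['running']) {
            break;
        }
        if (microtime(true) > $deadline || strlen($output) > MAX_OUTPUT) {
            proc_terminate($proc, 9);
            $killed = true;
            break;
        }
        usleep(20000);
    }
    $output .= (string) stream_get_contents($pipes[1]);  // drain whatever is left
    $output .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exitCode = proc_close($proc);
    unlink($script);

    return [
        'output'    => substr($output, 0, MAX_OUTPUT),
        'exit_code' => $exitCode,
        'killed'    => $killed,
    ];
}

// Usage: the second snippet fails with "Call to undefined function", refused
// by disable_functions in the child rather than by any filtering in the app.
print_r(run_sandboxed('echo strtoupper("hello from the sandbox");'));
print_r(run_sandboxed('echo file_get_contents("/etc/passwd");'));
```

Because the child starts with an empty environment and cannot read files outside the sandbox, database credentials have to reach the snippet some other way; the usual approach is for the host application to prepend a connection call that uses a dedicated low-privilege account, which is what the asker's "string replacement" amounts to.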

[...] Script 2 [...]. [...] Script [...].

[...]:

(1) give me data from [table]
(2) based on these criteria
(3) from startdate to enddate

[...] PHP.

[...] (..., PHP) [...]. XML [...] PHP script [...] (file_get_contents) xml/image [...].

+1
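The download script from the question (type and size checks, XML and images only) and the approach this answer ends on (a PHP script reads the file and serves it), as an added example that is not code from the original thread. The tutorial directory /srv/tutorials, the session key user_id and the size cap are assumptions; the point is that the directory can live outside the web root and be unreadable to anonymous visitors, because only this script, after a login check, ever hands its contents out. The name is validated against a strict pattern, realpath() is used so symlinks or ".." cannot escape the directory, images are checked with finfo against the type their extension promises, and XML has to actually parse (with LIBXML_NONET so no network fetch happens during the check).

```php
<?php
// Added example, not code from the original thread: serve tutorial files
// through a PHP script so the directory itself stays outside the web root.
// Assumptions (hypothetical): files live in /srv/tutorials, a logged-in user
// is marked by $_SESSION['user_id'], and 2 MiB is a sensible size cap.
declare(strict_types=1);
session_start();

const TUTORIAL_DIR = '/srv/tutorials';
const MAX_BYTES    = 2 * 1024 * 1024;
// Allowed extension => MIME types finfo may report for a genuine file of that kind.
const ALLOWED = [
    'xml'  => ['application/xml', 'text/xml'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

// Map a user-supplied name to a real path inside TUTORIAL_DIR, or null.
function resolve_tutorial(string $name): ?string
{
    // Plain file names only: no slashes, no "..", no NUL, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([a-z]{3,4})\z/', $name, $m)) {
        return null;
    }
    if (!isset(ALLOWED[$m[1]])) {
        return null;
    }
    $base = realpath(TUTORIAL_DIR);
    $path = realpath(TUTORIAL_DIR . '/' . $name);
    // realpath() follows symlinks, so a link pointing outside is caught as well.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($path) || filesize($path) > MAX_BYTES) {
        return null;
    }
    return $path;
}

// Decide the Content-Type from the file's actual content, or null to refuse it.
function content_type_for(string $path): ?string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($ext === 'xml') {
        // Must parse as XML; LIBXML_NONET forbids network access during parsing.
        libxml_use_internal_errors(true);
        $xml = simplexml_load_string((string) file_get_contents($path), 'SimpleXMLElement', LIBXML_NONET);
        libxml_clear_errors();
        return $xml !== false ? 'application/xml' : null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($detected, ALLOWED[$ext], true) ? $detected : null;
}

function serve_download(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
    $path = resolve_tutorial((string) ($_GET['file'] ?? ''));
    $type = $path !== null ? content_type_for($path) : null;
    if ($path === null || $type === null) {
        http_response_code(404);   // same answer whether the name exists or not
        exit('not found');
    }
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    // attachment: the browser saves the file instead of rendering it in the site's origin.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

serve_download();
```

Requests look like download.php?file=lesson-03.xml; anything else (a path, a .php name, an oversized file, a PNG that is really something else) gets the same 404, and the files themselves never need to be web-readable.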

[...] XML [...].

[...]. PHP [...] script [...]. [...] php [...]. [...]

+1

PHP

[...]

  • [...]
  • fopen of http:// URLs
  • mail, curl [...]: PHP [...]
  • suhosin
  • [...]; mySQL [...]. ([...].)

[...] root [...]. [...].


PHP [...] mySQL [...]. [...].

[...] sysadmin [...].

+1
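The "mySQL, not root" point in the answer above, as an added example that is not code from the original thread: the interpreter gets its own MySQL account that can only SELECT from the tables it needs, with a query and connection quota, so a stolen credential or an escaped sandbox does not become the site's admin login. The database name tutorials, the tables lessons and progress, the account tut_ro, the password file /etc/tutorials/ro_password and the admin credentials are all placeholders. CREATE USER IF NOT EXISTS and ALTER USER ... WITH resource limits need MySQL 5.7.6+ or MariaDB 10.2+.

```php
<?php
// Added example, not code from the original thread: a least-privilege MySQL
// account for the PHP interpreter. Hypothetical names: database "tutorials",
// tables "lessons" and "progress", account 'tut_ro'@'localhost', password
// stored in /etc/tutorials/ro_password (outside the web root, readable only
// by the web server user).
declare(strict_types=1);

const RO_PASSWORD_FILE = '/etc/tutorials/ro_password';

// Run once as an administrative account. Identifiers cannot be bound as
// parameters, so the names are fixed constants and only the password is quoted.
function provision_readonly_user(PDO $admin, string $password): void
{
    $pw = $admin->quote($password);
    $admin->exec("CREATE USER IF NOT EXISTS 'tut_ro'@'localhost' IDENTIFIED BY $pw");
    $admin->exec("GRANT SELECT ON tutorials.lessons  TO 'tut_ro'@'localhost'");
    $admin->exec("GRANT SELECT ON tutorials.progress TO 'tut_ro'@'localhost'");
    // Cap what a runaway or malicious snippet can cost the database server.
    $admin->exec("ALTER USER 'tut_ro'@'localhost' WITH MAX_QUERIES_PER_HOUR 500 MAX_USER_CONNECTIONS 5");
    $admin->exec("FLUSH PRIVILEGES");
}

// The connection the interpreter hands to user snippets. The password never
// appears in the snippet text or in the process environment.
function readonly_connection(): PDO
{
    $password = trim((string) file_get_contents(RO_PASSWORD_FILE));
    return new PDO(
        'mysql:host=localhost;dbname=tutorials;charset=utf8mb4',
        'tut_ro',
        $password,
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::MYSQL_ATTR_MULTI_STATEMENTS => false, // no "SELECT 1; DROP TABLE ..."
        ]
    );
}

// Demonstrates the grant doing its job: a write attempt must be refused by the
// server with error 1142 (command denied to user), not by the application.
function write_is_refused(PDO $ro): bool
{
    try {
        $ro->exec('DELETE FROM tutorials.lessons');
        return false;
    } catch (PDOException $e) {
        return ($e->errorInfo[1] ?? null) === 1142;
    }
}

// Usage (admin credentials are placeholders):
$admin = new PDO('mysql:host=localhost;charset=utf8mb4', 'root', 'admin-password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
provision_readonly_user($admin, trim((string) file_get_contents(RO_PASSWORD_FILE)));

$ro = readonly_connection();
var_dump(write_is_refused($ro));
print_r($ro->query('SELECT COUNT(*) AS n FROM tutorials.lessons')->fetch(PDO::FETCH_ASSOC));
```

If the interpreter must also let users write, give that a second account with INSERT/UPDATE on exactly the tables involved rather than widening tut_ro; the privilege boundary is only useful while it is narrow.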

[...]: pastebin/remote.

phpfiddle. API [...] MySQL [...]. test [...] PHPFiddle [...]. PHP [...].

Of course, the security notes in the previous answers still apply. PHP Fiddle implements something similar to a native PHP build that includes only the necessary modules.

0
