Securing PHP files

Question

Hello and thanks to everyone for reading my question.

I've been working on a PHP web program for a little while and was wondering what measures should I take to protect the source before putting it on a live server. The source isn't being distributed, it's being accessed through a website (users log into the website to use it).

First I'd like to protect the source php files from being found and downloaded. I'm not using any framework, just php and all files are in the home directory as index.php. I read around and it seems that robots.txt isn't really effective for hiding. I came across some posts of people recommending .htaccess, but I often thought it was for protecting files within a directory with a password, so not sure if there's a way to make it htaccess suitable for a web app.

Second, I'd like to protect the source files in the case someone gets access to them (either finds them and downloads them or a sys admin that has ready access to the server). I thought of source encryption with something like ioncube. My host also has GnuPG [which I'm not familiar with, any thoughts about it compared to ioncube?]

I'm not familiar with source protection, so any ideas would be nice, and of course thank you muchly :)

Answer 1

Well for your first point, that's web server security, which you should look for help on serverfault. Basically you would use a secure/locked directory for this, or access the files in a virtual directory via a web service.

For you second point, you would use an obfuscator for this, which will protect your source, but remember that if they get the file, you can only do so much to protect it. If they are really interested, they'll get what they want.

Answer 2

The first step you should take is take out all unnecessary files out of the website root and put them in some other place and leave only the files, being called from the web.

For example if you have this setup:

 /var/htdocs/mysexydomain.com/root/config.php
 /var/htdocs/mysexydomain.com/root/db.class.php
 /var/htdocs/mysexydomain.com/root/index.php
 /var/htdocs/mysexydomain.com/root/samplepage1.php

Take all the files one level above so you get

 /var/htdocs/mysexydomain.com/includes/config.php
 /var/htdocs/mysexydomain.com/includes/db.class.php #see the includes dir? :)
 /var/htdocs/mysexydomain.com/root/index.php
 /var/htdocs/mysexydomain.com/root/samplepage1.php

Answer 3

Just make sure your web server is set up to handle .php files correctly, and that all files have the correct .php extension (not .php.inc or similar)

As long as your server executes the PHP, no one can download its source code (ignoring any security holes in your code, which is a different topic)

There was a time when it was common to name included files along the lines of mystuff.php.inc - this is a bad idea. Say your site is at "example.com", and you store your database configuration in config.php.inc - if someone guesses this URL, they can request http://example.com/config.php.inc and get your database login in plain text..

It is a good idea to store configuration and other libraries up one directory as bisko answered - so you have a directory structure like..

/var/example.com:
    include/
        config.php
        helper_blah.php
    webroot/
        index.php
        view.php

This way, even if your web-server config gets screwed up, and starts serving .php files as plain text, it'll be bad, but at least you wont be announcing your database details to the world..

As for encrypting the files, I don't think this is a good idea.. The files must be unencrypted to Apache (or whatever server you're using) can access them. If Apache can access it, your sysadmin can too..

I don't think encryption is the solution to an untrustworthy sysadmin..