  1. #1

    Security Advice needed

    I will be posting up my site soon which will utilise PHP/MySQL. As is standard with most examples I've seen on the Web, the database connection parms (i.e. user and password) are held in include files usually located in a sub directory (e.g. 'includes').

    As a newbie, could someone give me advice on how to secure this directory so that the included PHP file with the db parms cannot be accessed directly by the public?

    Or is there a better way to deal with this issue?

    Thanks

    Peter

  2. #2
    Join Date: Oct 2006 | Location: localhost | Posts: 3,375

    Hi Peter,

    Welcome to Eukhost community forums

    Here are a few instructions on securing the includes folder & tightening the PHP config:

    1) Disable/Deny 'Directory Listing' &/or password protect the directory using .htaccess or through httpd.conf.
    2) Ensure that the 'Includes' folder is outside your web root, and not named something obvious/common.
    3) Rename all *.inc files to *.inc.php such that the file is processed by the PHP engine (meaning that anything like a username & password is not sent to the user).
    4) Ensure you add a blank file named "index.html" to all folders like include(s) or image folders - even if you deny directory listing yourself, you may one day change hosts, or someone else may alter your server configuration - if directory listing is allowed, then your index.html file will make sure the user always receives a blank page rather than the directory listing.
    5) Use "disable_functions" found here in your php configuration : http://www.eukhost.com/forums/f42/di...unctions-6020/
    6) Enable safe_mode in php.ini
    7) Disable "error_reporting" in php.ini ( error_reporting = 0 ).

    I hope you find these tips helpful

    Rock _a.k.a._ Jack
    Windows Hosting || Windows Reseller Hosting
    Cloud Hosting 100% UPTIME! || Powerful Dedicated Servers
    Follow eUKhost on Twitter || Join eUKhost Community on Facebook

    For complaints, grievances or suggestions kindly email our FeedBack Dept.
    Proper action will be taken accordingly & instantaneously!
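
An added example, not part of any post in this thread: a small Python audit that checks a document root against tips 1 to 4 above. The finding labels, the list of "obvious" directory names and the sample site are constructed for illustration, and the tip 1 check assumes an Apache host that honours `.htaccess`.

```python
import os
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}
OBVIOUS_DIRS = {"inc", "include", "includes"}  # assumed "obvious" names (tip 2)

def listing_disabled(directory):
    """True if directory/.htaccess has an Options line containing -Indexes (tip 1)."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8") as fh:
            rows = [line.split() for line in fh]
    except OSError:
        return False
    return any(r and r[0].lower() == "options" and "-indexes" in
               [w.lower() for w in r[1:]] for r in rows)

def audit_webroot(webroot):
    """Return sorted (check, path relative to webroot) findings."""
    findings = []
    if not listing_disabled(webroot):
        findings.append(("listing-not-disabled", "."))
    for dirpath, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        if rel != "." and os.path.basename(dirpath).lower() in OBVIOUS_DIRS:
            findings.append(("include-dir-in-webroot", rel))       # tip 2
        if not INDEX_NAMES & {f.lower() for f in files}:
            findings.append(("no-index-file", rel))                # tip 4
        findings += [("inc-not-parsed-by-php", f"{rel}/{f}")       # tip 3
                     for f in files if f.lower().endswith(".inc")]
    return sorted(findings)

def write(path, body=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)

def demo():
    """Audit a constructed sample site before and after applying tips 1-4."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "public_html")
        write(f"{root}/index.php", "<?php // constructed sample page ?>")
        write(f"{root}/includes/db.inc", "<?php $user = 'example'; ?>")
        write(f"{root}/images/logo.txt", "placeholder")
        before = audit_webroot(root)
        write(f"{root}/.htaccess", "Options -Indexes\n")                   # tip 1
        os.makedirs(f"{top}/private")                                       # tip 2
        os.replace(f"{root}/includes/db.inc", f"{top}/private/db.inc.php")  # tip 3
        os.rmdir(f"{root}/includes")
        write(f"{root}/images/index.html")                                  # tip 4
        return before, audit_webroot(root)
```

Calling `audit_webroot()` on a local copy of the site before upload lists each directory or file that still needs one of the four fixes.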

  3. #3

    Thanks

    Rock,

    Many thanks. I presume I can do all this through CPanel? I'm on the Bronze hosted service.

    Best Regards

    Peter

  4. #4

    Quote, originally posted by lethbrp:
    > Rock,
    >
    > Many thanks. I presume I can do all this through CPanel? I'm on the Bronze hosted service.
    >
    > Best Regards
    >
    > Peter

    Hi Peter,

    You're most welcome

    Yes, you can have the aforementioned security measures implemented on your hosting package/website, either by creating a support ticket or by approaching our 24x7 Live Chat support. We'd be more than happy to do that for you. Have a nice one

    Rock _a.k.a._ Jack

  5. #5

    I'm not sure about this but you can try using Nltest.exe. It is documented on support.microsoft.com

  6. #6

    Quote, originally posted by tokmik:
    > I'm not sure about this but you can try using Nltest.exe. It is documented on support.microsoft.com

    Nltest.exe is a very powerful command-line utility that can be used to test trust relationships & the state of domain controller replication in a Windows NT domain. It has nothing to do here in this case.

    Rock _a.k.a._ Jack