[KLUG Members] PHP/MySQL security help needed

bill members@kalamazoolinux.org
Sat, 07 Dec 2002 09:48:06 -0500


Hi Paul,

The methods you mention are very similar in security.  I like PHP/MySQL
solutions, but it's possible that either could be down for an instant while
Apache is still dishing out your pages.  On the other hand, .htaccess is part of
Apache so if Apache is down, .htaccess won't work, of course, but no pages will
be dished up anyway.  I think .htaccess is most common.  You can even write a
program in PHP to handle the password changes for you (you do change them, don't
you?).  You can get started with .htaccess and move on from there.

Assuming that the page you mention is a web page: Probably the most common
recommendation is to use .htaccess to protect a separate directory. I'd
recommend also: Put .htpasswd (a counterpart to .htaccess) outside the web
root.  Put the admin page and any others you want in the protected directory.
Don't make the directory browseable.  Use PHP to check user credentials on
each page in the directory.  Have it notify you if there are any "oddities."
Nobody should even know it is there, so anything out of the ordinary should
raise an alarm.

This is -not- a bullet-proof solution, but provides a standard level of security
for normal situations as you describe (via http).  Remember, anybody who can
access the machine other than http (telnet, ssh, etc.) will probably be able to
access the page regardless of .htaccess.

kind regards,

bill

Paul VandenBosch wrote:

> I've written my first php/mysql web application and would like to display
> it to the public on my website.  It is on a webhost running Apache.
>
> However, I would like to block all access to the admin page except for
> myself.
>
> In reading about the subject, I've found the HTTP-AUTH and .htaccess
> method, and there is also the password authentication method using
> php/mysql.
>
> Are there any other methods? Which method is recommended and what are the
> security considerations to keep in mind?
>
> --
> Paul VandenBosch
> Guide to Sailing and Cruising Stories
> http://cruisenews.net
>
> _______________________________________________
> Members mailing list
> Members@kalamazoolinux.org
>
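As an added illustration of the layered setup bill describes (not code from this thread), here is a per-page PHP guard for the .htaccess-protected admin directory; the file paths, user name and alert address are assumed placeholders.

```php
<?php
// admin_guard.php: require_once() this at the top of every page in the
// .htaccess-protected admin directory. Apache's Basic auth is the first
// gate; this script is the second, and it reports anything unexpected.
//
// Companion .htaccess in that directory (assumed layout; the .htpasswd
// lives outside the web root, as suggested):
//   AuthType Basic
//   AuthName "Admin"
//   # AuthUserFile must point outside DocumentRoot
//   AuthUserFile /home/example/private/.htpasswd
//   Require valid-user
//   # no directory listing
//   Options -Indexes

const ADMIN_USERS   = ['paul'];                               // only you
const ALERT_ADDRESS = 'alerts@example.invalid';               // hypothetical
const ALERT_LOG     = '/home/example/private/admin-guard.log'; // outside web root

function admin_guard(): void
{
    // Apache sets REMOTE_USER (or PHP_AUTH_USER, depending on the SAPI)
    // only after a successful Basic-auth challenge. If it is absent, the
    // .htaccess gate did not run for this request, e.g. the file was
    // lost during an upload or AllowOverride was changed.
    $user = $_SERVER['REMOTE_USER'] ?? $_SERVER['PHP_AUTH_USER'] ?? null;
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $uri  = $_SERVER['REQUEST_URI'] ?? '';

    if ($user === null) {
        admin_oddity("request without HTTP auth from $ip for $uri");
    }
    if (!in_array($user, ADMIN_USERS, true)) {
        admin_oddity("authenticated user '$user' from $ip is not an admin ($uri)");
    }
}

function admin_oddity(string $what): void
{
    $line = date('c') . " $what\n";
    // Log locally and mail the owner; @ suppresses warnings if mail()
    // is not configured on the host, so the request is still refused.
    @error_log($line, 3, ALERT_LOG);
    @mail(ALERT_ADDRESS, 'admin page oddity', $line);
    http_response_code(403);
    exit('Forbidden');
}

admin_guard();
```

Because the guard runs inside PHP, it only covers requests that reach the web server; a shell or telnet login on the host bypasses both .htaccess and this check, exactly as bill notes.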