PHP Development and security

When you have a website, you should be concerned about security. You need to know a little about which settings are enabled by default in development environments and must be switched off in live production environments.
PHP has several such settings, and one of them is display_errors, which must be set to off in production. If you still have it on and an error occurs, your visitors get to see all your internals: file paths, SQL statements, session ids. And you don't want that!

http://www.phpfreaks.com is a site for PHP developers by PHP developers, but one thing they missed: display_errors = on, resulting in a nice dump of error messages, SQL statements and queries. Luckily the dump didn't contain clear-text passwords, otherwise you can imagine how harmful this all could be.

Just a few lines of the dump:
Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /home/www.phpfreaks.com/public_html/includes/DatabaseObject.inc on line 69

Warning: mysql_query() [function.mysql-query]: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /home/www.phpfreaks.com/public_html/includes/DatabaseObject.inc on line 70

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/www.phpfreaks.com/public_html/includes/DatabaseObject.inc on line 70
MySQL Error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) MySQL Query: INSERT INTO `user_track` set `user_track_id`="", `session_id`="70d2aa2e89ed6aa32c15009630bbbc08", `last_activity`="1188475288", `last_page`="", `member`="0", `ip_address`="195.177.247.201", `refurl`="", `user_agent`="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070730 SUSE/2.0.0.6-2.1 Firefox/2.0.0.6" +===========================================================+ MySQL Query: INSERT INTO `user_track` set `user_track_id`="", `session_id`="70d2aa2e89ed6aa32c15009630bbbc08", `last_activity`="1188475288", `last_page`="", `member`="0", `ip_address`="195.177.247.201", `refurl`="", `user_agent`="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070730 SUSE/2.0.0.6-2.1 Firefox/2.0.0.6"

So security is something to keep in mind: even basic settings can make the difference.
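As an added example (not code from the original post or from phpfreaks.com), here is a small bootstrap that would have kept a dump like the one above out of visitors' browsers: it reports everything internally, logs it to a file outside the document root in production, and shows the visitor only a generic message. The environment variable name APP_ENV and the log path are assumptions for this example.

```php
<?php
// Added example: production-safe error handling, included at the very top of the
// front controller before any other code runs. APP_ENV and the log path are
// assumed names for this example.

declare(strict_types=1);

// The environment comes from the web server / container config, never from the request.
$isProduction = (getenv('APP_ENV') ?: 'production') === 'production';

// Report every error class internally, in every environment (php.ini: error_reporting = E_ALL).
error_reporting(E_ALL);

if ($isProduction) {
    // Never echo errors to the browser (php.ini: display_errors = Off).
    ini_set('display_errors', '0');
    // Keep the details, but in a log file the web server does not serve (php.ini: log_errors = On).
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path, outside the document root
    // Do not advertise the PHP version either (php.ini: expose_php = Off).
    header_remove('X-Powered-By');
} else {
    // Development: show everything, as loudly as possible.
    ini_set('display_errors', '1');
    ini_set('log_errors', '1');
}

// Turn warnings and notices into exceptions, so a database warning such as the
// mysql_query() warnings in the dump above never reaches the output buffer.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respects the @ suppression operator
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Last line of defence: log the full exception, show the visitor only a generic page.
set_exception_handler(function (Throwable $e) use ($isProduction): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo $isProduction
        ? "Something went wrong. The problem has been logged.\n"
        : $e . "\n"; // full message and trace are fine on a developer's machine
});
```

The ini_set() calls are a safety net for a script that is deployed onto a server whose php.ini was never reviewed; the real fix is the php.ini values given in the comments, because display_errors set there also covers errors raised before the script's first line runs. A quick check on a live server is `php -i | grep display_errors`, which should read Off for the production SAPI.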
