Re: [PHP-DB] Code Security
Hi Ethan,

If the user is to neither write nor use the code then why do they have access in the first place? Just wondering.

F

On Feb 5, 2015, at 8:24 PM, Ethan Rosenberg erosenb...@hygeiabiomedical.com wrote:

> On 02/05/2015 11:04 AM, Bastien Koert wrote:
>> I'm with the two Richards on this, those users shouldn't have telnet access to the host server at all. Users should be using the browser to access your site.
>>
>> Other than that, the most important thing you can do is to regularly back up your code and database to another location so that if something happens to the working box (and likely all tech products, it's not IF, it's WHEN) you can restore the code and database with minimal data loss.
>>
>> Bastien
>>
>> On Thu Feb 05 2015 at 9:39:43 AM Omar Muhsin mrfroa...@gmail.com wrote:
>>> You forgot this one
>>> keep the box OFFLINE ... best security :-D
>>>
>>> On 05-02-15 14:10, Richard Quadling wrote:
>>>> 1 - Don't allow terminal access to your box.
>>>> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
>>>> 3 - Don't use PHP.
>
> Thanks to all.
>
> I apologize, but I did not properly define the problem I am addressing.
>
> I have written code for a POS [Point Of Sale] system to be used in a store. I don't expect the store owner to play with the code. His friends [or enemies] might try.
>
> There are two logins to the computer, ethan [me] and worker. Worker has to be able to access the code to use it. He has to be blocked from reading, writing or copying the code.
>
> How??
>
> TIA
>
> Ethan

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Code Security
On 02/05/2015 11:04 AM, Bastien Koert wrote:
> I'm with the two Richards on this, those users shouldn't have telnet access to the host server at all. Users should be using the browser to access your site.
>
> Other than that, the most important thing you can do is to regularly back up your code and database to another location so that if something happens to the working box (and likely all tech products, it's not IF, it's WHEN) you can restore the code and database with minimal data loss.
>
> Bastien
>
> On Thu Feb 05 2015 at 9:39:43 AM Omar Muhsin mrfroa...@gmail.com wrote:
>> You forgot this one
>> keep the box OFFLINE ... best security :-D
>>
>> On 05-02-15 14:10, Richard Quadling wrote:
>>> 1 - Don't allow terminal access to your box.
>>> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
>>> 3 - Don't use PHP.

Thanks to all.

I apologize, but I did not properly define the problem I am addressing.

I have written code for a POS [Point Of Sale] system to be used in a store. I don't expect the store owner to play with the code. His friends [or enemies] might try.

There are two logins to the computer, ethan [me] and worker. Worker has to be able to access the code to use it. He has to be blocked from reading, writing or copying the code.

How??

TIA

Ethan
Re: [PHP-DB] Code Security
On 5 February 2015 at 05:52, Ethan Rosenberg erosenb...@hygeiabiomedical.com wrote:
> How do I prevent someone from opening a terminal window, going to /var/www and stealing all my code?

1 - Don't allow terminal access to your box.
2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
3 - Don't use PHP.

--
Richard Quadling
Re: [PHP-DB] Code Security
Original Message
Date: Thursday, February 05, 2015 13:10:51 +
From: Richard Quadling rquadl...@gmail.com
To: E Rosenberg erosenb...@hygeiabiomedical.com
Cc: PHP Database List php-db@lists.php.net
Subject: Re: [PHP-DB] Code Security

> On 5 February 2015 at 05:52, Ethan Rosenberg erosenb...@hygeiabiomedical.com wrote:
>> How do I prevent someone from opening a terminal window, going to /var/www and stealing all my code?
>
> 1 - Don't allow terminal access to your box.
> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
> 3 - Don't use PHP.
>
> --
> Richard Quadling

As Richard [Q...] implies, the only people who are going to be able to open[ing] a terminal window to your site are those you've given that level of access to. A user only has access to the server-parsed php files (whether they are using a browser or telnetting directly to port 80). They don't have filesystem access.

Now, if you have open/poorly secured ftp/sftp/scp/telnet/ssh ... access, someone who can utilize that route will have fairly unconstrained access to your site and its contents. However, that's basic access control security and not a php-specific issue.

If it's contractors/co-workers who have filesystem access to the site, in order to manage content, then you have a trust issue. If your concern is with others on the site (e.g., a shared hosting environment) then you have a basic hosting security issue, and problems well beyond the control/scope of anything php.

- Richard
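The access-control point made in the reply above, as an added example that is not part of the original thread or any poster's code: a shell check that lists everything under a code tree that a login outside the owner and the web server's group (such as the thread's worker account) could read, write or traverse, then removes those permissions. The ownership layout is an assumption, and the demo tree is constructed in a temporary directory standing in for /var/www.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: the code tree is owned
# by the developer login, group-owned by the web server's group, and the
# "worker" login is in neither, so only the "other" permission bits apply to it.

# Print every file or directory under $1 that grants any permission to "other".
# Symlinks are skipped: their own mode bits are always rwxrwxrwx on Linux.
audit_tree() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all "other" permissions under $1. Owner and group bits are untouched,
# so the web server keeps reading the code through its group.
harden_tree() {
    chmod -R o-rwx "$1"
}

# Constructed demo tree; file names and contents are placeholders.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/pos"
    printf '<?php echo "POS";\n' > "$root/pos/index.php"
    printf '<?php $dsn = "placeholder";\n' > "$root/pos/db.php"
    chmod 755 "$root/pos"            # anyone can list and enter the directory
    chmod 644 "$root/pos/index.php"  # anyone can read and copy the source
    chmod 640 "$root/pos/db.php"     # already closed to "other"

    echo "exposed before hardening:"
    audit_tree "$root/pos"
    harden_tree "$root/pos"
    echo "exposed after hardening:"
    audit_tree "$root/pos"
    rm -rf "$root"
}

demo
```

This only covers the filesystem route: a login that belongs to the web server's group, or that can become root, still reads the files.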
Re: [PHP-DB] Code Security
I'm with the two Richards on this, those users shouldn't have telnet access to the host server at all. Users should be using the browser to access your site.

Other than that, the most important thing you can do is to regularly back up your code and database to another location so that if something happens to the working box (and likely all tech products, it's not IF, it's WHEN) you can restore the code and database with minimal data loss.

Bastien

On Thu Feb 05 2015 at 9:39:43 AM Omar Muhsin mrfroa...@gmail.com wrote:
> You forgot this one
> keep the box OFFLINE ... best security :-D
>
> On 05-02-15 14:10, Richard Quadling wrote:
>> 1 - Don't allow terminal access to your box.
>> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
>> 3 - Don't use PHP.
Re: [PHP-DB] Code Security
You forgot this one
keep the box OFFLINE ... best security :-D

On 05-02-15 14:10, Richard Quadling wrote:
> 1 - Don't allow terminal access to your box.
> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
> 3 - Don't use PHP.