Re: [PHP] The secrecy of PHP code
Of course the absolute safest way besides encryting
your PHP is to just store your state secrets in files
outside the web server's document tree.
i.e.
if your web server's document root is /var/www
?php
require(/var/super-secret/super-functions.php);
if ($theanswer == 42)
{
echo (findthequestion($theanwer));
}
?
then even if you screw up the web server config
and .php files are sent back unrendered all you
expose is what's in the file above but not what was
included/required statements.
This is an excellent way to protect sensitive info
like database passwords too.
Actually... On a shared server, this *STILL* leaves all those files
readable by nobody, IE anybody else who can write PHP (or Perl, or JSP, or
shell script) on the server.
So while this is a good answer, and the stock answer, there *ARE* safer
alternatives, depending on what you can afford in time/resources.
#1. Compile PHP with the same settings *EXCEPT* not --with-apxs
(nor --with-apache) and add another, different AddType with another,
different mime-type and extension, along with an Alias and Action directive
to httpd.conf, along with suExec for Apache (http://apache.org) to wrap
around PHP. Whew. You can then create files ending in your new extension
which will run AS YOU. Yes, *YOU*, the *REAL* user will be running PHP and
have all the power and flexibility you have when you login.
THIS HAS INHERENT SEVERE RISK IF YOU DO IT WRONG!!!
You need to be damn sure that these directives *ONLY* apply in *YOUR*
Directory directive in httpd.conf. Otherwise, *ANY* other user of Apache
could make a new file with your nifty new extension and do *ANYTHING* to
your account.
You'll also want to test this setup under load as you need the PHP CGI to
run fast enough
#2. Buy the Zend encoder. http://www.zend.com This will make your PHP as
readable as word.exe Of course, anybody with enough time and intelligence
will be able to reverse-engineer *ANYTHING*... But they'd probably be able
to reverse-engineer your web-site just by looking at its behaviour faster
than dis-assembling Zend Encoded files.
#3. Convert the *REALLY* sensitive bits of your PHP into C code to be
compiled directly into PHP itself. Or maybe as PHP modules you can load in
with that new-fangled stuff Rasmus has been presenting lately...
http://conf.php.net
#4. If it's just database username/password, you can set vars in httpd.conf
or something... Never did it, never saw it done, it's just a rumor I heard.
You're on your own for this one, kid :-)
There are undoubtably *other* options beyond my ken, but there's a few.
NOTE: Don't over-estimate the value of the intellectual property of your
source code. There just isn't that much most of us are doing that is all
that. Your primary concern should probably be that somebody find your
database passwords within your source, nor snag your whole site's PHP code
and totally rip you off.
--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] The secrecy of PHP code
The only real way to see the php code is if you don't have the webserver set to parse the code...then it will just be displayed on the page (or downloaded). If you're really paranoid, you can get a tool to encrypt your php code. There's some free ones, but here's a costly one that I know of: www.zend.com Tyler Longren Captain Jack Communications [EMAIL PROTECTED] www.captainjack.com On Mon, 13 Aug 2001 07:43:17 -0700 James Shaker [EMAIL PROTECTED] wrote: Greetings, How safe is the code written in PHP? For instance, if I have an equation or some algorithm with some constants for calculations and I code them in PHP for use on a website are they safe from being viewed or taken? Thanks James -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] The secrecy of PHP code
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 they are kinda safe if the webserver is the only way that your files can be viewed if people can log into the machine, they could just view the plaintext of your PHP script. hint: security thru obscurity is not secure. -Original Message- From: James Shaker [mailto:[EMAIL PROTECTED]] Subject: [PHP] The secrecy of PHP code Greetings, How safe is the code written in PHP? For instance, if I have an equation or some algorithm with some constants for calculations and I code them in PHP for use on a website are they safe from being viewed or taken? Thanks James -BEGIN PGP SIGNATURE- Version: PGPfreeware 7.0.3 for non-commercial use http://www.pgp.com iQA/AwUBO3fmwMaXTGgZdrSUEQLANQCg5dnsmDdp9rouyXmk1Wuy7/NHd3YAoIBs A2zlBYvpjbk/K35h54V97r/x =+Sy4 -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] The secrecy of PHP code
On Mon, 13 Aug 2001 09:43:56 -0500 impersonator of [EMAIL PROTECTED] (Tyler Longren) planted I saw in php.general: The only real way to see the php code is if you don't have the webserver set to parse the code...then it will just be displayed on the page (or downloaded). If you're really paranoid, you can get a tool to encrypt your php code. There's some free ones, but Puting aside paranoid part, do you mean decrypting script by another script, everytime it needs running? What free ones you are talking about, beside not-free zend compiler? There are en(de)crypting functions in php itself, i believe. -- ReGards, i leonid -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] The secrecy of PHP code
Of course the absolute safest way besides encryting
your PHP is to just store your state secrets in files
outside the web server's document tree.
i.e.
if your web server's document root is /var/www
?php
require(/var/super-secret/super-functions.php);
if ($theanswer == 42)
{
echo (findthequestion($theanwer));
}
?
then even if you screw up the web server config
and .php files are sent back unrendered all you
expose is what's in the file above but not what was
included/required statements.
This is an excellent way to protect sensitive info
like database passwords too.
-Ironstorm
Northern.CA ===--
http://www.northern.ca
Canada's Search Engine
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
