This topic is 6235 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted (edited)

Hi all. I just installed FMSA9, and the included PHP 5.1.2. Are there any security issues that should be dealt with after installation, especially regarding the php.ini file?

I know there are whole books on PHP security; I'm wondering if there is a simple checklist of what to change, if anything, or if there are any web sites that go over the basics. Yes, I have Googled "PHP security" and there are many sites. For a non-programmer, does anyone have simple ones to recommend?

I also obviously will have to learn some PHP to implement web publishing; right now my main concerns are security issues with its installation.

Edited by Guest
Posted

Security issues relating to what specifically? If there are any security issues relating to someone hacking your server, which I assume is what you're worried about, they will more likely relate to the way you set up Apache and your folder permissions than PHP.

PHP security deals more with letting users log into a website to perform certain functions, setting up accounts and creating login schemas, etc. (the books probably also deal with preventing SQL injection, which isn't really a concern here).

Posted

You are right Genx, I am worried about the hacking aspects. I have ordered a couple of books, 'php|architect's Guide to PHP Security' and 'Essential PHP Security', to help me understand the issues, and hopefully deal with them.

Also ordered 'FileMaker Web Publishing: A Complete Guide to Using the API for PHP' and 'Web Publishing with PHP and FileMaker 9'. Now I just have to find the time to read enough to get something done and stay out of trouble.

I know there are default settings for PHP installations though, and was also wondering if any should be immediately changed in FMPS9's installed php.ini, such as Safe Mode from OFF to ON, etc.

Appreciate the reply.

Posted (edited)

Well, I'm not sure about the PHP installation that comes with FMS, but with the normal PHP install, there are two .ini files. The first is the development file, and the second is the recommended config for production environments.

Having PHP on your server doesn't really expose you to risks in itself, and it's fairly hard to expose the server itself with PHP unless you do something like allow .exe files to be uploaded to the server, and then allow those .exe files to be executed with the permissions.

Let's just say it's hard to actually hack into a server through PHP, and the main security concern people have is that PHP code that they have written will somehow be exploited.

E.g. if you were to write a PHP page to delete a record, and someone worked out how to use it and deleted every record in your database, you might be in trouble. Or if your script revealed information about the location of files etc., that may also cause problems. With SQL, you can delete whole databases via one line of code, but it's not actually possible to SQL inject in this case.

You've done the right thing in buying the books by the way. I can't say much about the second one (I haven't read it... but then again it is by Johnathan Stark) but the first one's pretty good. If you run into trouble with the API - after you've read the book... or while you're reading it, hop over to www.fmwebschool.com/frm.

Edited by Guest
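A php.ini audit in the spirit of the checklist the thread is asking for, added here as an example (it is not from the original posts, nor FileMaker's or PHP's own tooling): it reads a php.ini the way PHP does (comment lines skipped, inline comments and quotes stripped, last assignment wins) and compares a handful of commonly hardened directives against a baseline. The baseline keys and wanted values are assumptions for the example, not FileMaker Server's shipped settings.

```shell
#!/bin/sh
# Audit a php.ini against a small hardening baseline (added example).
# Usage: sh phpini_audit.sh /path/to/php.ini   (no argument: audit a constructed sample)
# Baseline keys/values are assumptions for this example, not FileMaker's shipped defaults.
BASELINE='expose_php=Off
display_errors=Off
log_errors=On
register_globals=Off
allow_url_fopen=Off
file_uploads=Off'
# Normalise a php.ini boolean (On/1/True/Yes are truthy) to "on" or "off".
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}
# Effective value of KEY ($2) in FILE ($1): ";" comment lines are skipped, inline
# comments and quotes are stripped, and the last assignment wins, as in PHP itself.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]*;.*$/, "", v); sub(/[[:space:]]*$/, "", v)
                gsub(/"/, "", v); last = v
            }
        }
        END { print last }' "$1"
}
# Report each baseline key as OK, WEAK (set, but not as wanted) or MISSING (never set,
# so PHP's compiled-in default applies, which may itself be the weak setting).
audit_php_ini() {
    for entry in $BASELINE; do
        key=${entry%%=*}; want=${entry#*=}; have=$(ini_value "$1" "$key")
        if [ -z "$have" ]; then echo "MISSING  $key (want $want)"
        elif [ "$(norm_bool "$have")" != "$(norm_bool "$want")" ]; then echo "WEAK     $key = $have (want $want)"
        else echo "OK       $key = $have"; fi
    done
}
if [ $# -gt 0 ]; then audit_php_ini "$1"
else  # constructed sample: development-style file with one weak setting and two keys never set
    sample=$(mktemp); printf '%s\n' '[PHP]' '; display_errors = Off' 'display_errors = On' \
        'expose_php = Off ; hide version header' 'log_errors = "On"' 'file_uploads = Off' >"$sample"
    audit_php_ini "$sample"; rm -f "$sample"
fi
```

Run it against the php.ini the FileMaker installer actually loads (`php -i | grep 'Loaded Configuration File'` shows which one) rather than a copy, since only the loaded file matters.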
Posted (edited)

Having PHP on your server doesn't really expose you to risks in itself, and it's fairly hard to expose the server itself with PHP unless you do something like allow .exe files to be uploaded to the server, and then allow those .exe files to be executed with the permissions.

Let's just say it's hard to actually hack into a server through PHP, and the main security concern people have is that PHP code that they have written will somehow be exploited.

There was only one php.ini file, so I assume it's the "recommended config for production environments". Thanks for the advice again. When I start writing code, that's when I'll be really careful to follow security guidelines.

Edited by Guest
