How to secure access to public part of webserver?

ruud00000
I have a website consisting of PHP files and database access. I have protected access to restricted pages using a PHP login script, and access to the database is password protected.

Is it possible in any way to list the files on that server and get access to the source code (.php files) on the webserver without knowing my webserver user login details? Anything more that I need to do to prevent that?

See http://www.computerhuys.nl/voetbaltoto_test
Maybe having a custom error page as opposed to having the default one displaying the details of the error might be useful. Something that can just say, 'An error has occurred', and simply logs the error in some log file in the background without giving details on the webpage.

Secondly, you might want to check all textboxes for their input to make sure that nobody can put a script through it. This might be helpful:

http://php.net/manual/en/security.database.sql-injection.php

Thanks.
Most Valuable Expert 2011
Top Expert 2016
Commented:
As a practical matter the answer is, "No."  Your web server will not reveal the PHP code - only the output of the PHP scripts.  As long as your web site is hosted by a professionally managed hosting company you'll be OK.
Application Consultant
Commented:
Normally the DB is stored in a part that you can't access from the web,
the PHP scripts that access the DB are stored in a PHP map on the web server, and the pages are stored in a submap of the map Public_Html.

There is no possibility to get from the Public_html map one level up to the level where PHP is stored, so the answer is NO. If you catch all your SQL errors within PHP, the user can never see table names.
If you don't catch the errors, there is a chance that the user will see an error like
"no access to table myusers" or "column userId not found in table passwords".
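
The two pieces of advice in the answers above (a generic error message with server-side logging, and form input that cannot alter the query), as an added example that is not code from any poster. The `users` table, the `find_user()` helper and the in-memory SQLite database are constructed for illustration and assume the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);
// Added example: schema and function names are assumptions, not the asker's code.

ini_set('display_errors', '0');   // never render PHP/SQL errors into the page
ini_set('log_errors', '1');       // send them to the server-side log instead

function find_user(PDO $db, string $name): array
{
    try {
        // Prepared statement: the form value is bound as data, never spliced into SQL.
        $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        return ['ok' => true, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
    } catch (PDOException $e) {
        // Full detail (table and column names) goes to the log only.
        error_log('DB error in find_user: ' . $e->getMessage());
        return ['ok' => false, 'message' => 'An error has occurred.'];
    }
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

// Normal lookup returns the matching row.
print_r(find_user($db, 'alice'));

// Quote-laden input is treated as a literal name and matches nothing.
print_r(find_user($db, "' OR '1'='1"));

// Simulated schema problem: the visitor gets only the generic message,
// while the log entry names the missing table.
$db->exec('DROP TABLE users');
print_r(find_user($db, 'alice'));
```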

Author

Commented:
thanks!
Theo Kouwenhoven, Application Consultant

Commented:
btw,

That is also the reason why you can't upload data directly to your DB. If you'd like to do that, you need to do it indirectly:
e.g.
FTP data to a map on your "public" part of the server, like .CSV etc.
Start a page (also on the public part) that will trigger a PHP script in the PHP map on the server.

So the server side can use PHP to access the public part and the non-public part.
