Why to use PHP

  • TheTeapot

    Why to use PHP

    I have been using PHP for several years now, but I have been given a
    project at my High School which has recently set up a web server, which
    I would love to use PHP with (and Smarty, but that's a different
    matter).

    The only problem is that I need to convince the Head Teacher of
    Computing that it's a good idea to install PHP. His main concern is
    that a student will be able to download a script off the Internet and
    use it to look at other users' documents, steal passwords, etc.

    Any ideas as to what I can tell him?

  • Erwin Moller

    #2
    Re: Why to use PHP

    Tell him to learn what file permissions and users are.
    A PHP script runs as a certain user (often apache or www-data or nobody),
    and thus PHP has the rights of that user.
    So running PHP is no different from having more users on the same system.
    If you store a file in your private home directory, and you decide to give
    the world read/write permissions on that file, anybody can read/change it.

    This is a matter of good user management and educated users. PHP has nothing
    to do with that.

    Tell him that.

    Also, what OS are we talking about? Some *nix or W$? If the latter, never
    mind talking about security; the number of patches (to patch root access)
    released for W$ indicates that W$ will never be anywhere near secure in the
    near future.

    If he doesn't listen, ask him for detailed arguments, and post them here. I
    am sure somebody will help you to make your case for the sake of PHP.
    :-)

    Regards,
    Erwin Moller


    • TheTeapot

      #3
      Re: Why to use PHP

      Sorry, I meant to include a few extra things in that last email that I
      thought of after sending. (as I generally always do)

      #1: It's a Mac OS X system.
      #2: I'll be installing the PHP build "Entropy" by Marc Liyanage.
      #3: I generally get on quite well with him, I just need to convince him
      that PHP when running as (www) user can't do anything dangerous.

      Is there some obvious document which says all of this (which us
      developers know automatically)?

      Those who can't do something, teach it!


      • Jerry Stuckle

        #4
        Re: Why to use PHP

        If the other students can upload to the server, sure they can, unless
        your teacher knows how to set permissions properly (which it sounds like
        he doesn't). But in that case there probably are other programming
        languages on the system the person could use.

        And if others don't have upload capability, there's no problem as long
        as you design the site properly.

        The bottom line is - without a programming language you'll be stuck with
        static pages. And if you want/need dynamic pages, you need *some*
        programming language. And in many cases PHP is a good solution.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • R K

          #5
          Re: Why to use PHP

          If uploading is enabled, file permissions can't stop a user from
          uploading a file, say "hole.php", then executing that file with the
          URL http://host/uploaddir/hole.php. All PHP files just have rw or just
          r permissions and they are still executed by the server. Seems like a
          PHP issue. Are we leaving this up to developers to take care not to
          create this hole?

          BTW, how do I fix this in an administrative way?

          Thx
          -R


          • R K

            #6
            Re: Why to use PHP

            > BTW, how do I fix this in an administrative way?

            Nevermind. Put this in the .htaccess file in the upload directory:

            php_value engine off

            HTH,
            -R


            • Chung Leong

              #7
              Re: Why to use PHP

              If you have no ideas why you'd want to use PHP then maybe it's not a
              good idea.


              • Rik

                #8
                Re: Why to use PHP

                R K wrote:
                > BTW, how do I fix this in an administrative way?
                >
                > Nevermind. Put this in the .htaccess file in the upload directory:
                >
                > php_value engine off

                Upload/tmp directories shouldn't even be accessible by http....

                /dir/
                    /uploadtmp/
                    /wwwroot/
                --
                Rik Wasmus



                • R K

                  #9
                  Re: Why to use PHP


                  Rik wrote:
                  > R K wrote:
                  > > BTW, how do I fix this in an administrative way?
                  > >
                  > > Nevermind. Put this in the .htaccess file in the upload directory:
                  > >
                  > > php_value engine off
                  >
                  > Upload/tmp directories shouldn't even be accessible by http....
                  >
                  > /dir/
                  >     /uploadtmp/
                  >     /wwwroot/

                  Yeah, but suppose you wanted an upload to be web accessible after it's
                  moved from the tempdir?

                  That final directory needs the .htaccess, doesn't it?
                  -R


                  • Rik

                    #10
                    Re: Why to use PHP

                    R K wrote:
                    > Rik wrote:
                    > > R K wrote:
                    > > > BTW, how do I fix this in an administrative way?
                    > > >
                    > > > Nevermind. Put this in the .htaccess file in the upload directory:
                    > > >
                    > > > php_value engine off
                    > >
                    > > Upload/tmp directories shouldn't even be accessible by http....
                    > >
                    > > /dir/
                    > >     /uploadtmp/
                    > >     /wwwroot/
                    >
                    > Yeah, but suppose you wanted an upload to be web accessible after
                    > it's moved from the tempdir?
                    >
                    > That final directory needs the .htaccess, doesn't it?

                    Well, I'm very curious.
                    You want PHP to be available, but disabled?
                    When do you want PHP to run?
                    And it's far better to put these kinds of settings in httpd.conf than
                    .htaccess, and forbid the use of .htaccess to change these values. If they
                    have access to the directory, what stops them from deleting or altering the
                    .htaccess file, thus enabling PHP? I assume that when a user uploads a
                    file, he is allowed to either edit or delete it.
                    --
                    Rik Wasmus
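
One way to satisfy both Rik's layout (the upload store outside the web root) and R K's wish to make a stored file reachable over HTTP afterwards is to never expose the store directory at all and hand files out through a script. The following is an added example, not code posted by anyone in this thread; the two directory paths, the `upload` form field, the `id` query parameter and the MIME allow-list are assumptions, and it needs PHP 7 or later with ext/fileinfo.

```php
<?php
// Added example, not code posted in the thread. Shows Rik's layout with the
// upload store outside the web root, plus a download script so a stored
// file can still be reached over HTTP without ever being executable.
//   /srv/site/uploadstore/   writable by the web user, NOT under DocumentRoot
//   /srv/site/wwwroot/       DocumentRoot; contains only this script
// The paths, the "upload" form field, the "id" query parameter and the
// MIME allow-list are all assumptions. Requires PHP 7+ with ext/fileinfo.
declare(strict_types=1);

const STORE_DIR = '/srv/site/uploadstore';   // assumed; outside wwwroot
const MAX_BYTES = 5 * 1024 * 1024;
// Content is identified from the bytes; this maps accepted types to the
// extension we assign (the client's filename is discarded entirely).
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/** Store one entry of $_FILES and return the opaque id used to fetch it. */
function store_upload(array $f): string
{
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Sniff the real type; $f['type'] is attacker-controlled and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }
    $id   = bin2hex(random_bytes(16));            // the uploader never picks the name
    $dest = STORE_DIR . '/' . $id . '.' . ALLOWED[$mime];
    // move_uploaded_file() only moves files PHP itself received in this
    // request, so a forged tmp_name cannot be used to copy arbitrary files.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                           // no execute bit, no world access
    return $id;
}

/** Stream a stored file back. Only a 32-hex id is accepted, so no "../". */
function serve_file(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $hits = glob(STORE_DIR . '/' . $id . '.*');
    if (!$hits) {
        http_response_code(404);
        return;
    }
    $path = $hits[0];
    $ext  = pathinfo($path, PATHINFO_EXTENSION);
    $mime = array_search($ext, ALLOWED, true) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');     // browser must not re-sniff as HTML
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // bytes are copied to the client, never include()d
}

// Dispatch: a POST with a file field "upload" stores; GET ?id=... downloads.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        echo 'stored as ', store_upload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} elseif (isset($_GET['id'])) {
    serve_file((string) $_GET['id']);
}
```

With this arrangement the question "does the final directory need a .htaccess?" goes away: nothing under the store directory has a URL, so a dropped hole.php can only ever be downloaded as bytes, and only by someone who knows its random id. The store directory should be owned by the web user with mode 0750 or tighter, and the script is the only PHP that needs the engine switched on.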



                    • R K

                      #11
                      Re: Why to use PHP


                      Rik wrote:
                      > R K wrote:
                      > > Rik wrote:
                      > > > R K wrote:
                      > > > > BTW, how do I fix this in an administrative way?
                      > > > >
                      > > > > Nevermind. Put this in the .htaccess file in the upload directory:
                      > > > >
                      > > > > php_value engine off
                      > > >
                      > > > Upload/tmp directories shouldn't even be accessible by http....
                      > > >
                      > > > /dir/
                      > > >     /uploadtmp/
                      > > >     /wwwroot/
                      > >
                      > > Yeah, but suppose you wanted an upload to be web accessible after
                      > > it's moved from the tempdir?
                      > >
                      > > That final directory needs the .htaccess, doesn't it?
                      >
                      > And it's far better to put these kinds of settings in httpd.conf than
                      > .htaccess, and forbid the use of .htaccess to change these values. If they

                      Then I'd have to reboot the server for every change, not interested in
                      that. Already short on time and this is not my real job.

                      > have access to the directory, what stops them from deleting or altering the
                      > .htaccess file, thus enabling PHP? I assume that when a user uploads a
                      > file, he is allowed to either edit or delete it.

                      Wouldn't permissions on .htaccess prevent overwrite if the server is
                      not running as root? Guess there's one way to find out...

                      -R


                      • Rik

                        #12
                        Re: Why to use PHP

                        R K wrote:
                        > Then I'd have to reboot the server for every change, not interested
                        > in that. Already short on time and this is not my real job.

                        Well, there's security and there's the illusion of security. Good luck.
                        --
                        Rik Wasmus



                        • R K

                          #13
                          Re: Why to use PHP


                          Rik wrote:
                          > R K wrote:
                          > > Then I'd have to reboot the server for every change, not interested
                          > > in that. Already short on time and this is not my real job.
                          >
                          > Well, there's security and there's the illusion of security. Good luck.

                          It's worked for me so far. Gold plating every damn thing hasn't. Back
                          at ya.

                          -R


                          • Rik

                            #14
                            Re: Why to use PHP

                            R K wrote:
                            > Rik wrote:
                            > > R K wrote:
                            > > > Then I'd have to reboot the server for every change, not interested
                            > > > in that. Already short on time and this is not my real job.
                            > >
                            > > Well, there's security and there's the illusion of security. Good
                            > > luck.
                            >
                            > It's worked for me so far. Gold plating every damn thing hasn't.
                            > Back at ya.

                            Hmmmf.
                            Last piece of advice:
                            if you have different users, different user-dirs, but want to apply
                            unoverridable settings to every dir:



                            And check AllowOverride

                            For more information alt.apache.configuration
                            --
                            Rik Wasmus
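
Rik's snippet did not survive on the page, so here is an added httpd.conf example that puts R K's `php_value engine off` idea where Rik says it belongs: in the server config, as a `php_admin_flag` that no .htaccess file or `ini_set()` call can undo, applied to every per-user directory with one wildcard `<Directory>` section. It is not Rik's own text and not the school's configuration. It assumes Apache 2.4 with PHP loaded as mod_php, DocumentRoot `/var/www/html`, trusted code under `/var/www/html/app`, a student-writable `/var/www/html/uploads`, and per-user Sites/ folders at `/Users/*/Sites` served by mod_userdir; every path is an assumption.

```apache
# Added example; it is not Rik's own snippet (which did not survive on the
# page) and not the school's configuration. Assumes Apache 2.4 with PHP
# loaded as mod_php, DocumentRoot /var/www/html, trusted code under
# /var/www/html/app, a student-writable /var/www/html/uploads, and per-user
# Sites/ folders under /Users/*/Sites via mod_userdir. All paths are assumptions.

# 1. Default for the whole tree: PHP off, and .htaccess cannot change anything.
#    php_admin_flag is honoured only in httpd.conf; neither php_flag/php_value
#    in a .htaccess file nor ini_set() in a script can override it.
<Directory "/var/www/html">
    AllowOverride None
    Options -Includes -ExecCGI
    php_admin_flag engine off
    Require all granted
</Directory>

# 2. Allow-list the one directory where trusted code is deployed.
<Directory "/var/www/html/app">
    php_admin_flag engine on
</Directory>

# 3. Student-writable directory: engine stays off (inherited from 1). Also
#    refuse to serve a dropped hole.php at all, rather than hand out its source.
<Directory "/var/www/html/uploads">
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>

# 4. Per-user Sites/ folders: one wildcard section covers every user, and
#    nothing a student puts in their own .htaccess can re-enable PHP.
<Directory "/Users/*/Sites">
    AllowOverride None
    Options -Includes -ExecCGI
    php_admin_flag engine off
    Require all granted
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
```

Two practical points. First, no reboot is needed: `apachectl -t` checks the syntax and `apachectl graceful` reloads the config without dropping connections. Second, verify rather than assume: put a file containing `<?php phpinfo(); ?>` into the upload directory and request it; a 403 is the result you want, while a rendered phpinfo page means the engine is still on for that path. The .htaccess route R K used only works where `AllowOverride` includes `Options`, and that same permission lets anyone who can write the directory drop a .htaccess with `php_flag engine on`. If PHP runs under PHP-FPM instead of mod_php, Apache does not know the `php_admin_flag` directive at all; there the equivalent is simply not to map `.php` in those directories to the FPM handler.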



                            • TheTeapot

                              #15
                              Re: Why to use PHP

                              Rather than an upload directory, it has been set up to use the user's
                              "Sites/" folder.

                              I think that the end solution will be to point out that few students
                              will know how to code and use the PHP on the system, and none of the
                              students I know can actually use PHP to hack a server.

                              The other thing is that it isn't part of the Internet, only the
                              school's Intranet.

                              Thanks everyone, I'll see how I go tomorrow.
