Hackers target PHP web applications more often than other sites because most PHP code is written by developers with little security experience. Protecting web applications from these attacks has become an essential skill for all PHP developers. Creating Secure PHP Websites shows you how to meet the most important security challenges when developing websites with PHP. Instructor Kevin Skoglund covers the techniques and PHP code needed to develop sites that are more secure, and to avoid common mistakes. Learn how to configure PHP properly and filter input and escape output. Then check out step-by-step defenses against the most common forms of attack, and the best practices to use for encryption and user authentication.
phpinfo and phpMyAdmin are useful tools, but it's essential that you keep them secure. If I were a hacker, the first file I would want to see on a computer would be the database password file. But the second file I'd want to see would probably be the one that calls phpinfo, because it contains all sorts of useful server information. It tells me a lot about how the server is set up, what kinds of things are installed, and all the configuration that has been set up for PHP. A phpinfo file is simply a PHP file that contains the built-in function call phpinfo(); inside PHP tags.
When we bring that file up in a browser, we get all sorts of useful information about how things are set up and configured. When we're first setting up PHP and trying to get everything working on a system, this can be really useful, because we can make sure that things are what we actually expect them to be. For example, it tells us where the php.ini file that PHP is loading is located, so we know which php.ini file is actually being used and can go right to that location and edit it. What you don't want is for this file to stick around and for anyone besides you to have access to it.
Along with phpinfo, you also need to be careful with phpMyAdmin. phpMyAdmin is a third-party application that gives you full access to your MySQL database through a browser front-end. I mention phpMyAdmin, even though it's a third-party application, because it's extremely popular; in fact, a lot of PHP installations come with it built in. It should be obvious why you want to keep this hidden: it provides extremely powerful access to all of your data. Basically, anything in your database is available through a browser.
Unlike your web application, there is no intermediary step that limits which data people can see; they can see everything, all the time. Take a look at your web server access log some time. I can't tell you the number of requests I see probing for these two items, and they even look for the common attempts to hide them by renaming the files, such as looking for a directory called pma instead of phpMyAdmin. Do not rely on renaming them in order to hide them. Instead, the best security is to use neither of them on your production server.
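The access-log check described above, as an added example that is not part of the original course material: it parses Apache "combined" log lines, flags requests for phpinfo files and for phpMyAdmin directories under their usual names and renames (the name list and the constructed sample lines are assumptions, not a complete scanner signature), and separates the probes that were served with a 200, which is the case that matters because it means the tool is actually reachable.

```python
"""Flag access-log requests that probe for phpinfo and phpMyAdmin (added example)."""
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Ordered (label, pattern) list; most specific first. The names are assumptions
# based on common renames, not an exhaustive list of what scanners ask for.
PROBE_PATTERNS = [
    ("phpmyadmin-setup", re.compile(r'(phpmyadmin|pma|myadmin)[^/]*/(scripts/)?setup\.php$', re.I)),
    ("phpmyadmin", re.compile(r'(^|/)(phpmyadmin|pma|myadmin)(/|$)', re.I)),
    ("phpinfo", re.compile(r'(^|/)(phpinfo|info)\.php$', re.I)),
]

# Constructed sample log lines (not from a real server). 203.0.113.7 is a scanner
# probing a site that has neither tool; 192.0.2.9 finds a leftover info.php.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:02:11 +0000] "GET /info.php?x=1 HTTP/1.1" 200 71242 "-" "Mozilla/5.0"',
]


def classify_path(path):
    """Return the label of the first probe pattern the path matches, else None."""
    path = path.split("?", 1)[0]  # ignore the query string
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def scan_log(lines):
    """Return {ip: [(path, status, label), ...]} for every request that looks like a probe."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        label = classify_path(m["path"])
        if label:
            hits[m["ip"]].append((m["path"], int(m["status"]), label))
    return dict(hits)


def served_probes(hits):
    """Probes answered with 200: the tool exists and is reachable, so act on these first."""
    return [(ip, path, label) for ip, entries in hits.items()
            for path, status, label in entries if status == 200]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, entries in found.items():
        print(f"{ip}: {len(entries)} probe(s)")
        for path, status, label in entries:
            print(f"    {status} {label:17} {path}")
    for ip, path, label in served_probes(found):
        print(f"EXPOSED: {path} ({label}) served to {ip}")
```

A 404 burst from one address is just background scanning; the line to act on is the 200, which shows the phpinfo file is actually deployed and should be removed.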
phpinfo is really only useful when you're troubleshooting. If you're not in the middle of troubleshooting something, it should not exist on the server at all. And while phpMyAdmin can offer some convenience, I think it's better to reserve that convenience for your development environment and to use straight MySQL from the command line when you're working on your production environment. But if you must have them on your system, then make sure that you require a password. That should be the minimum. If you're using Apache as your web server, then you can use .htaccess files to protect an entire directory, so that the web server requires a password before it will give access to that directory.
phpMyAdmin also offers an HTTP authentication mode which does the same thing: it requires an HTTP authentication username and password before you can get access to phpMyAdmin. The phpMyAdmin documentation also includes some helpful tips about securing your phpMyAdmin installation. The first of these is to remove the setup directory after initial setup. Then choose the authentication method that you want to use; the documentation gives you information about each of the authentication methods and some guidelines for why you might choose one over another.
You can also set up MySQL allow and deny rules to keep people from having access to the entire MySQL database, and you can configure phpMyAdmin to use an authentication proxy, which works like the .htaccess files we were just discussing. And last of all, you can enable a CAPTCHA if you want to block automated requests and allow only requests from humans. Again, the most secure approach is to leave both of these off your production server, so that the public can't access them at all, but if you absolutely must have them, then take the extra time to make sure that you secure them properly.
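A pre-deployment check for the two rules above (no phpinfo file on the production server, and a password on any phpMyAdmin directory you keep), as an added example that is not part of the course material: it walks a document root, reports every PHP file that calls phpinfo(), and reports each phpMyAdmin-style directory together with whether its .htaccess carries the Apache Basic-auth directives (AuthType, AuthUserFile, Require). The sample document root it builds, the directory names it looks for and the /var/www/.htpasswd path are constructed assumptions.

```python
"""Audit a PHP document root for leftover phpinfo files and unprotected phpMyAdmin (added example)."""
import os
import re
import tempfile

PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.I)
PMA_DIR_NAMES = {"phpmyadmin", "pma", "myadmin"}        # common names and renames (assumption)
AUTH_DIRECTIVES = ("AuthType", "AuthUserFile", "Require")  # Apache mod_auth_basic directives


def htaccess_requires_auth(directory):
    """True if directory/.htaccess contains all three Basic-auth directives."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return all(re.search(rf"^\s*{d}\b", text, re.M) for d in AUTH_DIRECTIVES)


def audit_docroot(root):
    """Return {'phpinfo_files': [relpath, ...], 'pma_dirs': [(relpath, protected), ...]}."""
    findings = {"phpinfo_files": [], "pma_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.lower() in PMA_DIR_NAMES:
                full = os.path.join(dirpath, d)
                findings["pma_dirs"].append((os.path.relpath(full, root), htaccess_requires_auth(full)))
                dirnames.remove(d)  # phpMyAdmin's own code is reported as a directory, not file by file
        for f in filenames:
            if not f.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, f)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if PHPINFO_CALL.search(fh.read()):
                    findings["phpinfo_files"].append(os.path.relpath(full, root))
    findings["phpinfo_files"].sort()
    findings["pma_dirs"].sort()
    return findings


def build_sample_docroot(root):
    """Write a constructed document root containing one of each problem (sample data)."""
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "info.php": "<?php phpinfo(); ?>\n",                # leftover troubleshooting file
        "admin/debug.php": "<?php\n  PHPINFO ();\n",         # odd case and spacing still match
        "phpmyadmin/index.php": "<?php /* phpMyAdmin stub */ ?>\n",
        "phpmyadmin/.htaccess": (                            # password-protected copy
            "AuthType Basic\n"
            'AuthName "Restricted"\n'
            "AuthUserFile /var/www/.htpasswd\n"              # assumed path, outside the docroot
            "Require valid-user\n"
        ),
        "pma/index.php": "<?php /* renamed copy, no .htaccess */ ?>\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_sample_audit():
    """Build the sample tree in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return audit_docroot(root)


if __name__ == "__main__":
    result = run_sample_audit()
    for rel in result["phpinfo_files"]:
        print(f"REMOVE  phpinfo() call in {rel}")
    for rel, protected in result["pma_dirs"]:
        print(f"{'OK     ' if protected else 'EXPOSED'} phpMyAdmin directory {rel}")
```

Run it against the real document root with audit_docroot("/path/to/docroot") before each deploy. The .htaccess check only tells you the directives are present; Apache honours them only if the directory's AllowOverride setting permits AuthConfig, so confirm with a request from outside that the password prompt actually appears.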