Creating Secure PHP Websites
Illustration by Don Barnett

with Kevin Skoglund

Online video course, 4h 16m, Intermediate, Jun 30, 2014

Hackers target PHP web applications more often than other sites because most PHP code is written by developers with little security experience. Protecting web applications from these attacks has become an essential skill for all PHP developers. Creating Secure PHP Websites shows you how to meet the most important security challenges when developing websites with PHP. Instructor Kevin Skoglund covers the techniques and PHP code needed to develop sites that are more secure, and to avoid common mistakes. Learn how to configure PHP properly and filter input and escape output. Then check out step-by-step defenses against the most common forms of attack, and the best practices to use for encryption and user authentication.

Topics include:
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Encrypting and signing cookies
  • Session hijacking and fixation
  • Securing uploaded files
  • User authentication
  • Throttling brute-force attacks
  • Blacklisting IPs
  • Implementing password reset tokens
Subject: Developer
Software: PHP
Author: Kevin Skoglund

phpinfo and phpMyAdmin

phpinfo and phpMyAdmin are useful tools, but it's essential that you keep them secure. If I were a hacker, the first file I would want to see on a computer would be the database password file. But the second file I'd want to see would probably be the one that has phpinfo in it, because it contains all sorts of useful server information. It tells me a lot about how the server is set up, what kinds of things are installed, and all the configurations that have been set up for PHP. A phpinfo file is simply a PHP file that contains the built-in function phpinfo(); inside PHP tags.

We take that file and bring it up inside a browser, and we get all sorts of useful information about how things are set up and configured. When we're first setting up PHP and trying to get everything working on a system, this can be really useful, because we can make sure that things are what we actually expect them to be. For example, it'll tell us where the php.ini file that it's loading is located, so we know which PHP file is actually being used. We can go right to that location and edit that file. What you don't want is for this file to stick around and for other people besides you to have access to it.

Along with phpinfo, you also need to be careful with phpMyAdmin. phpMyAdmin is a third-party application that gives you access to your MySQL database through a browser front-end. I mention phpMyAdmin, even though it's a third-party application, because it's super popular. In fact, a lot of PHP installations come with it built in. It should be obvious why you want to keep this hidden: it includes extremely powerful access to all of your data. Basically, anything in your database is available through a browser.

Unlike your web application, there is no intermediary step to prevent people from seeing some of the data. They can see everything all the time. Take a look at your web server access log some time. I can't tell you the number of URLs that I see fishing for these two items, and they even look for common attempts to hide them by renaming the files, such as looking for a directory called pma instead of phpMyAdmin. Do not rely on renaming them in order to hide them. Instead, the best security is to use neither of them on your production server.

phpinfo is really only useful when you're troubleshooting. If you're not in the middle of troubleshooting something, it should not exist on the server at all. And while phpMyAdmin can offer some convenience, I think it's better to reserve that convenience for your development environment and to use straight MySQL from the command line when you're working on your production environment. But if you must have them on your system, then make sure that you require a password. That should be the minimum requirement. If you're using Apache as your web server, then you can use .htaccess files to protect an entire directory and require that the web server get a password before it will give access to that directory.

phpMyAdmin also offers an HTTP authentication mode, which does the same thing: it requires an HTTP authentication username and password before you can get access to phpMyAdmin. The phpMyAdmin documentation also includes some helpful tips about securing your phpMyAdmin installation. The first of these is to remove the setup directory after initial setup. Then choose the authentication method that you want to use; the documentation gives you information about each of those authentication methods, and some guidelines for why you might choose one over another.

You can also set up MySQL allow and deny rules to keep people from having access to the entire MySQL database, and you can configure it to use an authentication proxy, which is like the .htaccess files that we were just discussing. And last of all, you can enable CAPTCHA if you want to prevent automated requests and require that only requests from humans can be used. Again, the most secure approach is to leave both of these off of your production server, so that the public can't access them at all, but if you absolutely must have them, then take the extra time to make sure that you secure them properly.
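The audit, log check and .htaccess protection the video describes, as an added example that is not the instructor's code and not part of the course exercise files. The script finds files that call phpinfo(), finds phpMyAdmin-style directories (including the pma renaming probes look for) and any setup/ directory left inside them, counts access-log requests that fish for these tools, and writes an .htaccess that puts a directory behind HTTP Basic auth. The document root, its files, the log lines and the password-file path are all constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course): audit a document root for phpinfo()
# files and exposed phpMyAdmin installs, count probe requests in an Apache
# combined-format access log, and protect a directory with Basic auth.

# Print the path of every PHP file under $1 that calls phpinfo().
find_phpinfo_files() {
    grep -rIl --include='*.php' --include='*.phtml' \
        'phpinfo[[:space:]]*(' "$1" 2>/dev/null || true
}

# Print every directory under $1 whose name suggests phpMyAdmin (including the
# renamings that probes also try), and flag a setup/ directory left inside it.
find_phpmyadmin_dirs() {
    find "$1" -type d \( -iname phpmyadmin -o -iname pma -o -iname myadmin \) |
    while read -r dir; do
        echo "$dir"
        if [ -d "$dir/setup" ]; then
            echo "$dir/setup (remove after initial setup)"
        fi
    done
}

# Count requests in access log $1 whose path mentions phpinfo, phpMyAdmin or
# the usual renamings. Prints the number (0 when there are none).
count_probe_requests() {
    grep -Eic '"(GET|POST|HEAD) [^ ]*(phpinfo|phpmyadmin|myadmin|/pma)' "$1" || true
}

# Write an .htaccess into directory $1 so Apache demands a Basic-auth login for
# everything in it. $2 is the absolute path of the password file, which belongs
# outside the document root and is created once with
#   htpasswd -c /path/to/.htpasswd admin
# (not run here). The vhost needs "AllowOverride AuthConfig" for this to apply.
write_basic_auth_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require valid-user
EOF
}

# --- constructed demo tree and log (left in place so you can inspect it) -----
root=$(mktemp -d)
mkdir -p "$root/phpMyAdmin/setup" "$root/app"
printf '<?php phpinfo(); ?>\n' > "$root/info.php"      # the file that should not exist
printf '<?php echo "hello"; ?>\n' > "$root/app/index.php"
cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [30/Jun/2014:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2014:10:00:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2014:10:00:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2014:10:00:04 +0000] "GET /app/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
EOF

echo "phpinfo files:";   find_phpinfo_files "$root"
echo "phpMyAdmin dirs:"; find_phpmyadmin_dirs "$root"
echo "probe requests: $(count_probe_requests "$root/access.log")"
write_basic_auth_htaccess "$root/phpMyAdmin" /etc/apache2/.htpasswd-pma
echo "wrote $root/phpMyAdmin/.htaccess"
```

Run the first two functions against your real document root and the third against your real access log; on a production host the first two should print nothing, and the probe count shows how often the renamings get tried, which is why the video says not to rely on them. If you keep phpMyAdmin behind this .htaccess, its own HTTP authentication mode still applies on top of it.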
