Permissions for PHP scripts - Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more

ghotion · 04-10-2010, 03:49 PM

I'm confused about setting permissions for the PHP scripts on my website (linux/apache). Is it possible for someone to read a file from my site if the permissions are set to 644? For example, I have a php script (set to php) that will decrypt some info using a key. The key is stored in a .inc file in the same directory as my html pages and php scripts - all are set to 644.

I don't want someone to be able to read my script or the include file. Will the 644 be enough? If not, what program could they use to get those files? What can I chmod them to so that they can be run by anybody but not read by anybody except me (the owner)?

Surprisingly, I've had real trouble finding an answer to this - most people don't seem concerned about READING the php script, just changing it.

Thanks,
Tom

itbuzz · 04-10-2010, 07:13 PM

The folder which is critical in PHP script is installation folder so remove it after installing script.

ghotion · 04-11-2010, 08:01 AM

Thanks for the response, but I do not have an installation package. Maybe I'm using the wrong terminology.

I wrote a php program that serves up a web page. I copied the php program to my web site, with permissions 644 (it also includes another file on my web site "xxx.inc" which also has permissions 644. Can someone copy or see my php program or the include file? What is the most restrictive permissions I can give a php file that serves up a web page to the world?

Thanks for any advice you can give.

alstonwillman · 06-25-2010, 07:06 AM

Hello, I have written some scripts that generate simple webpages. I would like to prevent web vistors from viewing the source of these scripts , but it is fine for them to run them. What permissons should I set (Linux). I currently have the folder they are contained in set to 711 and the scripts within the file as 744. Is this correct? Thanks!

gullsinn · 06-26-2010, 12:52 AM

Best practice is that
name your files and folders different then normal for example
folder name probably is images where we store images name this folder some thing else and also make sure that directory browsing is disabled by PHP.INI

secondly put a small code that confirms if your website is being visited by a script if so just return a 404 error

the one who do not want to show source code you may need to use Classes in PHP as much as possible and design with CSS use css as much as possible