
Please Note: Under our current web cluster configuration users no longer need to use cgiwrap to improve the security of their hosted applications. If you are currently using cgiwrap you can remove it without adversely affecting your site's security. This document has been left in place as a reference only.



Securing PHP applications at Sonic.net

Note: PHP programming is an advanced application of Sonic.net services, which we cannot provide telephone support for. If you have problems or questions about the methods in this document, please post them to the sonic.help.cgi newsgroup.

The problem:

Your web application contains some information that must not be accessible to the public. For example, if you use MySQL, you must include the MySQL database, user id, and password in a configuration file. Without special configuration, all of your web page files can be read by the web server, which means they can be read by anyone with a web account at Sonic.net. You obviously want passwords to be read by your web application, but not read by anyone else.

  1. A simple non-PHP way to secure your files
  2. PHP solution for small applications
  3. PHP solution for larger applications
    1. Create the shell script
    2. Set .htaccess directive in a special directory
    3. Install a PHP Application
  4. Variations
    1. Multiple Domains on One User Account
    2. Not Domain Name Hosted
    3. Installing Applications Under Web Root
    4. PHP5
  5. Some useful links

The third solution explains how to set up a single directory in your domain-hosted web site under which you can install PHP applications, each in its own subdirectory.

  1. The non-PHP solution:

    If your application is written as a cgi, for example in perl, you can secure access to sensitive information by using CGIWrap. Your CGIWrapped application runs with your user identity. It can read and write files that are not accessible to anyone else.

  2. The easy but less useful PHP solution:

    Sonic.net has two installations of PHP on the web servers. One is mod_php, which is embedded in the Apache web server and runs with the user identity of the web server. When you place a file named with an extension of .php in your web directory and reference it with a URL, the web server processes it using mod_php. The other installation of PHP can be run from the shell command line or as a CGI. This easy solution uses the CGI version of PHP.

    To use the CGI version of PHP you put your php file in your cgi-bin directory and give it a header line that says

    #!/opt/php/bin/php

    As with the non-PHP solution, you can use CGIWrap to secure your files.

    What makes this less practical for large PHP applications is that the header line is not valid HTML or PHP. It can therefore only appear in a PHP file that is in your cgi-bin directory and invoked with a URL. Any PHP file with this header line that is loaded using the PHP include statement would produce incorrect results. You would have to place the header line in every PHP file that is referenced as a URL and leave it out of every PHP file that is referenced in a PHP include statement. An application that has PHP files referenced sometimes via URL and sometimes via PHP include could not be installed without altering it.

  3. The more general PHP solution

    If you want to be able to install and update PHP applications without adding header lines to some of the source files and putting them in the cgi-bin directory, you can use the following method. It is more complex to set up the first time, but makes installing and upgrading PHP applications relatively easy. With this solution, all your PHP files are run by the CGI version of PHP, under your username. They can access files that are only accessible to your username. In theory, running PHP as a CGI is slower and uses more computer resources due to the overhead of loading the PHP interpreter on each URL access. In practice, the difference is in fractions of a second per web page, too small for an end-user of a web application to notice.

    Setting up a directory for secure PHP installations

    The following steps will walk you through installing a subdirectory of your website called php under which you can install applications, each in its own subdirectory. We'll use example as your Sonic.net username, www.example.com as your web site host name, /home/WWW_pages/example/example.com as the root directory of your web site, /home/WWW_pages/example/example.com/php as the name of the directory you create to hold all php applications, and /home/WWW_pages/example/example.com/php/myapplication as the directory in which you install your application.

    Here is an overview of the steps that are then described in detail.

    1. Create a shell script CGI that can be used to run PHP in cgi mode with no special header line needed in the PHP file.
    2. Place directives in a .htaccess file that will cause URLs of PHP files in a certain directory to be rewritten to use the CGI in CGIWrap mode.
    3. Install your PHP applications under that directory with the proper ownership and access permissions to maintain the desired security.
    1. Create the shell script

      Create a text file named, for example, phpcall.cgi, in your cgi-bin directory /usr/local/lib/httpd/cgi-bin/YOURUSERNAME/ with the following contents. You can use your favorite editor in the shell or the web tools file manager editor, or create it on your computer and ftp it to the right place. The only lines you need to customize are the HOME_WEB_SITE_ROOT= line, where you substitute the name of your web root directory, such as /home/WWW_pages/example/example.com, and optionally the PHP_OPTIONS= line.

      #!/bin/sh
      
      # phpcall.cgi - a shim for transparently invoking PHP as a cgi
      # HOW TO INSTALL
      # Edit the two lines following these instructions to set
      # HOME_WEB_SITE_ROOT to the root directory of your web site and
      # PHP_OPTIONS to any PHP command line options you want,
      # or empty for no options. Use the -c option to specify your
      # own php.ini settings file in your web directory space.
      # Place this file in your cgi-bin directory
      # Set the permissions of this file to 701 for use with cgiwrap
      # Modify .htaccess according to the installation instructions
      HOME_WEB_SITE_ROOT=/home/WWW_pages/YOURUSERNAME/YOURWEBROOT
      PHP_OPTIONS="-c /home/WWW_pages/YOURUSERNAME/OPTIONALDIRECTORY/php.ini"
      
      # the rest of this file should not have to be altered
      OPT_PATH_TO_PHP="/opt/php/bin/php $PHP_OPTIONS"
      
      # Split the rewritten URL at its first ".php": what follows it is
      # PATH_INFO, what precedes it (plus ".php") is the script requested
      PHPPATH_INFO="${REDIRECT_URL#*.php}"
      PHPSCRIPT_NAME="${REDIRECT_URL%%.php*}.php"
      PHPSCRIPT_PATH="${HOME_WEB_SITE_ROOT}${PHPSCRIPT_NAME}"
      if [ -f "$PHPSCRIPT_PATH" ]; then
        # Hand the CGI PHP binary the file to run (REDIRECT_STATUS is
        # required by PHP's cgi.force_redirect check) and replace this
        # shell with PHP, so the page is served under your user id
        REDIRECT_STATUS=200 \
        PATH_INFO="$PHPPATH_INFO" \
        SCRIPT_NAME="$PHPSCRIPT_NAME" \
        PATH_TRANSLATED="$PHPSCRIPT_PATH" \
        SCRIPT_FILENAME="$PHPSCRIPT_PATH" \
        exec $OPT_PATH_TO_PHP
      else
      # Output HTML for file not found notice
      # We should never get here since .htaccess
      # should have checked if file exists.
      # Both values come from the request, so escape them
      # before placing them in HTML
      html_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }
      echo "Status: 404 - PHP File Not Found
      Content-Type: text/html
      
      <html>
      <head>
      <title>404 - PHP File Not Found</title>
      </head>
      <body>
      <h1>404 - PHP File Not Found</h1>
      <pre>
      Referer URL: $(html_escape "$HTTP_REFERER")
      Requested URL: $(html_escape "$REQUEST_URI")
      </pre>
      </body>
      </html>
      "
      fi
      
      Set the permissions of the file to 701, which is rwx------x

    2. Set .htaccess directives in a special directory

      Create a directory, called in these examples php, in your web root. All secured PHP applications will be installed under it, each in their own subdirectory.

      Set the directory permissions to 705, which is rwx---r-x

      Create a text file named .htaccess  in your new php directory containing the following

      AddHandler php-cgi .php
      Action php-cgi /cgi-bin/cgiwrap/YOURUSERNAME/phpcall.cgi
      
      Set its permissions to 604, which is rw----r--

      • Test the installation so far

        Create a file named index.php in the php directory containing

        <?php
          echo "Directory listing denied";
        ?>

        Set its permission to 600, which is rw-------

        Verify that http://www.example.com/php/index.php and http://www.example.com/php/ display the "directory listing denied" page.

        You are now ready to install secured PHP applications.

    3. Install a PHP Application

      Installing a PHP application usually has two stages. The first is to place the files in your web site directory. The next steps usually involve editing configuration files, then going to a setup page and following some setup procedure.

      Do the first step, placing the application files in a subdirectory of the php directory you set up.

      Before continuing with the installation, set the permissions of all directories and files in the application as follows. The shell command chmod and its -R option may come in handy for this if you are comfortable using it. There is a free, open source GUI ftp client for Windows called FileZilla that lets you change permissions easily.

      The permissions listed here are the most restrictive (most secure) ones that work. If there are files that you do not mind other people being able to read, the default permissions for those files should be fine.

      Set directories to 705 or 505, which is rwx---r-x or r-x---r-x
      Set *.php files and all data files that are read or written by php code to 400 or 600, which is r-------- or rw-------
      Set *.html, *.jpg, *.gif, *.png, *.htm and any others that are referenced via URL to 604 or 404, which is rw----r-- or r-----r--
      Set all other files to 400 or 600, which is r-------- or rw-------

      Here is an example shell script that sets the file permissions in an application directory. The lines beginning with "#" are comments explaining each step. Run it with the top level directory of the application as its single argument.

      #!/bin/sh
      # Script to set file permissions for secure PHP application
      # as described in
      # http://www.sonic.net/support/faq/advanced/phpwrap/
      #
      # Execute this in the top level directory of a php application
      # being installed secure. Remember to also put in a .htaccess file
      # either in that directory or a parent directory
      
      # Use the chmod o+r command in a similar way on any
      # other non-php files that your application references using a URL
      # or, like .htaccess, are read directly by the web server
      
      if [ -z "$1" ] || [ ! -d "$1" ] ; then
        echo "No such directory: '$1'"
        exit 1
      fi
      cd "$1" || exit 1
      
      # start by removing all permissions for group (g) and others (o)
      # on all files and directories
      
      chmod -R go-rwx .
      
      # add r and x permission for others on just the directories
      find . -type d -exec chmod o+rx {} \;
      
      # add read permission on files that the web server will access via URLs
      # each command changes files with a certain extension in the name
      find . -name .htaccess -exec chmod o+r {} \;
      find . -name robots.txt -exec chmod o+r {} \;
      find . -iname \*.html -exec chmod o+r {} \;
      find . -iname \*.htm -exec chmod o+r {} \;
      find . -iname \*.shtml -exec chmod o+r {} \;
      find . -iname \*.js -exec chmod o+r {} \;
      find . -iname \*.css -exec chmod o+r {} \;
      find . -iname \*.xml -exec chmod o+r {} \;
      find . -iname \*.xml.gz -exec chmod o+r {} \;
      # add extensions for any other media files served by web server
      find . -iname \*.jpg -exec chmod o+r {} \;
      find . -iname \*.jpeg -exec chmod o+r {} \;
      find . -iname \*.gif -exec chmod o+r {} \;
      find . -iname \*.png -exec chmod o+r {} \;
      find . -iname \*.ico -exec chmod o+r {} \;
      find . -iname \*.pdf -exec chmod o+r {} \;
      find . -iname \*.swf -exec chmod o+r {} \;
      find . -iname \*.mp3 -exec chmod o+r {} \;
      find . -iname \*.mov -exec chmod o+r {} \;
      find . -iname \*.mpg -exec chmod o+r {} \;
      
      cd - >/dev/null
      echo "Remember to chmod +r any other non-PHP files that the web server"
      echo "reads from a URL or from an shtml include directive"

      Double-check that you have set all the permissions correctly. If you accidentally leave too much access to a sensitive file, such as allowing world read of the file containing your MySQL user name and password, the application will still work while not being secured.

      Now that the permissions are all set properly, continue with the remaining configuration and setup steps of the installation of the application.

      Note that some PHP applications may instruct you to give some directory or file world read or write permissions. Don't give g or o any more access than is listed above. Doing so can introduce insecurities and will never be necessary when installing the application using this method.
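      To make the double-check above repeatable, here is an added audit script (not part of the original FAQ) that reports, without fixing, every file or directory that is more open than the rules in this section allow. It assumes the application directory is passed as its argument and covers the extensions this page lists; data files your PHP code reads or writes have no fixed extension and must still be checked by hand.

```shell
#!/bin/sh
# Added example (not from the Sonic.net FAQ): audit an installed
# application against the permission rules above and report anything
# more open than allowed. Assumption: the directory to audit is $1.
#
# phpperm_audit APPDIR   prints one line per finding; returns 1 if any

# report LABEL FIND-TESTS...: print every path under $dir matching the tests
report() {
    label=$1; shift
    find "$dir" "$@" -print | sed "s|^|$label: |"
}

phpperm_audit() {
    dir=$1
    out=$(
        # nothing may give the group any access, or give others write
        report "group access or world-writable" \
            \( -perm -040 -o -perm -020 -o -perm -010 -o -perm -002 \)
        # *.php must be 400 or 600: never readable by others
        report "world-readable php source" -type f -iname '*.php' -perm -004
        # files the web server serves directly must be 404 or 604
        report "served by URL but not world-readable" -type f \
            \( -name .htaccess -o -name robots.txt -o -iname '*.html' \
               -o -iname '*.htm' -o -iname '*.css' -o -iname '*.js' \
               -o -iname '*.jpg' -o -iname '*.gif' -o -iname '*.png' \) \
            ! -perm -004
        # directories must be 705 or 505 so the web server can traverse them
        report "directory not world r-x" -type d ! -perm -005
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Command-line use: phpperm_audit.sh /home/WWW_pages/example/example.com/php/myapplication
if [ $# -eq 1 ]; then
    phpperm_audit "$1"
fi
```

      A clean tree produces no output and exit status 0, so the script can be run after every upgrade of the application.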

  4. Variations

    1. Multiple Domains on One User Account

      If you have more than one web site, each with its own web root directory, on a single Sonic.net user account, create a separate cgi script file for each site, e.g., phpcall1.cgi, phpcall2.cgi, in your cgi-bin directory. Each one should specify the correct web root directory for its site. Each .htaccess file you create should refer to the correct cgi script file for its web site.

    2. Not Domain Name Hosted

      A standard Sonic.net account has a home web site that can be accessed using http://YOURUSERNAME.home.sonic.net/, http://www.sonic.net/YOURUSERNAME/ and http://www.sonic.net/~YOURUSERNAME/. To allow all those to work with this solution, insert the following lines in the phpcall.cgi shell script, after the HOME_WEB_SITE_ROOT= line. They strip a leading /~ or /YOURUSERNAME/ from the rewritten URL, written as POSIX case statements so they work under #!/bin/sh. Substitute your actual Sonic.net username for YOURUSERNAME. You do not have to include these lines in the scripts for your domain name hosted web sites.

      # Strip the /~ or /YOURUSERNAME/ prefix of a www.sonic.net URL
      case $REDIRECT_URL in /~*) REDIRECT_URL=/${REDIRECT_URL#/~} ;; esac
      case $REDIRECT_URL in /YOURUSERNAME/*) REDIRECT_URL=/${REDIRECT_URL#/YOURUSERNAME/} ;; esac


      Note that even though you can usually access a domain name hosted web site using a URL such as http://www.sonic.net/YOURUSERNAME/example.com/ as well as http://www.example.com/, you will not be able to access the same secured PHP applications using both your domain name and the equivalent www.sonic.net URL. That is because the .htaccess file refers to a specific CGI shell script file which contains the web root directory for the site. The two URLs reference sites with two different root directories, which will not work with one .htaccess file.
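      The URL-to-script mapping that phpcall.cgi performs, together with the prefix stripping of this variation, can be checked before deploying with the following added example (not part of the original FAQ). It is written in POSIX sh, takes the web root, username and REDIRECT_URL as arguments (an assumption, since the real script reads them from the environment), and additionally refuses URLs containing ".." or naming a file that does not exist:

```shell
#!/bin/sh
# Added example (not from the Sonic.net FAQ): derive the CGI environment
# that phpcall.cgi hands to /opt/php/bin/php from a rewritten URL.
# Assumption: web root, Sonic.net username and REDIRECT_URL are arguments.
#
# php_cgi_env WEBROOT USERNAME REDIRECT_URL
# Prints SCRIPT_NAME, PATH_INFO and SCRIPT_FILENAME, one per line.
# Returns 1 when the URL does not map to a real .php file under WEBROOT.
php_cgi_env() {
    root=$1 user=$2 url=$3

    # Variation 2: a www.sonic.net/~USER/... or www.sonic.net/USER/...
    # request carries a prefix that is not part of the web root
    case $url in
        "/~$user/"*) url=/${url#"/~$user/"} ;;
        "/$user/"*)  url=/${url#"/$user/"} ;;
    esac

    # Split at the FIRST ".php": what follows is PATH_INFO, what precedes
    # it (plus ".php") is the script the web server asked for
    path_info=${url#*.php}
    script_name=${url%%.php*}.php

    # Only serve real files under the web root; ".." would let a crafted
    # URL name a file outside it
    case $script_name in *..*) return 1 ;; esac
    script_filename=$root$script_name
    [ -f "$script_filename" ] || return 1

    printf '%s\n%s\n%s\n' "$script_name" "$path_info" "$script_filename"
}

# Command-line use: php_cgi_env.sh WEBROOT USERNAME REDIRECT_URL
if [ $# -eq 3 ]; then
    php_cgi_env "$@"
fi
```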

    3. Installing Applications Under Web Root

      What if you don't want URLs like http://www.example.com/php/myapplication/, instead preferring http://www.example.com/myapplication1/ and http://www.example.com/myapplication2/? You have two choices. If you intend for all PHP files in your web site to run in secured CGI mode, place the .htaccess file in the web root directory instead of in a subdirectory named php. The other choice is to place identical copies of the .htaccess file in the top level directory of each application. That allows you to install applications in any directory on the web site. For example, you could put the files for myapplication in /home/WWW_pages/example/example.com/myapplication, create the file /home/WWW_pages/example/example.com/myapplication/.htaccess, set the file and directory permissions, then complete the setup and installation of the application.

    4. PHP5

      To secure a PHP5 application, replace /opt/php/bin/php with /opt/php5/bin/php in the OPT_PATH_TO_PHP= line of the shell script.

  5. Some useful links

    PHP Manual,  Section IV: Security

    Sonic.net FAQ: File permission modes

    Sonic.net FAQ: .htaccess

    Sonic.net FAQ: CGIWrap

Special thanks to Sidney Markowitz for writing this up.

