Protecting the PHP code

Viewed 160 times

0

I’m creating a system that encrypts some data and saves it in the database. Suppose this encryption is md5 and happens in the directory meusite.com.br/controller.php. How do I prevent someone malicious from accessing my files and finding out the type of encryption used and other information in my code? And what should the security measures be to prevent the code and the database from being accessed by those who should not, whether through SQL injection or any other means? (I am a layman on the subject.) Thanks in advance.

  • 1

    Start with the manual: http://us2.php.net/manual/en/security.php

  • 1

    If the encryption is done correctly, it is no problem to look at your code. But if people have access to the server, they can trade their code for anything. If this is your problem, PHP is not the proper working language.

2 answers

1

Well, I tried to comment on your comment but I don’t have enough points, but as was said, you want to hide your third-party code...

Currently there are 2 methods to do this:

Code obfuscation: this consists of shuffling the variables, names, etc. within your code so that it is not simple to read. There are various software tools and web services for this, just search on Google; I put 2 links to services as an example:

It is well worth noting that this method of obfuscation is not 100% safe or indecipherable; it will only make reading more difficult and will MAYBE scare away the potentially curious.

Compilation: this is roughly the transformation of one language into another that is semantically equal but applied and executed in the OS. In the case of PHP there are some compilers that do this.

The most famous for PHP is ionCube, which is a PAID tool, where you pass your code through it and it does this compilation service; however, your server needs to have a module installed in order to get those compiled files back.

Remember that in these two methods you need to have the original code if you want to make modifications, and apply the obfuscation or compilation again before publishing.

But at first, when PHP is running inside the server, the person does not have access to the source, only the final output. If only you have access to the code, there is no problem; not to mention that even when compiling or obfuscating, someone will still have access to the folders, files, etc., because the structure is maintained and only the content is unreadable.

  • But I don’t know, at least for me it’s clear that "obfuscating" the code is just a palliative way of hiding the code; the word itself means "to make (or become) murky, confused", that is, it is not something definitive. But I will adjust my text according to your observation.

  • It may sound like an exaggeration, but I think the simple warning you’ve added has improved it a lot. Thus, if a reader who does not know the subject bumps into the answer, he will at least be warned that it is not such a safe solution (not everyone has the perception we have about the term "obfuscate"). I will delete this comment afterwards.

0

Against SQL injection you must process the information received by GET and POST before interacting with the database, using functions that remove special characters such as ='/"; that are common in SQL injection. As for your files, that only happens if the guy breaks into the server or if you leave a loophole like those sites that allow you to download by the file name in the URL, like site.com.br/download.php?file=file.jpg. That way, if you don’t handle it in a function, the guy can replace the .jpg file with controller.php and take your file with your information.

  • 1

    Your answer is on the right track. I think if you give it a better format and detail things a little, it increases the chance of attracting votes.
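
The download.php?file= loophole described in the second answer can be closed by resolving the requested name on the server and refusing anything that is not an allowed file type inside the download directory. This is an added example, not code from the question or the answers; the function name `resolveDownload`, the `public_files` directory and the extension allowlist are assumptions, and the sample files are constructed.

```php
<?php
/**
 * Map a user-supplied name (e.g. $_GET['file']) to a file inside $baseDir.
 * Returns the absolute path to serve, or null when the request is refused.
 * Hypothetical helper written for this example.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $allowedExt = ['jpg', 'png', 'pdf'];   // allowlist of downloadable types (assumed)

    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // bad base dir, empty name or NUL byte
    }

    // Source files such as controller.php are never downloadable.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    // realpath() collapses ".." and symlinks; it returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // After resolution the file must still sit under the download directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . uniqid();
mkdir($root . '/public_files', 0700, true);
file_put_contents($root . '/public_files/file.jpg', 'image bytes');
file_put_contents($root . '/controller.php', '<?php // application code');
file_put_contents($root . '/secret.jpg', 'outside the download directory');

// Names as they could arrive in ?file=...
foreach (['file.jpg', 'controller.php', '../controller.php', '../secret.jpg'] as $name) {
    $path = resolveDownload($root . '/public_files', $name);
    printf("%-20s => %s\n", $name, $path === null ? 'refused' : 'served');
}
```

In a real handler the returned path would be passed to `readfile()` only when it is not null; keeping the download directory outside the folder that holds the PHP sources adds a second barrier.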
