LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-13-2020, 03:08 PM   #1
Pedroski
Senior Member
 
Registered: Jan 2002
Location: Nanjing, China
Distribution: Ubuntu 18.04
Posts: 1,789

Rep: Reputation: 67
Help make my webpage safe


I have a little webpage. I use it to give homework to my students and now, because of this virus in China, also to run online classes until school starts again.

I've been reading a book: PHP & MySQL: Novice to Ninja by Kevin Yank. The book is great for beginners.

As I see it, I have 2 problems that need addressing.

1. A folder called admin which, at the moment, is in the webpage root www.mywebpage.com

admin contains 2 files: createtable.html and insertcsv.html, which do just what they say from the web browser: create a mysql table and populate it with a .csv file.

I am mysql user peter. I only have access to allstudentsdb. Within that db I have all privileges.

2. A folder called includes which, at the moment, is also in the webpage root www.mywebpage.com

includes contains a few PHP helpers and login.html for students to log in to class.

includes also contains studentdb.inc.php. This has my db name and password. It logs me in to mysql when I run createtable.html or insertcsv.html

Code:
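<?php
// studentdb.inc.php: opens the PDO connection used by the other scripts
try
{
    // MYSQL_ATTR_LOCAL_INFILE allows LOAD DATA LOCAL INFILE on this connection
    $pdo = new PDO('mysql:host=localhost;dbname=allstudentsdb', 'peter', 'mypassword', array(PDO::MYSQL_ATTR_LOCAL_INFILE => true,));
    // Throw exceptions on database errors
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('SET NAMES "utf8"');
}
catch (PDOException $e)
{
    // Show the error page with the message and the exception text
    $error = 'Unable to connect to the database server' . $e ;
    include 'error.html.php';
    exit();
}
?>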
includes and admin both have permissions 755 at the moment. If I change that, I think they will not be accessible for visitors to my page, so students could not log in, or I could not add a mysql table from Firefox.

All this php and mysql is very new to me and confusing. My little brain is about at its limit.

How should I deal with includes and admin? Neither of them contains an index.html or index.php

Last edited by Pedroski; 02-13-2020 at 03:10 PM.
 
Old 02-13-2020, 08:51 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,900
Blog Entries: 27

Rep: Reputation: 4675
A web search for how to secure a webpage will provide a number of references and tutorials.

It might be an idea to take a look at some of them and then come back with specific questions.
 
Old 02-26-2020, 02:49 PM   #3
jdrosales
LQ Newbie
 
Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu
Posts: 9

Rep: Reputation: 1
This is very basic, since you are not an expert, but you can develop other techniques:

First create an index.php in each of those directories with just one command:

Code:
<?php
// Redirect anyone who requests this directory to the parent (root) directory
header("Location: ../");
?>
so whoever wants to take a peek at your folder will be redirected to your root directory.

In the login.php file (if that's what you use), add a variable; you can give it any name and any value.

Code:
<?php
// login.php

// Marker that pwd.php checks before it hands out the credentials
$variable = 'mysecurityvariable';
include "pwd.php"; // or whatever other name you want to call the file containing your credentials

// ... your other PHP code ...

?>
Create a separate file, let's say pwd.php, with your database credentials and a condition:

Code:
<?php
// pwd.php

// Stop unless the including script set the expected variable
if(!isset($variable) || $variable !== "mysecurityvariable"){
  die("Illegal access");
}
$user='username';
$pwd='password';

?>
There are quite a number of ways you can do this, including cookies, local storage, cryptokeys, etc. But as a starting point for your learning it should be a good example.

Good luck buddy!

Last edited by jdrosales; 02-26-2020 at 02:51 PM.
 
1 members found this post helpful.
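
The include guard and separate credentials file from post #3, applied to the studentdb.inc.php from post #1, as an added example that is not code from any poster in this thread: the guard is a constant, the credentials are read from a file outside the web root, and the exception text goes to the server log instead of the error page. The constant IN_APP, the config file path and the array keys dsn, user and pass are assumptions made for illustration.

```php
<?php
// includes/studentdb.inc.php, hardened variant (added example).
// Assumption: every entry script (login.php, the admin pages) runs
//     define('IN_APP', true);
// before including this file. IN_APP is a hypothetical name.
if (!defined('IN_APP')) {
    // Requested directly by URL rather than included: refuse.
    http_response_code(403);
    exit('Forbidden');
}

// Assumption: the credentials live outside the web root, in a file only
// the web server account can read. Placeholder path; the file contains:
//     <?php return ['dsn'  => 'mysql:host=localhost;dbname=allstudentsdb;charset=utf8',
//                   'user' => 'peter', 'pass' => '...'];
$configFile = '/path/outside/webroot/studentdb.config.php';
if (!is_readable($configFile)) {
    error_log('studentdb: config file missing or unreadable');
    http_response_code(500);
    exit('Service unavailable');
}
$cfg = require $configFile;

try {
    // charset in the DSN replaces the separate SET NAMES statement.
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::MYSQL_ATTR_LOCAL_INFILE => true, // kept from post #1 for the CSV import
    ]);
} catch (PDOException $e) {
    // Details (which can name the host and user) go to the server log only.
    error_log('studentdb: ' . $e->getMessage());
    http_response_code(500);
    $error = 'Unable to connect to the database server';
    include 'error.html.php';
    exit();
}
```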
  

