
0. Put local config files outside of the webroot or other publicly accessible directories, and include them programmatically.

1. Disable swap/backup files in your editor (or write them to a different location)[1]

2. Git ignore or SVN ignore swap files and backup files

3. Configure your web server to not serve such files.

Some combination of these should keep you safe. :)

[1]: in vim: noswap nobackup nowritebackup or http://vim.wikia.com/wiki/Remove_swap_and_backup_files_from_...
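To check steps 1 to 3 from the outside, the following script (an added example, not code from the thread) walks a webroot and lists the editor leftovers that a stock web server would happily serve as plain text: vim swap files, `~` backups, emacs autosave and lock files, and the usual `.bak`/`.orig` copies. It also prints the same set of patterns as an Apache 2.4 `<FilesMatch>` block for step 3. The file names it creates are constructed for the demo; the regex and the Apache directive are assumptions about which artifacts matter and are meant to be extended for whatever your editors produce.

```python
"""Find editor swap/backup files under a webroot that a web server would serve.

Added example for the thread above, not code from any of the commenters.
The sample webroot below is constructed inline so the script runs offline.
"""
import os
import re
import shutil
import tempfile

# Editor artifacts that leak source (and the DB credentials inside it) when
# they land under the webroot. Assumed list; extend for your own editors.
EDITOR_ARTIFACT_RE = re.compile(
    r"""^(?:
        \..+\.sw[a-p]$                 # vim swap: .config.php.swp, .swo, .swn ...
      | .+~$                           # vim/emacs backup: config.php~
      | \#.+\#$                        # emacs autosave: #index.php#
      | \.\#.+$                        # emacs lock file: .#config.php
      | .+\.(?:bak|orig|old|save)$     # copy suffixes: config.php.bak
    )""",
    re.VERBOSE,
)


def is_editor_artifact(name: str) -> bool:
    """True if a bare file name looks like an editor swap/backup/lock file."""
    return bool(EDITOR_ARTIFACT_RE.match(name))


def find_editor_artifacts(webroot: str) -> list[str]:
    """Return sorted webroot-relative paths of files matching the artifact patterns."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if is_editor_artifact(fname):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), webroot))
    return sorted(hits)


def apache_deny_rule() -> str:
    """The same patterns as an Apache 2.4 FilesMatch block (step 3 in the thread).

    FilesMatch tests the bare file name, so anchors behave as in the regex above.
    """
    return (
        '<FilesMatch "(^#.*#$|^\\.#|\\.(bak|orig|old|save|sw[a-p])$|~$)">\n'
        "    Require all denied\n"
        "</FilesMatch>"
    )


def demo() -> list[str]:
    """Build a constructed webroot with one live file and several leaked artifacts."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "inc"))
        for rel in (
            "index.php",             # legitimate
            "inc/config.php",        # legitimate (ideally outside the webroot anyway)
            "inc/.config.php.swp",   # vim swap file left by an open editor
            "inc/config.php~",       # backup written on save
            "inc/config.php.bak",    # manual copy before a live edit
            "#index.php#",           # emacs autosave
        ):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php $db_pass = 'constructed-secret';\n")
        return find_editor_artifacts(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path in demo():
        print("would be served as text:", path)
    print(apache_deny_rule())
```

Run it against a real document root instead of the constructed one by calling `find_editor_artifacts("/var/www/html")`; anything it lists is retrievable by URL unless step 3 is in place. The same regex, minus the vim-specific branch, is what belongs in `.gitignore` for step 2.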




Step 0 is the only way to do it. I'm constantly stunned to see how many PHP apps violate this rule.


You've obviously never had an amateur developer run smack into open_basedir issues before. The application basically gets a 404 error when including dependencies, until they look for open_basedir configuration. A developer really needs to know when open_basedir has restricted an include, because the error is really vague.

And shared hosts don't generally allow files outside the webroot of a site. When they do, they might already have open_basedir set to only allow inclusion WITHIN the webroot.

Most packages like Wordpress are developed to run on the maximum number of servers. It isn't built to run on the best, or smartest configured ones—but the average, out-of-the-box Apache/PHP install.


The PHP ecosystem has some really awful defaults which is why it's developed such a bad name for itself. It may be that many of these are there to accommodate misconfigured web hosts, but this behavior has a way of self-perpetuating.

Example: PHP 5.5 will be running for the next billion years because when mysql_query is finally put to rest in newer versions all those applications that depend on it will fall over. Thus, a legacy version of PHP will be supported by hosts, bugs, security holes and all.

"You either die a hero, or live long enough to see yourself become the villain..."

PHP crossed the line from hero long ago.


Actually, it comes back to the user, not so much the coder. After I left a job a while back they hired some random as a replacement. The replacement had no Linux experience, so the next best thing for them was to tell the owner to move all software to a shared host (which they had had experience with before).

Everything was written below a public root, but the shared host didn't allow this, so the next thing you saw was: domain.com/publicroot/index.php^ when the new developer took over. The funniest thing was that they had internal subdomains which ended up public as well, one with full customer listings.

"Never attribute to malice that which is adequately explained by stupidity." - Hanlon's Razor

^ fake path


4. Don't make live edits on your production server.


5. FTP is not a deployment tool.



