

Ask HN: How secure is my PHP script? - hennerw
https://github.com/DieTapete/restricted-area

======
Udo
I didn't go through the whole thing in detail, so please correct me if I got
anything wrong, but I think I understand enough of the structure.

There are some acute problems that could be solved in code, for example the
use of str_replace() in download.php should be replaced by urldecode(), and
you should be aware that the following couple of lines after that do exactly
nothing to prevent access to arbitrary files on your server. I don't mean this
in a rude way, but it looks like you still have a ton of reading to do on how
webservers work until you can tackle any of these problems with confidence. So
no, it's not remotely secure, and maybe something that focuses on security is
not the best project to get started in the first place.

Besides the security aspects, the problem I see is that the script doesn't
fulfill its own core promise: to regulate file access. You can just circumvent
it by taking the filename sent as an argument to download.php and using that to
access the thing in the files/ folder directly if indeed .htaccess isn't used
(which would automatically apply to, say, any NginX server and which is indeed
a scenario you explicitly advertise). If you want to prevent that, you have to
either store the files in a place that isn't browser-addressable, or at least
store them in a way so their names can't be guessed.

The problem with PHP is that it's deceptively easy to make something that
looks like it works, but in reality doesn't. It's an environment that makes it
very effortless to shoot yourself in the foot. Personally, I love working with
it (as opposed to many other programmers), but it _requires_ that you _really_
know what you're doing. I don't want to discourage you from using it, but it's
something you have to be aware of - and if you plan on doing only casual web
development, I would highly recommend going with a framework instead.
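To make the two points above concrete, here is an added example (not code from the restricted-area repository) of a download handler that keeps the files outside the web root and refuses any name that could escape that directory. FILE_DIR, the session flag and the file name pattern are assumptions for the example.

```php
<?php
// Added example, not part of the repository under discussion.
declare(strict_types=1);

// Assumed: a directory the web server does not serve directly, so the only
// route to these files is through this script.
const FILE_DIR = '/var/www/private-files';

session_start();
if (empty($_SESSION['authenticated'])) {   // assumed: set by the login step
    http_response_code(403);
    exit('Forbidden');
}

// PHP has already URL-decoded $_GET, so no further decoding is applied.
// basename() drops every directory component, so "../x" or "a/../../x"
// collapse to the last segment and traversal never reaches the filesystem.
$requested = basename($_GET['file'] ?? '');

// Allow only plain names that start with a letter or digit: this rejects
// empty names, "..", and dotfiles such as .htaccess in one check.
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $requested)) {
    http_response_code(400);
    exit('Bad request');
}

// Canonicalise both sides and require the resolved file to sit inside
// FILE_DIR. realpath() follows symlinks, so a link pointing outside the
// directory is rejected here as well.
$base = realpath(FILE_DIR);
$path = realpath(FILE_DIR . DIRECTORY_SEPARATOR . $requested);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the validated name is only ever joined to FILE_DIR and then re-checked with realpath(), a request such as `download.php?file=../../etc/passwd` ends at the 400 or 404 branch rather than at readfile().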

~~~
hobarrera
I also don't quite understand why there's an apache htaccess file inside
`files/`, when the readme says:

    [...] without the need for a database or a .htaccess file.

~~~
jack9
The implication is that there is no need for a .htaccess per user/folder.

------
hennerw
I created this small script to easily create password protected areas on a
server without databases or .htaccess files. The problem is, I am not that
involved in PHP and backend programming in general. So I guess there are a few
flaws. Can you help me find them?

~~~
vatotemking
Try asking this on

[http://programmers.stackexchange.com/](http://programmers.stackexchange.com/)

[http://www.reddit.com/r/PHP](http://www.reddit.com/r/PHP)

~~~
hennerw
Thanks, will do.

------
ufo
I'm not sure you will get lots of help if you just dump the code on people
like that. Maybe you should update your readme and explain up front how your
architecture is supposed to work. When it comes to security it's often the case
that vulnerabilities come from a bad architecture and not just from sloppy
coding and bugs.

~~~
hennerw
I updated the README with a 'How does it work' part.

