PHP security

[david@bridgemics.co.]

I have posted this question elsewhere by mistake - sorry.
My ISP says that I most likely have a security hole in my website PHP coding.
My website uses PHP to call pages, overall it was written using dreamweaver.
I am not very familiar with either PHP or Dreamweaver, although I did write
the website, so I have no one else to blame but myself.
I have had a few rogue websites set up using my webspace. After deleting the
sites and uploading the original files and changing my password they still
arrived. My ISP says there is most likely a security hole in my PHP coding and
I should apply the most recent patches.
I don't know/understand how to do this, my ISP doesn't support PHP or any
website building really.
I am currently running the most recent version of PHP on my PC, but wasn't
when I wrote the website. How do I update my web pages to be using this most
recent version of PHP.
If I only send simple code to my webspace is it not the ISP PHP parser that
needs updating? (This probably shows my lack of knowledge)
Any help would be gratfuly received.

[Steve]

David,

The first thing that I would check is the directory/file permissions on your
web space. If others are posting files there, they must be wide open.

The subject of updating PHP is a little more complex than can be handled in
this forum. You absolutely need to have an ISP that can assist you with
this. In fact, I'm surprised that tou are able to use it at all if the ISP
doesn't support it. How did you install it on the server?

Could you provide a link to the site?

Respectfully,

Steve

"david@bridgemics.co." <webforumsuser@macromedia.com> wrote in message
news:g2jhnb$akv$1@forums.macromedia.com...

>I have posted this question elsewhere by mistake - sorry.
> My ISP says that I most likely have a security hole in my website PHP
> coding.
> My website uses PHP to call pages, overall it was written using
> dreamweaver.
> I am not very familiar with either PHP or Dreamweaver, although I did
> write
> the website, so I have no one else to blame but myself.
> I have had a few rogue websites set up using my webspace. After deleting
> the
> sites and uploading the original files and changing my password they still
> arrived. My ISP says there is most likely a security hole in my PHP coding
> and
> I should apply the most recent patches.
> I don't know/understand how to do this, my ISP doesn't support PHP or any
> website building really.
> I am currently running the most recent version of PHP on my PC, but wasn't
> when I wrote the website. How do I update my web pages to be using this
> most
> recent version of PHP.
> If I only send simple code to my webspace is it not the ISP PHP parser
> that
> needs updating? (This probably shows my lack of knowledge)
> Any help would be gratfuly received.
>

[david@bridgemics.co.]

Hi Steve,
My ISP doesn't support PHP in as much as they won't help with any PHP
problems, the webspace has PHP installed and enabled for use.
My site is at [url]www.hebdensound.co.uk[/url]
When you say file/directory permissions, is this beyond the ISP only allowing
logged in users to ftp to a site?
I have just now changed permissions to my directories to have a username and
password, I am not sure how this gets envoked however, but is this what you
mean? When I use an ftp program I can still get into these directories without
any extra password.

Thanks for your help

[Steve]

David,

I checked your site, and your FTP service is requesting a User ID and
password. I suspect that you re getting in through as you've cached the
authentication already. One way to check this is to clear your browser's
cache/cookies and try logging in again. You should get prompted.

This should stop users from posting files on your site unless you have
created an upload page that they can access. I didn't see one when I looked
at your site. You need to set the file/directory permissions on all of your
directories so that the users can read/execute PHP pages, but not write. If
you do create an upload page, point any uploads to a directory that can be
written to by the users, but won't give them execute scripts permissions.
Otherwise they can upload a script and then execute it, and then you're in
trouble.

The ISP needs to apply the latest patches to PHP on the server. This is not
something you can do. If you upgrade PHP on your workstation, any changes
that you make to yuour pages locally can be FTP'd to the server. However, if
you are coding to a later version of PHP than the ISP, some of your pages
may not work. I always try to stay in sync with the ISP to avoid this.

From the sound of it, you would be much better off getting a different ISP.
There are thousands out there, and most offer much better support than your
current one.

Steve

"david@bridgemics.co." <webforumsuser@macromedia.com> wrote in message
news:g2mqb3$40e$1@forums.macromedia.com...

> Hi Steve,
> My ISP doesn't support PHP in as much as they won't help with any PHP
> problems, the webspace has PHP installed and enabled for use.
> My site is at [url]www.hebdensound.co.uk[/url]
> When you say file/directory permissions, is this beyond the ISP only
> allowing
> logged in users to ftp to a site?
> I have just now changed permissions to my directories to have a username
> and
> password, I am not sure how this gets envoked however, but is this what
> you
> mean? When I use an ftp program I can still get into these directories
> without
> any extra password.
>
> Thanks for your help
>
>
>