0

I was curious to know if it was acceptable to allow web developers to use PHP for when build a service for my site. If this was streamlined and excessively secure, would it be safe to do so?

Here's an example:

Someone's building a web application and requires access to the site's users (stored in a MySQL database table). How will get MySQL table results? Well, he can use PHP (or AJAX) to obtain the variable. If you set him up with some streamlined classes with excessively over-secured classes, he should be able to get these variables without a hassle.

Now, what I want to know is, is it secure to give a rando on the internet PHP abilities to use on my site. I don't know this person, nor will I ever actually meet them, but they need to create content for my website and I want to ensure that there will be no security risk doing so.

Thanks in advance.

  • PHP usually has access to the entire filesystem on most servers, do you want random internet users to have that? – TRGWII Feb 18 '15 at 04:52
  • Precisely the reason I asked this question, my friend. Is there a way to streamline and prevent security faults? –  Feb 18 '15 at 04:56
  • I'm not sure, I think some of the larger shared hosting services use an insane amount of config, or a unix-user for each web user that PHP runs under... I think this might be a good place to start: [PHP Security Guide: Shared Hosts](http://phpsec.org/projects/guide/5.html) – TRGWII Feb 18 '15 at 04:59
  • Otherwise you could revoke write access from the user the webserver is running under, that would fix the file issue – TRGWII Feb 18 '15 at 05:00
  • Remember that PHP also has access to your internal network by default, and can open sockets, so you may need to shield some services on your local network as well. – TRGWII Feb 18 '15 at 05:01
  • True. Those are all very valid and realistic points. –  Feb 18 '15 at 05:05
  • Maybe try with the guys over at [ServerFault](http://serverfault.com/), they probably know more about this stuff :) – TRGWII Feb 18 '15 at 05:07

1 Answers1

1

Allowing 3rd party access to your site is NOT advisable in native code - Not to write files, and not to the DB. This is a security risk, and ill advised.

The best solution to something like this is to write an API for the site:

for example, they need access to users list, so write a read only (key locked) api that gives a list of users and is searchable

Locking with a key means you can limit calls, log who called what, and how much, and also revoke access.

eg. they would call

yoursite/api/getusers?name=john&key=mykey

and get a list with all John's etc.

this way your DB remains secure, and no outside code can run on your site/server.

ConfusedDevelopment
  • 178
  • 1
  • 8
  • Could you give me an example of how I would build this key? Like a link or something along those lines? And what language should I write the API in? –  Feb 18 '15 at 15:29
  • Sure: As for the key you could do something like : `$key = md5($username.$salt);` (in php) for example, will generate an md5 for that user based on username and password (keeping in mind here, though, that md5 isn't very secure, but this is simply a key to bind or limit access to your API. As for what language, which are you most comfortable writing in? PHP is a good choice if your server is already running PHP. – ConfusedDevelopment Feb 19 '15 at 04:42
  • https://stackoverflow.com/questions/1448455/php-api-key-generator also deals with generating a key – ConfusedDevelopment Feb 19 '15 at 04:48
  • I'm fine with Javascript, PHP and the standard HTML/CSS syntax. I have no problem working with any of them. –  Feb 19 '15 at 20:45