This is the biggest source of problems. Most non-programmers don't realize how important this is, particularly for web software.
Even if you aren't interested in making program modifications, encrypted source code will prevent you from even hiring someone else to do it. This means, for example, that if you need to make some change to your web site, you will not be able to change the way it functions. Encrypted software is a trap and can really hurt you in the long run.
This is a very common problem; it's almost universal these days. Even when configuration files are named with a .php extension (usually some variation of config.php), there is still a very real possibility that the web server can become misconfigured and dump out the contents of such files, and yes, we've seen it happen many times!
If this file contains your database settings, look out!
This is such a common problem, we've written an article called Security, Keeping it Off the Web to warn people about this issue and provide some tips for dealing with it.
If it's a PHP file (typically configuration) you can often work around this by placing it off of web space and then, in the original file, using require_once('/off/the/web/conf.php');
Usually these files are named .htpasswd and they contain, you guessed it, your passwords. This is so common that the default Apache configuration file denies access to them. While this is certainly helpful, such an approach can become a liability while the web server software is being updated.
The correct way to handle this is to keep these files away from web space; that way, even if the web server configuration gets mixed up (hey, it happens!), they cannot be downloaded.
Sometimes this simply can't be avoided. The danger is that on a shared hosting platform, a world-writable directory can be written to by anyone else on the host. This means, for example, that someone could place a PHP file containing a trojan in your web space. All they have to do then is run the script, and you end up with significant damage. Even on shared hosting platforms, it is your log file that shows the script being run, so the actions will likely be attributed to you.
Needless to say, this is something to avoid whenever possible.
This isn't a terribly serious problem if you are able to change the permissions back to reasonable settings after the installation is complete. The main issue with world-writable configuration files is that on a shared host, other people can "re-write" them with their own settings.
Of course, shared hosting is open to other abuse, such as reading these values. Generally speaking, this can't be avoided with such hosts.
If you are installing a PHP script that insists on changing a file to mode 666 or mode 777, please do yourself a favor and remember to change it back after the installation is complete. (Typically, you can change it back to 644 to be safe.)
If possible, you should make sure configuration files containing sensitive information are not stored in web space, for the reasons outlined above. (And yes, this is common!)
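The permission and web-space checks above can be scripted. The following is an added example, not part of the original article: a small POSIX sh helper that walks a document root (the path is a constructed assumption) and reports world-writable files and directories, password and configuration files sitting in web space, and then resets world-writable files to 644 as the article recommends, leaving directories for manual review.

```sh
#!/bin/sh
# Added audit helper (not from the original article). Assumes a POSIX sh with
# find/chmod/wc and that $1 is the document root of the site being checked.

# List files and directories that anyone on the host can write to
# (mode 666 / 777, i.e. the "other write" bit, octal 002, is set).
find_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# List .htpasswd files and likely configuration files that live in web space,
# where a web server misconfiguration could serve them as plain text.
find_sensitive_in_webspace() {
    find "$1" \( -name '.htpasswd' -o -name 'config*.php' -o -name '*.inc' \) \
        -print 2>/dev/null | sort
}

# Total number of warning signs found under the document root; 0 means clean.
audit_docroot() {
    ww=$(find_world_writable "$1" | wc -l)
    sens=$(find_sensitive_in_webspace "$1" | wc -l)
    echo $((ww + sens))
}

# Reset world-writable regular files to 644 (the article's post-install fix).
# Directories such as upload folders are intentionally left alone, since some
# scripts genuinely need them; review those by hand.
fix_world_writable_files() {
    find "$1" -type f -perm -002 -exec chmod 644 {} \; 2>/dev/null
}

# Stand-alone usage: ./audit.sh /var/www/html  (path is a constructed example)
if [ -n "$1" ]; then
    echo "World-writable paths:";       find_world_writable "$1"
    echo "Sensitive files in web space:"; find_sensitive_in_webspace "$1"
    echo "Warning signs: $(audit_docroot "$1")"
fi
```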
These are just a few handy things you can spot without poring over the program source code.
Hopefully we've saved you some grief. Of course, for every rule there is an exception; the above checklist isn't written in stone and we've probably missed a few things. However, if any of the above signs show up in a PHP script you are evaluating, you would do well to investigate it further.
An ounce of prevention may save your website from being hacked later on.