02-14-2012, 05:11 PM
raymor
Talk to your server admin about "chrooted FTP". Most FTP servers can be set up so that you see only your own files.

Other than that, assume he can use PHP to SEE your files (but then he can see most of them in a browser anyway). Any sensitive information stored on the server should be properly encrypted or hashed.

To prevent someone with an account seeing your files through their PHP script requires a bit more complex setup than I want to detail here, and it creates very significant new security problems the way most people do it, so the "short version" would be dangerous. The key is to create two NEW users - you_apache and him_apache. Your scripts would be set to run as you_apache and his would be set to run as him_apache.

Last edited by raymor; 02-14-2012 at 05:14 PM.
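An added example, not part of raymor's post: a Python audit that lists which files under a web root a given account could open for reading, comparing a shared web server account with a separate per-customer account such as the him_apache user described above. The sample tree, file modes and uid/gid values are constructed, and ACLs and root access are ignored.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, read):
    """POSIX owner/group/other check on one stat result (ignores ACLs and root)."""
    if st.st_uid == uid:
        bit = stat.S_IRUSR if read else stat.S_IXUSR
    elif st.st_gid in gids:
        bit = stat.S_IRGRP if read else stat.S_IXGRP
    else:
        bit = stat.S_IROTH if read else stat.S_IXOTH
    return bool(st.st_mode & bit)

def exposed_files(root, uid, gids):
    """Files under root that a process running as uid/gids could open for reading."""
    if not allowed(os.stat(root), uid, gids, read=False):
        return []
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A directory without the search (x) bit hides everything below it.
        dirnames[:] = [d for d in dirnames
                       if allowed(os.stat(os.path.join(dirpath, d)), uid, gids, read=False)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if allowed(os.stat(path), uid, gids, read=True):
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)

def demo():
    """Constructed sample tree; the uid/gid values are derived, not real accounts."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "private"))
    for rel, mode in (("index.php", 0o644), ("config.php", 0o640),
                      ("private/keys.txt", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "private"), 0o750)
    os.chmod(root, 0o755)
    st = os.stat(root)
    # Shared web server account: not the owner, but in the files' group.
    shared = exposed_files(root, st.st_uid + 1, {st.st_gid})
    # Separate per-customer account (him_apache in the post): matches neither.
    separate = exposed_files(root, st.st_uid + 1, {st.st_gid + 1})
    return shared, separate

if __name__ == "__main__":
    print(demo())
```

Run against a real web root with the numeric uid and group ids of the account in question; anything it still lists is readable through that account's PHP scripts.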