ProcessForm fails to run from cgi-bin

Postby lmcmahon » 08/29/2005 @ 06:45

Hi,

A new user question.

ProcessForm.php runs from /public_html/ but not from cgi-bin. The file permission is 755. I get an "Internal Server Error". The error log provides this information:

Premature end of script headers: /public_html/cgi-bin/ProcessForm.php
File does not exist: /public_html/500.shtml

Regards,
Larry

P.S. My hosting service claims that "it's pretty much standard that php files will not run inside cgi-bin unless the php installation is deliberately misconfigured to run that way."

Yet the install SQL read me says:
"For better security, upload the file into a directory on your server that's a level higher than your web root folder. Or, your web host may have a cgi-bin (or similar) folder that prevents normal web browsing. This is to keep unwanted viewers from finding out your MySQL connection information in case PHP is not running as it should be."

I'm confused.
lmcmahon
 
Posts: 16
Joined: 08/29/2005 @ 06:35

Postby Nate Baldwin » 08/29/2005 @ 11:45

If your web host won't let you run PHP files from the cgi-bin (all the hosts I've worked with allow it, for what it's worth), then you'll have to put the scripts in your main site somewhere. It's best to keep the database connection info in a directory that's not available for HTTP browsing, such as most cgi-bin directories, but if it's not something that works on your server, you don't really have a choice, I'm afraid.
Nate Baldwin
Site Admin
 
Posts: 3724
Joined: 04/25/2003 @ 19:05

Postby lmcmahon » 08/29/2005 @ 17:01

Security, keeping the contents of ProcessForm.php and ProcessFormDB.php from being read is the goal. Both have things we don't want others to read.

1). Putting PHP code in cgi-bin is no more secure than any other directory. It may be a bit safer because the server will try to execute things in that directory rather than display them to the browser. On my server only Perl and CGI scripts will execute from cgi-bin. Other files generate a 500 internal server error. Is this more secure?

2). When I pull up a .php file in my browser (Opera, IE6 or Mozilla) I can't view the php source code. If the php code echoes html, I can view the html. This seems safe unless the user has FTP access. Now I don't know if the WA Site Import will copy such .php files, but when I open one in my browser and save it, there is no php code visible. I tried saving ProcessFormDB.php as a test. Please tell me, how does a user view the code in a php file?

Larry
I'm still trying to find out if php code should be able to execute from cgi-bin.
lmcmahon
 
Posts: 16
Joined: 08/29/2005 @ 06:35

Postby lmcmahon » 08/29/2005 @ 17:49

On the question of PHP code running out of /cgi-bin/ take a look at:

http://www.linuxhelp.ca/forums/index.php?act=ST&f=3&t=4597

This indicates that on a standard php install it won't work, but there are workarounds/hacks.

Larry
lmcmahon
 
Posts: 16
Joined: 08/29/2005 @ 06:35

Postby lmcmahon » 08/29/2005 @ 18:06

On the question of PHP code running out of /cgi-bin/ take a look at:

http://www.linuxhelp.ca/forums/index.php?act=ST&f=3&t=4597

This indicates that on a standard php install it won't work, but there are workarounds/hacks.

Still not sure how a file in cgi-bin is any more secure.

Larry
lmcmahon
 
Posts: 16
Joined: 08/29/2005 @ 06:35

Postby Nate Baldwin » 08/29/2005 @ 18:24

lmcmahon wrote: On the question of PHP code running out of /cgi-bin/ take a look at:
http://www.linuxhelp.ca/forums/index.php?act=ST&f=3&t=4597
This indicates that on a standard php install it won't work, but there are workarounds/hacks.

I'm not saying put the main ProcessForm.php file in your cgi-bin, just the database connection file. While many servers won't run PHP scripts in the cgi-bin when accessed directly, they usually (in my experience) will allow the main script file to be outside the cgi-bin, but import a separate PHP script as an include from the cgi-bin. So, ProcessForm would be in the main site. The database connection info would be stored in the separate PHP file and imported into ProcessForm as an include.

lmcmahon wrote: Still not sure how a file in cgi-bin is any more secure.

On pretty much every server I've worked with, the cgi-bin directory is above the root HTTP directory on the server. That would mean there's no possible way to access the file from a web browser (you can't browse higher than the site root). If your cgi-bin folder is inside your web root directory, then there's not much point in trying to force PHP to run from there.

I can't speak for every server configuration out there. If yours is different, then just put the scripts where they work. You can always set special folder permissions to make things as secure as possible. Info is generally pretty safe in a PHP file anyway, it's just an added precaution. Take it or leave it - it's up to you.
Nate Baldwin
Site Admin
 
Posts: 3724
Joined: 04/25/2003 @ 19:05
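
The arrangement described in the reply above (main script inside the site, connection settings in a separate include kept out of the web root), as an added example that is not part of the thread or of ProcessForm's own code. The function name, directory layout and config keys are assumptions made for the demo; it builds its own temporary directories so it can be run from the command line.

```php
<?php
// Added example: accept DB settings only from a file outside the web root.
// load_private_config() and every path below are hypothetical demo names.

function load_private_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    // A file under the web root has a URL. If PHP ever stops executing,
    // the server would send its source (password included) as plain text.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("refusing config inside web root: $real");
    }
    $config = require $real; // the file returns an array, sets no globals
    if (!is_array($config) || !isset($config['host'], $config['user'], $config['pass'])) {
        throw new RuntimeException('config file did not return the expected keys');
    }
    return $config;
}

// Constructed layout in a temp directory, standing in for a hosting account.
$base = sys_get_temp_dir() . '/pf_demo_' . bin2hex(random_bytes(4));
mkdir("$base/private", 0755, true);      // sibling of the web root, no URL
mkdir("$base/public_html", 0755, true);  // web root
$body = "<?php\nreturn ['host' => 'localhost', 'user' => 'form_user', 'pass' => 'example-only'];\n";
file_put_contents("$base/private/db_config.php", $body);
file_put_contents("$base/public_html/db_config.php", $body);

// Include from outside the web root: accepted.
$cfg = load_private_config("$base/private/db_config.php", "$base/public_html");
echo "loaded settings for user {$cfg['user']}\n";

// Same file placed inside the web root: rejected before it is read.
try {
    load_private_config("$base/public_html/db_config.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

On a real site the second argument would normally be `$_SERVER['DOCUMENT_ROOT']`, and the check only helps if the private directory is genuinely outside it, which is the distinction the thread draws about where a host places cgi-bin.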

