I authored a PHP web-application using SQLite and periods saved on filesystem.
This really is functionally fine and beautifully low maintenance. But, now it must operate on a shared host.
All web-programs around the shared host run because the same user, so my users' session information is vulnerable, out of the box the database, code, etc.
Many recommend storing periods in DBMS for example MySQL in cases like this. So in the beginning I figured I'll simply do that, and move the SQLite data into MySQL too. However I recognized the MySQL qualifications have to be readable through the web application user, so I am to where you started.
I believe the very best solution is by using PHP like a CGI therefore it runs as different user for every web-application. This sounds great, but my host doesn't do that it uses mod_php. What are the disadvantages from an admin's point-of-view for enabling this? (performance, backward compatibility, etc)? Otherwise i quickly will request these to enable this.
Otherwise, can there be anything I'm able to caused by secure my database and session data in cases like this?
As lengthy as the code is running because the shared web user, anything saved around the server will probably be vulnerable. Every other user could write a PHP script to look at any readable file around the server, as well as your data and PHP code.
In case your host company allows it, running as PHP like a CGI within different user can help, however i expect you will see a substantial performance hit, as each request will need a brand new process to become produced. (You could think about FCGI like a better-carrying out alternative.)
Another approach is always to set a cookie according to something the consumer provides, and employ that to secure session data. For example, once the user logs in, have a hash of the username, password (as just provided by them) and also the current time, secure the session data using the hash, set a cookie that contains the hash. Around the next request, you will get the cookie back, which you'll then use to decrypt the session data. Note however this is only going to safeguard the present session data your user table, other data, and code it's still vulnerable.
In cases like this, you have to decide if the tradeoff from the inexpensive of hosting that is shared is acceptable thinking about the lower security it offers. This can rely on the application, also it might be that instead of attempting to develop an intricate (and perhaps not really extremely effective) method to add security, you are best just accepting the danger.
I do not view security as any nothing. You will find things you can do. Provide the web db user just the permissions it requires. Store passwords as hashes. Use openid login so customers provide their qualifications over SSL.
PHP on cgi could be reduced plus some hosts should not need to aid several evidonment.
You may want to stay with your host for whatever reason, but generally you will find a lot of available that it's a good indication for individuals to check functionality and security in addition to cost. I've observed a lot of companies beginning to provide virtual machine hosting -- nearly devoted server level securty when it comes to separating your code using their company customers -- at what's in my experience reasonable cost.
A shared host isn't any method to run an internet site if you're aware of security and privacy of the data in the sites that you simply share the server with. Anything available to your internet application is fair game for that others it'll simply be dependent on time before they are able to can get on (presuming they are doing have incentive to achieve that for you).
"you can put your DB connection variables inside a file below the net root. this can a minimum of safeguard it from web access. if you are likely to use file based periods too, you are able to set the session path inside your user's directory and again outdoors the net root."
I do not come with an account and so i can't downvote that.. but seriously it's not even highly relevant to the question.
Duh you store stuff outdoors the webroot. That applies to any hosting scenario and isn't specific to hosting that is shared. We are not speaking about safeguarding from outsiders here. We are speaking about safeguarding using their company programs on a single machine.
Towards the OP I believe PHP as CGI is easily the most secure solution, while you already recommended yourself. But as another person stated there's a performance hit with this particular.
Something you may take a look at is moving your periods and db to MySQL and taking advantage of safe_mode and/or open_basedir.