suPHP vs mod_php

Posted on | 十一月 4, 2010 | No Comments

suPHP vs. mod_php. When is suPHP superior.
Wednesday, June 18th, 2008 11:31AM UTC

A long time customer of ours asked about another shared hosting provider’s PHP setup. They need to write files to the

file system using PHP. He was having issues with creating files and folders through PHP. This provider uses mod_php,

instead of our setup on HostASite.com that is suPHP based. To get around the issue their tech support recommend

setting the folder to use permission 777 (writeable by ANYONE).

Using 777 permissions on a folder means ANYONE on that server can write to it. Hackers LOVE this type of setup. In

addition, with mod_php you must have at least 644 perms on PHP files, which ALSO means your files can be read by

anyone. This means your MySQL password, key to your merchant account, etc., can be read by any customer on that shared

server! If you ask me, not a secure solution.

We use suPHP instead of the default apache/mod_php for shared hosting.

SuPHP
Pros:

* PHP runs as your user/group
* PHP files can have perms of 640 (hiding things like passwords from other accounts)
* Files/folders written by PHP are written as user/group (no apache or other global user)
* Custom php.ini file per site (can add/remove security options)
* Can run php4 and php5 at the same time (on even the same site!)

Cons:

* Slower
* many PHP .htaccess options do not work (since you can have your own php.ini file this make this point moot)

apache/mod_php
Pros:

* Faster (about 25-30%)

Cons

* PHP safe mode isn’t safe
* files written by PHP are saved as the apache process (usually apache/apache user/group)

For our Shared hosting servers it’s a no brainer to use suPHP instead of mod_php, even if we take a performance hit.

PHP is the #1 method hackers gain access to customer accounts. So once an account is hacked on a shared server, they

can do much more damage with a mod_php setup. SuPHP accounts are much more sandboxed. We’ve had many hacked accounts

via suPHP, and none of them have affected our other customers. In the future are going to replace suPHP and use

LiteSpeed’s web server instead. It offers the same performance as mod_php and yet the same security as suPHP.

Our VPSes and dedicated servers we give the customer the option to select which PHP setup they want.

Author: Larry
Category: Hosting, Security
RSS 2.0 comment feed
Both comments and pings are currently closed.
Comments

1. On June 18th, 2008 2:52+00:00 UTC Rob M says:

I use suPHP in my dev environment with both php4 and php5 just so I can imitate what is used by

hostasite/10for10. Having a custom php.ini is actually a really nice feature since you can do some things that you can

’t do in .htaccess. But LiteSpeed seems like the best of both worlds.

Under suPHP:

* Any scripts that require 777 should use 755 instead.
* Generally, set folders to 755.
* Generally, set files to 644.

What should my .htaccess file look like if my account is on a suPHP server?
You should remove the lines that begin with "php_value" and "php_flag". You will need to move these files to a file

named php.ini and upload php.ini into your public_html directory. Then, add the following line into the .htaccess file

in your public_html:

suPHP_ConfigPath /home/username/public_html

where "username" is your cPanel username. You will need to remove php_value and php_flag from ALL .htaccess files you

may have. However, you only need to add the suPHP_ConfigPath line in the .htaccess file in your public_html directory

only.

Please note that you will need to change the format of your php_value and php_flag lines into the php.ini format.

(Refer to the FAQ entry on how your php.ini file should be formatted).
Another consideration while everyone is "banging on" about you MUST use suPHP. ( taken from a post by Doug Robbins ).

Without suPHP

Without suPHP, intruders might gain write-access to all files and directories that are owned by "nobody" or are world

-writable — e.g. chmod xx6 for files or xx7 for directories.

With suPHP

Intruders might gain write-access to all files owned by the user.

If an exploit runs with permissions of the account owner, all files in the account are susceptible to being

overwritten.

You might want to consider installing suhosin for added security.

php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

.htaccess & php.ini in suPHP

Posted on | 十一月 4, 2010 | No Comments

php.ini EZConfig is a proprietary cPanel feature not found in all cPanels.

It makes life easier for Joomla users as it provides a GUI for editing a global php.ini file.

The global php.ini file is stored in the home directory.

The global php.ini file has a recursive affect meaning that the settings in the file will affect all directories on

the account.

This is an improvement over the traditional method of manually editing php.ini files and placing them in every

directory to be affected.
Overriding php.ini EzConfig:

Create a custom php.ini and add the following to a .htaccess file in the same directory:
<IfModule mod_suphp.c>
suPHP_ConfigPath /home/USERNAME/public_html/PATH/TO/DIRECTORY/php.ini
<Files php.ini>
order allow,deny
deny from all
</Files>
</IfModule>

You will have to edit the "suPHP_ConfigPath" line to point to the proper php.ini file.

(Technically it doesn’t need to be in the same directory, but putting it there may be best for the sake of

organization.)

apt-get yum port

Posted on | 十月 26, 2010 | No Comments

APT 常用指令如下：

apt-get update
更新套件列表

apt-get dist-upgrade
升級 rpm

apt-cache search
搜尋套件，ex: apt-cache search httpd

apt-get install
安裝套件，這裡的套件安裝，會考慮到相依性的問題。 ex: apt-get install httpd

apt-get remove
移除套件，這裡的套件移除，也會考慮到相依性的問題。 ex: apt-get remove httpd

apt-get clean
清除安裝時下載的暫存套件原始檔案，位於 /var/cache/apt/archives

YUM 常用指令如下：

yum update
更新套件， ex: yum update httpd，如果只有 yum update ，會更新所有已經安裝的套件。

yum search
搜尋套件，ex: yum search httpd*，會搜尋所有跟 httpd 有關的套件。

yum install
安裝套件，這裡的套件安裝，會考慮到相依性的問題。 ex: yum install httpd

yum remove
移除套件，這裡的套件移除，也會考慮到相依性的問題。 ex: yum remove httpd

yum clean
清除安裝時下載的暫存套件原始檔案，位於 /var/cache/yum，因為這裡可以清除的項目很多，我最常用的是 yum clean all ，一

次給他清掉 :p

yum list
列出套件名稱，用法常用有分以下幾種：

yum list updates
列出所有可以更新的套件

yum list installed
列出所有已安裝的套件

20.1. 如何只抓取 tarball？

# make fetch

# cd /usr/ports/editors/joe
# make fetch

# cd /usr/ports/systuils/portupgrade
# make fetch-recursive

# cd /usr/ports/ftp
# make fetch-recursive

# cd /usr/ports/editors/joe

# make extract

# cd /usr/ports/editors/joe

# make patch

# cd /usr/ports/editors/joe

# make install

# cd /usr/ports/editors/joe

# make clean

# cd /usr/ports/editors/joe

# make package

# mkdir -p /usr/ports/packages/All

# cd /usr/ports/editors/joe

# make package clean

# cd /usr/ports/sysutils/portupgrade

# make DEPENDS_TARGET=package package

# cd /var/db/pkg

# pkg_create -b joe-{版本號}

# cd /usr/ports/editors/joe

# make clean

# cd /usr/ports

# make clean

# cd /usr/ports/ftp

# make clean

# cd /usr/ports/editors/joe

# make distclean

# cd /usr/ports

# make distclean

# cd /usr/ports/ftp

# make distclean

# cd /usr/ports/mail/p5-Mail-SpamAssassin

# make all-depends-list

# cd /usr/ports/mail/p5-Mail-SpamAssassin

# make pretty-print-build-depends-list

# cd /usr/ports/mail/p5-Mail-SpamAssassin

# make pretty-print-run-depends-list

# cd /usr/ports/editors/joe

# make deinstall

# pkg_delete joe-{version}

# pkg_delete -f joe-{version}

# cd /usr/ports/sysutils/portupgrade

# make deinstall-depends

# pkg_delete joe-{version}

# pkg_delete -r joe-{version}

# cd /usr/ports/editors/joe

# make deinstall clean install

# cd /usr/ports/editors/joe

# make reinstall

# portupgrade -f joe

# cd /usr/ports

# make search key=ldap

# cd /usr/ports/ftp

# make search key=ldap

# cd /usr/ports

# make search name=ldap

# portupgrade joe

# cd /usr/ports/editors/joe

# make clean reinstall

# portupgrade -f joe

# pkg_info

# pkg_info | grep joe

# pkg_info -W /usr/local/bin/joe

# pkg_info -L /var/db/pkg/joe-{version}

# vi /usr/share/examples/cvsup/ports-supfile

default date=2002.10.05.00.00.00  #將 date 改成當日

# vi /usr/share/examples/cvsup/ports-supfile

#ports-all #將 ports-all 標示起來

ports-lang #加入這行

php zip and unzip

Posted on | 十月 8, 2010 | No Comments

source code:

zip

<?php
include ("Archive_Zip-0.1.1/Archive/Zip.php");
$zipfile = New Archive_Zip("tempzip/zipfile.zip");
$file_list = array("test.php");
$zipfile->create($file_list);
?>

unzip

<?php
include ("Archive_Zip-0.1.1/Archive/Zip.php");

if (file_exists(‘tempzip/zipfile.zip’))
{
$obj = new Archive_zip(‘tempzip/zipfile.zip’); // name of zip file
}
else
{
die(‘File does not exist’);
}

if ($obj->extract(array(‘by_preg’ => ‘/.*/’, ‘add_path’ => ‘tempzip/’)))
{
echo ‘Extracted successfully!’;
}
else
{
echo ‘Error in file extraction’;
}
?>

php validation form

Posted on | 十月 4, 2010 | No Comments

<?
session_start();
//生成验证码图片
Header("Content-type: image/PNG");
$im = imagecreate(44,18);
$back = ImageColorAllocate($im, 245,245,245);
imagefill($im,0,0,$back); //背景srand((double)microtime()*1000000);
//生成4位数字
for($i=0;$i<4;$i++){
$font = ImageColorAllocate($im, rand(100,255),rand(0,100),rand(100,255));
$authnum=rand(1,9);
$vcodes.=$authnum;
imagestring($im, 5, 2+$i*10, 1, $authnum, $font);
}for($i=0;$i<100;$i++) //加入干扰象素
{
$randcolor = ImageColorallocate($im,rand(0,255),rand(0,255),rand(0,255));
imagesetpixel($im, rand()%70 , rand()%30 , $randcolor);
}
ImagePNG($im);
ImageDestroy($im);$_SESSION['VCODE'] = $vcodes;
?>

eshop problem

Posted on | 九月 15, 2010 | No Comments

1054 – Unknown column ‘p.products_id’ in ‘on clause’

select count(p.products_id) as total from products_description pd, products p left join manufacturers m on p.manufacturers_id = m.manufacturers_id, products_to_categories p2c left join specials s on p.products_id = s.products_id where p.products_status = ’1′ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ’1′ and p2c.categories_id = ’528′

In Catalog/index.php file..

Find this…

// show the products of a specified manufacturer
if (isset($HTTP_GET_VARS['manufacturers_id'])) {
if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only a specific category
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['manufacturers_id'] . "‘ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$HTTP_GET_VARS['filter_id'] . "‘";
} else {
// We show them all
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and pd.products_id = p.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['manufacturers_id'] . "‘";
}
} else {
// show the products in a given categorie
if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only specific catgeory
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['filter_id'] . "‘ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$current_category_id . "‘";
} else {
// We show them all
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$current_category_id . "‘";
}
}
————————————-

and replace with this

// show the products of a specified manufacturer
if (isset($HTTP_GET_VARS['manufacturers_id'])) {
if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only a specific category
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from (" . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c ) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['manufacturers_id'] . "‘ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$HTTP_GET_VARS['filter_id'] . "‘";
} else {
// We show them all
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from (" . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and pd.products_id = p.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['manufacturers_id'] . "‘";
}
} else {
// show the products in a given categorie
if (isset($HTTP_GET_VARS['filter_id']) && tep_not_null($HTTP_GET_VARS['filter_id'])) {
// We are asked to show only specific catgeory
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from (" . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = ‘" . (int)$HTTP_GET_VARS['filter_id'] . "‘ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$current_category_id . "‘";
} else {
// We show them all
$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from ((" . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p) left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = ’1′ and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = ‘" . (int)$languages_id . "‘ and p2c.categories_id = ‘" . (int)$current_category_id . "‘";
}
}

554 Message not allowed – [320]

Posted on | 九月 15, 2010 | No Comments

Within a few minutes he had solved the problem and it was so simple. The date on my computer had been changed at some point and was showing a month ahead. This would have meant that any emails that I sent out would have been date stamped a month in the future. Obviously the Yahoo mail system doesn’t like this and so it bounced back my emails.

客戶端電腦時間問題.

install PDO for cPanel

Posted on | 九月 14, 2010 | No Comments

Log in to WHM, go to "Software >> EasyApache". Select PHP 5 and go to exhaustive options list and there you will find PDO. Select and follow the options. This will recompile php/apache with PDO.

Java tutorial

Posted on | 九月 13, 2010 | No Comments

http://caterpillar.onlyfun.net/Gossip/JavaGossip-V2/ConnectDB.htm

How to check if an email address exists without sending an email?

Posted on | 九月 13, 2010 | No Comments

We have all been doing email address validation for a very long time to make sure that the email is correctly formatted. This is to avoid users entering wrongly formatted email address but still they can accidentally give us a wrong email address.

Example of a correctly formatted email address but still wrong:

mailbox.does.not.exist@reddit.com [VALID email fromat but still not correct]

Above case specifically happens when you take important customer email on phone and you type in the wrong email. So is there a QUICK solution to really check the email without sending a test message to the user? Yes.

The solution

A quick & simple check below can be implemented in most programming language including PHP, Python etc. It relies on using the same SMTP which is used to send emails.

To check if user entered email mailbox.does.not.exist@reddit.com really exists go through the following in command prompt.

First - Find mail exchanger of reddit.com

COMMAND:
nslookup – q=mx reddit.com
RESPONSE:
reddit.com      MX preference = 10, mail exchanger = mail.reddit.com
mail.reddit.com internet address = 208.96.53.70

Second - Connect to mail server mail.reddit.com

COMMAND:
telnet mail.reddit.com 25
RESPONSE:
220 mail.reddit.com ESMTP Postfix NO UCE NO UEMA  C=US L=CA Unsolicated electronic mail advertisements strictly prohibited, subject to fine under CA law CBPC 17538.45.  This electronic mail service provider’s equipment is located in the State of California.  See http://www.reddit.com/static/inbound-email-policy.html for more information.

COMMAND:
helo hi
RESPONSE:
250 mail.reddit.com

COMMAND:
mail from: <youremail@gmail.com>
RESPONSE:
250 2.1.0 Ok

COMMAND:
rcpt to: <mailbox.does.not.exist@reddit.com>
RESPONSE:
550 5.1.1 <mailbox.does.not.exist@reddit.com>: Recipient address rejected: User unknown in local recipient table

COMMAND:
quit
RESPONSE:
221 2.0.0 Bye

NOTES:

1) the 550 response indicates that the email address is not valid and you have caught a valid but wrong email address. This code can be on the server and called on AJAX when user tabs out of the email field.  The entire check will take less than 2 seconds to run and you can make sure that the email is correct.
2) If email was present the server will respond with a 250 instead of 550
3) There are certain servers with a CATCH ALL email and this means all email address are accepted as valid on their servers (RARE but some servers do have this setting).
4) Please do not use this method to continuously to check for availability of gmail / yahoo / msn accounts etc as this may cause your IP to be added to a blacklist.
5) This is to supplement the standard email address javascript validation.

Recently Written

• FreeBSD 安裝
• Get Remote Filesize
• Wget 下載網站所有資料.
• remove the BOM of UTF-8 file
• 7z in linux
• auto reboot system
• google apps
• exim faq
• find advanced
• count tcp connection

Categories

• FreeBSD
• Linux
• Windows
• 未分類

Archives

• 2012 年 四月
• 2012 年 一月
• 2011 年 十二月
• 2011 年 五月
• 2011 年 一月
• 2010 年 十一月
• 2010 年 十月
• 2010 年 九月
• 2010 年 八月
• 2010 年 七月
• 2010 年 六月

Blogroll

• Documentation
• Plugins
• Suggest Ideas
• Support Forum
• Themes
• WordPress Blog
• WordPress Planet

About

This is an area on your website where you can add text. This will serve as an informative location on your website, where you can talk about your site.

Subscribe to our feed

Search

Admin

• 登入
• Wordpress
• XHTML