Hacker News
by citricsquid 4516 days ago
Quick feedback: Don't commit vendor packages to your repository; make use of Composer (http://getcomposer.org). Separate out your application core from the public folder, that way you don't need to rely on your web server for security: if someone uses nginx your setup leaves them vulnerable. Look into MVC: you have logic and display mixed together.
2 comments

> Don't commit vendor packages to your repository, make use of Composer

But make sure you have a complete package for the end user (if you believe it's ready). This is very important esp. for the PHP audience: download, unzip, upload, see "Hello World".

Automate this early, it will pay off fast.

You are right. The application does not belong in the public folder. My goal is to make installation as easy as possible. Just copy the code and start to blog. Another reason is that you can't easily run the application in a subdirectory, for example /blog/, if you put the application code behind the public folder.

Composer is a good idea, but with the first version we wanted to deliver one single package for the end users. We would use Composer for the next releases.

If you absolutely cannot separate out the public portion of the application from the core -- which should be possible because even the worst shared hosts allow for folders above public_html -- then you'll need to use a PHP solution for protecting the files. For example, if you define a constant in index.php and then check for that constant in included files you can prevent access, e.g.:

    defined('BASEPATH') OR exit('No direct script access allowed');
From https://github.com/EllisLab/CodeIgniter/blob/develop/applica...
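The guard described in the comment above, worked through as an added example; this is not code from the thread or from CodeIgniter, and the file names public/index.php and app/core/Post.php, the layout with app/ one level above the document root, and the constant name APP_ROOT are assumptions. The front controller defines the constant before loading anything, so a request that reaches a core file directly (which is what happens under nginx, where .htaccess is ignored) stops at exit() before any code in that file runs.

```php
<?php
// --- file: public/index.php ---
// Front controller: the only file the web server should ever execute.
// Assumed layout: public/ is the document root, app/ sits one level above it.
// Define the marker constant before including anything; every core file checks for it.
define('APP_ROOT', dirname(__DIR__) . '/app');

require APP_ROOT . '/core/Post.php';

$post = new Post('Hello World');
echo $post->render();

// --- file: app/core/Post.php ---
<?php
// Guard: loaded through index.php, the constant exists and execution continues.
// Requested directly (e.g. GET /app/core/Post.php on a server that does not honour
// .htaccess), the constant is undefined and the script exits before declaring
// anything, so nothing in this file, including any later fatal error that could
// leak paths via display_errors, ever runs.
defined('APP_ROOT') or exit('No direct script access allowed');

class Post
{
    private string $title;

    public function __construct(string $title)
    {
        $this->title = $title;
    }

    public function render(): string
    {
        // Escape on output so a title can never become markup.
        return '<h1>' . htmlspecialchars($this->title, ENT_QUOTES, 'UTF-8') . '</h1>';
    }
}
```

The guard only covers files PHP actually executes. For nginx users the equivalent of the .htaccess denial is a `location` block for the core directory that returns 404 or uses `deny all`; without it, any non-PHP file inside that directory (configuration, templates, logs) that sits under the document root is served verbatim as a static file, which no PHP-level check can prevent.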
You are right again. But it will complicate the installation. The PHP files are secure, they are classes or arrays. If you execute them nothing happens. We have an .htaccess file in the core application's folder. The .htaccess file rejects all requests.

We would provide security tips also for nginx users. Just to repeat: all files except index.php are classes or arrays and they don't execute any code.