Posted by Phil on 06/01/07 14:45
On Jun 1, 5:17 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Phil wrote:
> > Jerry posed some good ideas, a while back, on website a security issue
> > that comes up often. Gary Jones was asking how to keep users from
> > directly accessing php pages, out of sequence.
>
> > Jerry posed a directory management solution. No one seems to have
> > mentioned an alternative. Maybe there is a reason?
>
> > We took a different approach, noting that the only way we wanted a
> > user to enter some phps would be through a predefined series of steps
> > like that posed by Gary Jones. Header information (http_referer, or
> > maybe another) is a path check.
>
> > If a client request hits, say, step_4-something.php without going
> > through steps 1, 2, & 3, the php takes suitable action, maybe posting
> > an error message.
>
> > Jerry's directory-solution is sound, but maybe we want to prohibit
> > someone from going straight to
>
> > www.somewebsitecom/nonrootdirectory/step2.php.
>
> > This approach seems to work, but can a clever web-crawler or
> > programmer get past it?
>
> > Thoughts?
>
> > Phil
>
> >>> Newsgroups: comp.lang.php
> >>> From: "Garry Jones" <garry.jo...@morack.se>
> >>> Date: Wed, 26 Apr 2006 23:53:13 +0200
> >>> Local: Wed, Apr 26 2006 3:53 pm
> >>> Subject: Prevent loading of php pages
>
> >>> I have a website consisting of php segments.
>
> >>> Example
>
> >>> page1.html calls in code from seg1.php and seg2.php
>
> >>> If the user goes directly to www.mydomain.com/seg1.php they see everything
> >>> visible to a browser on that page. Can I prevent users from loading individual
> >>> php segments.
>
> >>> The only time that seg1.php should be visible is in its original context on
> >>> page1.html
>
> >>> Garry Jones
> >>> Sweden
>
> >> Jerry Stuckle wrote:
>
> >> The document root is the root directory of your website. But it is not the root
> >> directory of your machine. For instance, your document root might be
> >> "/var/www/website1/html".
>
> >> When you upload them, put them in a directory below the root of your website,
> >> i.e. "/var/www/website1/myfiles". You can then include this page in your
> >> other PHP pages with something like (assuming Apache):
>
> >> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>
> >> Anyone accessing a page through http protocol can only access those files in
> >> your web root. But PHP accesses the file system directly, so it can access any
> >> file on the system (assuming the appropriate permissions are set).
>
> >> ==================
> >> Remove the "x" from my email address
> >> Jerry Stuckle
> >> JDS Computer Training Corp.
> >> jstuck...@attglobal.net
> >> ==================
>
> http_referer is not reliable. The browser is not required to send it, a
> firewall may strip it, or it can easily be faked.
>
> My suggestion just protected pages from being loaded directly; it really
> doesn't address your issue.
>
> I think the best way to handle your sequence might be to keep track of
> the last page (or pages) visited in the session variable. Not much more
> work, and much more accurate.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Jerry:
Even better. Thank you.
Phil
P.s. Does $_SERVER["HTTP_REFERER"] get stripped or can it be faked?
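The session-tracking approach Jerry recommends, written out as an added example (not code from the thread). It assumes a hypothetical flow of four scripts named step1.php through step4.php and stores the index of the last completed step in $_SESSION['last_step']; nothing the client sends (Referer included) is consulted.

```php
<?php
// Added example: gate each step of a multi-page flow on server-side session
// state instead of HTTP_REFERER, which the browser may omit, a proxy may strip,
// and a client can set to anything it likes.
declare(strict_types=1);

session_start();

// Hypothetical ordered list of the scripts that make up the flow.
const STEP_ORDER = ['step1.php', 'step2.php', 'step3.php', 'step4.php'];

/**
 * May $script run, given the index of the last step the session says was
 * completed? null means no step has been completed yet in this session.
 */
function step_allowed(string $script, ?int $lastCompleted): bool
{
    $pos = array_search($script, STEP_ORDER, true);
    if ($pos === false) {
        return false;              // not part of the flow at all
    }
    // The first step is always reachable; step k requires step k-1 done.
    return $pos === 0 || ($lastCompleted !== null && $lastCompleted >= $pos - 1);
}

/** Record that $script finished successfully; revisiting never rewinds progress. */
function mark_completed(string $script): void
{
    $pos = array_search($script, STEP_ORDER, true);
    if ($pos !== false) {
        $_SESSION['last_step'] = max($_SESSION['last_step'] ?? -1, $pos);
    }
}

$current = basename($_SERVER['SCRIPT_NAME']);
if (!step_allowed($current, $_SESSION['last_step'] ?? null)) {
    // Out of sequence (e.g. a direct hit on step3.php): refuse and send the
    // user back to the start rather than rendering the page.
    http_response_code(403);
    exit('Please start from step 1.');
}

// ... the step's own form handling and validation go here ...

// Only mark the step done once its input has actually been accepted, otherwise
// merely loading the page would unlock the next one.
mark_completed($current);
```

Call mark_completed() from the branch that handles a valid submission (typically the POST path), not unconditionally on every request, or the check degrades to "has the user loaded the previous page".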