Posted by Dikkie Dik on 10/24/07 22:33
Daniel wrote:
> is there a way to detect if a user tries to access a php file?
>
> For instance, db.config.php is called in many php pages but should
> never actually be open directly. Is there a way to know if someone
> tried to open it directly?
The point is that there should be no way to do that. If you put it outside
of the web root, there is no URL for it. So lesson 1: put everything
that should be internal in a non-accessible place.
>
> Also, I want to learn more about securing php/MySQL pages. Any good
> resources I should start with?
I do not know of any resources on the net, but I found this book very
useful: "Innocent Code" (see http://innocentcode.thathost.com/)
The above book explains a lot about injection of all sorts, and gives
you a nice primer on web standards and how they can be abused.
There is a general advice that you should restrict any access to what
you need to allow. This is a broad topic (involving rights on file
systems, databases, etc, and how to use them), but if you take a good
look at your site/server(s), it should not be that hard to see what can
be done.
You might of course google for some specific kinds of attack:
- injection (sql injection is the classroom example, but mail injection
is alas also very popular)
- cross-site scripting
- session fixation and session hijacking.
Good luck!
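The two pieces of advice above (keep the config file outside the web root so it has no URL, and still be able to notice if it is ever reached directly) can be combined in a small include guard. The following is an added example, not code from either poster; it assumes a layout where the web root is `public_html/` and the configuration lives in a sibling `config/` directory one level above it, and it uses a hypothetical constant name `APP_ENTRY` as the marker that a request came through the real front controller.

```php
<?php
// --- public_html/index.php (entry point, the only file reachable by URL) ---

// Mark that execution started through a legitimate front controller.
define('APP_ENTRY', true);

// The config file lives one directory above the web root, so the web
// server cannot serve it directly (assumed layout, see lead-in).
$db = require __DIR__ . '/../config/db.config.php';

$pdo = new PDO($db['dsn'], $db['user'], $db['password'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// --- config/db.config.php (never meant to be opened directly) ---

// Defence in depth: if this file is reached without the entry marker
// (for example because someone copied it inside the web root by mistake),
// refuse to continue and log the attempt so the misconfiguration is noticed.
if (!defined('APP_ENTRY')) {
    error_log(sprintf(
        'Direct access attempt to %s from %s (URI %s)',
        __FILE__,
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? '-'
    ));
    http_response_code(403);
    exit;
}

// Returning an array keeps credentials out of the global namespace.
return [
    'dsn'      => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'user'     => 'app_user',
    'password' => 'CHANGE_ME', // placeholder, constructed for this example
];
```

The guard is only a backstop: the real protection is the directory layout, because a file outside the web root never reaches the PHP interpreter via a URL at all. The `error_log()` call is what gives you the "did someone try?" signal the question asked for, and the entry in the web server's error log is worth alerting on, since it means a file you believed was unreachable has become reachable.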