Posted by Brent Baisley on 04/07/05 17:47
If properly designed, it shouldn't really matter if someone sees your
code. Everyone can see the source code for Linux and lots of other
systems you may be using (MySQL, PHP, etc.), but they are considered
fairly secure. Knowing your methodology will only help someone in
finding security holes in your code. Knowing your table structures and
how you query them only allows someone to skip the trial and error
phase of hacking.
Keeping important information outside the document will prevent
downloading of that information using the method you describe. If the
web server is configured correctly of course. Your code should fail
gracefully if the relevant information and validation is not present.
It sounds like you've read about proper security measures. As long as
you always assume that the data you are receiving may not have come
from one of your pages, you should be in pretty good shape.
On Apr 7, 2005, at 9:55 AM, Don wrote:
> Hi,
>
> I'm developing a small web site that does a bit of e-commerce (that is,
> it creates security keys and such). I've been very careful to keep all
> constants used in calculations in a local directory above docroot, but
> all of my main .php pages are in (or under) docroot (my host won't
> allow .php scripts to operate in /cgi-bin).
>
> I was feeling pretty secure until a friend reminded me you can download
> complete sites by importing them with such tools as FrontPage and
> Dreamweaver. That way, the "protection" provided by the PHP server is
> non-existent.
>
> Someone doing an import would be able to see the specific methodology
> I'm using for calculations and security, even though they wouldn't have
> access to MySQL passwords and constants. But the "security" that
> provides suddenly doesn't seem like much security at all!
>
> Can I manage this situation by setting directory and/or file
> permissions in docroot? Or is there some other solution?
>
> Thanks in advance.
>
> -Don
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577
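As an added illustration of the advice in the reply above (not code from either poster), a PHP page that loads its constants from a directory above docroot, refuses to run if they are missing, and validates request data as if it came from anywhere. Paths, constant names (KEY_SECRET, DB_DSN) and form fields are assumptions.

```php
<?php
// Added example (not from the original thread). Assumed layout:
//   /home/site/config/secrets.php     <- above docroot, holds the constants
//   /home/site/public_html/order.php  <- this file, inside docroot
// A site mirror pulled with FrontPage or Dreamweaver only gets what the web
// server serves, so it can copy order.php but not ../config/secrets.php.
declare(strict_types=1);

$configPath = dirname(__DIR__) . '/config/secrets.php';

// Fail closed: if the constants cannot be read, stop with a generic message
// rather than computing with defaults or revealing details about the setup.
if (!is_readable($configPath)) {
    error_log('order.php: configuration file missing or unreadable');
    http_response_code(503);
    exit('Service temporarily unavailable.');
}
require $configPath; // expected to define KEY_SECRET and DB_DSN (hypothetical)

foreach (['KEY_SECRET', 'DB_DSN'] as $name) {
    if (!defined($name)) {
        error_log("order.php: required constant $name not defined");
        http_response_code(503);
        exit('Service temporarily unavailable.');
    }
}

// Treat every request as if it did not come from your own form:
// only accept POST and validate each field independently.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed.');
}

$qty = filter_input(INPUT_POST, 'qty', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 100]]);
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

if ($qty === false || $qty === null || $email === false || $email === null) {
    http_response_code(400);
    exit('Invalid input.');
}

// Derive the key only after both the configuration and the input checks pass.
// Someone who copied this file still cannot produce valid keys without KEY_SECRET.
$key = hash_hmac('sha256', $email . ':' . $qty, KEY_SECRET);
echo 'Your key: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
```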