Posted by Adam Hubscher on 01/14/05 08:59
Thomas Goyne wrote:
> On Thu, 13 Jan 2005 16:25:30 -0600, Adam Hubscher
> <webmaster@offbeat-zero.net> wrote:
>
>> 1 (the preferred way): user accesses
>> http://www.example.org/index.php?function=Join, this loads the class
>> NewUser and begins its implementation. Because of the __autoload, it
>> includes class.join.php, in order to utilize the class.
>>
>> 2 (the wrong way): user accesses
>> http://www.example.org/includes/class.join.php without going through
>> index.php.
>>
>> I am trying to prevent 2 from even occurring, utilizing a piece of
>> code that would check if index.php had included it, or not. This code
>> would be in the beginning of all the class files, at the top, before
>> any other code was to be executed.
>>
>
> Ideally, you'd put all of the files users aren't supposed to access
> outside of the document root, so there just isn't a uri that points to
> the file.
>
> If (as your question makes it sound) the includes do nothing but define
> a class, and don't actually run any code, then it really doesn't matter
> if users directly access an include, as nothing will happen.
>
>
Ok, that's what I expected to be the case - I was just being cautious.
Unfortunately with what the application is providing for (a game
server), there is a large userbase of people that would potentially do
anything in their power... or learning ability, to inflict harm upon the
users and the database of the site/game server which I am running.
Security has been my primary lack-of-sleep for the last few days, and
this was one of the last things eluding me.
Thank you very much Thomas!
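
The check discussed in this thread, as an added example that is not part of the original posts: a guard at the top of the class file refuses to run unless the entry script has defined a constant, and the demo exercises both access paths. The constant name `APP_ENTRY`, the `$routes` allow-list, the `run()` method and the temp-directory layout are assumptions, and `spl_autoload_register` stands in for the `__autoload` mentioned above, which current PHP no longer supports.

```php
<?php
declare(strict_types=1);
// Constructed demo: a temp directory stands in for an includes/ directory
// kept outside the document root.
$inc = sys_get_temp_dir() . '/guard_demo_' . getmypid() . '/includes';
mkdir($inc, 0700, true);

// The guard sits at the top of every class file, before any other code.
file_put_contents("$inc/class.join.php", <<<'PHP'
<?php
if (!defined('APP_ENTRY')) {   // APP_ENTRY: hypothetical constant, set only by index.php
    http_response_code(403);   // direct request: refuse and run nothing
    exit(1);
}
class NewUser
{
    public function run(): string { return 'join form'; }
}
PHP);

// Case 2 from the post: the class file is itself the entry script.
exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$inc/class.join.php"), $out, $status);
echo "direct access: exit status $status, output ", json_encode($out), "\n";

// Case 1: index.php defines the constant, then autoloading includes the file.
define('APP_ENTRY', true);
$routes = ['Join' => ['NewUser', 'class.join.php']];   // ?function= value => [class, file]
spl_autoload_register(function (string $class) use ($inc, $routes): void {
    foreach ($routes as [$name, $file]) {
        if ($name === $class) {
            require "$inc/$file";
        }
    }
});

$function = 'Join';   // stands in for $_GET['function']
if (!isset($routes[$function])) {   // unknown values never reach the autoloader
    http_response_code(404);
    exit(1);
}
$class = $routes[$function][0];
echo 'via index.php: ', (new $class())->run(), "\n";

unlink("$inc/class.join.php");   // remove the constructed files
rmdir($inc);
rmdir(dirname($inc));
```

Run it with the PHP command-line binary, version 7.3 or later.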