Posted by Dave Schwimmer on 02/18/06 04:31
I am relatively new to PHP. One of the things that seems glaringly obvious
to me (coming from a C/C++ background) is how 'open' everything seems -
(AFAIK). For instance, URLs typically have the name of the php script
that they are calling - also just viewing the source of most web pages
will show you in glorious detail, the paths and names to any PHP scripts
they may be using.

If one was to implement user authorisation (or any other module whose
logic needs to be kept private) in a PHP module (apart from encrypting
the script - which has its own pitfalls) - it makes no sense in having
such a module (script or set of scripts) plainly visible/accessible to
the user - who can inspect your user authentication etc. at leisure,
whilst sipping his favourite beverage. What is the way to keep your
script inaccessible to users so that they cannot simply FTP or GET your
script - given that the path and file name has been kindly provided?

I think I remember reading somewhere that this is to do with setting
file permissions - for example placing the scripts in a folder above the
web server doc root. But this begs the question that if the user has no
permission to the folder where the php files are kept - how can he
execute them. Actually, the last sentence made me realise that the way
around this (may?) be to have Apache run as a different user from the
web client. Am I correct in this assumption? Suggestions welcome.
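The layout the post is asking about, as an added example that is not part of the original post or any reply: a shell script that builds a site root in which only the entry point `index.php` sits under the doc root while the authorisation code lives one level above it, plus a helper that reports whether a given file could be reached by URL at all. The point it shows is that the visitor never needs filesystem permission on the private folder: the PHP interpreter, running as the web server's own user, reads `auth.php` from disk via `require_once`, and the browser only ever receives the generated output. The paths, the user `alice`, the group-ownership note and the `PLACEHOLDER_HASH` value are all assumptions made for this example.

```bash
#!/bin/sh
# Constructed example layout (not from the original post): only the entry
# point lives under the doc root; the authorisation logic sits one level
# above it, where no URL maps to it.
set -eu

make_layout() {
  root="$1"          # hypothetical site root, e.g. /var/www/example (assumption)
  mkdir -p "$root/public" "$root/private"

  # The only file the web server serves directly. It pulls the private code in
  # through the filesystem, so the PHP interpreter (running as the Apache user)
  # reads it while the HTTP client only receives the output it produces.
  cat > "$root/public/index.php" <<'EOF'
<?php
require_once __DIR__ . '/../private/auth.php';
if (!check_login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    http_response_code(403);
    exit('denied');
}
echo 'welcome';
EOF

  cat > "$root/private/auth.php" <<'EOF'
<?php
// Private logic: outside the doc root, so no GET request can fetch its source.
function check_login(string $user, string $pass): bool {
    // Placeholder value; a real deployment stores the output of password_hash().
    $hash = '$2y$10$PLACEHOLDER_HASH';
    return $user === 'alice' && password_verify($pass, $hash);
}
EOF

  # The deploying user owns the files; the web server's group only reads them.
  # In deployment you would also `chgrp www-data` the private tree; that step is
  # left out here so the script runs on a machine without that group.
  chmod 750 "$root/private"
  chmod 640 "$root/private/auth.php"
  chmod 644 "$root/public/index.php"
}

# Returns 0 if the file's resolved path lies under the doc root (meaning a URL
# could map to it) and 1 otherwise. Directories are resolved with `pwd -P` so a
# symlink pointing out of the doc root is judged by its real target.
under_docroot() {
  docroot=$(cd "$1" && pwd -P)
  target=$(cd "$(dirname "$2")" && pwd -P)/$(basename "$2")
  case "$target" in
    "$docroot"/*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run `make_layout /path/to/site` once, point the virtual host's `DocumentRoot` at `/path/to/site/public`, and then `under_docroot /path/to/site/public /path/to/site/private/auth.php` returns 1, confirming that the private script has no URL. The same check is a cheap deploy-time guard against accidentally copying private modules into the public tree.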