Posted by ZeldorBlat on 10/25/07 00:41
On Oct 24, 6:33 pm, Dikkie Dik <dik...@nospam.org> wrote:
> Daniel wrote:
> > is there a way to detect if a user tries to access a php file?
>
> > For instance, db.config.php is called in many php pages but should
> > never actually be open directly. Is there a way to know if someone
> > tried to open it directly?
>
> The point is that there should no way to do that. If you put it outside
> of the web root, there is no URL for it. So lesson 1: put everything
> that should be internal in a non-accessible place.
>
> > Also, i want to learn more about securing php/MySQL pages any good
> > resources I should start with?
>
> I do not know of any resources on the net, but I found this book very
> useful: "Innocent Code" (see http://innocentcode.thathost.com/)
>
> The above book explains a lot about injection of all sorts, and gives
> you a nice primer on web standards and how they can be abused.
>
> There is a general advice that you should restrict any access to what
> you need to allow. This is a broad topic (involving rights on file
> systems, databases, etc, and how to use them), but if you take a good
> look at your site/server(s), it should not be that hard to see what can
> be done.
>
> You might of course google for some specific kinds of attack:
> - injection (sql injection is the classroom example, but mail injection
> is alas also very popular)
> - cross-site scripting
> - session fixation and session hijacking.
>
> Good luck!
Dikkie is right in that you shouldn't worry about detecting it -- you
should worry about preventing it. Putting things that shouldn't be
directly accessed outside the webroot is excellent advice.
As an additional measure, many applications will prevent direct access
to include files by requiring some constant to be defined -- and then
only defining it inside pages that should be directly accessed. For
example:
<?php
// This is an include file called foo.php that should not be accessed
// directly. The guard must be the first statement, before any code
// that does real work.
if (!defined('APPLICATION') || !APPLICATION) {
    exit('Nothing to see here. Move along.');
}
// More code inside foo.php
?>

<?php
// This is a file called bar.php that should be directly accessed.
// The constant is defined before the include so foo.php's guard passes.
define('APPLICATION', true);
require('foo.php');
// More code inside bar.php
?>
So, if foo.php is called directly it will die. However, if bar.php is
called it will first define the APPLICATION constant and, when foo.php
is included, it won't die.
Make sense?
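Putting both pieces of advice from this thread together (the include outside the web root, and the constant guard), here is an added example that is not part of the original posts. The directory layout, file names, and the sample credentials are assumptions; the guard fails closed with a 404 and writes one line to the server error log, which also answers the original question about noticing direct-access attempts without relying on detection for safety.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /var/www/app/config/db.config.php   <- outside the web root, no URL for it
//   /var/www/public/index.php           <- the only directory the web server serves
// Even if the include were ever exposed by a misconfiguration, the guard below
// still refuses to run it on its own.

// ---- /var/www/app/config/db.config.php ----
if (!defined('APPLICATION') || APPLICATION !== true) {
    // Respond as if the file did not exist, and leave a trace for the admin.
    http_response_code(404);
    error_log(sprintf(
        'Direct access to %s refused (remote %s)',
        basename(__FILE__),
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ));
    exit;
}

// Constructed sample values; real credentials belong in a file readable
// only by the web server user (e.g. mode 0640), never in the web root.
return [
    'dsn'  => 'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'user' => 'example_app',
    'pass' => 'CHANGE_ME',
];

// ---- /var/www/public/index.php ----
// Define the constant first, then pull in the config by a path relative to
// this file, so it does not depend on the working directory or include_path.
define('APPLICATION', true);
$db = require __DIR__ . '/../app/config/db.config.php';

// Prepared statements via PDO address the SQL injection topic raised above.
$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => (int) ($_GET['id'] ?? 0)]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
```

The two file sections above are shown in one listing for readability; each `// ----` marker starts a separate file on disk.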