Posted by The Natural Philosopher on 11/24/07 12:48

Dan wrote:
> Hello!
>
> I've got some misc. questions about PHP and its usage with MySQL.
>
>
> The following web page:
>
> http://www.freewebmasterhelp.com/tutorials/phpmysql/3
>
> shows that it is normal to include mysql database usernames and
> passwords in the php file. Is this good programming practice? I'm
> worried that people would be able to read my php file through a web
> browser or through other nefarious means.

Only on a misconfigured server. Files with a .php extension will ALWAYS
be executed rather than downloaded by the web server.

And even if they do, it's a strange Mysql server that is sitting on the
internet accepting requests from all and sundry..normally you run them
(php/apache/mysql) on a local network, or the same box and set mysql to
only accept requests FROM the apache server..

Of course if your server machine itself is hacked, all bets are off
anyway..never mind password access to Mysql, just strip all the database
files out and run them on YOUR mysql setup..

In essence, on a properly configured server, php sources are private.
End of story.


>
> Also one more question on how to keep track of people who are
> submitting information on a website. How to set a time limit to how
> often people can submit information? This is easy to do on the client
> side, just disable the button for a set amount of time, but if they
> went hunting through my html and found the php script they could
> easily whip up a program to POST information willy nilly as fast as
> they wanted.
>

Should be able to use a cookie or session thing to keep track of
individual users..but no absolute certainty. One of the essences of web
access is there is intrinsically no notion of a connected user. You have
to layer that over the top using cookies and user logins if you want it.
But that relies on co-operation from the remote user.

So, unless you enforce some kind of user login, you can't distinguish
between loads of different people doing stuff, and one person doing lots
of stuff.

IP address stuff doesn't work either as you may be dealing with a proxy
server.
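The first half of the reply (credentials in the .php file, MySQL reachable only from the web server) as code. This is an added example and not code from either poster: the directory layout, the `app` account, the `CHANGE-ME` password and the function names are assumptions. `load_db_config` keeps the credential file outside the document root, so the "misconfigured server" case the reply mentions (Apache handing out a .php file raw) no longer exposes the password, and the MySQL account is bound to the local host, which is the "only accept requests FROM the apache server" setting the reply describes.

```php
<?php
// Added example, not from the thread. Assumed layout (hypothetical paths):
//   /var/www/example.com/public/index.php   <- Apache document root
//   /var/www/example.com/config/db.php      <- credentials, outside the root
//
// config/db.php (constructed sample values, not real credentials):
//   <?php
//   return ['host' => '127.0.0.1', 'user' => 'app', 'pass' => 'CHANGE-ME', 'db' => 'app'];
//
// MySQL side, matching the reply's "only accept requests FROM the apache server"
// (my.cnf: bind-address = 127.0.0.1, plus an account limited to the local host):
//   CREATE USER 'app'@'127.0.0.1' IDENTIFIED BY 'CHANGE-ME';
//   GRANT SELECT, INSERT, UPDATE ON app.* TO 'app'@'127.0.0.1';
declare(strict_types=1);

/**
 * Load the credential array from $path, refusing to proceed if the file sits
 * under the web server's document root or is readable by every local user.
 */
function load_db_config(string $path, string $documentRoot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("DB config not found: $path");
    }
    $rootReal = realpath($documentRoot);
    if ($rootReal !== false && strpos($real, rtrim($rootReal, '/') . '/') === 0) {
        throw new RuntimeException('DB config must live outside the document root');
    }
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException('DB config is world-readable; chmod 640 it');
    }
    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'db'] as $key) {
        if (!is_string($cfg[$key] ?? null)) {
            throw new RuntimeException("DB config missing key: $key");
        }
    }
    return $cfg;
}

/** Connect with exceptions enabled so a failed login cannot be silently ignored. */
function connect_db(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
    $db->set_charset('utf8mb4');
    return $db;
}

// Usage from public/index.php:
$cfg = load_db_config(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$db  = connect_db($cfg);
```

With the account created for `'app'@'127.0.0.1'` and `bind-address` set, a copy of the password taken off the box is of no use from the internet, which is the point the reply makes about MySQL not "sitting on the internet accepting requests from all and sundry"; the world-readable check covers the other common leak, a shared host where every account can read every other account's files.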

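The second half of the reply (a server-side limit on how often one visitor can POST, tracked with a session) as code. This is an added example, not code from the thread: the interval and quota numbers, the `throttle` session key and the function name are my own choices. `submission_allowed` keeps a list of recent submission times in the session and rejects a POST that comes too soon after the last one or that would exceed a per-hour quota; because it only touches the array passed in, it can be unit-tested without a web server.

```php
<?php
// Added example, not from the thread: server-side throttle on form POSTs,
// keyed on the PHP session as the reply suggests. Policy numbers and the
// 'throttle' session key are assumptions. Needs PHP 7.4 or later.
declare(strict_types=1);

const MIN_INTERVAL  = 30;    // seconds between two submissions from one session
const WINDOW        = 3600;  // sliding window for the per-session quota
const MAX_IN_WINDOW = 20;    // submissions allowed inside that window

/**
 * Decide whether this session may submit now, and record the attempt if so.
 * $state is the per-session record (normally $_SESSION); $now is a Unix
 * timestamp. Nothing here touches globals, so it can be unit-tested.
 */
function submission_allowed(array &$state, int $now): bool
{
    $stamps = $state['throttle'] ?? [];
    // Drop timestamps that have aged out of the window.
    $stamps = array_values(array_filter($stamps, fn(int $t): bool => $t > $now - WINDOW));
    $state['throttle'] = $stamps;

    if (count($stamps) >= MAX_IN_WINDOW) {
        return false;                               // quota exhausted
    }
    if ($stamps !== [] && $now - end($stamps) < MIN_INTERVAL) {
        return false;                               // too soon after the last one
    }
    $state['throttle'][] = $now;
    return true;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start([
        'cookie_httponly' => true,   // JS cannot read the session id
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // refuse session ids the server did not issue
    ]);
    if (!submission_allowed($_SESSION, time())) {
        http_response_code(429);
        header('Retry-After: ' . MIN_INTERVAL);
        // Worth logging: a run of 429s from one session stands out in the access log.
        error_log('throttled POST from session ' . session_id()
            . ' ip ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Too many submissions; try again later.');
    }
    // ... normal form handling goes here ...
}
```

The caveat is exactly the one the reply gives: the limit is attached to a session cookie, so a client that discards the cookie starts with a clean record. It therefore constrains ordinary browsers and slows down a naive script, but it is not identity; if you need a hard per-person limit, the state has to hang off a user login instead of the session, and the IP address is no substitute because of proxies.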