Posted by Jerry Stuckle on 11/30/07 18:47
Armin Horner wrote:
> Kim André Akerø wrote:
>>
>> First of all, make sure the status.txt file is in a directory that's
>> inaccessible from the web (i.e. only accessible via your scripts),
>> preferably one step below the webroot, although not required.
> .. it is, ok.
>
>>
>> On all my PHP projects, I create a separate directory called "inc" in
>> the webroot (or the root directory of my project). If Apache is used, I
>> place a .htaccess file containing the keyword "deny from all" in it.
> .. I'll use .htaccess
>
>> Or, if IIS is used (which has happened on a rare occasion), I make sure
>> all outside access is denied for this directory from the IIS manager.
>> That way, I protect my code (as well as the base configuration) from
>> being exposed and/or accessed directly.
>>
>> Second, make sure your changestatus.php script ONLY reacts to the "on"
>> or "off" keywords. Or any other keyword you'd like to use instead (such
>> as "open" or "closed").
>>
>> Further, to avoid someone outside your organization from setting the
>> status (such as opening the URL and making it look like you're closed
>> when you're open for business or vice-versa), you should place this
>> script under some sort of password protection (either via your CMS or
>> via a simple basic authentication method).
>>
>
> I'll protect it with a weird name and keywords so nobody switches on and
> off.
>
> thanks for help
> (.. it's been a long time since I last used PHP, so this is very helpful)
>
> Armin
>
Armin,
Don't. Obfuscation is not security! It's only the illusion of security.
Follow the suggestions others gave you.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
=================
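The changestatus.php that Kim describes (only "on"/"off" accepted, status.txt kept in the deny-from-all inc/ directory, script behind basic authentication), as an added example rather than code from anyone in this thread. The paths, the admin user name and the password hash are assumed values, and it additionally requires POST so that a leaked or bookmarked URL on its own cannot flip the flag.

```php
<?php
// changestatus.php (added example): flips the open/closed flag safely.
// Assumes this script sits in the webroot and inc/ is one level up,
// with inc/.htaccess containing "deny from all" as discussed above.
declare(strict_types=1);

define('STATUS_FILE', __DIR__ . '/../inc/status.txt');

// Only these keywords are ever written; anything else is rejected outright.
define('ALLOWED_KEYWORDS', ['on', 'off']);

// Basic-auth credential. PLACEHOLDER hash: generate a real one with
// password_hash('your-password', PASSWORD_DEFAULT) and keep it in inc/.
define('ADMIN_USER', 'admin');
define('ADMIN_HASH', '$2y$10$PLACEHOLDER_REPLACE_ME');

function requireBasicAuth(): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Constant-time user comparison; password_verify handles the hash.
    if (!hash_equals(ADMIN_USER, $user) || !password_verify($pass, ADMIN_HASH)) {
        header('WWW-Authenticate: Basic realm="Status control"');
        http_response_code(401);
        exit('Authentication required');
    }
}

function setStatus(string $keyword, string $file): bool
{
    // Whitelist check: an obscure URL is no substitute for this.
    if (!in_array($keyword, ALLOWED_KEYWORDS, true)) {
        return false;
    }
    // Write to a temp file and rename so readers never see a half-written file.
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $keyword, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $file);
}

requireBasicAuth();
// State changes only via POST; a plain GET (e.g. a shared link) does nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['status'])) {
    http_response_code(405);
    exit('POST status=on|off');
}
echo setStatus((string) $_POST['status'], STATUS_FILE) ? 'ok' : 'rejected';
```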