Posted by Jasen Betts on 02/19/06 02:21
On 2006-02-18, Dave Schwimmer <dschwim@nospam.com> wrote:
> I am relatively new to PHP. One of the things that seems glaringly obvious
> to me (coming from a C/C++ background) is how 'open' everything seems -
> (AFAIK). For instance, URLs typically have the name of the php script
> that they are calling - also just viewing the source of most web pages
> will show you in glorious detail, the paths and names to any PHP scripts
> they may be using.

state has to be propagated somehow.

> If one was to implement user authorisation (or any other module whose
> logic needs to be kept private) in a PHP module (apart from encrypting
> the script - which has its own pitfalls) - it makes no sense in having
> such a module (script or set of scripts) plainly visible/accessible to
> the user - who can inspect your user authentication etc at leisure,
> whilst sipping his favourite beverage. What is the way to keep your
> script inaccessible to users so that they cannot simply FTP or GET your
> script - given that the path and file name has been kindly provided?

that can all be hidden.

visible ??? they can see the box, but not the content, just don't leave
backups lying around, it's good practice to write them to be secure even if
their content is revealed.

> I think I remember reading somewhere that this is to do with setting
> file permissions - for example placing the scripts in a folder above the
> web server doc root. But this begs the question that if the user has no
> permission to the folder where the php files are kept - how can he
> execute them. Actually, the last sentence made me realise that the way
> around this (may?) be to have Apache run as a different user from the
> web client. Am I correct in this assumption? Suggestions welcome.

typically apache runs in a different city to the web client... not sure what
you mean.

--
Bye.
Jasen
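
An added example, not part of the original post: a check for the "backups lying around" case mentioned in the reply. It assumes the web server hands only names ending in `.php` to PHP and serves every other file under the document root as a static download; the directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile

EXECUTED_EXTS = (".php",)   # assumption: only these names are handed to PHP
PHP_OPEN_TAG = b"<?php"

def find_exposed_sources(docroot, executed_exts=EXECUTED_EXTS, sniff_bytes=65536):
    """Return docroot-relative paths that would be served as readable PHP source."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(executed_exts):
                continue  # executed by the server: the client sees output only
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                continue  # unreadable by this process; skipped
            # Flag by name (login.php.bak, login.php~) or by content (db.inc)
            if ".php" in name.lower() or PHP_OPEN_TAG in head:
                exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample layout: docroot 'public' plus a private 'lib' above it."""
    files = {
        "public/index.php": "<?php require __DIR__ . '/../lib/auth.php';",
        "public/login.php~": "<?php /* editor backup */",
        "public/old/login.php.bak": "<?php /* manual backup */",
        "public/db.inc": "<?php $dsn = 'placeholder';",
        "public/style.css": "body { margin: 0 }",
        "lib/auth.php": "<?php /* authentication logic, outside the docroot */",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(root, "public")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in find_exposed_sources(build_sample_tree(tmp)):
            print("served as source:", rel)
```

In the sample tree, `lib/auth.php` is never reported because it sits above the document root and is reached only through the `require` in `index.php`.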