  1. #1
    Member Anant's Avatar
    Join Date
    Feb 2005
    Location
    Indore , India
    Posts
    50
    Member #
    9049
    hi guys...

    Well, it's a security question... I have made a PHP page and included my config and obendb file in it... as I have seen, anyone can access it... as the path is included in it...

    Please help me out to solve this security problem...


  3. #2
    Member
    Join Date
    Jan 2005
    Posts
    97
    Member #
    8727
    Post the source. I don't get what you are saying.

  4. #3
    Member Anant's Avatar
    Join Date
    Feb 2005
    Location
    Indore , India
    Posts
    50
    Member #
    9049
    Quote Originally Posted by n3on
    Post the source. I don't get what you are saying.
    See, I have a form called visit.html... like this...

    <form method="POST" action="visitsearch.php">
    <input name="name" type="text" size="50" maxlength="50" tabindex="1">
    <input name="btnSign" type="submit" value="Search" tabindex="2">
    </form>

    and anyone can just see the visitsearch.php by downloading it... and can see the coding of it... and the database password... what I want is, is there anything through which it's impossible to download or to access this visitsearch.php...

  5. #4
    Member
    Join Date
    Jan 2005
    Posts
    97
    Member #
    8727
    Huh? I don't get the security risk. PHP will never reveal its source as long as your webserver is properly configured.

    Resisting urge to put link to you are an idiot page...

  6. #5
    Senior Member rosland's Avatar
    Join Date
    Jul 2003
    Location
    Norway
    Posts
    1,944
    Member #
    2096
    Like n3on says, there's no security risk, as PHP is a serverside language. Nothing of your code is sent/output to the browser. Only the result of what your script is meant to do, is sent to the client (pure HTML).

    You're probably confusing this with JavaScript, where the whole code is output together with the HTML. Clicking "view source" will reveal all your code, as JavaScript is a clientside language, and works through giving instructions to the browser itself (hence, it has to be downloaded together with the HTML).

    However, in the remote case anybody gets access to your file tree (advanced hacking), you can hide your username/password in a separate file, and place that file outside your webroot. That way it will be inaccessible to anyone contacting the server. Your script, however, can still access it through an "include" call, as the script resides locally and has file access beyond webroot. You just have to include a local "absolute" path in your include call.

    Example:
    If your server is Apache (which most hosts are), you place your file outside "public_html" (on the same level). Then in your script, you call 'include "/home/your-server-username/your-foldername/the_file.inc"'

    I.e.
    If your server username is "foo", the folder you created to store your include file is named "bar", and the filename "foobar.inc", then your include would look like:
    include "/home/foo/bar/foobar.inc".

    The file extension ".inc" could be anything. It's just named that to indicate it's an include file. You could name it "foobar.abc" for that matter.

    Your include file would look like this:
    PHP Code:
    <?php
    $host = "localhost"; // if mysql resides on the same server
    $user = "yourself";
    $password = "your_password";
    ?>
    Your script like this:
    PHP Code:
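    include "/home/foo/bar/foobar.inc";
    //blah
    //blah
    // mysql_connect() is the legacy ext/mysql API (removed in PHP 7.0);
    // on current PHP use mysqli_connect() or PDO instead.
    $con = mysql_connect($host, $user, $password) or die(...);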
    S. Rosland
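
The layout described in post #5 can be checked mechanically. The following Python audit is an added example, not code from the thread: it flags credential files that sit inside the webroot under an extension PHP does not execute, and include targets that resolve to a path under the webroot. Assumptions: only `.php` is mapped to the PHP handler, and the regex, the `config.inc` file name and the temporary directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the PHP handler; any other
# file under the webroot is returned as plain text when requested directly.
PHP_HANDLED = {".php"}
# Constructed pattern: assignments such as $password = "..." or $pwd='...'
SECRET_RE = re.compile(r"""\$(?:pass(?:word|wd)?|pwd)\s*=\s*['"]""", re.I)


def audit(webroot, include_paths):
    """Return sorted (finding, path-relative-to-webroot) tuples."""
    root = Path(webroot).resolve()
    findings = set()
    # 1. Credential files inside the webroot that PHP will not execute.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() in PHP_HANDLED:
                continue
            if SECRET_RE.search(path.read_text(errors="replace")):
                findings.add(("served-as-text", str(path.relative_to(root))))
    # 2. Include targets that resolve (symlinks, "..") to a path under the webroot.
    for inc in include_paths:
        real = Path(inc).resolve()
        if root in real.parents:
            findings.add(("include-inside-webroot", str(real.relative_to(root))))
    return sorted(findings)


def demo():
    """Audit a constructed tree that mirrors the /home/foo layout above."""
    cfg = '<?php\n$host = "localhost";\n$user = "yourself";\n$password = "your_password";\n?>\n'
    with tempfile.TemporaryDirectory() as home:
        web, bar = Path(home, "public_html"), Path(home, "bar")
        web.mkdir()
        bar.mkdir()
        (bar / "foobar.inc").write_text(cfg)   # recommended: outside the webroot
        (web / "config.inc").write_text(cfg)   # constructed mistake: inside the webroot
        (web / "visitsearch.php").write_text(f'<?php include "{bar}/foobar.inc"; ?>\n')
        return audit(web, [bar / "foobar.inc", web / "config.inc"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The copy in `bar/` produces no finding, while the same file placed in `public_html/` is reported twice: once as fetchable plain text and once as an include target inside the webroot.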

