Security question

Postby Oldman » Sat Sep 13, 2008 12:26 am

Hello Chris,

Just signed in! Found your script on the Internet and I think it's the only suitable script for its layout and details! Out of the box!

Of course I shouldn't be here if I had not a question to ask... and that's because I'm concerned about the security of the script. In the config.inc.php you want me to state, loud and clear, all the details of the db: username, db_name and DB_PASSWORD too... I think that is very insecure; everybody has access to the db that way, isn't it?

I'm curious how you think about that security issue.

Anyway, thank you very much for your script, and greetings from Holland (lots of rain and cold). :cry:
Felix
Oldman
 
Posts: 4
Joined: Fri Sep 12, 2008 11:23 pm

Re: Security question

Postby chris » Sat Sep 13, 2008 12:50 am

Hi there and thanks for the comments.

In what way do you consider this a security risk?
As the page is a php page, it can't be seen in the browser (things would be different if it were just called config.inc) so no one should be able to read it.
That said, bear in mind that this is just a demo set up. Many hosting providers allow you to include files from "above" the "public" folder that are completely inaccessible via the browser so that might be the ideal solution.
As far as I know defining the db variables in a php readable file is the only way of creating a connection to the database - how would you do it otherwise? - I would love to know if there was an alternative method :)

Chris
chris
Site Admin
 
Posts: 1089
Joined: Mon Dec 17, 2007 7:42 pm
Location: Málaga, Spain

Re: Security question

Postby Oldman » Sat Sep 27, 2008 12:39 pm

Hi Chris,
I'm not a coder, but I read a lot about PHP security. I'm sending you some links; maybe they're useful to you. Here they go:

http://www.acunetix.com/websitesecurity ... rity-1.htm

http://phpsec.org/projects/guide/3.html

I have another request; I'll start a new thread.

Regards,
Felix
Oldman
 
Posts: 4
Joined: Fri Sep 12, 2008 11:23 pm

Re: Security question

Postby Oldman » Sat Sep 27, 2008 12:57 pm

Found another one from the PHP site:

http://www.php.net/manual/en/security.d ... ection.php

That will do it. I'll send you no more of them....

Regards
Felix.
Oldman
 
Posts: 4
Joined: Fri Sep 12, 2008 11:23 pm

Re: Security question

Postby chris » Mon Sep 29, 2008 8:46 pm

Hi there, thanks for the links :)

Though to be honest, I can't see anything there which is directly related to how this script works other than the db config details which, as I mentioned earlier, if they are in a file called config.inc.php (or whatever) the .php extension prevents the file contents from being shown.

Also, bear in mind that this script is really just a demo of how it could be set up. Clearly having the config info in a directory outside of the public folder would be the ideal solution, but that is not something that is feasible in the demo zip file - it is something that each developer who uses the script should adjust according to their needs.

Thanks again :)
Chris
chris
Site Admin
 
Posts: 1089
Joined: Mon Dec 17, 2007 7:42 pm
Location: Málaga, Spain
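The "config above the public folder" layout Chris recommends, written out as an added example (editor's code, not part of the script or the demo zip). It assumes a `config/` directory sitting beside `public_html/` and an Apache-style `DOCUMENT_ROOT`; the credentials are constructed placeholders, and the temp-directory setup exists only so the snippet runs on its own. Keeping the file outside the served tree means the secrets no longer depend on the server treating the `.php` extension as executable.

```php
<?php
// Added example: load config.inc.php from outside the web root and refuse to
// run if the config ever ends up inside DOCUMENT_ROOT. Not code from the script.

// --- Self-contained setup: build a fake site tree in a temp directory ---
$site = sys_get_temp_dir() . '/demo_site_' . uniqid();
mkdir("$site/config", 0700, true);        // NOT under public_html
mkdir("$site/public_html", 0755, true);   // the only directory the web server serves
file_put_contents("$site/config/config.inc.php", <<<'CONF'
<?php
// Constructed sample values (placeholders, not real credentials).
define('DB_HOST', 'localhost');
define('DB_NAME', 'demo_db');
define('DB_USER', 'demo_user');
define('DB_PASSWORD', 'placeholder-change-me');
CONF
);
$_SERVER['DOCUMENT_ROOT'] = "$site/public_html"; // as the web server would set it

// --- What index.php inside public_html would do (hypothetical helper name) ---
function loadConfig(string $publicDir): void
{
    // One level above the public folder, never inside it.
    $configPath = dirname($publicDir) . '/config/config.inc.php';
    $real    = realpath($configPath);
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);

    if ($real === false) {
        // Fail closed: do not fall back to a copy in public_html.
        throw new RuntimeException('config.inc.php not found outside the web root');
    }
    // Guard against someone "fixing" a missing file by copying it into public_html.
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config.inc.php resolves inside DOCUMENT_ROOT; move it up one level');
    }
    require $real;
}

loadConfig($_SERVER['DOCUMENT_ROOT']);
echo 'Would connect as ' . DB_USER . '@' . DB_HOST . '/' . DB_NAME . PHP_EOL;
// A PDO/mysqli connection using DB_PASSWORD would follow; the password never
// sits in a directory the web server can hand out.
```

On a real host, drop the temp-directory block and point `loadConfig()` at the actual `public_html`; file permissions on `config/` should still keep it readable by the PHP process only.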