Re: Newbie Security Questions



Dan wrote:
Hello!

I've got some misc. questions about PHP and its usage with MySQL.


The following web page:

http://www.freewebmasterhelp.com/tutorials/phpmysql/3

shows that it is normal to include mysql database usernames and
passwords in the php file. Is this good programming practice? I'm
worried that people would be able to read my php file through a web
browser or through other nefarious means.

Only on a misconfigured server. Files with a .php extension will ALWAYS be executed rather than downloaded by the web server.

And even if they do, it's a strange MySQL server that is sitting on the internet accepting requests from all and sundry..normally you run them (php/apache/mysql) on a local network, or the same box, and set MySQL to only accept requests FROM the apache server..

Of course if your server machine itself is hacked, all bets are off anyway..never mind password access to MySQL, just strip all the database files out and run them on YOUR MySQL setup..

In essence, on a properly configured server, php sources are private. End of story.



Also one more question on how to keep track of people who are
submitting information on a website. How to set a time limit to how
often people can submit information? This is easy to do on the client
side, just disable the button for a set amount of time, but if they
went hunting through my html and found the php script they could
easily whip up a program to POST information willy nilly as fast as
they wanted.


Should be able to use a cookie or session thing to keep track of individual users..but no absolute certainty. One of the essences of web access is there is intrinsically no notion of a connected user. You have to layer that over the top using cookies and user logins if you want it. But that relies on co-operation from the remote user.

So, unless you enforce some kind of user login, you can't distinguish between loads of different people doing stuff, and one person doing lots of stuff.

IP address stuff doesn't work either as you may be dealing with a proxy server.
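As an added illustration of the first point (not code from the post or from the linked tutorial): the usual defensive arrangement is to keep the MySQL credentials in a file that sits outside the document root, readable only by the web server's user, and to connect with a least-privilege account that MySQL only accepts from the local host. The paths, the account name and the table names below are assumptions.

```php
<?php
// Added example, not code from the original post or the linked tutorial.
// Keeps the MySQL credentials out of any file the web server could ever serve,
// and connects as a least-privilege account that only exists for localhost.
// Assumed layout (hypothetical):
//   /var/www/html/          <- document root, contains this script
//   /var/www/config/db.php  <- outside the document root; e.g. owned by
//                              root:www-data with mode 640
declare(strict_types=1);

// /var/www/config/db.php is expected to contain only:
//   <?php
//   return ['host' => '127.0.0.1', 'user' => 'webapp', 'pass' => 'CHANGE-ME', 'db' => 'site'];

// Load the credentials from outside the document root and sanity-check them.
function loadDbConfig(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException('database config not readable: ' . $path);
    }
    $cfg = require $path;   // a PHP file that returns an array
    foreach (['host', 'user', 'pass', 'db'] as $k) {
        if (!isset($cfg[$k])) {
            throw new RuntimeException("database config missing key '$k'");
        }
    }
    return $cfg;
}

// Open the connection; exceptions rather than printed warnings, so a failure
// does not echo the host or user name into the page.
function connectDb(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
}

$cfg = loadDbConfig(__DIR__ . '/../config/db.php');   // resolves to /var/www/config/db.php
$db  = connectDb($cfg);

// On the MySQL side, the 'webapp' account should hold only the rights the
// site needs and only from the local host, e.g. (hypothetical database 'site'):
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT ON site.* TO 'webapp'@'localhost';
// and the server kept off the public interface with bind-address = 127.0.0.1.
```

Even if the source were ever served as plain text, the script above contains no secret; the file that does is never inside the directory tree the web server maps to URLs.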
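For the second question, an added example (again not code from the post) of a throttle enforced on the server rather than by a disabled button. It keys the limit on the logged-in user where there is one, which is the only key the remote side cannot simply discard, and otherwise falls back to the PHP session id; the timestamps live in a server-side file so a client that drops its cookie does not also reset its history. The file path, `$_SESSION['user_id']` and the interval are assumptions; cookie-less or proxied clients stay undistinguished, exactly as the reply says.

```php
<?php
// Added example, not code from the original post: a server-side submission
// throttle that holds even when the client ignores the disabled button.
declare(strict_types=1);

const MIN_INTERVAL_SECONDS = 60;                                  // one accepted POST per key per minute
const THROTTLE_FILE = '/var/lib/webapp/submit_throttle.json';    // hypothetical path, not under the web root

// Pure decision function: given the last-accepted times, may $key submit at $now?
// Records the submission in $lastTimes when it is accepted.
function allowSubmission(array &$lastTimes, string $key, int $now, int $minInterval = MIN_INTERVAL_SECONDS): bool
{
    if (isset($lastTimes[$key]) && ($now - $lastTimes[$key]) < $minInterval) {
        return false;   // too soon, regardless of what the client-side script did
    }
    $lastTimes[$key] = $now;
    return true;
}

// Load the table, decide under an exclusive lock, and write it back.
function throttledSubmit(string $file, string $key, int $now): bool
{
    $fh = fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('cannot lock throttle store');
    }
    $raw = stream_get_contents($fh);
    $lastTimes = ($raw === '' || $raw === false) ? [] : (json_decode($raw, true) ?: []);

    // Drop entries older than the interval so the file does not grow without bound.
    $lastTimes = array_filter($lastTimes, fn($t) => ($now - (int) $t) < MIN_INTERVAL_SECONDS);

    $allowed = allowSubmission($lastTimes, $key, $now);

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($lastTimes));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

session_start();
$key = isset($_SESSION['user_id'])
    ? 'user:' . $_SESSION['user_id']    // set by your login handler (assumed)
    : 'sess:' . session_id();           // weaker: a fresh cookie means a fresh key

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!throttledSubmit(THROTTLE_FILE, $key, time())) {
        http_response_code(429);
        header('Retry-After: ' . MIN_INTERVAL_SECONDS);
        exit('Too many submissions; try again in a minute.');
    }
    // ... validate and store the form data here ...
}
```

The decision is deliberately separated from the storage so the same `allowSubmission` check can later be backed by a database row per user instead of a JSON file; the HTTP 429 with `Retry-After` is what a well-behaved client expects to see when it is throttled.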
