At 4:44 PM +0100 2/15/07, Tim wrote:
OK here is the background:
My app will have an admin access at http://sitename/admin/
Obviously only authenticated users are allowed access.
Now my issue is this: I do all the processing from a single index.php in the
admin/ folder that includes files from all over the webapp directory
structure, for example modules/thismodule/admin/index.php for getting
the admin page for the module, or modules/thismodule/index.php for displaying
the module in the public part of the page, etc. You get the picture. What
I want is to restrict access to all these "included" PHP files such that by
typing http://sitename/modules/thismodule/admin/index.php, this file will
only be processed by the browser if and only if it has been included by
http://sitename/admin/index.php
NO "included" PHP file should be able to be processed by itself or accessed,
even for files that do not output anything.
So essentially I think I may be doing some things wrong.
1. My included files "assume" the top file has initiated an instance of a
certain object, thus being able to use the resources of the instanced objects
in the top file (obviously I have the necessary checks to make sure the
instance has been created before including the file).
- Should I be initializing new instances of the object at the top of each
included file to prevent errors from appearing in case someone accesses the
file directly? Or should I believe it doesn't really matter, as in a
production environment display_errors is set to off so no error output will
be shown...
2. What is the assessed security risk if someone accesses a file directly even
if it does not output anything?
3. Is there a way to check that a file has been included by such and such
file, or should I develop a hash system where the top page that includes
files generates a hash, stores it in the DB for the length of the script and
in a variable, and have the included file check that the variable from the
top file and the hash in the DB correspond?
Security is driving me insane; I'm becoming totally psychotic at the
possibility of someone taking over my admin systems...
Regards,
Tim
Tim:
Use require_once ("auth.php"); in every include. This should be the
same auth code you use for your admin page. If you want I can provide
an example.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
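As an added example of the pattern tedd suggests (this is not code from the thread or from either poster): one auth.php that every admin-side file pulls in with require_once, which both refuses to run unless the real entry point included it and refuses to run without an authenticated session. The constant name ADMIN_ENTRY, the session key 'admin_user', the location of auth.php at the webroot, and the ?module= routing in admin/index.php are all assumptions made for this example.

```php
<?php
// ---- auth.php (webroot) ----
// Guard included by admin/index.php AND by every module admin file.

// 1. Entry-point check. Only admin/index.php defines ADMIN_ENTRY (assumed
//    name), so a direct request to modules/thismodule/admin/index.php or to
//    auth.php itself stops here with no output other than a 404.
if (!defined('ADMIN_ENTRY')) {
    http_response_code(404);
    exit;
}

// 2. Authentication check: the same test the admin page uses, so an included
//    file can never run for a logged-out user. 'admin_user' is an assumed
//    session key set by your login handler.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if (empty($_SESSION['admin_user'])) {
    http_response_code(403);
    exit;
}

// ---- admin/index.php ----
// The only file allowed to define the entry-point constant.
define('ADMIN_ENTRY', true);
require_once __DIR__ . '/../auth.php';

// Choose the module from a fixed allow-list instead of the raw URL value, so
// the include target cannot be steered to an arbitrary path.
$modules = [
    'thismodule' => __DIR__ . '/../modules/thismodule/admin/index.php',
];
$name = $_GET['module'] ?? '';
if (!isset($modules[$name])) {
    http_response_code(404);
    exit;
}
require $modules[$name];

// ---- modules/thismodule/admin/index.php ----
// Re-running the guard costs nothing when included via admin/index.php
// (require_once) and blocks a direct request outright.
require_once __DIR__ . '/../../../auth.php';
// Module admin page follows; $_SESSION['admin_user'] is guaranteed set here,
// and any object the top file instantiated is available because this code
// only ever runs inside that include chain.
```

Because the guard exits before anything else in the included file runs, the question of instantiating objects at the top of each include for the direct-access case goes away; the file simply never executes outside the chain.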
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php