On Thu, February 15, 2007 9:44 am, Tim wrote: > typing http://sitename/modules/thismodule/admin/index.php, this file > will > only be processed by the browser if and only if it has been included > by > http://sitename/admin/index.php One simple way to be sure it's not access directly by the browser is to just MOVE it out of the web tree and set up your include_path to include the new location. Then it can't be surfed to AT ALL, much less executed as PHP code. > file directly? Or should i believe it doesn't really matter as in a > production environment display_errors is set to off so no error output > will > be shown... Hmmm. Random bits of code being executed completely out of sequence in ways you've never even imaginged, much less tested. I don't think that's something you want to ignore, personally... > 2. what is the assesed security risk if someone access a file directly > even > if it does not output anything? What does the file contain? exec("rm -rf /"); mysql_query($_GET['query']); include $file; Hopefully you have nothing that blatantly wrong in your PHP. Unfortunately, you probably DO have something much more subtle somewhere in your PHP code, for any large project. I'd say the risk is fairly low, but the CONSEQUENCES are immeasurable. Given that it's trivial to move the files and set up include_path, I'd recommend you just fix it. > 3. is their a way to check that a file has been included by such and > such > file or should i develop a hash system where the top page that > includes > files generates a hash, stores it in the db for the length of the > script and > in a variable, and have the included file check that the variable from > the > top file and the hash in the db correspond? You could do all that as well... Or, possibly, simply write robust code that errors out if more normal things are out of whack, like the DB object you expected to be created at the beginning. For that matter, your script should error out gracefully if, in the MIDDLE of your script, the DB process DIES. It's amazing how many PHP scripts don't have even rudimentary checking on their result, and just assume the DB is still there, just because mysql_connect( )succeeded at the beginning. Bad News: The DB could easily go down AFTER mysql_connect() but before you actually do anything useful. Your PHP code should handle that. > Security is driving me insane i'm becoming totally psychotic at the > possiblity of someone taking over my admin systems... But are you paranoid enough? :-) You are now in a normal state of security-conciousness. Learn to accept it, embrace it even. MUST READ: http://phpsec.org/ -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
