How to stop someone running my php scripts from their server

ryan-uk
Forum Newbie
Posts: 1
Joined: Thu Jan 08, 2004 5:07 pm

Post by ryan-uk »

I am new to php and still a little wet behind the ears so please be gentle with me!

I have developed a large MySQL database which I've made accessible to the public for browsing purposes.

I am concerned that someone might just rip off my whole database though and publish it elsewhere.

I've been told that someone could 'post' sequential variables to my form (perhaps using a php counter?) and then 'harvest' the subsequent output for repackaging into a database of their own.

Is this true or would they manually need to 'post'?

I have used if ($REQUEST_METHOD != "POST") on the form processing page to stop input directly from a url.

How could I prevent other folks from easily ripping off my database?

I have tried using a $HTTP_REFERER trap (ensuring that only queries from my domain name can get through) but I've discovered that this blocks quite a number of 'innocent' people from viewing the database for some reason.

Any ideas please?

Many thanks.

Ry.
Bennettman
Forum Contributor
Posts: 130
Joined: Sat Jun 15, 2002 3:58 pm

Post by Bennettman »

As far as I know, the database should be safe from a full save as long as you have the viewing access in your own PHP page and don't provide any access to run SQL queries. If that's the case, I think the only real way of getting the database contents would be to have a program to analyse the HTML, or to do it manually (which you can't block without denying access to the 'base in the first place).
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

The solution I recommend is to restructure your entire operation. Rather than having others have direct DB access, why not output the things you are safe with everyone having into a txt file or html page and have them query that page for the info? (By that I mean use fopen() or whatever.)

There might be a solution for you to keep your current setup with a tighter clasp on who is accessing what, but even if there was, I recommend doing the more secure thing for your db and that is only allowing yourself to access it.
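
The harvesting pattern raised in the question (a script posting sequential values to the form) can be spotted from request records, as in this added example, which is not part of any post in the thread. It uses neither the request method nor the Referer header, both of which the client controls; the record fields, thresholds and sample data are assumptions constructed for illustration.

```php
<?php
// Added example: flag clients whose form requests look scripted. Field names
// ('ip', 'time', 'id') and all thresholds are assumptions, not from the thread.
function findHarvesters(array $requests, int $windowSecs = 60,
                        int $maxPerWindow = 30, int $maxRun = 10): array
{
    // Order by time, then group by client address.
    usort($requests, fn($a, $b) => $a['time'] <=> $b['time']);
    $byClient = [];
    foreach ($requests as $r) {
        $byClient[$r['ip']][] = $r;
    }

    $flagged = [];
    foreach ($byClient as $ip => $list) {
        $run = 1;    // length of the current consecutive-ID run
        $start = 0;  // left edge of the sliding time window
        foreach ($list as $i => $r) {
            // Signal 1: record IDs walked in order (n, n+1, n+2, ...).
            if ($i > 0 && $r['id'] === $list[$i - 1]['id'] + 1) {
                $run++;
            } else {
                $run = 1;
            }
            // Signal 2: number of requests inside the last $windowSecs seconds.
            while ($r['time'] - $list[$start]['time'] > $windowSecs) {
                $start++;
            }
            if ($run > $maxRun) {
                $flagged[$ip] = 'sequential ids';
            } elseif ($i - $start + 1 > $maxPerWindow && !isset($flagged[$ip])) {
                $flagged[$ip] = 'request rate';
            }
        }
    }
    return $flagged;
}

// Constructed sample: one scripted client walking IDs, one ordinary visitor.
$sample = [];
for ($n = 0; $n < 40; $n++) {
    $sample[] = ['ip' => '192.0.2.10', 'time' => 1000 + $n, 'id' => 500 + $n];
}
foreach ([[1005, 17], [1090, 942], [1300, 18]] as [$t, $id]) {
    $sample[] = ['ip' => '198.51.100.7', 'time' => $t, 'id' => $id];
}
print_r(findHarvesters($sample));
```

A flagged address is a candidate for throttling rather than proof of abuse, since several visitors can share one address.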