
How to stop someone running my php scripts from their server

Posted: Thu Jan 08, 2004 5:07 pm
by ryan-uk
I am new to php and still a little wet behind the ears so please be gentle with me!

I have developed a large mySQL database which I've made accessible to the public for browsing purposes.

I am concerned that someone might just rip off my whole database though and publish it elsewhere.

I've been told that someone could 'post' sequential variables to my form (perhaps using a php counter?) and then 'harvest' the subsequent output for repackaging into a database of their own.

Is this true or would they manually need to 'post'?

I have used if ($REQUEST_METHOD != "POST") on the form processing page to stop input directly from a url.

How could I prevent other folks from easily ripping off my database?

I have tried using a $HTTP_REFERER trap (ensuring that only queries from my domain name can get through) but I've discovered that this blocks quite a number of 'innocent' people from viewing the database for some reason.

Any ideas please?

Many thanks.

Ry.
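An added example, not from the thread or from any poster, of a control that addresses the "sequential posts" worry without a Referer trap: a per-client request budget on the form-processing page. The Referer header is optional and is stripped by many browsers, proxies and privacy tools, which is why a Referer check turns away legitimate visitors; a budget keyed on the client instead limits how many queries one client can run per minute. The counter directory, the limit and window values, and the function name allow_request are assumptions made for this example.

```php
<?php
// Added example (not code from the original thread): a per-client request budget
// for a PHP form-processing page. It does not depend on the Referer header, so
// visitors whose browser or proxy omits that header are not locked out.
//
// Assumptions: counters are kept as small files under $store_dir (any writable
// directory); the caller supplies a client key such as the remote address.

function allow_request(string $client_key, string $store_dir, int $limit = 30, int $window = 60): bool
{
    if (!is_dir($store_dir) && !mkdir($store_dir, 0700, true)) {
        return false; // fail closed: if we cannot track requests, do not serve bulk queries
    }
    // One file per client; the name is a hash so the raw key never reaches the filesystem.
    $path = rtrim($store_dir, '/') . '/' . hash('sha256', $client_key) . '.json';
    $now = time();

    $fh = fopen($path, 'c+');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);                 // serialise concurrent requests from the same client
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || ($now - ($state['start'] ?? 0)) >= $window) {
        $state = ['start' => $now, 'count' => 0];   // start a fresh window
    }
    $state['count']++;
    $allowed = $state['count'] <= $limit;

    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

if (PHP_SAPI === 'cli') {
    // Offline demo with a constructed client key: the 31st call inside one window is refused.
    $dir = sys_get_temp_dir() . '/ratelimit-demo-' . getmypid();
    $results = [];
    for ($i = 1; $i <= 31; $i++) {
        $results[$i] = allow_request('demo-client', $dir, 30, 60);
    }
    echo 'request 30 allowed: ' . var_export($results[30], true) . "\n";   // true
    echo 'request 31 allowed: ' . var_export($results[31], true) . "\n";   // false
} else {
    // On the real form-processing page the existing REQUEST_METHOD check stays;
    // the budget is an extra gate in front of the query.
    $key = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    if (!allow_request($key, sys_get_temp_dir() . '/ratelimit')) {
        http_response_code(429);
        exit('Too many requests; please slow down.');
    }
}
```

Keying on the remote address means visitors behind one shared NAT address share a budget, so the limit should be set generously for a browsing user and tightened only if logs show it is too loose; keying on the session id alone is weaker, since a client that discards its cookie starts a fresh count.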

Posted: Fri Jan 09, 2004 12:44 am
by Bennettman
As far as I know, the database should be safe from a full save as long as you have the viewing access in your own PHP page and don't provide any access to run SQL queries. If that's the case, I think the only real way of getting the database contents would be to have a program to analyse the HTML, or to do it manually (which you can't block without denying access to the 'base in the first place).

Posted: Fri Jan 09, 2004 1:02 am
by m3mn0n
The solution I recommend is to restructure your entire operation. Rather than having others have direct DB access, why not output the things you are safe with everyone having into a txt file or html page and have them query that page for the info? (By that I mean use fopen() or whatever.)

There might be a solution for you to keep your current setup with a tighter clasp on who is accessing what, but even if there was, I recommend doing the more secure thing for your db and that is only allowing yourself to access it.
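An added example, not the poster's own code, of the restructuring m3mn0n describes: the owner runs the query and writes the public rows into a static HTML file with fopen()/fwrite(), so the page visitors read never executes SQL and never sees columns that were not exported. An in-memory SQLite table stands in for the MySQL database so the script runs offline; the table, its columns and the rows are constructed for the demo, and the function name export_public_html is an assumption.

```php
<?php
// Added example (not from the thread): publish a fixed, owner-chosen query as a
// static HTML snapshot. Visitors fetch the file; only this script touches the DB.
//
// Assumptions: SQLite in memory replaces the real MySQL server for the demo;
// the table name and columns are made up.

function export_public_html(PDO $db, string $sql, string $out_file): int
{
    $fh = fopen($out_file, 'w');
    if ($fh === false) {
        throw new RuntimeException("cannot write $out_file");
    }
    fwrite($fh, "<!doctype html>\n<meta charset=\"utf-8\">\n<table>\n");
    $rows = 0;
    // The query text is fixed by the owner; no visitor input reaches it.
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        fwrite($fh, '<tr>');
        foreach ($row as $cell) {
            // Escape every cell: values that came from the public must not become markup.
            fwrite($fh, '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8') . '</td>');
        }
        fwrite($fh, "</tr>\n");
        $rows++;
    }
    fwrite($fh, "</table>\n");
    fclose($fh);
    return $rows;
}

// Constructed demo data: one private column (internal_cost) that must not be published.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, note TEXT, internal_cost REAL)');
$db->exec("INSERT INTO entries (title, note, internal_cost) VALUES
           ('First', '<b>bold</b> text', 9.5),
           ('Second', 'plain', 12.0)");

// Only the public columns are selected; internal_cost never leaves the database.
$out = sys_get_temp_dir() . '/public_snapshot.html';
$n = export_public_html($db, 'SELECT title, note FROM entries ORDER BY id', $out);
echo "wrote $n rows to $out\n";
```

Run the export from cron or after each batch of edits, and serve the generated file as a plain static page; because the public page has no query parameters, there is nothing for a sequential-POST harvester to enumerate beyond what you already chose to publish.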