Heya,
So I'm launching my new site tomorrow and I built this puppy with a project manager from the ground up. Clients can update their contact information, which sends me an email with a vCard including the updated information; they can rate my work on their projects, assign tasks which are then published to a calendar, view and comment on existing designs, and a few other things. That being said, all of the files that enable a user to do those things are in a directory called "nodes", and index.php includes those files when they're requested by the user.
My question is, are those files secure? What can I do to ensure they are? I assume starting with preventing direct access using .htaccess?
Also, my database connection file is included in my root, is that secure?
Thanks! (And forgive my lack of intelligence with security, I know I probably sound a little ridiculous)
Security noob here, need help...
WithHisStripes
- Forum Contributor
- Posts: 131
- Joined: Tue Sep 13, 2005 7:48 pm
freelancer4
- Forum Newbie
- Posts: 1
- Joined: Mon Jun 01, 2009 4:46 am
Re: Security noob here, need help...
Hi,
That's really good to hear that you are reviewing the security of your website. I would like to suggest a few things about security.
1. Security is not only related to direct access of your files, such as connection files etc.,
but you also have to make sure that whenever and wherever you are taking input from the users, you always filter the data.
2. Your application should be good enough to prevent SQL Injections, Spoofed Forms, Cross Site Scripting, Cross Site Request Forgeries, Remote Code Injection, and moreover protect your database.
3. PHP and MySQL both have built-in functions and classes that can be used to prevent the above things.
I hope this helps you.
http://www.freelancer4.com
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Security noob here, need help...
WithHisStripes wrote:
My question is, are those files secure? What can I do to ensure they are? I assume starting with preventing direct access using .htaccess?
.htaccess can prevent direct access to those files, but this does not inherently correlate to a secure environment.
WithHisStripes wrote:
Also, my database connection file is included in my root, is that secure?
No one should ever have access to that file, so place it outside of the document root. No matter what files you have, if a file is not intended to be accessed directly, put it outside of your document root.
Disabling an access to files is just one part of a secure installation. Maybe you should ask someone to review your code in terms of security? You can also show us your code here, and we can take a look at it, too.
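An added example (not code from the original poster or from anyone in this thread) of what the two answers above amount to in practice: index.php picks the "nodes" file from a fixed map rather than from a user-supplied path, the application files and the database connection file live one level above the public document root, and each node file refuses to run unless index.php loaded it. The `node` request parameter, the `IN_APP` constant and the `/config/db.php` path are assumptions for the example.

```php
<?php
// public/index.php (added example, not the original site's code)
// Marker that node files check so they cannot be executed on their own.
define('IN_APP', true);

// Fixed map of node names to files. The request only chooses a key here;
// no part of the file path comes from user input, so "../" or a different
// extension in the request can never select a file outside this list.
$nodes = [
    'contact' => 'contact.php',   // update contact info, mails a vCard
    'rate'    => 'rate.php',      // rate work on a project
    'tasks'   => 'tasks.php',     // assign tasks published to the calendar
    'designs' => 'designs.php',   // view and comment on existing designs
];

// Application root is the parent of the document root (assumed layout:
// /var/www/site/public is served, /var/www/site/nodes and /config are not),
// so the web server cannot serve these files directly regardless of .htaccess.
$appRoot = dirname(__DIR__);

// Database credentials sit outside the document root as well.
require $appRoot . '/config/db.php';

// Look the requested node up in the allow list; anything else is a 404.
$node = isset($_GET['node']) ? (string) $_GET['node'] : 'contact';
if (!array_key_exists($node, $nodes)) {
    http_response_code(404);
    exit('Unknown page');
}

require $appRoot . '/nodes/' . $nodes[$node];

// ---- nodes/contact.php (top of every node file) ----
// If this file is ever reached directly, IN_APP is undefined: stop here.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit;
}
// ... node logic follows, using the connection opened by config/db.php ...
```

Keeping the files outside the document root is the primary control; the `IN_APP` guard is a second layer for the case where a node file ends up somewhere web-accessible by mistake.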