PHP code hide
Is there any way to hide PHP code from the address bar and status bar?
Some people are taking the code from the status bar and try to hack the site show some frekin MySQL error.
Please help me how to secure the PHP code. I am not a rookie but not a professional programmer.
Re: PHP code hide
Secure what code?
- swhistlesoft
- Forum Newbie
- Posts: 9
- Joined: Fri Aug 14, 2009 10:53 pm
- Location: Ontario
Re: PHP code hide
I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting (but keep it logging to file on the server).
If you are referring to the script names "i.e. login.php" and people are identifying them as php scripts and attacking your site with say sql injection, etc. then one possible solution is to make use of modRewrite in htaccess. You can use it to rewrite the URL:
i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login
If you provide a little more information, we might be able to help you out further.
Thanks
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP code hide
> yesjesh wrote:
> is there any way to hide php code from the address bar and status bar?
> some people are taking the code from status bar and try to hack the site show some frekin mysql error
> please help me how to secure the php code i am not rookie but not a professional programmer.

If you are trying to hide something, forget it. That is a doomed solution. You need to take care of the actual problem that I am not fully understanding here.

> swhistlesoft wrote:
> I am assuming that you are referring to Warnings or Error messages that might be displayed on your site. If this is the case then you would need to turn off error reporting.

I don't agree. Error and warning messages should not be hid. They must be handled.

> swhistlesoft wrote:
> If you are referring to the script names "i.e. login.php" and people are identifying them as php scripts and attacking your site with say sql injection, etc. then one possible solution is to make use of modRewrite in htaccess. You can use it to rewrite the URL:
> i.e. http://www.somedomain.com/login.php => http://www.somedomain.com/login

Which achieves nothing really. Now they can use subdomain.com/login to attack login.php as the server automatically rewrites it.
Re: PHP code hide
Tbh, it sounds like you're not escaping user supplied data in mysql queries.
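
The MySQL error described in the first post is what an unescaped value produces, shown here next to the parameterized form. This is an added example, not code posted by anyone in the thread; the `users` table and the input value are constructed, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: constructed table and input; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");

// Constructed request value, as it would arrive in $_GET['name'].
$name = "O'Brien";

// Before: the value is pasted into the SQL text, so its apostrophe ends the
// string literal early and the database reports a syntax error.
function findUserConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is fixed and the value travels as a bound parameter,
// so it is always treated as data, whatever characters it contains.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findUserConcatenated($pdo, $name);
} catch (PDOException $e) {
    // In production this message belongs in the server log, not in the page.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

print_r(findUserPrepared($pdo, $name));
```
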
Re: PHP code hide
Hello,
Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
> I don't agree. Error and warning messages should not be hid. They must be handled.

I agree with what you are saying here, however I believe both must be done, errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over, however, I don't believe that PHP errors or MySQL (or any other database) errors should EVER be displayed and error reports must at most be logged in a secure file.
Custom error handlers and messages must be provided for the user.
Thanks
Re: PHP code hide
Great! Thanks for sharing the info.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: PHP code hide
> juma929 wrote:
> Hello,
> Secure your core system. Work from the inside out so *hopefully* by the time you even get to worrying about error messages and values passed in the URL etc, you are pretty watertight.
> > I don't agree. Error and warning messages should not be hid. They must be handled.
> I agree with what you are saying here, however I believe both must be done, errors must be handled by the code itself to provide some kind of graceful solution rather than everything just falling over, however, I dont believe that PHP errors or MySQL (or any other database) errors should EVER be displayed and error reports must at most be logged in a secure file.
> Custom error handlers and messages must be provided for the user.
> Thanks

There seems to be some confusion about disabling the errors and displaying them. You should never disable error reporting, however, in a live environment you should enact display_errors to false. Like you pointed out, they should be handled gracefully.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP code hide
What I do is that I show error messages such as "There was a problem with your upload. Please try again later." and give the full details to those (admins) who have the sufficient rights to see them. I also provide an option for the admin to encrypt important error messages.
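
The setup the last replies describe, with reporting left on, display turned off, details logged and a generic message for visitors, can be put together as below. This is an added example, not code from any poster in the thread; the log path and the `currentUserIsAdmin()` helper are assumptions to be replaced with the application's own.

```php
<?php
// Added example: the log path and the admin check are assumptions.
error_reporting(E_ALL);                 // keep reporting everything
ini_set('display_errors', '0');         // never print PHP/MySQL errors to visitors
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path, outside the web root

// Hypothetical check; replace with the application's own session/role lookup.
function currentUserIsAdmin(): bool
{
    return false;
}

// Turn warnings and notices into exceptions so one handler deals with them.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect @-suppression and the configured level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4)); // reference that ties the page to the log entry
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));

    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'There was a problem with your request. Please try again later. ',
         'Reference: ', $ref;

    // Full details only for users with sufficient rights.
    if (currentUserIsAdmin()) {
        echo "\n", htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8');
    }
});
```

The reference printed to the visitor lets an admin find the matching log entry without any query text, file path or stack trace reaching the browser.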