directory structure..
Posted: Mon Nov 05, 2007 12:54 pm
by SirChick
Hey guys,
What are the advantages of putting php scripts in folders and sub folders in terms of security.. I know it helps for knowing where everything is and it's neater, but is there any difference in terms of security?
And also if it does help security should the directories be difficult to guess so that attacks won't happen or something?
Posted: Mon Nov 05, 2007 1:01 pm
by feyd
The security involved depends entirely on the permissions set on the directories involved. PHP doesn't care beyond "do I have permission to access this?"
Posted: Mon Nov 05, 2007 1:11 pm
by SirChick
How do I deal with permissions? I've not known how to do it :S
cos I have all my files in one folder named htdocs, I didn't separate them all, I find it easier that way =/
Posted: Wed Nov 07, 2007 3:54 am
by alex.barylski
1) Protect scripts from outside access by removing read/write access - not very practical unless you have direct control over the system.
2) Use .htaccess to protect files - again not very practical unless you plan on password protecting scripts.
3) Store scripts outside the docroot. Not practical again unless.
Each of these solutions will prevent your scripts from being directly accessed by the outside world. Some better than others; favour the latter, it's most fail-safe.
What do you mean by scripts? As in classes, includes, etc or executable scripts, as in index.php, etc???
If the latter, you will likely have to use option #2 above or implement your own access control into each script. The latter here is what is most common.
Posted: Wed Nov 07, 2007 8:01 am
by SirChick
Ummm I'm not sure, hang on, I'll give you an example of what the problem is:
say I have a form which updates users money to + 1000
Now say the form was "moneyprocess.php"
but moneyprocess.php should only run if the user presses a certain button within a form on the "bank.php" script.
Now say the user decided to change the url so it has
http://www.bleh.com/moneyprocess.php then entered it.. the script would run rather than jumping out, because the user should have come from the bank.php form rather than just going to it by URL...
Posted: Wed Nov 07, 2007 4:29 pm
by feyd
You need to set up tokens and switch to an interaction model that only has one, or very few, points of interaction.
Posted: Wed Nov 07, 2007 4:47 pm
by SirChick
What do you mean tokens?
Posted: Wed Nov 07, 2007 5:35 pm
by feyd
Tokens: single use identifiers generated for a specific request that only work for the page they were intended to be sent to.
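One way to build what feyd describes, as an added example that is not code from the thread (the function names, the plain array standing in for a real session, and the 10 minute lifetime are my own assumptions): bank.php mints a token tied to moneyprocess.php, and moneyprocess.php refuses any request that does not carry an unused one.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 (random_bytes, hash_equals).

// Called from the form page (bank.php): mint a token bound to the one script
// allowed to consume it, and remember it server-side.
function issue_token(array &$session, string $target): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits, not guessable
    $session['tokens'][$token] = [
        'target'  => $target,                    // only this script may spend it
        'expires' => time() + 600,               // assumed 10 minute lifetime
    ];
    return $token;
}

// Called from the processing page (moneyprocess.php) before any state change.
// A token can succeed at most once; it is deleted as soon as it is seen.
function consume_token(array &$session, string $target, ?string $submitted): bool
{
    if ($submitted === null || empty($session['tokens'])) {
        return false;                            // typed the URL directly, no form
    }
    foreach ($session['tokens'] as $stored => $meta) {
        if (hash_equals((string) $stored, $submitted)) {   // constant-time compare
            unset($session['tokens'][$stored]);            // single use: burn it
            return $meta['target'] === $target && $meta['expires'] > time();
        }
    }
    return false;                                // unknown or already spent token
}

// --- bank.php: put the token in the form as a hidden field ---
$_SESSION = [];   // constructed stand-in for the array session_start() would give you
$t = issue_token($_SESSION, 'moneyprocess.php');
echo '<form method="post" action="moneyprocess.php">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars($t) . '">'
   . '<button type="submit">Deposit 1000</button></form>', PHP_EOL;

// --- moneyprocess.php: only touch the balance when the token checks out ---
$posted = $t;     // what $_POST['token'] would hold after a real form submit
var_dump(consume_token($_SESSION, 'moneyprocess.php', $posted));  // first use of the token
var_dump(consume_token($_SESSION, 'moneyprocess.php', $posted));  // same token replayed
var_dump(consume_token($_SESSION, 'moneyprocess.php', null));     // URL typed by hand
```

In a real deployment the token list lives in `$_SESSION` after `session_start()`, and the deposit code runs only inside the branch where `consume_token()` returned true.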
Posted: Thu Nov 08, 2007 7:31 am
by SirChick
Never seen a tutorial on that, or is it not an actual built-in function?
Do you mean like set a session, then check in the process if the session was made?
Posted: Thu Nov 08, 2007 8:11 am
by feyd
Search the forums for it. The concept has been talked about a fair bit. Some recently, too.