September 29th, 2008, 01:40 AM
Great about PHP, want more about PHP-Nuke Development
The guidelines you have written about PHP security notes are really excellent and very useful for me.
Can you share more knowledge about PHP-Nuke development?


January 24th, 2009, 07:20 PM
Don't know if it's been mentioned but how to keep prying eyes out of your include files:
PHP Code:
if (strpos(__FILE__, $_SERVER['SCRIPT_NAME']) !== false) { // this include file was requested directly
    header('Location: ./'); // change to whatever you want
    exit; // stop so the rest of the include never runs
}
$_SERVER['SCRIPT_NAME'] = the currently executing script
__FILE__ = the actual file that's currently being parsed

January 24th, 2009, 07:34 PM
Still alive
Join Date: Mar 2007
Location: Washington, USA
I've always preferred making the server handle issues like that.
Like an .htaccess with
Code:
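# Apache 2.2 syntax; no space is allowed after the comma
# (on Apache 2.4 the equivalent is: Require all denied)
Order Allow,Deny
Deny from All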
Personally I put my "secret" files in folders named _include or _classes. Starts with an underscore. Then I can use
Code:
RewriteRule (^|/)_ - [R=404]
They try to access a file or directory, they see a 404 message.

January 24th, 2009, 07:39 PM
I agree but when working on redistributable software (specifically software that is installable by regular users), this is not always an option. If anything the includes, classes and administrative folders should be stored far outside of the http folder.

August 14th, 2009, 09:59 PM
Web Developer/Musician
Join Date: Nov 2004
Location: Tennessee Mountains
If you are running a hosting server, and are having difficulty finding a script that is sending spam, the instructions here will be very useful. The instructions are specific to cPanel, but the concept will work regardless.
It involves a proxy script, between the mail function and the MTA (mail transfer agent), that records mail details and the scripts that sent mail to a log file. The script in the example is a Perl script, but it could just as easily be a PHP script.
Incidentally, PHP 5.3 does this natively, but not everyone has it; in fact, cPanel software won't support it for a few months.
__________________
Visit my blog PHP && Life for technical articles and technology musings.
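
The logging proxy described in the post above, written as a POSIX shell wrapper; this is an added example, not code from the thread or from the instructions it links to. The wrapper path, `REAL_MTA`, `MAIL_LOG` and the log format are assumptions, as is relying on the working directory to identify the calling script.

```sh
#!/bin/sh
# Added example: logging wrapper between PHP's mail() and the real MTA.
# Assumed install (not from the thread): php.ini contains
#   sendmail_path = "/usr/local/bin/phpmail-wrapper -t -i"
# REAL_MTA and MAIL_LOG are hypothetical defaults; adjust per host.
REAL_MTA="${REAL_MTA:-/usr/sbin/sendmail}"
MAIL_LOG="${MAIL_LOG:-/var/log/phpmail-wrapper.log}"

# Print the first value of header $1 in message file $2 (header block only).
# Control characters and quotes are stripped so a crafted header cannot
# forge or break log lines.
header_value() {
    awk -v h="$1" '
        BEGIN { h = tolower(h) ":" }
        /^\r?$/ { exit }                 # blank line ends the headers
        tolower(substr($0, 1, length(h))) == h {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }' "$2" | tr -d '\000-\037\177"'
}

# Read one message on stdin, append a log line, then pass it on unchanged.
log_and_forward() {
    msg="$(mktemp)" || return 1
    cat > "$msg"
    # Assumption: under mod_php/CGI the working directory is the directory
    # of the script that called mail(), which is what identifies the sender.
    printf '%s cwd=%s uid=%s to="%s" subject="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(pwd)" "$(id -u)" \
        "$(header_value To "$msg")" "$(header_value Subject "$msg")" \
        >> "$MAIL_LOG"
    "$REAL_MTA" "$@" < "$msg"            # same flags, same bytes
    rc=$?
    rm -f "$msg"
    return "$rc"
}

# PHP passes the sendmail flags from sendmail_path, so arguments mean a
# real invocation; with no arguments the file only defines the functions.
if [ "$#" -gt 0 ]; then
    log_and_forward "$@"
    exit $?
fi
```

On PHP 5.3 and later, the php.ini settings `mail.log` and `mail.add_x_header` provide the native logging the post mentions.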

January 14th, 2010, 06:20 AM
Registered User
Join Date: Jan 2010
Posts: 4
Make a secure PHP script
Security tips for PHP
By default, PHP is set to announce its presence whenever anyone asks - this is usually through the web server.
You can turn this off using ServerTokens and ServerSignature. For example, if you leave ServerTokens and ServerSignature on, you can still hide PHP's existence by changing "expose_php" to "Off" in php.ini - this leaves most server information showing, but hides the PHP data.
If you do this, as well as using a different file extension, your use of PHP is mostly hidden. However, if your code generates any error messages, your use of PHP will become immediately obvious. To get around this, and thereby truly hide PHP, you should force PHP not to display error messages - edit your php.ini file and set "display_errors" to "Off". This will make debugging a little harder, but be sure to set "log_errors" to "On" - this will make sure that whenever your script generates an error, it will be stored away in the error log file so that you can analyse the problem at your leisure.