| self-modifying program [message #174352] |
Wed, 08 June 2011 04:44  |
Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
|
Junior Member |
|
|
Hello,
I need your opinions about my solution.
I have written a website containg twenty .php pages. I don't use any
framework, but I use my libraries of functions and classes.
These .php pages need a number of global constants, for example MySQL
user and password or path to log file. I have these constants in
secure/constants.php file, where "secure" is a folder available
through SSL protocol (I mean it contains .htaccess file). Here's part
of my secure/constants.php:
<?php
define('MYSQL_SERVER', 'localhost');
define('MYSQL_DATABASE', 'ogloszenia');
define('MYSQL_USER', 'root');
define('MYSQL_PASSWORD', 'mysql');
define('LOG_PATH', 'C:\Documents and Settings\Robert\Moje dokumenty
\Informatyka\ogloszenia-nieruchomosci\log\log.txt');
....
I also have a page secure/configure.php contaning a form to assign
values to these constants, and proper file_put_contents call (to write
"define" commands to secure/constants.php file). As I said before,
"secure" folder is available through SSL only.
Q: What do you think of my solution? Do you have any better idea?
Thanks in advance.
newbie
|
|
|
|
| Re: self-modifying program [message #174358 is a reply to message #174352] |
Wed, 08 June 2011 07:17  |
alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
El 08/06/2011 6:44, Jivanmukta escribió/wrote:
> I need your opinions about my solution.
> I have written a website containg twenty .php pages. I don't use any
> framework, but I use my libraries of functions and classes.
> These .php pages need a number of global constants, for example MySQL
> user and password or path to log file. I have these constants in
> secure/constants.php file, where "secure" is a folder available
> through SSL protocol (I mean it contains .htaccess file). Here's part
> of my secure/constants.php:
>
> <?php
> define('MYSQL_SERVER', 'localhost');
> define('MYSQL_DATABASE', 'ogloszenia');
> define('MYSQL_USER', 'root');
> define('MYSQL_PASSWORD', 'mysql');
> define('LOG_PATH', 'C:\Documents and Settings\Robert\Moje dokumenty
> \Informatyka\ogloszenia-nieruchomosci\log\log.txt');
> ...
>
> I also have a page secure/configure.php contaning a form to assign
> values to these constants, and proper file_put_contents call (to write
> "define" commands to secure/constants.php file). As I said before,
> "secure" folder is available through SSL only.
>
> Q: What do you think of my solution? Do you have any better idea?
> Thanks in advance.
Why do you need that the file is reachable through the web browser? Are
you by chance doing stuff like this?
require_once('https://example.com/secure/constants.php');
If you do so, that would explain why it isn't working.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
|
|
|
|
|
|
| Re: self-modifying program [message #174360 is a reply to message #174358] |
Wed, 08 June 2011 09:55 |
Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
|
Junior Member |
|
|
> Why do you need that the file is reachable through the web browser?
BTW, my website contains also "include" folder (for class.X.php,
lib.X.php). Should it be placed inside public_html? How about
"public_html/images" (.gif, .png files)?
|
|
|
|
| Re: self-modifying program [message #174361 is a reply to message #174360] |
Wed, 08 June 2011 11:44 |
alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
El 08/06/2011 11:55, Jivanmukta escribió/wrote:
>> Why do you need that the file is reachable through the web browser?
>
> BTW, my website contains also "include" folder (for class.X.php,
> lib.X.php). Should it be placed inside public_html? How about
> "public_html/images" (.gif, .png files)?
The name says it all: *public*_html
If it needs to be public, it must be there. Otherwise, it's up to you.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
|
|
|
|
| Re: self-modifying program [message #174362 is a reply to message #174360] |
Wed, 08 June 2011 11:50 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(Jivanmukta)
>> Why do you need that the file is reachable through the web browser?
>
> BTW, my website contains also "include" folder (for class.X.php,
> lib.X.php). Should it be placed inside public_html?
No, such scripts and configuration files should be stored outside the
document root.
> How about
> "public_html/images" (.gif, .png files)?
These files have to be inside the public folder, because they need to be
reachable by a browser.
Another thing regarding your LOG_PATH constant. You shouldn't hard-wire
its value, but use relative paths based on $_SERVER['DOCUMENT_ROOT']
instead.
Micha
|
|
|
|
|
|
| Re: self-modifying program [message #174364 is a reply to message #174363] |
Wed, 08 June 2011 13:07 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(jeff)
> On 6/8/2011 7:50 AM, Michael Fesser wrote:
>> .oO(Jivanmukta)
>>
>>>> Why do you need that the file is reachable through the web browser?
>>>
>>> BTW, my website contains also "include" folder (for class.X.php,
>>> lib.X.php). Should it be placed inside public_html?
>>
>> No, such scripts and configuration files should be stored outside the
>> document root.
>
> Why?
Security.
> The public sees nothing if they hit the script.
If it's not intended to be reachable by a URL, then why put it there at
all? You not only have to trust the server to always parse such files,
usually you also have to protect that folder with an .htaccess file.
It's much easier, safer and more reliable to keep such files outside the
public folder.
> Not that I have a problem with putting such files outside public, but
> it's not uncommon to FTP to a server and just have the html root
> visible.
I would not choose such a host, because I definitely need a place
outside the document root. It's not only for my scripts, but for example
also for documents and images which require authorization - they are
stored outside the public folder and are served by a script. With just
the public folder I would have to rely on .htaccess files and HTTP
authentication, which would be much less flexible.
Micha
|
|
|
|
| Re: self-modifying program [message #174366 is a reply to message #174363] |
Wed, 08 June 2011 14:44 |
Jivanmukta
Messages: 20
Registered: January 2011
Karma: 0
|
Junior Member |
|
|
> Myself, I would be far more concerned about having the MySQL user as: root.
This is localhost setting only. On hosting server I created special
user for my application.
|
|
|
|
| Re: self-modifying program [message #174368 is a reply to message #174352] |
Wed, 08 June 2011 21:41 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Tue, 07 Jun 2011 21:44:17 -0700, Jivanmukta wrote:
> Hello,
> I need your opinions about my solution. I have written a website
> containg twenty .php pages. I don't use any framework, but I use my
> libraries of functions and classes. These .php pages need a number of
> global constants, for example MySQL user and password or path to log
> file. I have these constants in secure/constants.php file, where
> "secure" is a folder available through SSL protocol
nonono
Put your secure folder somewhere outside of your servers document root, eg
if your web server document root is /var/htdocs, then create /var/secure
and use
require_once "/var/secure/globals.php";
in your php code.
No-one can access globals.php with an http request, because the web
server only gives access to files below /var/htdocs
Rgds
Denis McMahon
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]