[nitro4file]

Hi Everyone,

have something that got throught my mind and wanted to have you opinions, it's about security as title tells

1.can someone uses require() or inlcude(), to get a remote file,

example require("http://programingtalk/vb/lib/config.inc.php"); ??

2. Should all post/get made with php carry addslashes() ?

3. and last what are the basic precausion one should take in regards to security issue while writing a script which connect to sql or just a script.

Thanks for your reply in advance

Cheers
Nitro

i would definately do addslashes() i dont knwo about the rest

[Barnz1986]

Quote:

Originally Posted by nitro4file

Hi Everyone,

have something that got throught my mind and wanted to have you opinions, it's about security as title tells

1.can someone uses require() or inlcude(), to get a remote file,

example require("http://programingtalk/vb/lib/config.inc.php"); ??

2. Should all post/get made with php carry addslashes() ?

3. and last what are the basic precausion one should take in regards to security issue while writing a script which connect to sql or just a script.

Thanks for your reply in advance

Cheers
Nitro

About the require() and include(), Yes they can be included in other websites remotely, But the PHP is still exectued on your web server.

So basically they wont see the PHP in the file, and wont have access to any of your variables within the file, they will still just get the HTML output.

[Acecool]

If the file was a .inc or so, then they can...

Look at it this way, If you can see the page source in your browser window, then so will everyone else, whether or not they include or require it remotely..

[SwitchBlade]

1) If it is on another web server then it will be the equivelant of using file_get_contents() on a file on another server.

2) I generally dont put addSlashes() on anything I just turned on magic quotes via the php.ini

can you tell me more about magic quotes? what if you do not have access to php.ini is there a way to turn them on or are you left with add slashes?

[Christian]

Quote:

Originally Posted by koncept

can you tell me more about magic quotes? what if you do not have access to php.ini is there a way to turn them on or are you left with add slashes?

I would just use the addslashes(), magic quotes can be a pain in the butt....But if you still want to enable magic quotes, I think you can use a .htacces file if you don't have access to your php.ini(not really sure how tho).

thank you, thats good to know.

[wiremind]

Quote:

Originally Posted by koncept

can you tell me more about magic quotes? what if you do not have access to php.ini is there a way to turn them on or are you left with add slashes?

You cant turn magic quotes on without php.ini You are also better off using mysql_real_escape_string . addslashes only escapes according to what PHP defines, not what your database driver defines.

[nitro4file]

Hi All,

so i can require a or include a remote file, that mean if i request a remote file e.g db.inc.php on any server and run my own local apache server with Mysql i can easily see through my logs which username the has try to access my DB and at the same time see encript password, that then means with some work i get the password and username(without efforts) of a remote host and can get in there data!!

That scary! would the possible security breach be solve with a CHMOD? if yes which one? meaning noone can run the said config file except the server itself, but then when a user connect doesn't it has some kind of confusion ??

Thanks to everyone for your reply and interest on the subject

Cheers
Nitro