Simon Cranmer
Posted: 01/04/2004, 1:51 PM
Looks like I will be creating an internet application and am after some advice. Does anyone have any help / code on how to check & improve the standard security?
TA
Si.
Win XP, apache, php, mysql + access via IE5.5 & 6
Steve Ebbrell
Posted: 01/04/2004, 3:13 PM
Simon,
Are you concerned about site security or application security?
i.e. Do you want to stop hackers getting onto the system or are you concerned about having your application/scripts ripped off by the customer?
or are you referring to CodeCharge's Login/Security features?
What OS will Apache be running on?
Simon Cranmer
Posted: 01/05/2004, 11:44 AM
Sorry good point.
I’m not worried about my scripts. I have someone paying (a small amount) for my time so they are welcome to the code. I’m more worried about the security of the data and the site. I will have the site hosted by a good reliable company and am already configuring .htaccess for include areas etc. I was really thinking about tightening/improving the standard cc login/security features as this may be of interest to everyone else on here.
TA
Si.
Steve Ebbrell
Posted: 01/05/2004, 8:53 PM
Simon,
I always use Apache Aliases for the application directories as in
httpd.conf
Alias /mydir "/basedir/homexxx/"
<Directory "/basedir/homexxx/">
Options Indexes MultiViews ExecCGI
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>
This helps to hide the actual location of the script.
In the past I have always written my own Logon routines, you can either have a screen for each security level, or more elegantly issue a different SQL statement from a Case statement depending on the access level, I prefer the latter as it makes future maintenance less of a chore. I use Session Variables rather than the URL to store and pass parameters for the access level.
Like all web packages CCS has good Session Variable support as Global Variables are a No No in multi-user applications.
Steve Ebbrell
Posted: 01/05/2004, 8:55 PM
Continued from previous reply: appears there is a limit of 1,000 characters per message!
I also use a new CCS project for each part of the application, this way I can incorporate any part of previous applications into the current one very easily.
You can read about built-in MySQL encryption at http://www.mysql.com/doc/en/Miscellaneous_functions.html
Steve...
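The approach Steve describes above (access level kept in a session variable rather than the URL, and a different SQL statement chosen from a Case statement per level), written out as an added PHP example. It is not code from the thread or from CodeCharge; it assumes PDO and a hypothetical orders/users schema.

```php
<?php
// Added example, not from the thread. Assumes PDO and hypothetical tables:
//   orders(id, owner_id, total)   users(id, dept_id)
declare(strict_types=1);

session_start();

// Called once at login, after the password check has succeeded. The level
// lives server-side in the session, never in a URL parameter, so the client
// cannot simply edit it.
function set_access_level(int $userId, int $level): void
{
    session_regenerate_id(true);        // fresh session id after login
    $_SESSION['user_id']      = $userId;
    $_SESSION['access_level'] = $level;
}

// One function, one statement per level. A missing or unknown level falls
// through to "nothing", not to the most permissive query.
function orders_for_current_user(PDO $db): array
{
    $level  = (int) ($_SESSION['access_level'] ?? 0);
    $userId = (int) ($_SESSION['user_id'] ?? 0);

    switch ($level) {
        case 3: // administrator: every order
            $stmt = $db->prepare('SELECT id, owner_id, total FROM orders');
            $stmt->execute();
            break;
        case 2: // manager: orders raised by anyone in the same department
            $stmt = $db->prepare(
                'SELECT o.id, o.owner_id, o.total FROM orders o
                 JOIN users u ON u.id = o.owner_id
                 WHERE u.dept_id = (SELECT dept_id FROM users WHERE id = :uid)');
            $stmt->execute([':uid' => $userId]);
            break;
        case 1: // ordinary user: own orders only
            $stmt = $db->prepare(
                'SELECT id, owner_id, total FROM orders WHERE owner_id = :uid');
            $stmt->execute([':uid' => $userId]);
            break;
        default: // not logged in or unrecognised level
            return [];
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Because the row filter is built into each prepared statement and the level comes only from the session, adding a fourth level later means adding one case here rather than touching every page.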
SiCranmer
Posted: 01/09/2004, 10:26 AM
Ooo I do like the AES_ENCRYPT I must have had my head in the sand to miss that one. I too am using the alias pointer but only because I currently have loads of stuff on my server divided into projects and wanted a nice link to projects called externally. And I’m ensuring no global vars. So it looks like I’m already on the way there. I’ll visit the login scripts later.
I’m already developing a menu system where users are granted a “role” which contains a collection of progs and only displays the ones you have access to. If I get it working I may release it on here, if not I’ll post a how-to.
Thanks, hope this helps others.
Si.