  1. #1
    SitePoint Zealot
    Join Date
    Aug 2005
    Posts
    102

    security with inc files and remoted access

    HI

    I posted this in another group as well but thought I would mention it here.

    I'm just starting to read about "URL fopen wrapper" and such. I am in the beginning stages of designing a CMS for sites that I will also be building. At first I thought everyone that had a site would have their own admin folder on their site, but as the number of sites grew I thought it might be easier if I have one admin panel that accesses the users' databases and inc files remotely.

    It would be much easier to manage the admin section that way since there would only be one site, but do I open myself up by accessing the db and inc files from a different site? The incs would have to be in a public directory in order to do that, right? Am I already opening myself up by using inc files in this fashion?

    Thanks

    Matt

  2. #2
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    if you can access this data from a remote server, so can other people.

    one possibility would be to not blindly output the data, but to require login/authentication before the data can be accessed remotely.

  3. #3
    SitePoint Zealot
    Join Date
    Aug 2005
    Posts
    102
    >>but to require login/authentication

    I do that already. Is validating that $_SESSION[user] exists before I do a write enough to make it somewhat secure? Everything in the files (except for DB login and some paths) will be on the website publicly anyway, so it is not like there is anything too personal in these files. I just don't want to do something stupid in this regard.

    Thanks

    MK

  4. #4
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    what exactly is it that you need to do remotely?

    i still don't see a reason to put your inc files in a web accessible directory. put a php script in a web accessible directory. that php script will handle the authentication. if everything is ok, then that php script will access the inc files via the filesystem, that way they remain protected.

  5. #5
    SitePoint Zealot
    Join Date
    Aug 2005
    Posts
    102
    yea, that makes sense. My brain hasn't quite worked out how that would work, but I will give it some experimenting.

    Let's say machine 1 is the admin and machine 2 is the target. The logged-in user on machine 1 reads an inc file from machine 2, then updates a setting through my control panel. That setting (let's say a string) is transferred to a script on machine 2. Machine 2 then does the checking and, if everything is ok, writes to the inc file on machine 2.

    How would I move the string? Through a GET?

    Sorry, I am just trying to work through this a little.


    Basically my 2 design options I am considering:
    1) Each website has its own admin/control panel section. No remote anything necessary, but I would have to update each admin area individually when I had a new control panel version.
    2) Have only one admin section that everyone logs into to adjust the settings on their own website. This is much more convenient in the way of upkeep, but opens up more security issues.
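Added example (not code from anyone in this thread): one way to build the arrangement described in posts #4 and #5. Machine 2 exposes a single gateway script in its web root; the inc file itself sits outside the document root and is only ever touched through the filesystem. Machine 1's panel first checks its own $_SESSION, then POSTs the setting as a JSON body signed with an HMAC over a shared secret, so the string is not carried in a GET URL (which would land in access logs and browser history). Machine 2 verifies the signature, rejects stale timestamps, restricts which keys may be changed, validates the value, and only then rewrites the file. The secret, paths, setting names and the "return an array" inc-file format are all assumptions for the example.

```php
<?php
// gateway.php on machine 2 (web accessible). Everything below the
// "request handling" line runs when the script is hit; the functions
// above it are what the admin panel on machine 1 is talking to.
declare(strict_types=1);

// Hypothetical shared secret, provisioned out of band to both machines.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
// The inc file lives OUTSIDE the web root, so it can never be served directly.
const CONFIG_FILE = __DIR__ . '/../private/settings.inc';
// Only these keys may be changed remotely; any other key is refused outright.
const ALLOWED_SETTINGS = ['site_title', 'contact_email', 'items_per_page'];

// Check the HMAC-SHA256 signature sent in X-Signature, decode the JSON body,
// and reject requests whose timestamp is more than five minutes off (limits
// replay of a captured request). Returns the decoded data or null.
function verifyRequest(string $body, string $signature, int $now): ?array
{
    $expected = hash_hmac('sha256', $body, SHARED_SECRET);
    if (!hash_equals($expected, $signature)) {   // constant-time compare
        return null;
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['ts'], $data['key'], $data['value'])) {
        return null;
    }
    if (abs($now - (int)$data['ts']) > 300) {
        return null;
    }
    if (!in_array($data['key'], ALLOWED_SETTINGS, true)) {
        return null;
    }
    return $data;
}

// Per-key validation: nothing reaches the file that does not match the
// shape that key is allowed to have. Returns the cleaned value or null.
function validateValue(string $key, $value): ?string
{
    switch ($key) {
        case 'items_per_page':
            $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
            return $n === false ? null : (string)$n;
        case 'contact_email':
            $e = filter_var($value, FILTER_VALIDATE_EMAIL);
            return $e === false ? null : $e;
        default:  // free text such as site_title: bounded length, plain characters only
            $s = (string)$value;
            return (strlen($s) <= 200 && preg_match('/^[\p{L}\p{N} .,\'-]*$/u', $s) === 1) ? $s : null;
    }
}

// Rewrite the inc file atomically. Assumes the inc file has the form
// "<?php return [ 'key' => 'value', ... ];" so include returns the array.
function writeSetting(string $file, string $key, string $value): void
{
    $settings = file_exists($file) ? (include $file) : [];
    $settings[$key] = $value;
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";
    $tmp = $file . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $file);   // readers see either the old or the new file, never a half-written one
}

// ---- request handling (machine 2) ----
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$body = file_get_contents('php://input');
$data = verifyRequest($body, $_SERVER['HTTP_X_SIGNATURE'] ?? '', time());
if ($data === null) {
    http_response_code(403);
    exit;
}
$clean = validateValue($data['key'], $data['value']);
if ($clean === null) {
    http_response_code(400);
    exit;
}
writeSetting(CONFIG_FILE, $data['key'], $clean);
echo 'ok';

// ---- the matching call from the admin panel on machine 1 ----
// (shown here for completeness; it lives in the panel's own script)
//
// session_start();
// if (empty($_SESSION['user'])) { http_response_code(403); exit; }   // panel login check
// $body = json_encode(['ts' => time(), 'key' => 'site_title', 'value' => $newTitle]);
// $ctx  = stream_context_create(['http' => [
//     'method'  => 'POST',
//     'header'  => "Content-Type: application/json\r\n"
//                . "X-Signature: " . hash_hmac('sha256', $body, SHARED_SECRET) . "\r\n",
//     'content' => $body,
// ]]);
// $reply = file_get_contents('https://site2.example/gateway.php', false, $ctx);
```

The panel's $_SESSION check only proves someone logged into machine 1; it says nothing to machine 2, which is why machine 2 needs its own check (the signature) before it writes anything. Send the request over HTTPS so the body is not readable or alterable in transit, and note that the same whitelist-then-validate step is what protects the inc file whether the request arrives from another server or from a local admin folder.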

  6. #6
    SitePoint Zealot
    Join Date
    Aug 2005
    Posts
    102
    I am bumping this up because I would like to get some feedback on this design idea.

    Thanks

    Matt

  7. #7
    SitePoint Enthusiast
    Join Date
    Jul 2004
    Location
    Brisbane, Australia
    Posts
    35
    Hi Matt,

    This is a topic I've been mulling over too. After some thought I decided every site I make gets its own control panel. It's much simpler, and safer - I'd be very worried about security break-ins with the central option.

    Primarily though, most of the sites I have are based on a common framework, but probably 20% of each site is customised for that particular project. And at the end of the day, it just seems like a better option to keep each project packaged by itself.

    I'd hate to update a file on one server, and then find out later that it broke 3 other sites.
