  1. #1
    wonshikee (SitePoint Wizard)

    Hiding handler scripts

    I read somewhere about hiding scripts so that they cannot be backdoored by using a combination of mod_rewrite to hide the real location of a file and $_SERVER['HTTP_REFERER'] so that a malicious user can't send a false HTTP_REFERER value if they don't know where the file is located in the first place.

    Anyone know anything about this?

  2. #2
    kromey (Worship the Krome)
    "Security through obscurity is no security at all."

    Using mod_rewrite doesn't "hide" your scripts at all, since any HTTP request will be routed to your scripts and anyone who gains filesystem access can easily read your rewrite rules to find your scripts or else just find them the old-fashioned way. All you accomplish with mod_rewrite is pretty URLs that look nicer in your users' browsers than "page.php?var=val&var2=val2&var3=val3".

    HTTP_REFERER is even more worthless, as many browsers and all or most anonymizing proxies can be configured to not send the REFERER header and/or spoof it - many users use these features in an attempt to protect their privacy. Thus you can't rely on the header being there, nor even on it being accurate, and locking out your valid users because they are trying to defend their privacy is only going to drive your users away.

    To protect your scripts against "being backdoored", code them well and adopt strong security habits, such as always validating user input.
    PHP questions? RTFM
    MySQL questions? RTFM
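
An added example, not part of the thread and not written by either poster: a PHP sketch that puts the Referer check discussed above beside a session-bound form token and explicit input validation. The function names, the field names (`token`, `email`, `qty`), the limits and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Weak: the Referer header is supplied by the client; it may be missing or set to anything.
function refererLooksLocal(array $server): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && $host === ($server['HTTP_HOST'] ?? '');
}

// Stronger: a random token kept server-side in the session and echoed
// back by the form. It does not depend on a header the client may drop.
function issueFormToken(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function tokenIsValid(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['token'] ?? '';
    return is_string($given) && $expected !== ''
        && hash_equals($expected, $given); // constant-time comparison
}

// Validate every field against what the handler expects (hypothetical fields).
function validateInput(array $post): ?array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $qty   = filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($email === false || $qty === false) {
        return null;
    }
    return ['email' => $email, 'qty' => $qty];
}

// Constructed requests, run from the CLI: php example.php
$session = [];
$token   = issueFormToken($session);
$clientSupplied = ['HTTP_HOST' => 'example.test', 'HTTP_REFERER' => 'http://example.test/form.php'];
var_dump(refererLooksLocal($clientSupplied)); // passes on header text alone
var_dump(tokenIsValid($session, ['token' => 'guess']));
var_dump(tokenIsValid($session, ['token' => $token]));
var_dump(validateInput(['email' => 'a@example.test', 'qty' => '3']));
var_dump(validateInput(['email' => 'not-an-email', 'qty' => '9999']));
```

In a real handler the arrays passed in would be `$_SERVER`, `$_SESSION` (after `session_start()`) and `$_POST`.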

