469,641 Members | 1,129 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,641 developers. It's quick & easy.

status on Homepage

hi ng.

I want to integrate a status on my (business) Homepage

It should look like:

Right now we're in the shop
... are closed.

(.. we have different working hours between saison)
the status is in a text-file status.txt
1 or 0

I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file writeable

how can i prevent someone else changing it
thanks

Armin Horner
Nov 30 '07 #1
6 1268
I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file writeable

how can i prevent someone else changing it
By password-protecting the status directory, if if not also used to
query the status. You usually do this in the webserver.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Nov 30 '07 #2
I want to integrate a status on my (business) Homepage
Then - honestly - you should consider giving this task to someone who knows
what he does.
Nov 30 '07 #3
Armin Horner wrote:
hi ng.

I want to integrate a status on my (business) Homepage

It should look like:

Right now we're in the shop
.. are closed.

(.. we have different working hours between saison)
the status is in a text-file status.txt
1 or 0

I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file
writeable

how can i prevent someone else changing it
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.

On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).

--
Kim André Akerĝ
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
Nov 30 '07 #4
Kim André Akerĝ schrieb:
>
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.
... it is, ok.
>
On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
... i'll use htaccess
Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).
i'll protect it with a weird name and keywords so nobody switches on and
off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin
Nov 30 '07 #5
Armin Horner wrote:
Kim André Akerĝ schrieb:
>>
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.
.. it is, ok.
>>
On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
.. i'll use htaccess
>Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).

i'll protect it with a weird name and keywords so nobody switches on and
off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin
Armin,

Don't. Obfustication is not security! It's only the illusion of security.

Follow the suggestions others gave you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
=================
Nov 30 '07 #6
Jerry Stuckle schrieb:
>>
i'll protect it with a weird name and keywords so nobody switches on
and off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin

Armin,

Don't. Obfustication is not security! It's only the illusion of security.

Follow the suggestions others gave you.
your true!

i will use a password-form if it is a problem
(someone switches)

thanks

Armin
Dec 1 '07 #7

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

reply views Thread by Mark Constant | last post: by
1 post views Thread by rolear01 | last post: by
2 posts views Thread by arbpen | last post: by
1 post views Thread by Macneed | last post: by
reply views Thread by gheharukoh7 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.