By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
457,954 Members | 1,354 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 457,954 IT Pros & Developers. It's quick & easy.

status on Homepage

P: n/a
hi ng.

I want to integrate a status on my (business) Homepage

It should look like:

Right now we're in the shop
... are closed.

(.. we have different working hours between saison)
the status is in a text-file status.txt
1 or 0

I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file writeable

how can i prevent someone else changing it
thanks

Armin Horner
Nov 30 '07 #1
Share this Question
Share on Google+
6 Replies


P: n/a
I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file writeable

how can i prevent someone else changing it
By password-protecting the status directory, if if not also used to
query the status. You usually do this in the webserver.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Nov 30 '07 #2

P: n/a
I want to integrate a status on my (business) Homepage
Then - honestly - you should consider giving this task to someone who knows
what he does.
Nov 30 '07 #3

P: n/a
Armin Horner wrote:
hi ng.

I want to integrate a status on my (business) Homepage

It should look like:

Right now we're in the shop
.. are closed.

(.. we have different working hours between saison)
the status is in a text-file status.txt
1 or 0

I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file
writeable

how can i prevent someone else changing it
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.

On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).

--
Kim André Akerĝ
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
Nov 30 '07 #4

P: n/a
Kim André Akerĝ schrieb:
>
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.
... it is, ok.
>
On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
... i'll use htaccess
Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).
i'll protect it with a weird name and keywords so nobody switches on and
off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin
Nov 30 '07 #5

P: n/a
Armin Horner wrote:
Kim André Akerĝ schrieb:
>>
First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.
.. it is, ok.
>>
On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
.. i'll use htaccess
>Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).

i'll protect it with a weird name and keywords so nobody switches on and
off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin
Armin,

Don't. Obfustication is not security! It's only the illusion of security.

Follow the suggestions others gave you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
=================
Nov 30 '07 #6

P: n/a
Jerry Stuckle schrieb:
>>
i'll protect it with a weird name and keywords so nobody switches on
and off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin

Armin,

Don't. Obfustication is not security! It's only the illusion of security.

Follow the suggestions others gave you.
your true!

i will use a password-form if it is a problem
(someone switches)

thanks

Armin
Dec 1 '07 #7

This discussion thread is closed

Replies have been disabled for this discussion.