MyBB Community Forums

Full Version: Please Tell Me If This Is Secure...
Hi, I'll describe this in basic terms, if you need more details to understand the question, please ask:

* simple_admin.php = A simple utility to help develop multiple sites and / or projects.
* db_data.php sits outside of the public_html path and cannot be viewed or directly accessed by any browser-based hacker.


1) simple_admin.php is an experiment to help easily make changes in several databases at once, using basic to medium-level PHP.
2) db_data.php is included in simple_admin.php
3) Also note:
<?php
rename("simple_admin.php", "simple_admin.txt");
?>

Every time the admin uses simple_admin.php it is automatically renamed to .txt, so hackers have no chance of running the file themselves.

Quick Summary:
> The Database login info is outside of the public_html path
> The "main file" is automatically renamed to .txt every time.


Please tell me, is there anything about this set-up which is not 'reasonably' secure?

Thank you.

Edit: Oops... Of course, simple_admin.php can also be in a password-protected area.
Now, can I think "it" is secure?
I don't think renaming it to .txt is a good idea, because then the .txt file can be viewed and therefore will expose the PHP source, won't it?
Rather, try
rename("simple_admin.php", "simple_admin");
(2008-11-09, 02:30 AM) _Tim Wrote: I don't think renaming it to .txt is a good idea, because then the .txt file can be viewed and therefore will expose the PHP source, won't it?

My thought... The best way is to put as many things you can think of into your script as possible...

I haven't tested this, but surely using something like...

if(stripos($_SERVER['REQUEST_URI'], basename(__FILE__)) !== false){ print "<h1>Incorrect access</h1>You cannot access this file directly."; exit(); } // eregi() was removed in PHP 7; stripos() gives the same case-insensitive check

... would stop anybody from accessing the script directly. Or, use define. In your main script, put something like define("OnlyMe",1);, and in simple_admin, use...

if(!defined("OnlyMe")){ die("A horrible death"); }

Of course, include("simple_admin.php") should work in both cases... but just try it out...
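The two guards Tom.M describes, written out as a complete simple_admin.php. This is an added example, not code from the thread or from MyBB. It assumes a main.php in the same directory that does define('ONLY_ME', true); require __DIR__ . '/simple_admin.php';, a db_data.php one directory above the document root that returns an array with the keys dsn, user and pass, and an $_SESSION['is_admin'] flag set by whatever login page protects the area; those names and paths are assumptions for the example.

```php
<?php
declare(strict_types=1);

/*
 * simple_admin.php -- added example, not code from the thread.
 *
 * Only main.php is meant to run this file. main.php does:
 *     define('ONLY_ME', true);
 *     require __DIR__ . '/simple_admin.php';
 */

// Guard 1: the constant-marker check from the thread. A browser request for
// /simple_admin.php never passes through main.php, so the marker is undefined.
if (!defined('ONLY_ME')) {
    http_response_code(403);
    exit('Direct access to this file is not permitted.');
}

// Guard 2: the REQUEST_URI check from the thread, with eregi() (removed in
// PHP 7) replaced by stripos(). The query string is stripped first so that
// ?x=simple_admin.php on a legitimate request does not trip the check.
$requestPath = (string) (parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '');
if (stripos($requestPath, basename(__FILE__)) !== false) {
    http_response_code(403);
    exit('Direct access to this file is not permitted.');
}

// Guard 3: the include guards only stop direct hits on this file. The admin
// area itself still needs a login; $_SESSION['is_admin'] is an assumed flag
// set by that login page.
session_start();
if (empty($_SESSION['is_admin'])) {
    http_response_code(401);
    exit('Login required.');
}

// Credentials live outside public_html, as in the original post. The path
// (one level above the document root) is an assumption for this example.
$db = require dirname($_SERVER['DOCUMENT_ROOT']) . '/db_data.php';

/**
 * Run one parameterised statement against several databases.
 * Prepared statements keep user-supplied values out of the SQL text.
 *
 * @param string[] $dsns   one PDO DSN per target database
 * @param string   $sql    statement with named placeholders
 * @param array    $params values for the placeholders
 * @return int[]   rows affected, keyed by DSN
 */
function run_on_all(array $dsns, string $user, string $pass, string $sql, array $params): array
{
    $affected = [];
    foreach ($dsns as $dsn) {
        $pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $affected[$dsn] = $stmt->rowCount();
    }
    return $affected;
}

// Example use: the same change applied to every site's database.
$rows = run_on_all(
    $db['dsns'],           // e.g. ['mysql:host=localhost;dbname=site1', ...] (assumed)
    $db['user'],
    $db['pass'],
    'UPDATE settings SET value = :v WHERE name = :n',
    [':v' => 'off', ':n' => 'maintenance']
);
foreach ($rows as $dsn => $n) {
    echo htmlspecialchars($dsn, ENT_QUOTES), ': ', $n, " row(s) updated\n";
}
```

With this layout the file never needs to be renamed to .txt after use, which is the weakness _Tim points out: a .txt copy is served as plain text and exposes the source, whereas a .php file behind the constant guard and a login page simply refuses to run.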
What Tom.M says is what is done in MyBB; I would go with it, because even with what dikidera said I am pretty sure you could still do "Open with" and click Notepad.
So when I open http://site.com/simple_admin it will open the file? Wouldn't it be treated like a folder? It would, and when the folder isn't there it is a 404.
Hmm, maybe. I'll try it this afternoon.

An .htaccess password is also another good form of protection.
.htaccess is also good, but it is another example of a file with no extension that cannot be opened by a browser.
Why not make it a hidden file?
.simple_admin

And it might be most secure as PHP since you can add some protection scheme to the file.
Thanks all, for the good advice.