security - PHP writing to a text file on server


I have a log process that writes a little custom .txt log file on the server when people supply input on a particular form (so I can keep an eye on anyone trying to use injection).

My question: the file is plaintext, and it is not linked anywhere in the code other than the PHP calls to file_get_contents and file_put_contents. Is there a way to see the file? Could a search engine possibly find it?

(I understand security through obscurity. The question is how one might possibly "unobscure" this.)

They would need to be able to know your site’s code structure and logic. If you name the directory the logs are stored in something other than logs/, that is a first decent step. Or keep the directory named logs/ but have it nested in a directory only you know, such as my_cool_stuff/logs.

If you want to be sure nobody gets it, you can set an Apache config rule to block reading .txt files directly from the browser; use the Apache Files directive in the web site’s Apache config or in an .htaccess on the site:

    <Files ~ "\.(txt|yml|yaml)$">
        Order allow,deny
        Deny from all
    </Files>

And the official Apache documentation states, about the placement of Files directives:

Note that unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level.

So placing that in an .htaccess file on the server’s root tells Apache, “Do not allow direct access to files that end with the .txt, .yml or .yaml extension via the web server.”

Now some people recommend placing the file 100% outside of the main web root. And maybe that helps. But let’s say a malware infection gets into the code and can browse the directory structure (which happens more often than not); then it doesn’t matter what virtual rock you hide the data under: whatever is exposed can penetrate the system and have the same access rights as the web user.

Or put simply: if Apache can access the directory and read the file, then if the site is penetrated, the malware that penetrates it has the exact same access rights as Apache and can read files and directories pretty much anywhere Apache can.

That’s why I feel “security through reasonable obscurity” is the best real-world tactic. Block direct access to files you do not want parsed through the web browser, place the files in a reasonably obscure location (even if in the web root) and call it a day.
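As an added example (not code from the question or the answer above), here is a PHP logger that follows the "outside the web root" advice and refuses to write if the log directory resolves under DOCUMENT_ROOT; it also encodes each entry as one JSON line so that submitted input cannot break the log's line structure. The directory layout and the log file name are assumptions.

```php
<?php
// Added example, not code from the question or the answer above. Assumed layout:
// public/ is Apache's DocumentRoot and logs/ is a sibling directory Apache never
// serves (hypothetical paths). Requires PHP 7.2+.
declare(strict_types=1);
const LOG_DIR  = __DIR__ . '/../logs';
const LOG_FILE = LOG_DIR . '/form-input.txt';

/** True when $dir is the document root or sits somewhere beneath it. */
function isUnderDocumentRoot(string $dir, string $docRoot): bool
{
    $realDir = realpath($dir);
    $realDoc = realpath($docRoot);
    if ($realDir === false || $realDoc === false) {
        return true; // cannot prove it is outside, so fail closed
    }
    $realDir = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realDoc = rtrim($realDoc, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realDir, $realDoc, strlen($realDoc)) === 0;
}

/** Append one JSON line per submission; json_encode escapes CR/LF and other
 *  control characters, so a submitted value cannot forge extra log entries. */
function logFormInput(string $field, string $value, ?string $docRoot = null): void
{
    if (!is_dir(LOG_DIR) && !mkdir(LOG_DIR, 0750, true)) {
        throw new RuntimeException('cannot create log directory');
    }
    $docRoot = $docRoot ?? ($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($docRoot === '' || isUnderDocumentRoot(LOG_DIR, $docRoot)) {
        throw new RuntimeException('refusing to write the log inside the web root');
    }
    $entry = json_encode([
        'time'  => date('c'),
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'field' => $field,
        'value' => $value, // raw input, kept verbatim but safely encoded
    ], JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    $isNew = !file_exists(LOG_FILE);
    // FILE_APPEND with LOCK_EX keeps concurrent requests from interleaving lines.
    if (file_put_contents(LOG_FILE, $entry . "\n", FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('cannot write log file');
    }
    if ($isNew) {
        chmod(LOG_FILE, 0640); // readable by the web user and its group only
    }
}

logFormInput('comment', $_POST['comment'] ?? '');
```

The path check complements rather than replaces the <Files> rule above: the rule stops Apache from serving the file, the check stops a misconfigured deployment from writing it somewhere Apache could serve.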

