I am hosting my website on a linux server with php5 (no mySQL). Now I am the administrator, and I'm building my first website. I want to know about security, how do I secure my site from malicious injections and hackers? With the htaccess file? And what do I need to put in there?
Any help appreciated.
Thank you
If you have no SQL, you don't have to worry about injection attacks.
Security for your site depends on what you have running on your site. If it's only PHP, I suggest keeping important code which may reveal things such as passwords and authentication keys or functions in a separate php file outside of your wwwroot and include them.
Example:
Your website runs in /home/wwwroot/
Put your php files with important data or functions in /home/privatephp/
Now in all your php files where you want to use those private functions or call on data that you want hidden, you simply use
include (../privatephp/privatestuff.php); at the top of each php file.
Your privatestuff.php file can contain such things as
$adminusername="imtheadmin"; or $adminpassword="adminpassword";
Then you can simply reference those variables in any PHP file where you have used the include command.
Related
I am working on an angular Web-Application where it's possible to view pdf-files in a pdf-viewer in the browser.
The Web-Application is also consuming a REST-Service in Django.
In the Database the information of the pdf-files is stored. The Web-App is calling the REST-API to check where the files are stored.
As I am still in the Proof-Of-Concept Phase of the project, the PDF-Files are currently stored in the assets folder of the angular web, which of course is not what I want in the end.
When the Files or the Directories change, the Database should be updated automatically (or via a trigger in the app).
I have two questions:
Is there an obvious way to serve the files in this combination? i.e. an apache server? I imagine there are built in solutions in dedicated file servers to detect changes of the watched directory.
For a partly solution would it be reasonable to write a script on the django site, which does the file-serving, the updating and also providing the REST-API?
I would like to open PDF file inside my Django application, something like
file:///...
I know that a lot of posts state that this should not be done because security reason, and that google block this calls with error. link.
But, I know that:
I saw this behaviour so, I know it can be done somehow
I don't have security risk, because application is internal, not connected to the internet (available over lan)
Protocol file:/// wouldn't exist if there wouldn't be a way to use it.
I also read somewhere that you need to put file in 'public' if you would like to access it via this method. Do anyone know how to do this?
file:// is only available for browsers, not servers.
If you want your Django application to access local files, you need to upload them to the Django application server (at which point they're not really local).
(If the application server is running on the same machine as the client, naturally you can use Python's usual file functions to read the local file system.)
JavaScript can also access local files and process them in-browser as long as they're manually selected by the user.
Hello smart people on stackoverflow,
I would be very happy if someone could point me to the right libraries/frameworks to do what I want.
We have the following web architecture set up.
1. We have a tomcat server that offers REST services.
2. We have an apache2 server that serves up php pages to users.
a. Some of these php pages make REST calls to tomcat for data.
b. Other php pages contain javascript that makes REST calls that are routed through apache2 via mod_proxy to tomcat. e.g. All request to http://myapache.com/PASSTOTOMCAT/rest/getSecureData would go to tomcat.
Now, I'm asked to add authentication to everything, both the user pages as well as the REST calls. It would obviously be ideal for the user to sign-in once for access to both.
What library can I use for this? I don't think I can use any php-based solution (ie. one that involves adding a ) because the pass-through url's won't have a chance to add this code and check for authentication. I think I need to use something built into apache2 itself.
One minor requirement is that I would like the user credentials stored in a mysql database as opposed to a file.
Am I over-thinking this?
Thanks in advance
Well it's been 5 days, so I guess I'll answer my own question...
I ended up using the new mod_auth_form for authentication because it lets you use a nice stylized webpage to log users in.
I also used mod_dbd to access user credentials in mysql.
I couldn't find a nice tutorial on this so I struggled through the installation and setup a bit, but if anyone cares, I created a set of instructions on my blog in case anyone else tries to do the same thing.
Installation
Setup
Similar to technologies like ASP.NET, PHP, JSP and some other web languages which run on the server side are often called within a web pages code. For instance a web server may parse through a file hit
I don't have any difficulty writing server / client programs, only I am unsure where to tie in to web servers such that it will realize my own tag, run it through my software and output the resulting text to the requested file (most likely a web page.)
What does one need to do in order to accomplish this tie-in with a simple custom language?
The software is coded in C++.
To implement your own simple custom language you would need to do the following under Apache and something very similar under IIS.
For example for an Apache server to process PHP the following configuration is required.
LoadModule php5_module modules/libphp5.so
ScriptAlias /php/ "/usr/local/php/bin/"
AddType application/x-httpd-php .php
Action application/x-httpd-php /php/php
This directs the server to pass all calls to the server with the file extension .php to the php processor and replaces and execute the tags in the file.
IIS has a similar mechanism which I think is configured through 'Handler Mappings'
I don't personally think that creating a custom tag language is the correct route to go. You would be better served by writing a wrapper in either ASP or PHP to your C++ application. This would give you full access to the range of function in PHP or ASP that you will probably need e.g. Request parameter handling, etc.
I am trying to create simple flex application, which uses django as a back-end part. Have a question:
Usually when I run my application Flex Builder creates a file in a directory on my local PC and then opens a browser and points to it. Everything was fine, but when I decided to link django server to flex applications via xml data providers I started to get security errors. (Related to absence of crossdomain.xml). When I created the file and put it on the server:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="http://127.0.0.1:8000"/>
<allow-access-from domain="127.0.0.1"/>
</cross-domain-policy>
Then tried the application again, I got error in console of my FB Error: Request for resource at http://127.0.0.1:8000/go/active/ by requestor from file:///Users/oleg/Documents/FB3/usersList/bin-debug/usersList.swf is denied due to lack of policy file permissions.
I don't know how to fix the error. But also the question is there a way to configure FB3 to put my swf files to the server directly, so I will not need any crossdomain?
Thanks
Oleg
We struggled with this a lot. The Flex security stuff didn't strike me as well built, but perhaps we just had different approaches in mind than Adobe's developers. The solution that worked for us was to serve both the SWF and the dynamic data from the same host and port.
On our development boxes, we tell Apache to serve the SWF from a directory in the workspace, and the dynamic data from a local copy of the app. When we push to production, SWF and app get pushed simultaneously to the same virtual host.
If that's inconvenient for you, the Apache ProxyPass directive can be used to make Apache front for other servers. I've not used that in production, but it's been very handy for developer setups.
I don't know a way to get FlexBuilder to automatically deploy your changed SWF; you could certainly look into an automation approach (like Maven and Flex-Mojos) to make that happen.
That said, getting rid of that error is usually just a matter of adding a policy file to the server.
The second error is caused because you're trying to fetch http resources from a "file" location. My recommendation is that you change your Flex Builder project so it outputs to a location within the Django web site, rather than to the flex-bin directory. This setting can be changed in the properties dialog of the project. Then, you should be able to have your front-end and back-end share the same protocol and domain.