iRev database access security question

Martin Baxter mblivecode at harbourhosting.co.uk
Fri Feb 10 08:19:00 EST 2012


Hi Jonathan,

Sensible questions actually.

I would expect the situation to be the same as with PHP. In that
situation, if PHP crashes or becomes unavailable for some reason, and
precautions have not been taken, the webserver will serve the source
script rather than its output. I expect this applies to iRev too.

It is usual to store database connection credentials in an include so it
can be accessed by multiple pages. If the hosting setup allows for
includes to be stored above webroot where the webserver has no access
but the scripting language does, then includes should be placed there.

If storage above webroot is not possible, keep includes in their own
directory having an htaccess (assuming Apache) as follows:

<files "*.*">
order allow,deny
deny from all
</files>

This bars the webserver from accessing any files in the directory, but
does not bar the scripting engine. I expect that would work with iRev too.

Martin Baxter

On 10/02/2012 12:18, Jonathan Lynch wrote:
> Hi everyone,
> 
> If I have an iRev page that is going to access a database, I have to
> use a database query that includes the user name and password. Is it
> safe to put that information directly into the iRev page? That seems
> risky to me.
> 
> If I put the information into another page and I use a script to pull
> in the information, wouldn't a hacker be able to look at the script,
> learn the location of the other page, and then directly access that
> page?
> 
> I realize that the scripts on an iRev page do not show up when you
> view the source of the page through a browser. Does this mean that
> the script information on an iRev page is genuinely secure?
> 
> I apologize if these are ignorant questions.
> 
> Many thanks,
> 
> Jonathan
> 
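
An added example, not part of the original message: a heuristic audit that walks a webroot and lists files mentioning credentials that no deny-all rule in an .htaccess covers, including a file name without a dot, which the "*.*" pattern above does not match. The function names, the credential markers and the sample tree are assumptions constructed for illustration. It understands only plain deny lines and the glob form of <Files>, and it assumes the server honours .htaccess files.

```python
import fnmatch, re, tempfile
from pathlib import Path

DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
SECTION = re.compile(r"^\s*<(/?)(\w+)\s*(.*?)\s*>\s*$")
SECRET = re.compile(r"password|passwd|dbpass", re.I)  # assumed credential markers

def deny_patterns(htaccess):
    """Filename globs a .htaccess denies outright; '*' stands for a bare deny-all."""
    globs, current = [], "*"
    text = Path(htaccess).read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:  # entering or leaving a section; anything but <Files glob> counts as no cover
            closing, tag, arg = m.groups()
            current = "*" if closing else arg.strip('"') if tag.lower() == "files" else None
        elif DENY.match(line) and current is not None:
            globs.append(current)
    return globs

def is_denied(path, webroot):
    """True if a .htaccess beside the file, or in an ancestor up to webroot, denies it."""
    path, root = Path(path).resolve(), Path(webroot).resolve()
    dirs = [d for d in path.parents if d == root or root in d.parents]
    return any(fnmatch.fnmatchcase(path.name, g)
               for d in dirs if (d / ".htaccess").is_file()
               for g in deny_patterns(d / ".htaccess"))

def exposed_secrets(webroot):
    """Relative paths of files that mention credentials and that no deny rule covers."""
    root = Path(webroot)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name != ".htaccess" and not is_denied(p, root)
                  and SECRET.search(p.read_text(encoding="utf-8", errors="replace")))

def demo_tree():
    """Constructed sample site: the .htaccess from the message guarding inc/."""
    root = Path(tempfile.mkdtemp())
    (root / "inc").mkdir()
    files = {"inc/.htaccess": '<files "*.*">\norder allow,deny\ndeny from all\n</files>\n',
             "inc/db.irev": "dbpass=example\n", "inc/dbconfig": "dbpass=example\n",
             "db.irev": "dbpass=example\n", "index.irev": "<html>hello</html>\n"}
    for rel, body in files.items():
        (root / rel).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(exposed_secrets(demo_tree()))
```

Anything the audit reports still needs confirming with a real request to the server, since the effective access rules also depend on the main server configuration.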




