Making the content of LC Server Scripts Safe
Devin Asay
devin_asay at byu.edu
Thu May 22 11:01:04 EDT 2014
On May 21, 2014, at 10:31 PM, Nakia Brewer <Nakia.Brewer at westrac.com.au> wrote:
> Afternoon all,
>
> As I venture down the road of learning what the wonders of LC Server scripts can do, I find myself wondering how safe the contents of these scripts are.
> Being completely new to Web and Server development it's probably a silly question but for example:
>
> I have an LC Server script that is called from a mobile testing app that records the device's location into a MySQL Database using $_GET params.
> In the LC Server Script file resides all my connection details for my database etc.
>
> So, what stops someone from accidentally stumbling across that URL and getting the content of that file?
>
> Or am I completely not understanding?
>
> Sorry in advance :)
As John said, .lc files are parsed by the server and only the output is visible to the browser. But I'm like you: when storing things like MySQL login credentials, I'm nervous about saving them in plain text, even in a .lc file. So I take the extra step of storing the credentials in an encrypted form in a file separate from the .lc script that calls it. Then I have the .lc script read in and decrypt the login credentials before logging in to the MySQL server. It may be overkill and one extra step, but most hackers go for the low-hanging fruit. I figure this makes it harder, so the bad guys will just move on to other targets.
My $.02.
Devin
Devin Asay
Learn to code with LiveCode University
http://university.livecode.com
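One way to lay out the approach described in the reply above, as an added example that is not part of the original post or the poster's own code: the credentials sit in an encrypted file outside the web root, and the .lc script decrypts them at request time. The file path, the LC_DB_KEY environment variable, the four-line plaintext layout and the choice of AES-256-CBC are all assumptions.

```livecode
<?lc
-- Added example, not code from the original post.
-- Assumed names: the file path, LC_DB_KEY, the four-line layout, AES-256-CBC.

-- One-time setup (run by hand, not web-reachable): write the encrypted file.
command saveDbCredentials pPath, pPassphrase, pHost, pDatabase, pUser, pPassword
   local tPlain
   put pHost & return & pDatabase & return & pUser & return & pPassword into tPlain
   encrypt tPlain using "aes-256-cbc" with password pPassphrase
   if the result is not empty then return "encrypt failed"
   put it into URL ("binfile:" & pPath)
   return the result
end saveDbCredentials

-- Read and decrypt the file; returns an array, or empty on any failure.
function loadDbCredentials pPath, pPassphrase
   local tCipherText, tPlain, tCreds
   put URL ("binfile:" & pPath) into tCipherText
   if the result is not empty or tCipherText is empty then return empty
   decrypt tCipherText using "aes-256-cbc" with password pPassphrase
   if the result is not empty then return empty
   put it into tPlain
   if the number of lines of tPlain < 4 then return empty
   put line 1 of tPlain into tCreds["host"]
   put line 2 of tPlain into tCreds["database"]
   put line 3 of tPlain into tCreds["user"]
   put line 4 of tPlain into tCreds["password"]
   return tCreds
end loadDbCredentials

local sCreds, sConn
-- Assumed: the passphrase reaches the script through the server environment,
-- and the credentials file lives outside the document root.
put loadDbCredentials("/etc/lcserver/db.cred", $_SERVER["LC_DB_KEY"]) into sCreds
if sCreds is not an array then
   -- Fail closed, and keep the path and the reason out of the response.
   put "Service unavailable"
else
   put revOpenDatabase("mysql", sCreds["host"], sCreds["database"], sCreds["user"], sCreds["password"]) into sConn
   if sConn is an integer then
      -- ... run the script's queries here ...
      revCloseDatabase sConn
   else
      put "Service unavailable"
   end if
end if
?>
```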