PHP: The magic to protection.
- You ask, "What magic?" Magic implies a trick or illusion. Though there are a few tricks that are just an illusion, I assure you, mine are real. One sample of an illusion of protection would be the use of a custom file extension. I saw one whole article where someone wrote about making ".ass" the PHP extension. Sure, you can keep people from trying to find "MY-BIG.php", because it is really "MY-BIG.ass", but that does not stop them from seeing "MY-BIG.ass" when the PHP server crashes, or has a temporary hiccup, and decides to send "MY-BIG.ass" as a plain text file, unprocessed by PHP.
- You could turn that illusion into a real trick if you added .htaccess protection that allows only your server to access that file (in addition to setting the file permissions on the actual files themselves, something like [7-0-0]). If your ".ass" files were given an [F,L] rule, they would produce a [Forbidden Page] result if someone typed the URL to that file in a browser. I don't want them looking at "MY-BIG.ass", only my server, and that creeps me out a little too!
- In my previous posting, "HTACCESS: My nightmare continues.", I covered how I use ".pp" for my "Protected PHP" files. This is how I use them.
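The [F,L] rule described above, written out as an added example (this is not the original post's .htaccess; it assumes Apache 2.4 with mod_rewrite enabled and AllowOverride permitting these directives). Both forms refuse a browser request for any ".pp" file with 403 Forbidden, while PHP's include() still reads the file straight from disk, since include() never goes through the web server:

```apache
# Deny every direct HTTP request for a ".pp" include file.
# Apache 2.4 syntax; PHP reads the file from the filesystem, so include() is unaffected.
<FilesMatch "\.pp$">
    Require all denied
</FilesMatch>

# Equivalent mod_rewrite form, the [F,L] the post refers to:
#   F = answer 403 Forbidden, L = stop processing further rules,
#   "-" = keep the URL as-is (no substitution).
RewriteEngine On
RewriteRule \.pp$ - [F,L]
```

To check it, request the include file directly (for example with curl -I against mypage.pp) and confirm the status is 403 rather than 200; do the same after any server upgrade, because an AllowOverride change silently switches the rule off.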
[mypage.php] is sister to [mypage.pp]
[mypage.php] has this inside.
<!-- <?php include 'mypage.pp'; die; ?>-->Sorry, the PHP server is down.
[mypage.pp] has this inside.
--><?php /* {MY PROTECTED CODE HERE} */ ?>
- If the PHP server is down, the INCLUDE stays hidden in the comments. They can see it if they VIEW SOURCE, but that will not help them, because the "*.pp" file is [Forbidden] from viewing.
If the PHP server is not running, this is the output...
<!-- {IGNORED STUFF}-->Sorry, the PHP server is down.
If the PHP server is running, this is the output...
<!-- --><MY PROCESSED PHP CODE ECHO>
- That is handled by the DIE command, which tells PHP to stop processing the rest of the document, so the last portion ("Sorry, the PHP server is down.") is never displayed.
- Short and sweet, but it only goes one level deep. You would not use this method with in-line code that could produce odd HTML. That is another situation, which can be handled in a similar way using JAVASCRIPT and VARIABLES.
[mypage.php]
<HTML Header stuff>
<SCRIPT>var $myval = "test.php";</SCRIPT>
<!--<?php include 'mypage.pp'; ?>-->
</HEAD>
<BODY onLoad="document.getElementById('mylink').href = $myval;">
<A ID="mylink" HREF="">MY LINK</A></BODY></HTML>
[mypage.pp]
--><SCRIPT>$myval += "<?php echo MYTEXT_FROM_MySQL; ?>";</SCRIPT><!--
The end result if PHP is not running...
<HTML Header stuff>
<SCRIPT>var $myval = "test.php";</SCRIPT>
<!--{IGNORED STUFF}-->
</HEAD>
<BODY onLoad="document.getElementById('mylink').href = $myval;">
<A ID="mylink" HREF="">MY LINK</A></BODY></HTML>
[$myval = 'test.php']
The end result if PHP is running...
<HTML Header stuff>
<SCRIPT>var $myval = "test.php";</SCRIPT>
<!-- --><SCRIPT>$myval += "?hello=12345";</SCRIPT><!-- -->
</HEAD>
<BODY onLoad="document.getElementById('mylink').href = $myval;">
<A ID="mylink" HREF="">MY LINK</A></BODY></HTML>
[$myval = 'test.php?hello=12345']
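The two-file layout above, worked through as an added example that is not the original post's code. The script writes a mypage.php and mypage.pp of its own into a temp directory, renders them the way the PHP engine would, and then shows the unprocessed bytes a server would send with PHP off. Two additions to the post's pattern are assumptions of this example, not something the post states: a FROM_MYPAGE constant that mypage.pp checks before doing anything (defence in depth behind the server-level deny on *.pp), and json_encode() around the value that gets spliced into the JavaScript string, so a quote, a newline or a "</script>" coming back from the database cannot break out of the string. The "?hello=12345" value stands in for the MySQL result.

```php
<?php
// Added example, not the original post's code. Builds the post's two-file
// layout in a temp directory and renders it both with and without PHP.
$dir = sys_get_temp_dir() . '/pp-demo-' . getmypid();
mkdir($dir);

// mypage.php: the public file. All of its PHP sits inside one HTML comment,
// so an unprocessed copy shows only a comment to the browser.
// FROM_MYPAGE is an assumed guard constant that mypage.pp checks.
$mypage_php = <<<'PHP'
<!DOCTYPE html>
<html>
<head>
<script>var myval = "test.php";</script>
<!--<?php define('FROM_MYPAGE', true); include __DIR__ . '/mypage.pp'; ?>-->
</head>
<body onload="document.getElementById('mylink').href = myval;">
<a id="mylink" href="">MY LINK</a>
</body>
</html>
PHP;

// mypage.pp: the protected include. When processed, its output starts with
// "-->" to close the comment opened in mypage.php and ends with "<!--" so the
// "-->" that follows the include in mypage.php stays harmless.
$mypage_pp = <<<'PHP'
<?php
// Refuse to run unless pulled in by mypage.php (the server-level deny on
// *.pp is what stops a browser fetching this file; this is a second check).
if (!defined('FROM_MYPAGE')) { http_response_code(403); exit; }
// Constructed stand-in for the value the post reads from MySQL.
$fromDb = '?hello=12345';
// json_encode() yields a quoted, escaped JS string literal, so a quote,
// newline or "</script>" in the data cannot escape the string.
?>--><script>myval += <?php echo json_encode($fromDb); ?>;</script><!--
PHP;

file_put_contents("$dir/mypage.php", $mypage_php);
file_put_contents("$dir/mypage.pp", $mypage_pp);

// PHP running: include the page and capture what a browser would receive.
ob_start();
include "$dir/mypage.php";
$rendered = ob_get_clean();
echo "--- with PHP processing ---\n", $rendered, "\n";
// The <head> now carries:
//   <!----><script>myval += "?hello=12345";</script><!---->

// PHP not running: the server sends the file bytes untouched. The include
// is still inside <!-- -->, and mypage.pp is never opened at all.
echo "--- without PHP processing ---\n", file_get_contents("$dir/mypage.php"), "\n";

// Tidy up the temp files.
unlink("$dir/mypage.php");
unlink("$dir/mypage.pp");
rmdir($dir);
```

Run it from the command line with php and compare the two renderings: in both, the only thing the page reveals is that mypage.pp exists, which is exactly why the server-level deny on *.pp has to be in place as well.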
- I stay away from an alternate format, one which puts the PHP code inside an existing <SCRIPT> block, because PHP and JAVASCRIPT have similar comment markers. "//" tells both PHP and JAVASCRIPT to treat the rest of the line as a comment. "/*" is a multi-line BEGIN COMMENT, paired with "*/", the multi-line END COMMENT. The problem becomes apparent if you manually paste your PHP into the file where the INCLUDE statement sits: INCLUDE is just a fancy way of COPY/PASTE at the programming level, and you are bonding several documents into one file. Having a comment begin in JAVASCRIPT and then terminate inside your first PHP comment is where all the bad stuff happens. It will ruin "MY-BIG.ass"!