koobas.hobune.stream
WWW class and PHP security issues
Is it possible to set the PHP files on the server sides only be visited by Unity3D's WWW class?
Is the PHP possibly be opened/viewed/downloaded with some text editor? I got my database's password in the php script.
I read some tutorial about pack some codes into some header file, like header.inc. It says it use the inc extension for the security purpose. Otherwise hackers might guess the header's filename, and then open it with some text editor. My question is, could it be downloaded and opened ?!
for the security purpose, where should I put the header file?
Anyone with a browser can potentially call up your PHP files. If you have some kind of session handling in place, you probably won't have to worry about it.
You cannot view the source of a PHP file if it's being accessed by HTTP, because the script is run on the server before being fed down the pipe. You can view the PHP file via FTP or some other protocol, but as long as you don't have those protocols publicly accessible, you'll be fine.
If you're talking about including files into a PHP script, and those files aren't PHP scripts, then I imagine it's possible that someone with the filename could simply point their browser at the file to view it. You may be able to adjust the permissions of the file (via chmod) so that only the PHP process can access it, but I'm not sure. That's over my head. :)
Not sure!
Just to point out you should also revise the SQL account's authorizations. Stacking all those measures should keep you fine... I've never had issues yet - or the hackers were good enough to not leave trace for me to notice.
for 3, I'm talking about including a PHP script, like mysql_connect(), however renname it like .inc ins$$anonymous$$d of .php.I don't see any advantages or disadvantages from it.
It's all up to the webserver you use. I've been on websites and it seems their webserver is, well buggy. Sometimes it returned the php script ins$$anonymous$$d of executing it on the server. This must not happen on a server that supports php.
using file extention inc is not a good idea since usually only .php files are feed to the php interpreter. If a user can access the file directly, he can download / view it since it's not a php file. The decision if a requested file goes through php or not is up to your webserver.
I noticed the mentioned bug on this wiki (just a wiki for a $$anonymous$$ecraft mod). Sometimes it doesn't open links but start a download of the php. As said this is up to the webserver and if it's configured / setup correctly it shouldn't happen.
