
Security


Don E


Guest So Called
If you want to prevent users from executing include files, the safest option will be putting them outside of the web root.
I did that too. Only my index.php is inside the web root area, and it includes other scripts by full absolute name. I believe in multiple layers of security. Maybe one of my layers is messed up, or maybe I got the wrong idea on some security concept, but the other layers will keep my site safe. I also check that my include file exists before including it, and error out if it's absent. That way it avoids the error message that exposes my absolute path to the public. Additionally, I use require_once() instead of include. Every time I see a more secure way to do something, that's what I do. Every time I see a way to make it harder on hackers or give them less information, that's what I do.

I also check that my include file exists before including it, and error out if it's absent. That way it avoids the error message that exposes my absolute path to the public.
There is another, better option for that. You can log your errors (http://php.net/error_lo) to a separate file and turn the error_display directive off, or you can override the default error handling (http://php.net/se_error_handler). It is effective not only for include but for every kind of error. Revealing errors publicly is another vulnerability. I would not spare a function call (on each page request by many users) to check the existence of a file before including it, as an include file is mostly expected not to change its location, especially when it is hardcoded. In the rare case that it happens, the error log or the overriding error handler will tackle that nicely.
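The two posts above describe one layout: a single index.php under the web root, includes kept outside it and loaded by absolute path with require_once, an existence check before including, errors written to a private log with display turned off, and a custom error handler so nothing in the response reveals a server path. The script below is an added example that ties those pieces together; it is not code from either poster. The directory layout, the log file location and the page allow-list are assumptions made for the example (the PHP directive the second post calls "error_display" is spelled display_errors; error_log, log_errors, set_error_handler and register_shutdown_function are standard PHP):

```php
<?php
// Added example, not from the thread. Assumed (hypothetical) layout:
//   /var/www/example.com/public/index.php   <- the only file under the web root
//   /var/www/example.com/app/pages/*.php    <- includes live here, outside the web root
//   /var/www/example.com/logs/php-error.log <- private log, not web-accessible
declare(strict_types=1);

// Absolute paths derived from this file's own location, so nothing is
// hardcoded per environment and includes never use relative or user-supplied paths.
define('APP_ROOT', dirname(__DIR__) . '/app');
define('LOG_FILE', dirname(__DIR__) . '/logs/php-error.log');

// 1. Never show errors to visitors; log them privately instead.
//    (The same three settings can live in php.ini or a .user.ini file.)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', LOG_FILE);
error_reporting(E_ALL);

// Generic response: no file names, no paths, no PHP version strings.
function fail_generic(int $status = 500): void
{
    if (!headers_sent()) {
        http_response_code($status);
    }
    echo 'Sorry, something went wrong.';
    exit;
}

// 2. Override default error handling. Full detail goes to the log; the
//    visitor only ever sees the generic page. Returning true suppresses
//    PHP's built-in output for the non-fatal cases.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (in_array($errno, [E_WARNING, E_NOTICE, E_DEPRECATED, E_USER_WARNING, E_USER_NOTICE, E_USER_DEPRECATED], true)) {
        return true;   // logged, page continues
    }
    fail_generic();    // E_USER_ERROR and anything else: stop with a generic page
    return true;
});

// Fatal errors (a failed require, parse error, ...) bypass set_error_handler,
// so a shutdown function keeps the response generic in that case as well.
register_shutdown_function(function (): void {
    $e = error_get_last();
    if ($e !== null && in_array($e['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        error_log(sprintf('fatal: %s in %s:%d', $e['message'], $e['file'], $e['line']));
        fail_generic();
    }
});

// 3. Map the request to a fixed allow-list of scripts, so request input
//    selects a key but is never concatenated into an include path.
$pages = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($pages[$page])) {
    fail_generic(404);
}

// 4. require_once by absolute path. The is_file() guard turns a deleted or
//    misplaced include into a logged, generic 500 instead of a PHP warning
//    that would print the absolute path to the visitor.
$script = APP_ROOT . '/' . $pages[$page];
if (!is_file($script)) {
    trigger_error('include missing: ' . $script, E_USER_ERROR);
}
require_once $script;
```

The existence check costs one stat call per request, which is the trade-off the second post weighs; with display_errors off and the shutdown handler in place, dropping the check still yields a generic page and a private log entry rather than a path disclosure, so the check is a second layer rather than the only one.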

Guest So Called

I have been known to accidentally delete a file on my site and not notice it until later. It doesn't happen very often, but when it does my script checking hides the error by issuing a message that means little to anybody but me. After a few years of running my custom code I'm pretty familiar with all the errors it can create, and feel I have them all covered. There is really little exposure to being hacked because my site is so unimportant, and because other than viewing content the only other thing a visitor can do is use my contact form, which is pretty well secured (IMO). I back up my site frequently, so the worst any hacker could do is deface my site for a few hours. It would take me perhaps 15 minutes to put things back. So there's little benefit to hackers to bother with me, and little cost to me to put it back if it ever happens. In other words, I'm a low-risk target and I have sufficient security in place to handle any situation that may arise. Some of the members at the W3S forum either have or will have much more important data to guard, and sites which will be much more likely to be hacked.


2 IT hobbies: web technology and ISP technology =) I always may find out what my dear friends are "up to". Moreover, SSL certificates for a domain with subdomains cost a lot of money (~500$ per year?) and they aren't 100% secure either.


I believe there are cheaper hosts with SSL support and multiple subdomains. SSL does not protect from everything in your web site or web apps. It has its purpose of encrypting the data between two machines to transfer data securely. That's it. There are also other things to consider: server-level flaws or application code-level flaws can make sites/apps insecure.
