TalkPHP
Home Forums Articles Glossary Awards Register Rules Members Search Today's Posts Mark Forums Read
 
 
 
Account Login
Latest Articles
» The basic usage of PHPTAL, a XML/XHTML template library for PHP
by awuehr on 11-10-2008 in Tips & Tricks
» Vulnerable methods and the areas they are commonly trusted in.
by Village Idiot on 11-04-2008 in Classes & Objects
» Simple way to protect a form from bot
by codefreek on 10-23-2008 in Basic
» The Basics On: How Session Stealing Works
by wiifanatic on 09-12-2008 in Security & Permissions
» How to keep your forms from double posting data
by drewbee on 07-03-2008 in Tips & Tricks
IRC Channel
IRC Speech Bubble Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.
Associates
Associates
CSS Tutorials
TalkPHP > Developer Forums > General » How to detect and prevent including from anothers?
Reply
 
LinkBack Thread Tools Search this Thread Display Modes
Old 08-20-2008, 02:03 AM   #1 (permalink)
The Wanderer
 
superthin's Avatar
 
Join Date: Aug 2008
Posts: 16
Thanks: 7
superthin is on a distinguished road
Default How to detect and prevent including from anothers?
Hi everybody,

My database (of a phpBB version 3 forum) was bogus data / garbage. I am using shared hosting with many people. I read apache log file and saw a man (script kiddie) who had an account on the same server hosting with me, included my config.php and inserted random text overwrite my topics, my users,... so that the forum was not able working correctly.

I used Zend Guard to encrypt the config.php but he still included successfully. My hosting provider said that they cannot config to prevent "local-hack" 100% because server have PHP4 and PHP5 concurrent (many customers remain to run PHP4 script).

Could I have some lines of codes in config.php to detect and prevent including to get variables value? I can include my config.php certainly.

Thank you very much.

Best regards,
__________________
http://khoancatbetong.com - Vietnamese Concrete Technician Forum
superthin is offline   		Reply With Quote
Old 08-20-2008, 03:30 AM   #2 (permalink)
is cute and cuddly
 
delayedinsanity's Avatar
 
Join Date: Mar 2008
Location: Vegas, Baby
Posts: 963
Thanks: 31
delayedinsanity is on a distinguished road
Default
One way, and I'm sure there's better, but create a random string or hash, and;

PHP Code:
// in config.php
define('12618922d9beec178c306b184c1810ac'TRUE);

// in files that include config.php
if (! defined('12618922d9beec178c306b184c1810ac')) die ('AAAaaaaAAUUURRrrrrgggHHHh!'); 
This will only work if the only way he has access to the file is via include or require. If your host permits him to run a file_get_contents() or file() on your data, I would switch hosts, ASAP. Hell, I'd probably switch anyways if they're letting this guy run amuck.
-m
delayedinsanity is offline   		Reply With Quote
The Following User Says Thank You to delayedinsanity For This Useful Post:
superthin (08-20-2008)
Reply

« Previous Thread | Next Thread »


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 02:42 AM.

 
     
Contact Us - TalkPHP - PHP Community - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Inactive Reminders By Icora Web Design