Hi..
Here is my problem:

I have made a website and there was links there such as home,project,about me and so on..
But when the user click on those links the url seems to give me the full path/the full directory of where those related files/links are located.

To make it clear,if someone clicks the about me link,the URL will appear as http://localhost/ryzalyusoff.com/public/about me.php

I've read that this kind of information could be used by hacker to damage our website,so I really hope someone could told me how to fix this security issue.

Thank You :)

Recommended Answers

All 8 Replies

at that point they cant really as there are no parameters. You should read up on SQL injection

what can be dangerous is having something like the following in the url

http://www.yoursite.com/index.php?id=122343

what you can do to protect from this is to use functions like stripslashes and mysql_real_escape_string

do not believe everything you read

Member Avatar for Zagga

Hi samsons17,

To enable a browser to find and display your page for a user, it needs to know where to look for your page.
If a hacker just has the URL of your page, then all that means is that he will be able to view your page.

If the information on your page is snesitive, it may be an idea to place it inside a restirited (member only) area.


Hope this helps.
Zagga

oh i see..
so that means that my site is still secure right...
Thank You all..

but still want a little bit helps here,does anyone know any great books about SQL injection or any great websites about it?

because i want started moving to the security part so that i could really make sure
my sites is secure.any suggestion how or where i should start??

thank for your helps :)

examine as well the services available on your apache server mod_rewrite can change the displayed url to obfuscate parameters
examine php sessions
and there are a lot of access control /user contrl php scripts available premade at phpscipts hotscripts sourceforge (and others), that you can download and use, or,
If they arent perfect those scripts can provide valuable hints on what you need to roll your own,
a rolled your own script, has the benefit of uniqueness, any bugs will be obscure unpublished bugs bugs and hard for mailcious intent to find
user control system makes the entire site password protected, like daniweb, I can view your profile, public sections, you can view mine, but neither of us can change the other's or change the site in general

and as whieteyoh wrote always validate clean stripslash mysqlrealescape any data from user input before it goes to the database,

I find that a lot of the authors of those articles that overstate the security risks invloved in xxxxxxxxx are written by consultants, who happen to have a fiduciary interest in companies that specialise in removing the threats they write about.
I have received cold calls about malicious content on my site, who offer to clean the contaminated code for a fee, and they submitted a page ostensible from my site with all the wordpress headers et alexcept that my sites are not WordPress, too slow, I hand code for speed, database generated, and the page submitted does not existI assume they were looking for a ceo who was not closely associated with development

Trust no-one believe nothing till you independently verify it as pertinent to your own needs and uses

which |I guess includes this post :)

Hi,

Can you not change the web root of your server to point to the public folder?

E.g. /var/www/ryzalyusoff.com/public (or your equivalent path)

Then you can put any files you would like to prevent direct access above the web root, hence only scripts executing on your server will be able to access and serve their content.

R.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.