I am beginning work on a new web-based application using PHP and MySQL. I have been doing a lot of reading about PHP security and web application security in general to make sure I am up-to-date on what is known in this area.
My style of PHP is to name all included files with a .php extension, and of course this raises the problem of people accessing these script files directly.

My main question is: if all of the code inside an included PHP file is put inside one or more functions, this should prevent anyone from running any of that code by directly calling that PHP file, correct? There is no way for them to invoke a function just from a URL, assuming I have no code at all outside the functions.

And this leads to another question... if I encapsulate most of my variables inside one or more classes, doesn't this help protect against attacks also? Is there a way for someone to set a class variable to a value just from a GET or POST request (or even file or cookie)? As long as I am carefully validating what information I put into the object variable, this seems to be a way of adding another layer of protection.

Any thoughts or comments regarding this and any other issues I should take into consideration regarding security are welcome.

Jacob

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
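Added example (not Jacob's code and not from the list): the two patterns the post asks about, a .php include file that carries only functions plus an explicit include guard, and a class whose properties can only be written through validating setters, followed by the contrasting pattern that does let request data land on class variables. The constant name IN_APP, the class names UserProfile and LooseProfile, the function profileFromRequest and the request array are all assumptions made for the example; in a real layout the guarded section would be its own file included with require.

```php
<?php
// Added example, not code from the original post. In the real layout the
// block marked lib.php lives in its own file and index.php does
// define('IN_APP', true) before require-ing it. Both are shown in one file
// here so the script runs stand-alone with `php example.php`.

// ---- index.php: declare we are a legitimate entry point -------------------
define('IN_APP', true);   // assumed guard constant name

// ---- lib.php: the included file ------------------------------------------
// Guard: if this file is requested directly, IN_APP is undefined and we
// bail out before anything else runs. Keeping all code inside functions
// already means a direct hit executes nothing, but the guard makes that
// intent explicit and survives a later edit that adds a top-level statement.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

final class UserProfile
{
    // Private properties: nothing outside the class can assign them, so
    // every write goes through a setter that validates the value.
    private string $username = '';
    private int $age = 0;

    public function setUsername(string $name): void
    {
        if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
            throw new InvalidArgumentException('invalid username');
        }
        $this->username = $name;
    }

    public function setAge(int $age): void
    {
        if ($age < 0 || $age > 150) {
            throw new InvalidArgumentException('invalid age');
        }
        $this->age = $age;
    }

    public function getUsername(): string { return $this->username; }
    public function getAge(): int { return $this->age; }
}

// The only path from request data to the object: an explicit list of keys,
// each passed through its setter. Any other key in the request is ignored.
function profileFromRequest(array $request): UserProfile
{
    $p = new UserProfile();
    $p->setUsername((string) ($request['username'] ?? ''));

    $age = filter_var($request['age'] ?? null, FILTER_VALIDATE_INT);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer');
    }
    $p->setAge($age);
    return $p;
}

// ---- index.php: using the include ----------------------------------------
// Constructed request standing in for $_POST, including a key an attacker
// might add in the hope it lands on the object.
$post = ['username' => 'jacob', 'age' => '34', 'isAdmin' => '1'];

$profile = profileFromRequest($post);
var_dump($profile->getUsername(), $profile->getAge()); // "jacob", int(34)
var_dump(property_exists($profile, 'isAdmin'));         // false: never reached the object

// Contrast: the pattern that DOES let a request set class variables.
// Public properties written by attacker-controlled key names (the same
// effect extract($_POST) or the old register_globals behaviour gives) turn
// the request into a write interface. Shown for contrast only.
class LooseProfile { public $username; public $age; public $isAdmin = false; }
$loose = new LooseProfile();
foreach ($post as $k => $v) { $loose->$k = $v; }
var_dump($loose->isAdmin); // string(1) "1": set straight from the request
```

The difference between the two classes is not the class itself but whether anything in the code assigns request keys to properties by name; with private properties and explicit setters the validation Jacob describes is the only route in, so the object does act as an extra layer.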