> I am beginning work on a new web-based application using PHP and MySQL. I
> have been doing a lot of reading about PHP security and web application
> security in general to make sure I am up-to-date on what is known in this
> area.
>
> My style of PHP is to name all included files with a .php extension and of
> course this raises the problem of people accessing these script files
> directly. My main question is: if all of the code inside an included PHP file
> is put inside one or more functions, this should prevent anyone from running
> any of that code by directly calling that PHP file, correct? There is no way
> for them to invoke a function just from a URL, assuming I have no code at all
> outside the functions.

No, the user can't run anything; it'll simply load the code into memory.

> And this leads to another question... if I encapsulate most of my variables
> inside one or more classes, doesn't this help protect against attacks also?
> Is there a way for someone to set a class variable to a value just from a
> GET or POST request (or even file or cookie)? As long as I am carefully
> validating what information I put into the object variable, this seems to be
> a way of adding another layer of protection.

No, the user can't set a class variable directly, but if you are doing something like $this->var = $_GET['something'], then it's insecure unless you are validating $_GET['something'] first.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today.
http://www.phparch.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
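The two points in the reply above, as an added example that is not part of the original thread and not John's code: a requested PHP file runs its top-level statements but only defines the functions and classes it contains, so an include file can refuse to act as an entry point; and no URL can assign an object property on its own, the exposure comes from code that copies request values into properties unchecked. The constant `APP_ENTRY`, the classes `InsecureProfile` and `Profile`, the field names and the sample request are all assumed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; not code from the original post. APP_ENTRY, the class
// names, the fields and the sample request are assumptions for illustration.

// 1. Direct requests to an include file.
// PHP runs a requested file from the top: function and class bodies are only
// defined, never executed, but every top-level statement does run. An include
// file can refuse to be an entry point by checking for a marker that only the
// real entry script defines before its require().
function refuseDirectAccess(): void
{
    if (!defined('APP_ENTRY')) {
        http_response_code(403);
        exit('This file cannot be requested directly.');
    }
}

// In the real entry script this define() comes before the require(); it is
// set here so the file runs end to end as a demonstration.
define('APP_ENTRY', true);
refuseDirectAccess();

// 2. Request data and object properties.

// Insecure: whatever the client sent becomes the property value, and the
// client chooses which properties are written (mass assignment). This is the
// $this->var = $_GET['something'] pattern from the reply, applied in a loop.
final class InsecureProfile
{
    public $email;
    public $age;
    public $isAdmin = false;

    public function fromRequest(array $request): void
    {
        foreach ($request as $name => $value) {
            if (property_exists($this, $name)) {
                $this->$name = $value;   // unvalidated client data lands in the object
            }
        }
    }
}

// Hardened: an explicit allow-list of fields, each validated before it is
// assigned; other request keys are ignored, and $isAdmin has no request path.
final class Profile
{
    private string $email = '';
    private int $age = 0;
    private bool $isAdmin = false;

    /** @return string[] validation errors; empty when every field was accepted */
    public function fromRequest(array $request): array
    {
        $errors = [];

        $email = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false || strlen($email) > 254) {
            $errors[] = 'email: not a valid address';
        } else {
            $this->email = $email;
        }

        $age = filter_var(
            $request['age'] ?? '',
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]
        );
        if ($age === false) {
            $errors[] = 'age: must be an integer from 0 to 150';
        } else {
            $this->age = $age;
        }

        return $errors;
    }

    public function email(): string { return $this->email; }
    public function age(): int { return $this->age; }
    public function isAdmin(): bool { return $this->isAdmin; }
}

// Constructed sample request, the shape of $_POST a hostile client can send.
$request = [
    'email'   => 'not-an-address<script>',
    'age'     => '-5',
    'isAdmin' => '1',
];

$bad = new InsecureProfile();
$bad->fromRequest($request);
var_dump($bad->isAdmin);            // the client-chosen value reached the flag

$good = new Profile();
$errors = $good->fromRequest($request);
print_r($errors);                   // both supplied fields are rejected
var_dump($good->isAdmin());         // the request had no way to touch this
```

The allow-list form is the one to keep: it makes the set of client-writable fields visible in one place, so a review can confirm that nothing like an admin flag is reachable from a request, and it returns validation failures to the caller instead of silently storing partial data.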