I posted some info in your last topic
Whether you should worry or not, I don't know; I don't know the common practices of hackers. Maybe someone else here can shed some light.
Let me know if that helps you.
Unless you're making a website for a bank, I wouldn't be concerned about the connection.php file as a vulnerability. You might try giving it a less obvious name or further obscuring it by adding some fake ones in the same directory.
Other Security Tips:
Definitely use validation on all form fields. Set max char limits.
Do not allow HTML or JS in forms if it can be avoided.
This goes a long way to locking a site down.
Also, when using levels, DO NOT use obvious level names like '1, 2, 3'; pick codenames for the levels which are hard to guess. Otherwise, it's easy to change a user's level through the browser when the level is a part of a 'show if' conditional or a hidden form field.
Generally, avoiding putting any info in cookies also helps.
If security is a major concern you can add extra code to hide your html and php output (but php is already hidden).
You can also use HTTPS.
Lastly, you could use custom transactions and only allow access to a page based on the referer, or based on a referer and a token. HTTPS would probably be easier to use than this.
But if you're really concerned about security, then make use of the history tables which are a part of the user reg wizard and keep an eye on your stats--no sense in worrying about suspicious activity where there isn't any.
Oh...also. Remove the qub files from the production server--only use these in a dev area.
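As an added illustration of the level-tampering point above (this is example code, not from the thread or from the Dreamweaver user registration tools it discusses): when the level round-trips through a hidden field or a 'show if' conditional, the browser can rewrite it no matter what the level is called. Keeping the level only in the server-side session and re-checking it on every protected page removes that path; the table and column names and the session keys are assumptions.

```php
<?php
// Added example. Table users(id, username, password_hash, level) and the
// $_SESSION keys are placeholders, not names from the thread.

// WEAK: trusts a level the browser posted back from a hidden form field.
// The user can edit that field before submitting, whatever the level is named.
function canEditWeak(array $post): bool
{
    return isset($post['level']) && $post['level'] === 'admin';
}

// STRONGER: the level is loaded from the database at login into the session
// and is never read back from anything the browser sends.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['level']   = $row['level'];   // server-side copy is the only one consulted
    return true;
}

// Every protected page calls this before doing any work.
function requireLevel(string $required): void
{
    if (empty($_SESSION['level']) || $_SESSION['level'] !== $required) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Form validation as the thread advises: enforce a max length (reject rather
// than silently truncate) and neutralise any HTML/JS before the value is echoed.
function cleanField(array $post, string $name, int $maxLen): ?string
{
    $value = trim((string) ($post[$name] ?? ''));
    if ($value === '' || mb_strlen($value) > $maxLen) {
        return null;                         // caller treats null as a validation error
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Typical protected page: session_start() must run before any output.
session_start();
requireLevel('editor');
$title = cleanField($_POST, 'title', 120);
```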
Thanks for the great info. I'll put your suggestions in place.