4 Replies Latest reply on Mar 19, 2009 8:08 PM by (Rick_Gerard)

    Connections security

    Level 1
      I was wondering if there are any security concerns from the php files in the Connections folder. Right there in plain sight are the user name and password to the database. Should I have a worry?
        • 1. Re: Connections security
          Albert S. Level 3
          Hi Rick,

          I posted some info in your last topic

          http://www.adobeforums.com/webx/.59b83990/3

          If you should worry or not I don't know I don't know common practices of hackers. Maybe someone else here can shed some light.
          Let me know if that helps you?
          • 2. Re: Connections security
            HauteJordo Level 1
            Hi Rick,

            Unless you're making a website for a bank, I wouldn't be concerned about the connection.php file as a vulnerability. You might try giving it a less obvious name or further obscuring it by adding some fake ones in the same directory.

            Other Security Tips:

            Definitely use validation on all form fields. Set max char limits.
            Do not allow HTML or JS in forms if it can be avoided.
            This goes a long way to locking a site down.

            Also, when using levels, DO NOT use obvious level names like '1, 2, 3' pick codenames for the levels which are hard to guess. Otherwise, it's easy to change a user's level through the browser when the level is apart of a 'show if' conditional or a hidden form field.

            Generally, avoid putting any info in cookies also helps.

            If security is a major concern you can add extra code to hide your html and php output (but php is already hidden).

            You can also use HTTPS.

            Lastly, you could use custom transactions and only allow access to a page based on the referer, or based on a referer and a token. HTTPS would probably be easier to use than this.

            But if you're really concerned about security, then make use of the history tables which are apart of the user reg wizard and keep an eye on your stats--no sense in worrying about suspicious activity where there isn't any.

            - Mark
            • 3. Re: Connections security
              HauteJordo Level 1
              Oh...also. Remove the qub files from the production server--only use these in a dev area.
              • 4. Re: Connections security
                Level 1
                Thanks for the great info. I'll put your suggestions in place.

                Rick