550 CHAPTER 21 – SECURE PHP PROGRAMMING
You certainly wouldn't want anyone to view those files, so it would be a good idea to place them outside of the document root. Therefore, you could save them to some directory residing outside of the previous paths:
C:/Apache/sitelogs/ # Windows
/usr/local/sitelogs/ # Unix
Denying Access to Certain File Extensions
A second way to prevent users from viewing certain files is to deny access to certain extensions by configuring the Files directive in the httpd.conf file. Assume that you don't want anyone to access files having the extension .inc. Place the following in your httpd.conf file:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
After making this addition, restart the Apache server and you will find that access is denied (an HTTP 403 response) to any user requesting a file with the extension .inc via the browser. However, you can still include these files in your scripts, because include and require read the file from the filesystem rather than through an HTTP request, so the Files rule never applies to them. Note that the Order and Deny directives are Apache 2.2 syntax; on Apache 2.4 they are only available through mod_access_compat, and the native equivalent is Require all denied. Incidentally, if you search through the httpd.conf file, you will see that this is the same premise used to protect access to .htaccess.
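The following is an added configuration example, not taken from the book, showing the same .inc rule in the form Apache 2.4 expects, alongside the 2.2 form the text uses. It assumes Apache 2.4 with mod_authz_core loaded (the default) and that the .inc files live under the document root; the file name config.inc is a hypothetical example.

```apache
# Added example: refuse to serve any file whose name ends in .inc.
# Apache 2.4 form (mod_authz_core). FilesMatch takes a regular expression;
# the anchor $ means only the final extension is tested, so a file named
# config.inc.php is NOT matched by this rule.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Apache 2.2 form (the one shown in the text). On 2.4 this only works if
# mod_access_compat is loaded; mixing the two styles in one block is an error.
# <Files ~ "\.inc$">
#     Order allow,deny
#     Deny from all
# </Files>
```

After restarting Apache, a request such as `curl -I http://localhost/config.inc` (hypothetical host and file) should return `HTTP/1.1 403 Forbidden`, while a PHP script that does `include 'config.inc';` continues to work, since it opens the file directly on disk. The rule only controls what the web server delivers over HTTP; it does not stop the PHP interpreter from reading the file, and it does nothing for files that are not under the document root in the first place.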
Sanitizing User Data
Neglecting to review and sanitize user-provided data at every opportunity could give attackers the chance to do massive internal damage to your application, data, and server, and even to steal the identity of unsuspecting site users. This section shows you just how significant this danger is by demonstrating two attacks left open to Web sites whose developers have chosen to ignore this necessary safeguard.