Redirect current frame

Status
Not open for further replies.

lardum

Two questions:

1. I have a form in an HTML file. It posts to a PHP file. How can I, after the posting has been done, redirect the current frame to another page on the same webserver?

2. In the PHP file, I do a connection to my MySQL server and I type in username and password. Is there a way for someone to find these values?

I'm very new to PHP. So any answers, please detailed descriptions.

Thanks
 
1. Issue a "Location:" header using PHP's header() function:
2. Yes, there is a risk that someone could get to your script source code and get the password.

Defenses:

  • Make sure you are running the latest version of PHP and the most bug-free version of your web server.
  • Make sure your MySQL username is only allowed to log in from certain IP addresses, not '%'. That way, even if they get the password, it will be very hard for them to use it.
  • Use PHP's include() function to include a file that is outside the document root of the current website. This makes it harder to exploit your web server to get to the password.
  • Make sure that other protocols that allow access to your source files (FTP, SSH) are locked down well enough to prevent hostile agencies from accessing your scripts.
  • Convert PHP to non-human-readable form using something like Zend Encoder. This won't make it impossible, of course, only harder, to get the password. This is an extreme suggestion.

Want the best answers? Ask the best questions: TANSTAAFL!!
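
The two points of the answer above (a "Location:" header sent after the POST is handled, and credentials kept in an included file outside the document root), combined in an added example that is not part of the original thread. The file paths, table name, account name and the use of PDO (from current PHP, not the PHP 4 of this thread) are assumptions for illustration.

```php
<?php
// submit.php: form handler inside the document root (hypothetical name).
//
// The credentials live OUTSIDE the document root, so no URL maps to them and
// the web server cannot hand them out as plain text if PHP handling breaks.
// Constructed contents of /var/www/private/db_config.php (assumed path):
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//       'user' => 'webapp',     // MySQL account defined as 'webapp'@'localhost', not '%'
//       'pass' => 'CHANGE-ME',  // placeholder value
//   ];

$config = require '/var/www/private/db_config.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Prepared statement: form values are bound, never concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO messages (name, body) VALUES (?, ?)');
    $stmt->execute([$_POST['name'] ?? '', $_POST['body'] ?? '']);
} catch (PDOException $e) {
    // Log on the server only. Echoing the exception (or letting PHP display
    // errors) can reveal connection details to the visitor.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}

// header() must be called before any output is sent. The target is a fixed
// same-site path and is not built from request input. 303 tells the browser
// to fetch the next page with GET, so a reload does not re-submit the form.
header('Location: /thanks.html', true, 303);
exit; // stop here so nothing else is emitted after the redirect
```

The browser follows the redirect in whichever frame received the form's response, which is the form's own frame unless the form tag sets a target attribute.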
 
Another question regarding the passwords:

I'm running PHP 4.2.2 and Apache 1.3.27

Am I safe just with this? How can I test it out and see if I'm vulnerable? The MySQL server only accepts connections from the web server (=localhost).

 
The most current version of PHP is 4.3.3. The most current version of Apache 1.3.x is 1.3.28. In accordance with the first defense of my last post, I recommend that you upgrade at least your installation of PHP.

Beyond that, there is insufficient data for a meaningful answer. At least a few of the considerations one must make in deciding whether you are "safe":

  • What is the source against which authentication credentials are verified? .htaccess files? MySQL? LDAP?
  • What are you securing? Admin access to your blog? NSA secrets? The amount of work you need to perform to make your site "safe" depends on the credible threats you expect to face.
  • Have you read the PHP manual section on securing PHP?
  • How good are you at writing secure applications?


Oh, yeah, I forgot some elements of my last post:

  • Make sure your network is secure through the use of paranoidly-configured firewalls, etc.
  • Ensure that your server is not running any services/daemons it does not have to.
  • Make sure those services/daemons you must run are the most secure versions and are configured in the most "reasonably paranoid" way.

Want the best answers? Ask the best questions: TANSTAAFL!!
 