
tork

  1. The /private and /data folders are 755. I didn't see any config files in cgi-bin (if that's what you're saying), and in the .config folder there's only a file called .keep which has no data in it (as far as I can tell).
  2. Thanks requinix. Here's a solution .. may help others ..

     [sc]=shortcut

     This is my directory structure:

         root
         /.config
         /.logs
         /[sc]public_html (points to /web)
         /[sc]my web site name without the .com (points to root)
         /web : /web/my web site folders

     Create private folders like this:

         /private
         /data
         /web (URL access can only read files from this folder on down, so the 2 folders above are private)

     Create include files in /private where they cannot be read by the browser but can include them with:

         require('../private/myIncludeFile.php');

     The data goes in /data which needs world rw access and can be opened like this (example from w3schools):

         <?php
         $myfile = fopen("../data/webdictionary.txt", "r") or die("Unable to open file!");
         echo fread($myfile,filesize("../data/webdictionary.txt"));
         fclose($myfile);
         ?>

     So the calling file within /web calls the include file in /private which reads the text file in /data.

     I tried getting the include file to run directly from the browser (not through the /web calling script) and it could not find the file. Also, I tried getting the text file from the /data text file directly from the browser and it couldn't find the file. This is what I expected to happen because only public files under the /web folder are accessible via a url.

     This means the folder structure makes the /web folder files safe against users who might try to gain access to /web files using uploads to /data files - hackers aside.
  3. So, should the 'not permitted to write' of 'group' and 'other' of a folder or file prevent anything being written to that folder or file except by the owner/user(7)? Or do I misunderstand?
  4. Ah! I'm too fast with checking once I create the folders. I just checked a new folder 10 minutes ago, and it did not show permissions. Yet now it does; 755. I guess the server's on valerian
  5. Strange. I just checked the properties of the uploads folder that I created 7 hours ago, and it now shows permissions and they are 755, with the user and group having the same id. To see if PHP (being subject to other) could upload the image file, I ran the upload test script again and it succeeded. Should the 'no permission to write' of group and other not prevent anything being written to that folder's files except by the owner/user (being 7)? Or do I misunderstand?
  6. I notice that the uploads directory does not show permissions, whereas all directories that I have created above it do show permissions. Those that were created by the host do not have permissions. Is all this normal?
  7. The permissions are 644. From the image file properties, the user (owner) and group have the same id.
  8. Yes, the default permissions are as you say. Here's my app structure: Scripts in PHP/MySql send text/images/videos/audios to the client and take form input from my users and write the data to DB; I send data back to them in the form of a report; The users may upload text/images/videos/audios if they wish, which I would then put in files with data about the files put into DB; The scripts then send back these files on request by the user. Given that security is important with this app, do I need to change permissions anywhere with this environment?
  9. FYI, the folder that my index.php file defaults to has permissions 775, and the index.php has permissions 644.
  10. Thanks requinix. Yes, it's shared hosting. My app is high security, so I thought I'd need to handle folder and file permissions. So I take it that even though I can change permissions that I shouldn't?
  11. I do not have direct access to the server since I'm a developer using PHP/MySql on a remote shared server that uses Linux/Apache. I have read that it's important for security of my web site to have the permissions on the folders and files set properly. I can change them using my ftp.

      I am the developer. I have a number of testers who run the web app from their browsers (that accesses data files and PHP scripts and reads/writes with a db server). After testing, the app would be available to the general public on their browsers who would have the same access needs as the testers.

      1. In the above context: Does 'read' mean reading the scripts or data files or both? Does 'write' mean taking user input and changing the data file or db content? And what does 'execute' mean regarding scripts and data files if not to 'run' the scripts?

      2. How do I let the server know which users are User/Owner users, which are Group users and which are Other users, in order for the server to apply the appropriate User/Owner, Group and Other permissions when these users call the web pages from their browser?

      (I understand the 421 read/write/execute *structure* since it's all over the internet through google searches).
  12. I made a silly error! My humble and profuse apologies guys. I was so used to entering the password on the keyboard (hundreds of times .. you know how that works) that I didn't even check the keys on the nexuses: 12 instead of qw .. :|
  13. I’ve got a well proven php-mysqli website that works perfectly on desktops. It requests the email and password on the login page, taking that data and inspecting it before processing further. I’ve designed the presentation using CSS to be responsive and it’s working well, except for .. .. when I used it on my Nexus 4 and 7 the web site appeared. I touched the menu item ‘login’ and I entered both the correct email and password. However, the application bounced back as it should if either the email or password was wrong. So I inserted PHP scripting and confirmed that the site was receiving the correct email but a wrong password. The logic is 100% proven and the data entry correct. Is there something with the google nexus (and smartphones in general) that disallows web site passwords until some parameter is set? I'm hoping a responsive website developer accommodating nexus 4 or 7 can assist here.
  14. I implemented google's reCAPTCHA V2 on http:// on the remote apache shared server and it worked 100%. I then changed the protocol to my shared server SSL using the same PHP script as the non-SSL script. The older version of reCaptcha had an SSL 'false' to 'true' SSL parameter, whereas I can't find one for V2.

      I had to use htaccess to redirect the example.com to the shared SSL server https://serverid.net/example/ which works perfectly without reCAPTCHA. I incorporated reCAPTCHA V2 and the error message where the reCAPTCHA image should be shows "ERROR: Invalid domain for site key".

      Here's the htaccess:

          RewriteEngine On
          RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
          RewriteCond %{SERVER_PORT} 80
          RewriteRule ^(.*)$ https://servername.net/example/$1 [R,L]

      And the recaptchalib.php code in case that helps: https://github.com/google/ReCAPTCHA/blob/master/php/recaptchalib.php

      Anyone know how to make this work? (If this is not the right forum for this, please direct me to the appropriate one. Thx)
  15. Solution:

          if (trim($answers [success]) == true)

      should be:

          if (trim($answers ['success']) == true)
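
For the permission questions in posts 3, 5 and 11 above, an added example (not code from the thread or from the host): a PHP check of which permission class the running script falls into for a path, and what that class's digit allows. `permission_class()` and the temporary directory are hypothetical, and the POSIX extension is assumed to be available.

```php
<?php
// Added example, not code from the thread. permission_class() is a
// hypothetical helper; it needs PHP's POSIX extension (Linux hosts).

// Report which permission class the current PHP process falls into for
// $path and what that class's digit allows (4 = read, 2 = write, 1 = execute).
function permission_class(string $path): array
{
    clearstatcache(true, $path);
    $mode = fileperms($path) & 0777;       // keep only the rwx bits
    $euid = posix_geteuid();               // user PHP is really running as
    $gids = array_merge([posix_getegid()], posix_getgroups() ?: []);

    // Exactly one class is consulted: owner first, then group, then other.
    // (Root, uid 0, bypasses these checks and is not modelled here.)
    if ($euid === fileowner($path)) {
        $class = 'owner';
        $digit = ($mode >> 6) & 7;
    } elseif (in_array(filegroup($path), $gids, true)) {
        $class = 'group';
        $digit = ($mode >> 3) & 7;
    } else {
        $class = 'other';
        $digit = $mode & 7;
    }

    return [
        'mode'    => sprintf('%03o', $mode),
        'class'   => $class,
        'read'    => (bool) ($digit & 4),
        'write'   => (bool) ($digit & 2),
        'execute' => (bool) ($digit & 1),
    ];
}

// Constructed demo: a throwaway directory set to 755, the mode from the posts.
$dir = sys_get_temp_dir() . '/perm_demo_' . getmypid();
mkdir($dir);
chmod($dir, 0755);                         // explicit, since mkdir() is subject to umask
$r = permission_class($dir);
printf("mode=%s class=%s write=%s\n", $r['mode'], $r['class'], $r['write'] ? 'yes' : 'no');
rmdir($dir);
```

Pointed at an uploads folder from a script under /web, a result of `class=owner` with `write=yes` means PHP runs as the account owner, so the group and other digits of 755 never come into play for that script. On a directory the execute bit means permission to enter it, not to run anything.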