[SOLVED] Regarding security using php5, OO solution

[dalisra]

Hello, phpfreaks!

 

I am creating a webshop with php5, trying to do it in OOP maner, but I feel that there might be a security holes, and I need advice:

 

If I create a database class, that will take care of all inserts, updates and selects from the database. How can I prevent so that attacker won't be able to use it. I am defining a variable in my index.php file, which then I am checking upon in database.class.php file, and if it is not defined I return an error. This should prevent direct access to the database.class.php file aswell.

But what if attacker creates an index.php file on his own server, defines the right variables and includes the database.class.php file from my server? Will he then be able to use all the public methods in the database class? Is there any way to avoid that?

At the moment as long as attacker does not know what is the name of this variable or what is supposed to stand in it - it is safe, or is it?

 

I looked into Zend framework, and what they did there is put all the class files outside of public root folder (no public access). I can not do that on my server (provider does not allow it), so all the files will have a public access.

 

Any suggestions?

 

Edit: Modified the title to be more speciffic.

 

-Dal.

[Mchl]

But what if attacker creates an index.php file on his own server, defines the right variables and includes the database.class.php file from my server?

 

He will be running this script from his server, so the simplest way will be to disallow all connections to MySQL except from your IP. Not to mention, that if your server is configured properly, he will not be able to include code of your script (only parsed results).

[dalisra]

Thanks for the answer! I will look and see what configuration there is on the server.

 

-Dal