wdvlTalk Roundup August 2002 Page 29
September 3, 2002
My current site is constructed as
root
root/connections
root/books
with connections holding the db connection inc files for the PHP
scripts, and books holding all the scripts and image directories etc.
I would like to prevent the connections directory from being
downloaded/accessed for obvious reasons.
It seems I can prevent access by http:// via my hosting service
passwording the directory but this doesn't seem to protect against
website nabber programs such as black widow and the rest (or does
it?). Some guidance would be much appreciated. Should I construct the
site layout differently perhaps? Maybe put the connection directory
in its own subdomain?
- There are two good ways to handle this - either will do, but I'd use both if
you can (belt and braces):
1. Make sure all your scripts that contain connection settings and whatnot
end in .php, so they get processed instead of output - this way, even if
someone calls the script directly, all that happens is they get a blank
page.
2. Reconstruct your site a bit. It should look something like this:
/
/cgi-bin
/logs
/public_html
/public_html/connections
/public_html/books
If you move the connections folder outside the public tree, then no-one can
request your connection stuff via HTTP (but you can still include it).
/
/cgi-bin
/includes
/includes/connections
/includes/any-other-sensitive-stuff
/logs
/public_html
/public_html/books
-
The simplest way to do it: name your files db_connections.inc.PHP.
Then these files will be parsed by the server, and since they don't
generate any output (or do they?) the user will be presented with a blank
page. If they do generate output, all vars will be hidden.
If you use .ini files to store connection information then add a
comment line in the beginning and add a SQL extension to it, so the file looks like this:
;// Connection configuration file.
; <?php die(); ?>
[MySQL]
database = ... etc
parse_ini_file will skip the comment line, and if the file is called
directly it will show only the text that came before the call to
die();
Of course you can .htaccess-protect the directory, but then you definitely
need to rearrange the directory structure, because all directories inside
an .htaccess-protected dir will be protected as well.
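Putting the two replies together, here is an added example (not code from the thread or from wdvlTalk) of a PHP script in public_html/books that loads its connection settings from an .ini file kept in /includes/connections outside the web root, guarded by the die() comment line, and that refuses to load a config file sitting under the document root. The paths, file names, the .ini contents and the PDO connection are all assumptions.

```php
<?php
/*
 * Added example, not code from the wdvlTalk thread. Assumed layout:
 *   /home/site/includes/connections/db.ini  (outside the web root)
 *   /home/site/public_html/books/list.php   (this script)
 * Assumed db.ini, with the guard line from the second reply (parse_ini_file
 * skips ';' comments; if the file were ever served as PHP, die() runs first):
 *   ;// Connection configuration file.
 *   ; <?php die(); ?>
 *   [MySQL]
 *   host = localhost
 *   database = books
 *   user = books_ro
 *   password = "PLACEHOLDER-CHANGE-ME"
 */
declare(strict_types=1);

// Load the [MySQL] section from an .ini file that must sit outside the
// document root; a web-reachable path fails loudly instead of staying downloadable.
function loadDbConfig(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Anything under the document root can be requested over HTTP.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        throw new RuntimeException("Refusing web-reachable config: $real");
    }
    $ini = parse_ini_file($real, true);
    if ($ini === false || !isset($ini['MySQL'])) {
        throw new RuntimeException('Malformed config: no [MySQL] section');
    }
    foreach (['host', 'database', 'user', 'password'] as $key) {
        if (!array_key_exists($key, $ini['MySQL'])) {
            throw new RuntimeException("Config is missing MySQL.$key");
        }
    }
    return $ini['MySQL'];
}
// The path is derived from this script's own location, never from request input.
$cfg = loadDbConfig(__DIR__ . '/../../includes/connections/db.ini',
                    $_SERVER['DOCUMENT_ROOT']);
$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['database']),
    $cfg['user'], $cfg['password'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

Because the check uses realpath on both sides, a symlink or a "../" in the path cannot sneak a file that really lives under public_html past it.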
Does anyone have a CGI mail script handy please?