phpLens manual: Security
Security
You can configure security with the following properties:

password
    Password protect phpLens dynamic editing.

bannedTags
    If phpLens is configured to support HTML text (with the htmlLens property), you can ban certain tags. The list of banned tags (expressed as a regular expression) is set with this property. The default list bans all scripting, table, frame, div and object tags.

dynEdit
    For stronger security, you can disable phpLens dynamic editing completely by setting this property to 0 or false.

securityCheckReferer
    To ensure that the user who is modifying a record is not posting from an unauthorised Web server, the Referer header sent with the save request is checked against the host server. Note that the Referer is supplied by the client and can be omitted or forged, so treat this as a guard against casual cross-site posting rather than as a substitute for password protection or for disabling dynamic editing.

securityEditSeq
    To keep track of the order of updates, a sequence number is stored for every New or Edit record, so a session cannot save a record from a stale New or Edit form. This also enables checksumming of the editable fields, so that someone modifying the Web page cannot gain access to a field they are not authorised to edit.

md5Input
    Fingerprints the set of editable fields with MD5, so that an attacker cannot add fields to the form without being detected. Defaults to true.
Field Sanitization
Form fields are sanitized before processing by escaping all < characters, and also single and double quotes, so intruders cannot turn the following SQL into a dangerous statement:
select * from passwordtable where user='$user'
by entering john' or 'hack' = 'hack into the input field. phpLens generates the following instead:
select * from passwordtable where user='john\' or \'hack\' = \'hack'
The whole input is now a single string literal compared against the user column. Two caveats apply: backslash escaping is MySQL quoting syntax (other databases double the quote character instead), and escaping only protects values placed inside a quoted literal. A value interpolated unquoted, such as a numeric id, has no quote for the escaping to act on and must be validated or cast to the expected type separately.
phpLens also correctly handles magic_quotes whether it is enabled or not, so input is escaped exactly once and never doubly escaped.
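The following PHP is an added example and is not phpLens code. It reproduces the quoting the manual describes using PHP's own addslashes(), shows the unquoted numeric context that quoting does not cover, and ends with a PDO prepared statement that is safe regardless of context. The database DSN, credentials and the passwordtable schema are placeholder assumptions; the attacker inputs are constructed.

```php
<?php
// Added example, not phpLens code. It reproduces the quoting the manual describes
// with PHP's own addslashes(), shows the context the quoting does not cover, and
// ends with a prepared statement that is safe regardless of context.
// Assumed: a MySQL database reachable through the PDO DSN below (placeholder values).

declare(strict_types=1);

// Undo magic_quotes_gpc if the runtime already backslashed the input (PHP < 7.4 only),
// so the value is escaped exactly once rather than twice.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for use inside a single- or double-quoted SQL string literal.
// addslashes() backslashes ' " \ and NUL, which is the MySQL quoting shown in the manual;
// with a live connection use mysqli_real_escape_string(), which is charset-aware.
function escapeForSqlLiteral(string $value): string
{
    return addslashes($value);
}

// Escape for output inside HTML, covering the '<' case the manual mentions.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker input from the manual.
$user = rawInput("john' or 'hack' = 'hack");

$vulnerable = "select * from passwordtable where user='$user'";
// select * from passwordtable where user='john' or 'hack' = 'hack'   (always true)

$escaped = "select * from passwordtable where user='" . escapeForSqlLiteral($user) . "'";
// select * from passwordtable where user='john\' or \'hack\' = \'hack'  (one string literal)

// Caveat: quoting only helps when the value lands inside quotes. An unquoted numeric
// placeholder has no quote to escape, so addslashes() leaves this payload intact.
$id = rawInput('1 or 1=1');   // constructed attacker input
$stillVulnerable = 'select * from passwordtable where id=' . escapeForSqlLiteral($id);
// select * from passwordtable where id=1 or 1=1   (unchanged, still injectable)

// For numeric context, validate or cast to the expected type instead of escaping.
$safeId = (int) $id;   // 1
$fixed  = 'select * from passwordtable where id=' . $safeId;

// Context-independent alternative: let the driver bind the values.
function lookupUser(PDO $pdo, string $user, int $id): array
{
    $stmt = $pdo->prepare('select * from passwordtable where user = :user and id = :id');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // send real server-side prepared statements
]);
$rows = lookupUser($pdo, $user, $safeId);   // the attacker string is just a username value here
echo 'Matched rows: ' . count($rows) . "\n";
echo 'Safe to display: ' . escapeForHtml($user) . "\n";
```

The point of the numeric case is that escaping is a property of one output context (a quoted SQL literal); the same function gives no protection in an unquoted context, and a different escape (htmlspecialchars) is needed for HTML. Binding parameters removes the dependence on context altogether.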
Moving phpLens To A Secure Directory
Some users have asked how to make phpLens as secure as possible. What we want to do is make the js and gif files available to all web browsers, but prevent anyone from accessing any of the phpLens include files over the web.
We are assuming you are on Unix/Linux, and that the /u/htdocs directory is the root of your web site.
- First password protect your /u/htdocs/phplens directory (and all sub-directories). Consult your web server documentation if you are not sure how to do this.
- Then create an images directory (or something similar) and link the img directory into it like this:
mkdir /u/htdocs/images
cd /u/htdocs/images
ln -s /u/htdocs/phplens/img
Your web server must be configured to follow symbolic links for this to work. If you are on Windows, just copy the contents of phplens/img to the images/img directory. The images will now be accessible from /images/img/...
- Modify your /u/htdocs/phplens/config/phplens.config.inc.php file. Uncomment the following line and set it as shown:
$PHPLENS_GRAPHICS_SERVER='/images';
Make sure you do not put '/images/img' - this is wrong. Note that you can also place the images on another web server - that's why this variable is called PHPLENS_GRAPHICS_SERVER.
- If you have any images in the database that you want phpLens to display, you will need to move the file /u/htdocs/phplens/phplens-img.php to another unprotected directory, say /images/img/phplens-img.php, and set the following constant in /u/htdocs/phplens/config/phplens.config.inc.php:
define('PHPLENS_IMG_CODE','/images/img/phplens-img.php');
This file contains the code that displays the images.
- If you are using hot updates with popup lists, then the file phplens_remoteq.php must also be moved to an unprotected directory (on Unix, just create a link to the file), say /u/htdocs/phplens_remoteq.php, and its includes must be modified to point to the correct paths. Then define the following constant in /u/htdocs/phplens/config/phplens.config.inc.php:
define('PHPLENS_REMOTE_CODE','/u/htdocs/phplens_remoteq.php');
- The include files are now protected: you can create phpLens objects safely, and visitors are prevented from accessing the Grid Builder and other phpLens files they are not authorised to use. Check it by requesting one of the protected files (for example /phplens/config/phplens.config.inc.php) in a browser and confirming that the server asks for a password, while /images/img/ still serves the graphics.
This documentation system is maintained using phpLens