Table of Contents

Security

You can configure security with the following properties:

password Password protect phpLens dynamic editing.
bannedTags If phpLens is configured to support HTML text (with the htmlLens property), you can ban certain tags. The list of banned tags (expressed as a regular expression) is set with this property.

All scripting, table, frame, div and object tags are banned.

dynEdit For stronger security, you can disable phpLens dynamic editing completely by setting this property to 0 or false.
securityCheckReferer To ensure that the user who is modifying a record is not using an unauthorised Web server, we check that the referer when we save is the same as the host server.
securityEditSeq To keep track of the order of updates we store a sequence number for every New or Edit record. A session cannot save a record from a stale New or Edit record.

Also enables checksuming of fields that can be edited, so no unauthorised field can be accessed by someone modifying the Web page.

md5Input MD5 fingerprints the fields that are editable, so the hacker cannot create additional fields without being detected. Defaults to true.

Field Sanitization

Form fields are sanitized before processing by properly quoting all < characters, and also single and double-quotes so intruders cannot generate dangerous SQL statements from the following sql: 
select * from passwordtable where user='$user'
by entering john' or 'hack' = 'hack into the input field. The following will be generated by phpLens: 
select * from passwordtable where user='john\' or \'hack\' = \'hack'

PhpLens also correctly handles magic-quotes, whether they are enabled or not.

Moving phpLens To A Secure Directory

Some users have asked how to make phpLens 100% secure. What we want do is to make the js and gif files available to all web browsers, but prevent anyone else from accessing any of the phpLens include files.

We are assuming you are on Unix/Linux, and the /u/htdocs directory is the root of your web site.

  1. First password protect your /u/htdocs/phplens directory (and all sub-directories). Consult your web server documentation if you are not sure how to do this.

  2. Then create a an image directory (or something similar) and link to the img directory like this: 
    mkdir /u/htdocs/images
cd /u/htdocs/images
ln -s /u/htdocs/phplens/img
    If you are on Windows, just copy the contents of phplens/img to the image/img directory. Now we want the images will be accessible from /images/img...

  3. Modify your /u/htdocs/phplens/config/phplens.config.inc.php file. Uncomment the following line and modify this: 
    $PHPLENS_GRAPHICS_SERVER='/images';
    Make sure you do not put '/images/img' - this is wrong. Note that you can place the images on another web server also - that's why this variable is called PHPLENS_GRAPHICS_SERVER.

  4. If you have any images in the database that you want phpLens to display, you will need to move the file /u/htdocs/phplens/phplens-img.php to another unprotected directory, say /images/img/phplens-img.php, and set the following constant in /u/htdocs/phplens/config/phplens.config.inc.php: 
    define('PHPLENS_IMG_CODE','/images/img/phplens-img.php');
    This file contains the code that displays the images.

  5. If you are using hot updates with popup lists, then the file phplens_remoteq.php must be moved to another directory (on Unix, just create a link to the file), say /u/htdocs/phplens_remoteq.php, and the includes must be modified to point to the correct paths. Then define the following constant in /u/htdocs/phplens/config/phplens.config.inc.php:

    define('PHPLENS_REMOTE_CODE','/u/htdocs/phplens_remoteq.php');
  6. Now the system is secure, and you can create phpLens objects safely, and prevent visitors from accessing the Grid Builder and other unauthorized phpLens files.