status on Homepage

hi ng.

I want to integrate a status on my (business) Homepage

It should look like:

Right now we're in the shop
... are closed.

(.. we have different working hours between saison)


the status is in a text-file status.txt
1 or 0

I will change the status like:
http://www..../status/changestatus.php?on
http://www..../status/changestatus.php?off

is there a security-issue because i have to set the status file writeable

how can i prevent someone else changing it


thanks

Armin Horner

Re: status on Homepage

> I will change the status like:
> http://www..../status/changestatus.php?on
> http://www..../status/changestatus.php?off
>
> is there a security-issue because i have to set the status file writeable
>
> how can i prevent someone else changing it

By password-protecting the status directory, if if not also used to
query the status. You usually do this in the webserver.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/

Re: status on Homepage

> I want to integrate a status on my (business) Homepage
Then - honestly - you should consider giving this task to someone who knows
what he does.

Re: status on Homepage

Armin Horner wrote:

> hi ng.
>
> I want to integrate a status on my (business) Homepage
>
> It should look like:
>
> Right now we're in the shop
> .. are closed.
>
> (.. we have different working hours between saison)
>
>
> the status is in a text-file status.txt
> 1 or 0
>
> I will change the status like:
> http://www..../status/changestatus.php?on
> http://www..../status/changestatus.php?off
>
> is there a security-issue because i have to set the status file
> writeable
>
> how can i prevent someone else changing it

First of all, make sure the status.txt file is in a directory that's
inaccessible from the web (ie. only accessible via your scripts),
preferably one step below the webroot, although not required.

On all my PHP projects, I create a seperate directory called "inc" in
the webroot (or the root directory of my project). If Apache is used, I
place a .htaccess file containing the keyword "deny from all" in it.
Or, if IIS is used (which has happened on a rare occasion), I make sure
all outside access is denied for this directory from the IIS manager.
That way, I protect my code (as well as the base configuration) from
being exposed and/or accessed directly.

Second, make sure your changestatus.php script ONLY reacts to the "on"
or "off" keywords. Or any other keyword you'd like to use instead (such
as "open" or "closed").

Further, to avoid someone outside your organization from setting the
status (such as opening the URL and making it look like you're closed
when you're open for business or vice-versa), you should place this
script under some sort of password protection (either via your CMS or
via a simple basic authentication method).

--
Kim André Akerø
- kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)

Re: status on Homepage

Kim André Akerø schrieb:
>
> First of all, make sure the status.txt file is in a directory that's
> inaccessible from the web (ie. only accessible via your scripts),
> preferably one step below the webroot, although not required.
... it is, ok.

>
> On all my PHP projects, I create a seperate directory called "inc" in
> the webroot (or the root directory of my project). If Apache is used, I
> place a .htaccess file containing the keyword "deny from all" in it.
... i'll use htaccess

> Or, if IIS is used (which has happened on a rare occasion), I make sure
> all outside access is denied for this directory from the IIS manager.
> That way, I protect my code (as well as the base configuration) from
> being exposed and/or accessed directly.
>
> Second, make sure your changestatus.php script ONLY reacts to the "on"
> or "off" keywords. Or any other keyword you'd like to use instead (such
> as "open" or "closed").
>
> Further, to avoid someone outside your organization from setting the
> status (such as opening the URL and making it look like you're closed
> when you're open for business or vice-versa), you should place this
> script under some sort of password protection (either via your CMS or
> via a simple basic authentication method).
>

i'll protect it with a weird name and keywords so nobody switches on and
off.

thanks for help
(.. been a long time ago since i last used php so this is very helpful)

Armin

Re: status on Homepage

Armin Horner wrote:
> Kim André Akerø schrieb:
>>
>> First of all, make sure the status.txt file is in a directory that's
>> inaccessible from the web (ie. only accessible via your scripts),
>> preferably one step below the webroot, although not required.
> .. it is, ok.
>
>>
>> On all my PHP projects, I create a seperate directory called "inc" in
>> the webroot (or the root directory of my project). If Apache is used, I
>> place a .htaccess file containing the keyword "deny from all" in it.
> .. i'll use htaccess
>
>> Or, if IIS is used (which has happened on a rare occasion), I make sure
>> all outside access is denied for this directory from the IIS manager.
>> That way, I protect my code (as well as the base configuration) from
>> being exposed and/or accessed directly.
>>
>> Second, make sure your changestatus.php script ONLY reacts to the "on"
>> or "off" keywords. Or any other keyword you'd like to use instead (such
>> as "open" or "closed").
>>
>> Further, to avoid someone outside your organization from setting the
>> status (such as opening the URL and making it look like you're closed
>> when you're open for business or vice-versa), you should place this
>> script under some sort of password protection (either via your CMS or
>> via a simple basic authentication method).
>>
>
> i'll protect it with a weird name and keywords so nobody switches on and
> off.
>
> thanks for help
> (.. been a long time ago since i last used php so this is very helpful)
>
> Armin
>

Armin,

Don't. Obfustication is not security! It's only the illusion of security.

Follow the suggestions others gave you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
=================

Re: status on Homepage

Jerry Stuckle schrieb:
>>
>> i'll protect it with a weird name and keywords so nobody switches on
>> and off.
>>
>> thanks for help
>> (.. been a long time ago since i last used php so this is very helpful)
>>
>> Armin
>>
>
> Armin,
>
> Don't. Obfustication is not security! It's only the illusion of security.
>
> Follow the suggestions others gave you.
>

your true!

i will use a password-form if it is a problem
(someone switches)

thanks

Armin