Security Problem


The track.db contains Credit card info. The directory containing the track.db file can be password protected from direct access via http, but how can the track.db file be protected from anyone guessing the name/path and invoking the smartadmin.cgi script?

-- denny ladwig (denny@desertcactus.com), December 21, 1997

Answers

Just name them both something obscure, like admin0001.cgi and trk01.db. As long as the directories don't have global read, people won't be able to get a directory listing, and therefore won't be able to see the filenames.

If you want to take it a step further, just make the base directory outside the httpd, that way no one will be able to see any of the files directly.

-- Barry Robison (brobison@rcinet.com), December 22, 1997.
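The second suggestion in the answer above, keeping the data directory outside the web server's document root, is the one that actually prevents a guessed filename from being served; an obscure name only raises the guessing cost. The following audit script is an added example, not code from S-Mart or from either poster: it takes the path of a data file and the server's document root, resolves symlinks, and reports whether the file could be reached by URL (resolved path under the document root) and whether it is readable by every local account (world-readable mode bit). The `demo()` layout, file names and paths are constructed for illustration.

```python
import os
import stat
import tempfile


def resolve(path):
    # realpath follows symlinks, so a link placed inside the document root that
    # points at a file kept outside it is still treated as served content.
    return os.path.realpath(path)


def is_inside_docroot(path, docroot):
    """True if the resolved file path lies under the resolved document root."""
    p, d = resolve(path), resolve(docroot)
    try:
        return os.path.commonpath([p, d]) == d
    except ValueError:  # paths on different drives (Windows): cannot be under docroot
        return False


def is_world_readable(path):
    """True if the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_datafile(path, docroot):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if is_inside_docroot(path, docroot):
        findings.append("inside document root: reachable by URL if the name is guessed")
    if is_world_readable(path):
        findings.append("world-readable: every local account, not just the server, can read it")
    return findings


def demo():
    """Constructed layout in a temp dir: one db under the docroot, one outside it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")          # assumed document root
    os.makedirs(os.path.join(docroot, "cgi-bin"))
    inside = os.path.join(docroot, "cgi-bin", "track.db")   # the weak layout
    outside = os.path.join(base, "private", "track.db")     # the recommended one
    os.makedirs(os.path.dirname(outside))
    for f in (inside, outside):
        with open(f, "w") as fh:
            fh.write("constructed sample record\n")
    os.chmod(inside, 0o644)   # world-readable and under docroot: two findings
    os.chmod(outside, 0o600)  # owner-only and outside docroot: no findings
    return audit_datafile(inside, docroot), audit_datafile(outside, docroot)


if __name__ == "__main__":
    bad, good = demo()
    print("inside docroot :", bad)
    print("outside docroot:", good)
```

Run it against the real paths on the server (for example `audit_datafile("/home/site/data/track.db", "/home/site/htdocs")`) after moving the file; a clean result means the web server cannot hand the file out by URL regardless of what name it has, and the CGI script still reaches it through the filesystem path configured in the script.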

