
Security question

Status
Not open for further replies.

litton1

Technical User
Apr 21, 2005
584
GB
If spiders such as Googlebot can search a database, e.g. such as this one at Tek-Tips, even though a password is obviously needed but the password has to be included in a script somewhere, how do I prevent spammers from reading the database? I have my include files away from the web root; what else do I do? I have to include the password, otherwise there can be no access to the database.

Binary Intelligence, true or false?
 
That would depend on how you have things set up.

If you require authentication, and a valid session on all pages pertaining to the data you wish to "hide", that should do what you need.

Other than that I'd set up your firewall to deny all connection requests from "non" local IPs.

This will prevent someone running their scripts against your databases.
 
Hi thanks for replying,
Code:
If you require authentication,
Do you mean database authentication? If yes, then all scripts require that. There is no way into the database without a password! Only scripts that run on the web server are allowed access to the database server/machine.

Code:
Other than that I'd setup your firewall to deny all connection requests from "non" local IP's
Wouldn’t that block the website from being viewed in the public domain? Perhaps I misunderstand you.

I cannot use sessions as the user hasn’t logged in at the point they are asked for their email address.

I can block the area off with the use of the spider file, but this only takes into account computers that use it.

My point is that if I search Google I can get a list of files/posts that are stored in a database; let us call them forum results or posts. So how do we stop email being viewed? I cannot search Google for emails because it doesn’t store them, as they are not output to the web page, but what about if another program was used that didn’t care what the output was? Hope that is clearer.

Binary Intelligence, true or false?
 
Perhaps it would help if you tell me what it is you are doing, working on etc.

1. By Authentication I mean (a user or visitor must provide authentication by login/password to gain access to content)

2. [Wouldn’t that block the website from being viewed in the public domain]

NO, not if they are hosted domains. Since they are hosted, they would be local to the server and as such permitted to access your DBMS *assuming your firewall(s) is/are configured properly.

The reason you're able to view content via Google is because there is no restriction on the result sites to view content (as with Tek-Tips); the only restrictions are to post replies.

However, if there are restrictions in place preventing viewing content, then even Google would fail since it would not be authenticated to view said content.

Does that make sense?
 
I see what you are saying; you are saying that if I have an area that is only allowable by logging in, then this will prevent Google from accessing that part because of the PHP code that is in place. Therefore, to run the email part of this page and get access to the email table, the user/program would have to be logged in. Yes? I am doing a forum; although it is different to Tek-Tips, the principles are the same. There is no very sensitive data such as credit card details, but even so I think that if it was my email address I wouldn’t like just anybody getting hold of it. Therefore I wanted to clarify this before going live. Thanks for your input, it is appreciated.

Binary Intelligence, true or false?
 
[you are saying that if I have an area that is only allowable by logging in, then this will prevent google from accessing that part because of the php code that is in place, therefore to run the email part of this page and get access to the email table the user/program would have to be logged in. yes?]

Correct
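
The access check confirmed in the replies above, as an added example that is not part of the original thread: a PHP page handler that refuses to query the e-mail table unless the request carries a logged-in session. The function name, table layout and sample data are assumptions, and an in-memory SQLite database stands in for the forum's real database.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for a page that shows a member's e-mail address.
// $session is what $_SESSION would hold after session_start().
function member_email_page(array $session, PDO $db, int $memberId): array
{
    // No authenticated session: a spider or script gets a 403 and the
    // query below is never executed.
    if (empty($session['user_id'])) {
        return [403, 'Login required'];
    }
    // Prepared statement: the member id is bound, never concatenated.
    $stmt = $db->prepare('SELECT email FROM members WHERE id = ?');
    $stmt->execute([$memberId]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return [404, 'No such member'];
    }
    // Escape on output so stored data cannot inject markup.
    return [200, htmlspecialchars((string) $email, ENT_QUOTES, 'UTF-8')];
}

// Constructed sample data. On a live site the connection details would come
// from an include file kept outside the web root, as the original poster does.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO members (id, email) VALUES (1, 'alice@example.org')");

// A request without a session (what a spider sends) vs. a logged-in member.
$requests = [
    'crawler'   => [],
    'logged in' => ['user_id' => 42],
];
foreach ($requests as $who => $session) {
    [$status, $body] = member_email_page($session, $db, 1);
    printf("%-10s -> %d %s\n", $who, $status, $body);
}
```

In a real page the handler would be called with `$_SESSION` after `session_start()`, and the returned status passed to `http_response_code()`.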
 