Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » RADICORE development » Framework » OWASP standards vs. Radicore Framework
Re: OWASP standards vs. Radicore Framework [message #122 is a reply to message #121] Thu, 29 June 2006 12:09 Go to previous messageGo to previous message
andy is currently offline  andy
Messages: 7
Registered: June 2006
Location: Reno, NV, USA
Junior Member
Hey Tony,

you are on top things, that was one fast reply Surprised

I am onboard with using extensions to differentiate file usage, it makes sense to me. However, my employer (as a company) is security paranoid (obsessed, maybe).

Your instructions do clearly layout the usage of non-web path placement of the includes folder.

But nonetheless, one must consider the programmers daily battle against the "idiot factor". Even that the idiot may be the next developer, who may not configure a server correctly.

I don't quite get this point,

Even if these instructions were to be ignored there should be no security issues as all the critical .inc files are held in a directory which is outside the web root and are therefore totally inaccessible even if Apache were to be mis-configured.

... when I did a simply unzip and drop into my web root, the "includes/config.inc" is readily viewable. The only thing stopping a text display of the is the .htaccess setttings.

IF (the bit about .inc files is omitted)you_have == trouble;

Don't get me wrong, I'm not trying to bash. I'm a fan of your work, have been for some years now. Just seems to me that by using the .php extensions, with entry point checks (not to get off on a tangent) one could have a framework that is secure regardless of server configurations.

 
Read Message
Read Message
Read Message
Read Message
Previous Topic: metadata vs. business logic
Next Topic: Framework Version
Goto Forum:
  


Current Time: Sun Nov 24 14:09:53 EST 2024

Total time taken to generate the page: 0.00935 seconds