Bibliographic Information
Professional LAMP: Linux®, Apache, MySQL®, and PHP5 Web Development
7.1. Controlling Access
7.1.1. Apache-Controlled Authentication
Using a combination of .htaccess and password files, you can quickly restrict access to any given website folder. This approach has many advantages.
Primarily, it is extremely easy to implement. Coming standard with the default installation of Apache, simple per-directory Basic Authentication can easily be set up using either .htaccess or
What is the downside to using the built-in Apache authentication? It can be a hassle to maintain a complex hierarchy of restricted folders and users. If you have a large number of users or groups, and a fair number of protected directories, it can quickly become a nightmare to ensure the proper users are in the proper groups, with access to the proper resources, with current passwords, and so on.
As an alternative to simple file-based authentication with Apache, you can also use the mod_auth_mysql Apache module. Using mod_auth_mysql centralizes your username/password storage in a database, and lets you match on more complex permission criteria than the plain username match of standard Apache Basic Authentication.
Like simple authentication with Apache, mod_auth_mysql relies on access rights specified in .htaccess files or a
7.1.2. PHP-Controlled Authentication
If Apache-controlled authentication is out of the question, you can use PHP to emulate standard Basic Authentication. By sending the proper response headers (a 401 status together with a WWW-Authenticate: Basic header) and checking the right server variables (PHP_AUTH_USER and PHP_AUTH_PW, which mod_php fills in from the browser's Authorization header), you can build your own Basic Authentication system from scratch, and it can be just as flexible as mod_auth_mysql, if not more.
To show how you can use PHP for basic authentication, you're going to set up a simple database to use as your repository for user credentials. PHP will then check the usernames and passwords against that database; all the end-user will see is the standard Basic Authentication prompt.
7.1.2.1. Creating the Authentication Database
Start by creating a database in MySQL called WebAuth:
Next, create a MySQL login for the authentication system, and give it read-only access to the database you just created:
Now, set up the table to hold the usernames and passwords. In this example, the table stores just the username and hashes of the password, but you could easily add extra fields for any other access criteria you want.
Notice that instead of creating a field that stores the user's password as raw text, you create fields that store one-way hashes of the password. The value entered at the password prompt can still be hashed and compared against the stored value, but anyone who obtains a copy of the database does not get the passwords themselves.
To combat the collision attacks seen with MD5, the book's Users table holds both an MD5 and a SHA1 hash of the password, the idea being that even if an intruder finds an input string matching the MD5 hash, it will not also match the SHA1 hash unless it is the real password.
A caveat a practitioner should keep in mind: collisions are not the attack that matters for a stolen password table. The attacker does not need a second input with the same hash, they need the one real input, and MD5 and SHA1 are both fast and, as used here, unsalted, so billions of guesses per second and precomputed tables apply equally to both columns. Storing two fast hashes does not slow that down. The modern replacement is PHP's password_hash() and password_verify() (PHP 5.5 and later), which use a salted, deliberately slow algorithm (bcrypt by default) and store salt, cost and hash in one column.
To make the database useful to the authentication script, you need to add at least one user:
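The whole procedure above, as an added example that is not the book's code: a PHP page that emulates Apache Basic Authentication and checks the supplied credentials against a Users table. It runs stand-alone against an in-memory SQLite table so there is nothing to install; for the book's setup you would open the WebAuth database with the read-only MySQL login created earlier instead. The table and column names, the sample user and the realm string are assumptions, and the table stores one password_hash() value per user rather than the MD5 and SHA1 pair described above.

```php
<?php
// Added example, not the book's code: PHP emulating Apache Basic Authentication
// and checking the credentials against a database table.
// Runs stand-alone against an in-memory SQLite table; for the book's setup use
// new PDO('mysql:host=localhost;dbname=WebAuth', $readOnlyUser, $readOnlyPass).
// Table/column names, the realm and the sample user are assumptions.

declare(strict_types=1);

function openAuthDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One salted, slow hash per user (bcrypt via password_hash) instead of an
    // unsalted MD5 + SHA1 pair.
    $db->exec('CREATE TABLE Users (
        username      VARCHAR(64)  PRIMARY KEY,
        password_hash VARCHAR(255) NOT NULL
    )');
    // Constructed sample user; the hash is generated at run time.
    $ins = $db->prepare('INSERT INTO Users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// True when $user/$pass match a stored credential. The prepared statement keeps
// the username out of the SQL text, and the dummy verify keeps the response time
// similar for unknown and known usernames (no username enumeration by timing).
function checkCredentials(PDO $db, string $user, string $pass): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $q = $db->prepare('SELECT password_hash FROM Users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    if ($hash === false) {
        password_verify($pass, $dummyHash);
        return false;
    }
    return password_verify($pass, $hash);
}

// Apache's mod_php decodes the Authorization header into PHP_AUTH_USER/PHP_AUTH_PW.
// Under CGI/FastCGI those are not set, so fall back to decoding the raw header
// (which must be passed through to PHP, e.g. by a RewriteRule with the E= flag).
function basicAuthCredentials(array $server): array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    $hdr = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') === 0) {
        $decoded = base64_decode(substr($hdr, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);   // [user, password]
        }
    }
    return ['', ''];
}

// Call at the top of any protected page; returns the username, or ends the request
// with a 401 so the browser shows the standard Basic Authentication prompt.
function requireBasicAuth(PDO $db): string
{
    [$user, $pass] = basicAuthCredentials($_SERVER);
    if ($user === '' || !checkCredentials($db, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="WebAuth"');
        http_response_code(401);
        echo 'Authentication required';
        exit;
    }
    return $user;
}

$db  = openAuthDb();
$who = requireBasicAuth($db);
echo 'Hello, ' . htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Two things to remember when deploying this: Basic Authentication sends the username and password base64-encoded (not encrypted) on every request, so the protected area must be served over HTTPS only; and if PHP runs under FastCGI rather than mod_php, Apache drops the Authorization header unless you forward it, for example with `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` in the .htaccess file.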
7.1.2.4. Other Access Restrictions
In addition to restricting access by username and password, you can also use PHP to check other properties of the request. One common check is the source IP of the user. By referencing the server variable $_SERVER['REMOTE_ADDR'], you can make sure that only certain ranges of IPs are allowed to view a resource, or conversely, you can block specific IPs. If you're creating a website for a corporate intranet, you can restrict access to internal IPs (assuming your network uses private ranges). For example, you could decide that only members of the 10.0.1.x network can view a special area of your website. Web forums and BBS sites are another common place to block individual addresses. Keep in mind that REMOTE_ADDR is the address of the TCP peer: behind a load balancer or reverse proxy it is the proxy's address, and the client's real address arrives in a header such as X-Forwarded-For, which the client itself can set, so only trust that header when it was added by a proxy you control.
Another server variable worth checking is $_SERVER['HTTP_REFERER']. This variable holds the URL of the page from which the request was made, if the client chose to send it, and it can help you filter out a certain class of web attacks. Suppose you create a simple form that saves data to a database, emails people, or does anything else that relies on valid user input. You might even have gone to great lengths to perform client-side input validation and set maximum lengths on your form fields. Unfortunately, anything you expect as input from a web client can easily be altered using an external form. An attacker can copy your form's HTML markup and modify it to suit their needs, whether for information gathering, cross-site scripting, SQL injection, or anything else.
All they need to do is make a copy of the form that submits improper data to your site, host it on their own machine, and point it at your form handler by using an absolute URL as the form's action. This kind of attack is especially harmful when hidden form fields are trusted, and when register_globals is enabled in php.ini (an option removed in PHP 5.4 precisely because of problems like this).
By checking the HTTP_REFERER value, you can turn away a large share of these spoofed-form submissions, as long as you verify that the request came from a page actually on your website. Treat this as a speed bump rather than a wall: the Referer is supplied by the client, so anyone scripting a request with curl or a proxy can set it to whatever they like, and many browsers, proxies and privacy settings omit it entirely, which locks out legitimate users. Server-side validation of every input and a per-form CSRF token are the real defences; the Referer check only supplements them.
The book's code first checks the referring page, to make sure it came from localhost or the expected domain (assuming you've changed it to match your own domain), and then checks the user's IP address to make sure it comes from an internal/private IP range.
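The two checks just described, written as an added example rather than the book's listing, with a few constructed requests run through them at the bottom. The allowed host names and the private ranges are assumptions. The Referer check compares the parsed host name exactly instead of looking for a substring, because a substring match on your domain would also accept a look-alike such as www.example.com.attacker.example, as the last test case shows.

```php
<?php
// Added example, not the book's code: gate a form handler on the Referer host and
// on the client's IP address lying in a private range. Host names, ranges and the
// sample requests below are assumptions / constructed input.

declare(strict_types=1);

// True when the IPv4 address $ip lies inside $cidr, e.g. ipInCidr('10.0.1.25', '10.0.1.0/24').
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                      // not a dotted-quad IPv4 address
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// RFC 1918 ranges plus loopback; narrow this to e.g. ['10.0.1.0/24'] for one subnet.
function isPrivateIp(string $ip): bool
{
    foreach (['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'] as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// True when the Referer's host is exactly one of ours. A missing Referer is
// rejected: that is the weakness noted above, since browsers, proxies and privacy
// settings often strip it, and a scripted request can forge it anyway.
function refererIsLocal(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    return in_array(strtolower($host), array_map('strtolower', $allowedHosts), true);
}

// The gate a form handler would call with $_SERVER; split out so it is testable.
function requestAllowed(array $server, array $allowedHosts): bool
{
    return refererIsLocal($server['HTTP_REFERER'] ?? null, $allowedHosts)
        && isPrivateIp($server['REMOTE_ADDR'] ?? '');
}

// Constructed sample requests for a stand-alone run.
$allowed = ['localhost', 'www.example.com'];
$cases = [
    ['HTTP_REFERER' => 'http://www.example.com/form.php',           'REMOTE_ADDR' => '10.0.1.25'],   // allowed
    ['HTTP_REFERER' => 'http://www.example.com/form.php',           'REMOTE_ADDR' => '203.0.113.9'], // public IP: blocked
    ['HTTP_REFERER' => 'http://attacker.example/copy-of-form.html', 'REMOTE_ADDR' => '10.0.1.25'],   // foreign form: blocked
    ['HTTP_REFERER' => 'http://www.example.com.attacker.example/',  'REMOTE_ADDR' => '10.0.1.25'],   // look-alike host: blocked
    ['REMOTE_ADDR' => '10.0.1.25'],                                                                  // no Referer: blocked
];
foreach ($cases as $c) {
    echo str_pad($c['HTTP_REFERER'] ?? '(no Referer)', 46) . ' from ' . $c['REMOTE_ADDR']
        . ' => ' . (requestAllowed($c, $allowed) ? 'allowed' : 'blocked') . PHP_EOL;
}
```

In a real handler you would still validate every submitted field on the server and tie the form to the user's session with a CSRF token; these two checks only reduce the noise that reaches that code. If the site sits behind a reverse proxy, replace the REMOTE_ADDR lookup with the address the proxy supplies, after confirming the request really came from that proxy.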
These are notes I made after reading this book. See more book notes
Just to let you know, this page was last updated Saturday, Dec 21 24