Protection against hacks
This is about protection, not how to hack!
Injecting PHP code into an image file.
With MVC, we can easily restrict direct access to any PHP script.
Images and other resources are accessed via their URL, but a PHP script
never needs to be reachable directly by URL.
The session hijacking attack compromises the session token by stealing or predicting
a valid session token in order to gain unauthorized access to the web server.
The session token could be compromised in different ways; the most common are:
- Store uploaded image files outside the public html area
A small front-controller redirection works here. If you have a list of scripts,
give each one a token label and always load the same entry script,
passing that label to a switch statement that knows the real paths.
Biscuits: considerations for reducing load
- Guest access controls
- Possibly hash the directory listings to avoid disk I/O
- Turn off the Biscuits logs
- Direct access to a PHP file via URL should fail.
Direct access to this PHP script itself should be disallowed.
- Profile image upload should validate images for embedded scripts.
An image that contains script should be blocked.
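The two checks above (blocking direct URL access to a script, and validating profile images so an image carrying embedded PHP is rejected and the stored copy lives outside the public html area) as one added PHP example; this is not the page's own code, and the APP_ENTRY constant, the PRIVATE_UPLOAD_DIR path and the function names are assumptions:

```php
<?php
// Added example, not the page's own code. Assumes an MVC front controller that
// defines APP_ENTRY before including any script, and a private upload directory
// outside the public html area (both hypothetical names).

// Direct access to this script via its URL should fail: only the front
// controller, which defines APP_ENTRY, may include it.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

const PRIVATE_UPLOAD_DIR = '/var/app/private/uploads'; // not under the web root

// Validate an uploaded profile image and store a re-encoded copy.
// Returns the server-chosen file name, or null when the upload is rejected.
function storeProfileImage(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $bytes = (string) file_get_contents($file['tmp_name']);
    // Decide by content, never by the extension or the client-supplied type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        return null;
    }
    // Block images that carry PHP tags anywhere (EXIF comments, trailing bytes).
    if (preg_match('/<\?(php|=)?/i', $bytes)) {
        return null;
    }
    // Re-encode through GD so only pixel data survives; metadata is dropped.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.png'; // no user input in the path
    $ok = imagepng($img, PRIVATE_UPLOAD_DIR . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Serve a stored image through the controller instead of a direct URL.
function serveProfileImage(string $name): void
{
    $path = PRIVATE_UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[a-f0-9]{32}\.png$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The re-encode through GD is the control that actually strips a payload; the tag search is only an early reject, and the web server must additionally be configured not to execute anything under the upload directory.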