bombusbee.com
Forcing Users Through index.php

November 27, 2001

::: Introduction :::
One of the basic concepts of Fusebox is that the users' requests to the server are always routed through a single file. Most commonly that file is index.php or whatever the default file happens to be.

Another of the basic concepts in Fusebox is that the coder can put very little code in a file and include it within the switch block, making fuses that are very modular and easy to reuse. These fuses are usually separated into functional groupings with a prefix: qry_ is for a file that queries or otherwise interacts with the database, act_ is for a file that performs business logic or other action on data, and dsp_ is for a file that displays content to the user. Fusebox 3.0 has also introduced the fbx_ prefix, which designates a file that is essential to the core of Fusebox.

Now that some of those standards are established and people are using them in a vast variety of sites, it makes sense that once a person figured out the system, they could guess what your files are named and try to view them independently of the rest of the application. For example, say a user figures out that you have a file called qry_getCreditCardNumbers.php. I'm not sure why you would have such a fuse, but for argument's sake, I'm pretty sure you would not want that "out there". Perhaps a better example is fbx_Settings.php: this is where you would typically set server passwords for your database or LDAP server or something of the like.
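To measure that exposure in your own application, here is an added example (not code from the original article): a short Python audit that lists every PHP file under a document root other than index.php and labels it by the Fusebox prefix it carries, since each one is a URL a visitor could guess. The sample tree and its file names, apart from fbx_Settings.php, are constructed for illustration.

```python
import os
import tempfile

# Fusebox prefixes named in the article and what each kind of fuse holds.
FUSE_PREFIXES = {
    "fbx_": "core/settings",
    "qry_": "database query",
    "act_": "business logic",
    "dsp_": "display",
}
FRONT_CONTROLLER = "index.php"  # the only file users should request


def audit_docroot(docroot):
    """Return (relative_path, kind) for every PHP file under docroot that
    is not the front controller, i.e. every file a browser could request
    directly unless the server or the file itself refuses."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(folder, name), docroot)
            if rel == FRONT_CONTROLLER:
                continue
            kind = next((k for p, k in FUSE_PREFIXES.items()
                         if name.lower().startswith(p)), "other include")
            findings.append((rel.replace(os.sep, "/"), kind))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample application tree (file names are illustrative)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "users"))
    for rel in ("index.php", "fbx_Settings.php", "users/qry_getUser.php",
                "users/dsp_userForm.php", "users/act_saveUser.php",
                "style.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php /* constructed sample */ ?>")
    return root


if __name__ == "__main__":
    for path, kind in audit_docroot(build_sample_tree()):
        print(f"{path:28} {kind}")
```

Every path the audit returns is a candidate for direct requests; the fbx_ and qry_ entries are the ones to check first.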

So the question remains: how do we make sure users do not have access to those files, or really any file except the "Fusebox" — index.php?



© 2000-2008 bombusbee.com, all rights reserved

