MakeWebGames

How to protect my db


modernmafia

Personally, I make another folder outside the public directory, then stick the database files in there, and change the permissions.

However, this is not the only security you need; you also need to secure your pages, because you don't necessarily have to have access to files to execute a URL hack...

How do you go about doing this, and is anyone good at spotting loopholes, or can anyone look at the game online and suggest areas of improvement?

Link to comment
Share on other sites

Assuming a small Mccodes game, you ideally only want SELECT, INSERT, UPDATE and DELETE privileges for the game user; the lack of DROP privileges is easy enough to work around. Larger games will probably need other permission sets or multiple (mysql) users.

You can protect files easily enough by moving them outside of the document root - for example - However that in turn raises a whole host of other permission related problems and frankly I'm not overly sure what benefit there would be over a .htaccess file with a simple <Files ...>...</Files> block outside of keeping the public_html (or whatever it is called on your hosting platform) clean. (A lot of people still hide their cron jobs in long/winded/folder/names in an attempt to hide them rather than using this method - why, I've no idea)

As for spotting problem areas; decent logs help; your web server's own logs can be a start though they seldom provide sufficient information; i.e., they don't log POST parameters or X_HTTP_xxx variables, both of which are susceptible to common tricks. Knowing what is happening to you is the key to tracking down the problem itself; then understanding how the problem arose in the first case and either learning how to patch it yourself or employing somebody with the necessary skills to patch it for you.

Link to comment
Share on other sites
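
An application-level request log of the kind the post above describes, added here as an example (it is not code from the thread or from McCodes). It assumes PHP 7.2+ and that the post's "X_HTTP_xxx variables" correspond to the HTTP_X_* entries in $_SERVER; the function names, the redaction list and the sample request are hypothetical.

```php
<?php
// Added example, not McCodes code. Assumes PHP 7.2+.
// Field names whose values must never reach the log (constructed list).
const REDACT = ['password', 'pass', 'passwd', 'token'];

// Replace control characters and cap the length so a request cannot
// forge extra log lines or flood the file.
function log_clean($value): string
{
    if (is_array($value)) {
        $value = json_encode($value, JSON_INVALID_UTF8_SUBSTITUTE);
    }
    $value = preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value);
    return substr((string) $value, 0, 512);
}

// Build one JSON log line from the request data the access log omits.
function log_request(array $server, array $post, ?int $userId = null): string
{
    $params = [];
    foreach ($post as $key => $value) {
        $key = log_clean($key);
        $params[$key] = in_array(strtolower($key), REDACT, true)
            ? '[redacted]'
            : log_clean($value);
    }
    $headers = [];
    foreach ($server as $key => $value) {
        if (strncmp((string) $key, 'HTTP_X_', 7) === 0) {
            $headers[$key] = log_clean($value);
        }
    }
    return (string) json_encode([
        'time'    => gmdate('c'),
        'ip'      => $server['REMOTE_ADDR'] ?? '-',
        'user'    => $userId,
        'method'  => $server['REQUEST_METHOD'] ?? '-',
        'uri'     => log_clean($server['REQUEST_URI'] ?? '-'),
        'post'    => $params,
        'headers' => $headers,
    ], JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample request so the example runs from the CLI.
$server = ['REMOTE_ADDR' => '203.0.113.7', 'REQUEST_METHOD' => 'POST',
    'REQUEST_URI' => '/bank.php?action=deposit', 'HTTP_X_FORWARDED_FOR' => "10.0.0.1\r\nfake"];
$post = ['amount' => '100', 'password' => 'hunter2'];
echo log_request($server, $post, 42), "\n";
// In the game: append log_request($_SERVER, $_POST) . "\n" to a log file kept
// outside the document root, using file_put_contents with FILE_APPEND | LOCK_EX.
```
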

Sample of an htaccess file protection by name and extension.

This will throw up a login dialogue box for an htaccess user; if no valid user/pass is entered, then it will throw an unauthorized webpage.

    <FilesMatch "(nameofafile|someotherfile)\.php$">
    AuthName "Dialog prompt"
    AuthType Basic
    Require valid-user
    </FilesMatch>

Link to comment
Share on other sites

[OT]

Access controls provided by AuthName and AuthType directives need directives such as AuthUserFile and AuthGroupFile in order to work correctly.

And why support authentication for a file you don't need access to anyway?

    <Files ...> or <FilesMatch ...>
    Order Deny,Allow
    Deny From All
    </Files...>

would suffice, no?

Link to comment
Share on other sites
