Thanks for the great form generator!
I've installed it successfully with a SQL database. Could someone give me a rundown on which files to delete or move to make this as secure as possible?
I've seen several mentions of an "admin" folder or a folder1.html. I do not have these files in my install included with the zip. Am I missing something?
Thanks
There are many ways to do this.
1.) All files and folders don't have to be set with 777 permissions.
2.) In some cases .php files need a minimum of 755, but newer installations only require a minimum of 644.
3.) All HTML files only need a minimum of 644, same with any graphics files.
4.) Any username or password information should be kept in the config.inc.php file in the admin folder, and the admin folder should be password protected.
5.) If you keep the form in a separate folder then you can also add an index file to the form folder.
6.) There are more programming methods for security, such as controlling which files or URLs are allowed to access the form, captcha, etc.
You have to decide what is worthwhile or required based on your own security concerns.
Thank you for your time and the quick reply.
My interest in locking down this script comes from being hacked a couple of different times. It should be very important for the people developing scripts and for users downloading random scripts off the net, so any documentation concerning locking down this or any script is vital.
1, 2, 3. My file permissions are set as described above.
4. When I generated the form I chose the database version. I extracted it and ran the setup with my current SQL info. This worked great, but I do not have an "admin" folder within my install. Like I mentioned earlier, I see this mentioned several times in the forums and in the docs on this developer's site, but never with a "how to" or what to do to make an admin folder or "portal".
As an experiment I did create an "admin" folder and moved my config.inc.php to it, but as expected it broke the form after hitting the submit button. I assume some new code is needed to reference the new path to the admin folder. Again, I haven't found any instructions on this.
5. Do you mean just an empty index.php file so bots or directory surfers just come up with a dummy page?
6. I chose the captcha during the generation of my form.
Thanks!
4.)
The references to an admin folder are related to the old generator version, which comes with an admin page to view database contents. This is not currently part of the new 3.0 version. You can create one, but you will have to follow up by changing any references to files you move there.
For instance:
in the processor.php file,
include("config.inc.php");
would change to
include("admin/config.inc.php");
5.)
FYI, as an example this link is to a folder that had no index until I added it.
6.)
This is a good security measure all by itself.
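The steps discussed above (no 777 permissions, a password-protected admin folder holding config.inc.php, the include path change in processor.php, and an index file so nobody gets a directory listing) can be applied and verified with a single script. The following is an added example written for this thread; it is not part of the form generator and not code posted by anyone above. The file names processor.php and config.inc.php come from the thread; the admin/.htaccess contents, the /var/www/private/.htpasswd path, and the throwaway sample install that make_sample_form builds are assumptions. Two caveats a practitioner would want: .htaccess rules only take effect if Apache's AllowOverride permits them (the Require syntax is Apache 2.4), and the tightest option for a credentials file is to keep it outside the web root entirely; this script keeps it under admin/ only because that is the layout the include change above assumes.

```shell
#!/bin/sh
# Added example: harden a generated form directory the way the thread describes.
# Not part of the form generator. File names processor.php and config.inc.php
# are from the thread; everything else (admin/.htaccess contents, the .htpasswd
# path, the sample tree built by make_sample_form) is an assumption.
set -eu

# Print an entry's octal permission bits (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway form install with everything world-writable (777), the bad
# state point 1 of the thread warns about. Constructed sample data, not real files.
make_sample_form() {
    dir=$(mktemp -d)
    printf '<html><body><form action="processor.php" method="post"></form></body></html>\n' > "$dir/index.html"
    printf '<?php\ninclude("config.inc.php");\n// ... insert the POSTed fields into the database ...\n' > "$dir/processor.php"
    printf '<?php\n$db_user = "formuser";\n$db_pass = "example-only";\n' > "$dir/config.inc.php"
    chmod -R 777 "$dir"
    printf '%s\n' "$dir"
}

harden_form_dir() {
    form_dir="$1"
    admin_dir="$form_dir/admin"

    # 4) Move the credentials file into admin/ and rewrite the include in
    #    processor.php so the form keeps working after the move.
    mkdir -p "$admin_dir"
    if [ -f "$form_dir/config.inc.php" ]; then
        mv "$form_dir/config.inc.php" "$admin_dir/config.inc.php"
    fi
    if [ -f "$form_dir/processor.php" ]; then
        sed -i.bak 's|include("config.inc.php");|include("admin/config.inc.php");|' "$form_dir/processor.php"
        rm -f "$form_dir/processor.php.bak"
    fi

    # Password-protect admin/ with HTTP basic auth (create the password file with
    # `htpasswd -c /var/www/private/.htpasswd admin`, outside the web root), and
    # refuse direct browser requests for config.inc.php outright: PHP's include()
    # reads it from disk, so no web client ever needs to fetch it.
    cat > "$admin_dir/.htaccess" <<'EOF'
AuthType Basic
AuthName "Form admin"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
Options -Indexes
<Files "config.inc.php">
    Require all denied
</Files>
EOF

    # 5) Directory surfers get a blank 404 page instead of a listing, and
    #    -Indexes switches listings off even where no index file exists.
    if [ ! -e "$form_dir/index.php" ] && [ ! -e "$form_dir/index.html" ]; then
        printf '<?php\nheader("HTTP/1.0 404 Not Found");\n' > "$form_dir/index.php"
    fi
    printf 'Options -Indexes\n' > "$form_dir/.htaccess"

    # 1-3) Nothing needs 777: directories 755 so the web server can traverse
    #      them, every file 644 so only the owner can write. Done last so the
    #      files created above are covered too.
    find "$form_dir" -type d -exec chmod 755 {} +
    find "$form_dir" -type f -exec chmod 644 {} +
}

# Verification: no world-writable entry anywhere, no credentials file left at
# the web root, and the admin folder carries its access rules.
check_form_dir() {
    form_dir="$1"
    if find "$form_dir" -perm -002 | grep -q .; then
        return 1
    fi
    [ ! -e "$form_dir/config.inc.php" ] || return 1
    [ -f "$form_dir/admin/.htaccess" ] || return 1
    return 0
}
```

Run it against the real install with `harden_form_dir /path/to/form && check_form_dir /path/to/form`; check_form_dir is the part worth keeping in a cron job, since a later upload or a careless `chmod 777` is exactly how the permissions drift back.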
Edit... To clarify... I have not been hacked on this script. The couple of scripts that I have been hacked with were very outdated or had known vulnerabilities. During this time people found holes in them or the developers gave up on updates or patches. It's nice to see this nice generator having active development and a forum. Again, thanks guys.