security


Andres

Sep 27, 2010, 12:23:11 PM
to genetify
Hi folks, pardon the n00b question here. Do you have any suggestions
regarding security for Genetify?

Specifically, how could I prevent malicious people from forging calls,
calling up the control panel and generally messing with the stats and
scripts?

On a related note... I saw the comment on the PHP recorder " //TODO:
mysql escape *all* $_REQUEST variables"... so the PHP part is open to
SQL injection attacks?

Thanks in advance,

-Andres.

Greg Dingle

Sep 27, 2010, 2:42:53 PM
to gene...@googlegroups.com
Andres,

Keeping to its experimental nature, Genetify defaults to unrestricted operation. To add more security, you could do any number of things: hash a password and put it in the JS, do a server side check on a whitelist of IP addresses, eliminate certain operations entirely.

The TODO was a note to myself to systematically lock down the app against mysql injection attacks. I haven't heard of any vulnerabilities, so, to be honest, I don't think I will get to it any time soon.

Please request a pull on github for any improvements you make!

Greg

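As an added illustration for the two points in Greg's reply, and not code from Genetify or from Greg: a recorder endpoint in the shape the "TODO: mysql escape *all* $_REQUEST variables" comment describes, with the interpolated-`$_REQUEST` version beside a hardened one that validates the parameters and binds them through a mysqli prepared statement, followed by the server-side IP allowlist Greg suggests for operations that change stats or scripts. The table `genetify_results(experiment, variant, hits)`, the request parameter names (`experiment`, `variant`, `op`), the file layout and the database credentials are all assumptions made for this example.

```php
<?php
// Added example for this thread; not Genetify's own recorder. The table
// genetify_results(experiment, variant, hits), the request parameter names
// and the database credentials are assumptions made for the illustration.

// --- The pattern the "TODO: mysql escape *all* $_REQUEST variables" warns about ---
// Request values are spliced into the SQL text, so a caller who sends
//   variant=x' OR '1'='1
// rewrites the statement instead of supplying a value.
function record_vulnerable(mysqli $db): bool
{
    $experiment = $_REQUEST['experiment'];
    $variant    = $_REQUEST['variant'];
    $sql = "UPDATE genetify_results SET hits = hits + 1 "
         . "WHERE experiment = '$experiment' AND variant = '$variant'";
    return $db->query($sql) !== false;
}

// --- Hardened version ---
// Two independent layers: reject anything that is not a plausible identifier
// before it reaches the database, and bind what is left as a parameter so
// the SQL text is fixed whatever the input contains.
function clean_ident(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value) === 1 ? $value : null;
}

function record_hardened(mysqli $db, array $req): bool
{
    $experiment = clean_ident((string) ($req['experiment'] ?? ''));
    $variant    = clean_ident((string) ($req['variant'] ?? ''));
    if ($experiment === null || $variant === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE genetify_results SET hits = hits + 1 WHERE experiment = ? AND variant = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $experiment, $variant);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Server-side allowlist for operations that change stats or scripts ---
// A password hash shipped inside controls.js is readable by every visitor, so
// a client-side check alone stops nobody; the decision has to be made here.
// REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
// address, and X-Forwarded-For is caller-controlled unless the proxy
// overwrites it, so do not read that header without such a proxy in place.
function is_admin_client(array $allowed_ips, string $remote_addr): bool
{
    return in_array($remote_addr, $allowed_ips, true);
}

$db = new mysqli('localhost', 'genetify', 'secret', 'genetify'); // assumed
$ADMIN_IPS = ['203.0.113.10'];                                    // assumed (RFC 5737 range)

if (($_REQUEST['op'] ?? '') === 'reset') {
    if (!is_admin_client($ADMIN_IPS, $_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit;
    }
    // admin-only work goes here
}
record_hardened($db, $_REQUEST);
```

The regex check is not a substitute for the prepared statement; it is there so that garbage never reaches the database at all and so that the identifier grammar is stated in one place. The prepared statement is what actually removes the injection, because the parameter values are sent separately from the query text.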

Enrique Ferraro

Sep 27, 2010, 3:13:00 PM
to gene...@googlegroups.com
Thanks Greg, by the way, amazing piece of code.

Glad to know it's not that vulnerable. I was thinking of pulling off something dead-simple like an .htaccess restriction somewhere. I'm really new at JavaScript - just locking down the admin parts to my own IP with .htaccess would suffice for me.

I guess I could do that by locking down access to controls.js - that might help at least a bit.

Again, thanks for the package.

-Andres.
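An added example of the .htaccess restriction described above, not a file from Genetify. The file names other than controls.js are assumed placeholders for whichever PHP scripts the control panel posts to, and the address is from the RFC 5737 documentation range. The check a practitioner would want here: restricting controls.js alone hides the control panel's UI, but the scripts it calls stay reachable by anyone who has read the JS, so the server-side scripts need to be in the same rule.

```apache
# Added example, not part of Genetify. admin.php and reset.php stand in for
# whichever PHP scripts perform the admin operations; 203.0.113.10 is a
# documentation address. Place this .htaccess in the directory that holds
# the Genetify files.
<FilesMatch "^(controls\.js|admin\.php|reset\.php)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2 (mod_authz_host), the current release when this thread was written
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</FilesMatch>
```

Both forms compare the address of the TCP peer. If the site sits behind a reverse proxy or CDN, that peer is the proxy, and the rule either blocks everyone or (if the proxy's address is listed) allows everyone; on Apache 2.4 mod_remoteip can substitute the client address from a trusted proxy header before the comparison. The recorder script that tallies hits must stay unrestricted, or the experiment stops collecting data.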