  1. #1
    Join Date: Aug 2009 | Posts: 368 | Plugin Contributions: 0

    Questions about integrating my own code

    I need a guideline on integrating my own code without security risk.

    I developed myself a piece of code in order to send mail when a desired product is on sale. jQuery inserted in tpl_product_info is calling PHP files placed in includes (the same place where configure.php is placed, because I need to have access to the database). The problem is the .htaccess file that is blocking access to *.php.
    Please provide a solution for placing the PHP files called by my custom jQuery.

    thx

  2. #2
    Join Date: Jul 2005 | Location: Upstate NY | Posts: 22,010 | Plugin Contributions: 25

    Re: Guideline on integrating own code

    Lots of stock files deeper in /includes/ communicate with the database. Why do you think your file needs to be that high in the file structure? What methods are you using for db access, and when do they come into play?

  3. #3
    Join Date: Aug 2009 | Posts: 368 | Plugin Contributions: 0

    Re: Guideline on integrating own code

    Quote Originally Posted by gjh42:
        Lots of stock files deeper in /includes/ communicate with the database. Why do you think your file needs to be that high in the file structure? What methods are you using for db access, and when do they come into play?

    1. tpl_product_info calls a jQuery file.
    2. Inside the jQuery file I call the /include/my.php file.
    3. my.php includes configure.php in order to access the database.

    configure.php is protected by .htaccess by standard Zen Cart settings.

    I have put the PHP files in /includes because I thought I needed to include configure.php in order to have DB access info. Please give me other solutions.
    Last edited by solo_400; 16 Jul 2012 at 01:40 PM.

  4. #4
    Join Date: Jan 2004 | Posts: 66,443 | Plugin Contributions: 279

    Re: Guideline on integrating own code

    Correct. For security reasons you cannot use webpages/jQuery/ajax/javascript/URLs to directly call PHP files located inside the /includes/ folder or its subfolders.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date: Aug 2009 | Posts: 368 | Plugin Contributions: 0

    Re: Guideline on integrating own code

    Thank you DrByte, can you please provide a possible solution? I really need my code running... what should I do?

  6. #6
    Join Date: Jan 2004 | Posts: 66,443 | Plugin Contributions: 279

    Re: Guideline on integrating own code

    Put your file in another folder. PHP scripts can be run from the root folder without those security restrictions. That would be a suitable place.

  7. #7
    Join Date: Aug 2009 | Posts: 368 | Plugin Contributions: 0

    Re: Guideline on integrating own code

    Quote Originally Posted by DrByte:
        Put your file in another folder. PHP scripts can be run from the root folder without those security restrictions. That would be a suitable place.

    Regarding the user/password/table_name: Is it possible to read from configure.php, which is included in /include and protected by .htaccess? I don't want to put this info in my PHP.

  8. #8
    Join Date: Jan 2004 | Posts: 66,443 | Plugin Contributions: 279

    Re: Guideline on integrating own code

    Right. So, include() the file when you need it.

  9. #9
    Join Date: Aug 2009 | Posts: 368 | Plugin Contributions: 0

    Re: Guideline on integrating own code

    Quote Originally Posted by DrByte:
        Right. So, include() the file when you need it.

    Thank you DOC, I think I did it!

    I think it is impossible to load configure.php from the root directory without adding "Allow from localhost_IP" in my includes/.htaccess.

    <Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from localhost_IP
    </Files>

    Do you think it could be a security problem?

    thx again
    Last edited by solo_400; 16 Jul 2012 at 11:10 PM.

  10. #10
    Join Date: Jan 2004 | Posts: 66,443 | Plugin Contributions: 279

    Re: Guideline on integrating own code

    Quote Originally Posted by solo_400:
        I think it is impossible to load configure.php from the root directory without adding "Allow from localhost_IP" in my includes/.htaccess.

    <Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from localhost_IP
    </Files>

        Do you think it could be a security problem?

    I would not do that. There should NOT be any reason to edit the /includes/.htaccess file.

    Your extra scripts really need to handle security properly. Or load application_top.php to invoke Zen Cart's security handling systems. Loading configure.php directly is not advisable. I didn't mention that earlier because it sounded like you didn't care and all you wanted was just a quick dirty way of doing things without care for the proper approach.

    If you want to do it properly, use the same approach that Zen Cart uses: load a primary script from the main directory, and have it load the required additional assets after invoking application_top.php. In the case of ajax, there are many things that will be absent from your stateless connection, so you will have to write numerous additional custom scripts to handle those.

    I don't understand why you're doing all this just to send an email, nor why you're sending emails from product pages anyway. But, since you haven't explained anything about the business problem you're trying to solve by this approach, all we can do is blindly guess.

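The root-script pattern DrByte describes above, written out as an added example (this is neither Zen Cart's own code nor the original poster's): a hypothetical endpoint ajax_sale_notify.php placed in the store root that bootstraps application_top.php instead of including configure.php, so /includes/.htaccess is never loosened. It assumes the field names, and that Zen Cart 1.5's zen_mail(), $db->bindVars()/Execute(), TABLE_PRODUCTS, STORE_NAME, EMAIL_FROM and the $_SESSION['securityToken'] value are available once application_top.php has run.

```php
<?php
// ajax_sale_notify.php, placed in the store ROOT (beside index.php), not in /includes/.
// Added example; the file name, POST field names and Zen Cart 1.5 APIs named in the
// comments below are assumptions, not taken from the thread.

// Bootstrap Zen Cart: session, DB connection, constants and its security handling
// all come from here, so configure.php is never included directly by this script.
require('includes/application_top.php');

header('Content-Type: application/json');

// Return an error and shut Zen Cart down cleanly (http_response_code needs PHP 5.4+).
function fail($code, $msg) {
    http_response_code($code);
    echo json_encode(array('ok' => false, 'error' => $msg));
    require(DIR_WS_INCLUDES . 'application_bottom.php');
    exit;
}

// Only accept POST; an endpoint that fires on GET can be triggered by any cross-site link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST required');

// CSRF check: the template must send the session's securityToken with the ajax call
// (assumed: Zen Cart 1.5 keeps it in $_SESSION['securityToken']).
if (!isset($_SESSION['securityToken'], $_POST['securityToken'])
    || $_POST['securityToken'] !== $_SESSION['securityToken']) fail(403, 'bad token');

// Validate input strictly; the product id and address come from the browser.
$product_id = filter_input(INPUT_POST, 'products_id', FILTER_VALIDATE_INT,
                           array('options' => array('min_range' => 1)));
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if (empty($product_id) || empty($email)) fail(400, 'invalid input');

// Confirm the product exists and is active using Zen Cart's DB object with a bound
// integer, so the server decides what may be mailed rather than trusting the client.
$sql = "SELECT products_id, products_status FROM " . TABLE_PRODUCTS
     . " WHERE products_id = :productID";
$sql = $db->bindVars($sql, ':productID', $product_id, 'integer');
$row = $db->Execute($sql);
if ($row->EOF || (int)$row->fields['products_status'] !== 1) fail(404, 'unknown product');

// Send through Zen Cart's mailer with the store's configured From address. The body is
// built only from validated, server-side values, so no client text is echoed into mail.
$subject = 'Product #' . $product_id . ' is on sale';
$text    = 'Product #' . $product_id . ' is currently on sale at ' . STORE_NAME . '.';
zen_mail('', $email, $subject, $text, STORE_NAME, EMAIL_FROM,
         array('EMAIL_MESSAGE_HTML' => $text), 'default');

echo json_encode(array('ok' => true));
require(DIR_WS_INCLUDES . 'application_bottom.php');
```

The jQuery in tpl_product_info would then POST to this root-level script with the securityToken hidden field, and nothing under /includes/ needs to be reachable from the browser.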