Ning Developer Network

As you all may know, all networks on Ning are open, which means that anyone can look at the source code of a particular network or application, which is great by the way because it allows people interested in tweaking their own networks to look at how other application developers have implemented a cool feature in order to learn or replicate.

Here is the url to view the source code of a network on ning:

http://www.ning.com/view-source.html?appUrl=subdomain
(replace subdomain with the name that goes before .ning.com in the url of the network you want to look at)


So, when developing keep that in mind, especially if you plan to access other web services that require authentication with a personal API key or a password: people can see your PHP... unless you store these sensitive PHP files in a special place: /xn_private/

xn_private folder


The xn_private directory is the place to store this type of source file. Everything in it is accessible only by the network owner and is not listed on the public view-source pages.

Here is one example of how to access the sensitive information in your application by referencing a file in your xn_private folder. Let's assume that you have a file called myKey.php like this in your xn_private folder:

<?php $myKey = 'foo bar'; ?>

Here is how you would access it:
<?php
// Build the path to the key file inside the owner-only xn_private directory
$keyFilePath = $_SERVER['DOCUMENT_ROOT'] . '/xn_private/myKey.php';
if (file_exists($keyFilePath)) {
    // The included file defines $myKey
    include_once $keyFilePath;
    echo "The secret key is:$myKey";
} else {
    die('key not found');
}
?>

Tags: apikey, examples, php, private, tip, xn_private
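
An added example, not part of the original post: the same xn_private/myKey.php file loaded through a function so that $myKey never reaches global scope or the page output, and is used to sign a request rather than echoed. The helper names load_private_key() and sign_request(), the HMAC signing step and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. load_private_key() and
// sign_request() are hypothetical helpers; HMAC signing is an assumed use.

/** Load $myKey from xn_private/myKey.php without exposing it globally. */
function load_private_key(string $docRoot): string
{
    $privateDir = realpath($docRoot . '/xn_private');
    $path = realpath($docRoot . '/xn_private/myKey.php');
    // realpath() returns false for a missing path; also refuse a file that
    // resolves outside xn_private (for example through a symlink).
    if ($privateDir === false || $path === false
        || strpos($path, $privateDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('key not found');
    }
    include $path; // included in function scope: $myKey stays local
    if (!isset($myKey) || !is_string($myKey) || $myKey === '') {
        throw new RuntimeException('key file did not define $myKey');
    }
    return $myKey;
}

/** Authenticate a request body with the key instead of printing the key. */
function sign_request(string $body, string $key): string
{
    return hash_hmac('sha256', $body, $key);
}

// Constructed demo setup so this runs from the command line: a temporary
// document root holding the myKey.php file shown in the post.
$docRoot = sys_get_temp_dir() . '/xn_demo_' . getmypid();
mkdir($docRoot . '/xn_private', 0700, true);
file_put_contents($docRoot . '/xn_private/myKey.php', "<?php \$myKey='foo bar'; ?>");

try {
    $sig = sign_request('status=hello', load_private_key($docRoot));
    echo "signature: $sig\n"; // only the signature is output, never the key
} catch (RuntimeException $e) {
    error_log($e->getMessage());   // details go to the server log
    echo "service unavailable\n";  // visitors get a generic message
} finally {
    unlink($docRoot . '/xn_private/myKey.php');
    rmdir($docRoot . '/xn_private');
    rmdir($docRoot);
}
```

On a network, pass $_SERVER['DOCUMENT_ROOT'] as the argument, as the post's own snippet does, and drop the demo setup and cleanup lines.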


Replies are closed for this discussion.

Replies to This Discussion

yes :P thanks! updated
Fabricio - Does this require the paid "protect your code from prying eyes" option? Also, if I were to want to develop mods to sell to other network owners, is there any way of preventing the work from spreading like a virus around Ning ;) besides developing a web service (on another site) and just providing network owners a script to "consume" the web service? Lastly, if I as a network owner wanted to keep source from prying eyes and paid the subscription fee, what would happen if, say for example, you were unable to process my credit card? If I don't get in contact, does that mean it could become everyone's work?

Thanks in advance!
Hello Rob,

This private folder is private even when you have not purchased the 'Remove Ning Promotional Links' premium service which also conceals your source code.

To prevent the proliferation of your services you will indeed have to prevent others from having access to the source code obviously. Providing them in the form of web services is an option if you'd like to proceed down this path.

Finally, if your payment becomes delinquent for any premium service it may indeed turn off. This means that your source may be exposed. I've never heard of this happening so far, though, so you'll just have to be careful with your payment. This is no different than any other utility, though. You have to pay us to guarantee that we'll keep the service operating!

Cheers!
Mike
Mike,

Thanks for clarifying some of those questions.

Do you guys support zend / ioncube encoded scripts?

You could see why this might be a bad thing. I'm not in any way worried about my card being declined and frankly think the service is worth every penny but you can see why it would be better to gracefully suspend the entire network (app) before giving access to the code.

Rob
Hi Rob,

No, we don't support zend / ioncube encoded scripts :]

As for suspending the network instead of opening it, that is a great suggestion and makes total sense, I will pass it along, thanks!
Fabricio,

Wow, this is scary news. I just learned of this huge security hole by reading your post tonight. I haven't heard of this since I started using Ning on Nov 1, 2007. There is nothing described that I have found in the FAQ or in the premium services purchase section that says that one's code is public for all to see unless you purchase a premium service. Furthermore, WHICH premium service closes our code to the public? What is the reasoning for keeping code public? I assumed that our code was private from the start and that we needed a login/password to access our site, just like we do when we use SFTP. What a huge security risk and risk for Ning frankly. Thanks for alerting everyone.

Ted
Hey Ted,

Actually, this is not a security hole, the Ning Network code is, by default, Open Source and as such already "accessible" to others. Code on the platform is world-readable (but can only be written by the owner of the network, through SFTP) unless you purchase the premium service "Remove Ning Promotion Links" which not only removes the "Create your own social network" link but also hides the source code from access by others, which is only useful if you've done specific modifications that you would like to keep private.

hope this helps!

d
Diego,
Thanks. Yes, I understand it's open source, but I think you need to disclose this to people who get the code and make their own modifications--that the world can see and essentially steal any and all modifications they make without notice. I'm sure you would get more premium sign-ups that way for one thing. This was never made clear in your FAQ or promotional text. The screen shot of premium services I enclosed does not mention the fact about hiding the source code. I think this is critical and something that is obviously easy to add to your promotional text. This would benefit Ning and your users.
Ted
Hi Ted, you're right that this is not clear and we will absolutely clarify it in the documentation and other places. Thanks for bringing it to our attention!

d
This makes sense. Thanks for the clarification.
This content has been moved to the documentation wiki. Please click here to access the latest, most up to date version.

Also, I'm closing this thread as it's become a bit long. If you have any questions about this topic please create a new thread in the general discussion category.

Thanks!
Mike


© 2009   Created by Ning Developer Admin
