My name is Abdoulaye Siby aka Asiby aka WebMaestro.
You are doing an awesome job with Joomla. Keep it up.
I have been developing for Mambo and Joomla for several years now, and I also develop for Drupal and A2Billing. After dealing with several hacking situations involving Joomla, I have realized that there is one thing that you can add in order to improve security.
I have noticed that the configuration file and many folders are required to have 777 permissions in order for Joomla to work properly on a web hosting environment. That is pretty unsafe. Also, making configuration.php read-only would negate the global configuration, as it would prevent even the super administrator from modifying Joomla's global configuration on the fly.
Now, Joomla is using the class JConfig to contain all the configuration options. I suggest that you move all the configuration (except the database settings) into the database. The JConfig class would look roughly like the following.
Code:
<?php
class JConfig {
    /* Database Settings (the only values that stay in configuration.php) */
    public $tablename = 'configuration';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'myusername';
    public $password = 'mysecret';
    public $db = 'my';
    public $dbprefix = 'jos_';
    private $dbo;

    public function __construct() {
        // Connect to the DB here or make sure that the framework does it
        // before any configuration variable is either read or written.
        $this->dbo = new mysqli($this->host, $this->user, $this->password, $this->db);
        if ($this->dbo->connect_error) {
            throw new RuntimeException('DB connection failed: ' . $this->dbo->connect_error);
        }
    }

    // $var names a column, so it cannot be a bound parameter: restrict it to a
    // plain identifier before it is interpolated into SQL.
    private function column($var) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $var)) {
            throw new InvalidArgumentException("Bad configuration key: $var");
        }
        return '`' . $var . '`';
    }

    public function __get($var) {
        // Query: SELECT $var FROM #__configuration LIMIT 1
        $table = '`' . $this->dbprefix . $this->tablename . '`';
        $res = $this->dbo->query('SELECT ' . $this->column($var) . " FROM $table LIMIT 1");
        $row = $res ? $res->fetch_row() : null;
        return $row ? $row[0] : null;
    }

    public function __set($var, $val) {
        // Query: UPDATE #__configuration SET $var = ?  (value is bound, never interpolated)
        $table = '`' . $this->dbprefix . $this->tablename . '`';
        $stmt = $this->dbo->prepare('UPDATE ' . $table . ' SET ' . $this->column($var) . ' = ?');
        if (!$stmt) {
            throw new RuntimeException('Prepare failed: ' . $this->dbo->error);
        }
        $stmt->bind_param('s', $val);
        $stmt->execute();
        $stmt->close();
    }
}
The above code does not require any change in the existing modules that access the configuration options properly. Simply accessing or setting a configuration setting will be enough. PHP will use the magic functions __get() and __set() to do the rest.
After moving the config into the DB, the configuration.php file can permanently have read-only permissions while the admin user will still enjoy the admin interface. I understand that some changes will be required in the admin interface because it is currently reading and saving all the global configuration data in the flat file.
Cheers
A. Siby
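As an added example (not part of the original post and not Joomla's own code), the following POSIX shell script audits a Joomla web root for the world-writable (777) files and directories the post warns about, checks whether configuration.php is already in the read-only state the post wants to make permanent, and locks it to 0444. The web-root path and the file layout it expects are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Joomla: audit a
# Joomla web root for world-writable (777 / o+w) entries and lock
# configuration.php read-only. The web-root path is an assumption.

# List every file or directory under $1 that "other" can write to, sorted.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Exit 0 if $1/configuration.php exists and is writable by neither group nor
# other (owner write is still allowed); exit 1 if it is missing or writable.
config_is_read_only() {
    cfg="$1/configuration.php"
    [ -f "$cfg" ] || return 1
    if find "$cfg" \( -perm -0020 -o -perm -0002 \) -print | grep -q .; then
        return 1
    fi
    return 0
}

# Make configuration.php read-only for everyone, including the web server
# user, which is what moving the options into the database permits.
lock_config() {
    chmod 0444 "$1/configuration.php"
}

# Usage (path assumed): sh audit.sh /var/www/joomla
if [ -n "$1" ]; then
    echo "World-writable entries under $1:"
    find_world_writable "$1"
    if config_is_read_only "$1"; then
        echo "configuration.php: read-only (OK)"
    else
        echo "configuration.php: writable by group/other, or missing (FIX)"
    fi
fi
```

Run it against the site root after the move; anything still listed by find_world_writable is a directory that PHP must be able to write to for some other reason and deserves its own look.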