Everything is validated before it is included. The file name on the command line is really just a variable stating what file I want included. I don't include what I get from the command line.

PHP is also installed in "safe mode" which, from what I understand, requires the hacker to . . .

a) put the file they wish to include into my space on the web server (or replace the contents of one of my existing files)

b) add a new option to my validation routine so that their file is loaded.

I'm assuming that if they have the ability to put stuff in my web server directory space, I'm screwed anyway. But if anybody sees anything I'm missing, I'd be grateful for any warnings.

One trouble area I can see is giving away the name of the file I'm including . . . I assume the less information you give out, the safer you are. I should have used another variable value, but at the time I figured it would be just another value I would need to remember.

I admit I'm grateful for "php safe mode". Having done a bit of programming, it's easy enough to figure things out in PHP. Unfortunately, not having any web programming experience, it's really easy to create things that can get you into a lot of trouble.

I'm always grateful for any security warnings and information.

Thanks,
Rita Mikusch


List: php-general
Subject: Re: [PHP] PHP and Log Analyzers
From: "1LT John W. Holmes" <[EMAIL PROTECTED]>
Date: 2002-05-01 19:20:27

If you know what is good for you, you will stop this method that you're using and come up with a better one. You are open to so many attacks, it's unbelievable. I really, really hope you have a solid validation routine for the files you're including.

How about using method='post' for your forms. Then the variables won't show up in the URL.

---John Holmes...

----- Original Message -----
From: "Fearless Froggie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 01, 2002 2:04 PM
Subject: [PHP] PHP and Log Analyzers

> Because of the way I'm including files and passing
> variables on the url I'm finding it difficult to get
> the information I need from my log analyzer (I'm using
> an older version of Web Trends).
> I thought I'd email
> the list and see if anybody else has had the same
> problem and has found a solution.
>
> On my website I have one main file that I use...
>
> 1) to bring in dynamic information from the database
> (I just add the article id information to the url . .
> . ie, "index.php3?article_id=12&category_id=44")
>
> 2) or to include php files or html files. I just add
> the name of the html or php file to the url . . . ie,
> "index.php3?file_name=a_php_form.php3".
>
> That way I only need to update "index.php3" anytime
> the layout of the site changes.
>
> The log analyser will count
> "index.php3?article_id=12&category_id=44" as a
> separate page from
> "index.php3?file_name=a_php_form.php3" which is great
> -- they are separate content areas after all.
>
> The problem is that in some cases I am also passing
> form information on the URL .... for example
> "index.php3?file_name=a_php_form.php3&name=bob&street=broadway".
> Now when I run the log analyzer it will list
> "index.php3?file_name=a_php_form.php3&name=bob&street=broadway"
> as a separate page from
> "index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet".
> Ooops, that's a problem because they are the same content
> area and now I'm ending up with 5 zillion separate
> scores in the log analyzer for them. I could use a
> cookie to save that form information, but I'm hoping
> to avoid it.
>
> It would be nice if there were a log analyzer
> available that you could just type part of a url into,
> for example "index.php3?file_name=a_php_form.php3",
> and then get a score for any url containing that
> phrase. Or perhaps a program that would parse the log
> file into IP Address / Date / Time / HTTP Request.
> Then I could play around with it in a spreadsheet
> program.
>
> I'm sure one day down the road I'll be looking back at
> this problem and realize I missed something really
> obvious, but for now does anybody have any bright
> ideas?
>
> Rita Mikusch

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
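The "one main file" dispatcher the original post describes, and the validation Rita says sits in front of her include, are the crux of John's warning. The following is an added example, not code from the thread or from Rita's site: it shows the pattern as it is usually written (a query parameter used directly as the include path) next to an allowlisted version in which the parameter is only a key and the map supplies the file name. The 'page' parameter, the page keys and the pages/ directory are assumptions for illustration. One caveat worth knowing: the PHP safe_mode the reply relies on was deprecated in PHP 5.3 and removed in 5.4, so the allowlist has to carry the whole load on any current PHP.

```php
<?php
// Added example, not code from the thread. The page keys, the pages/
// directory and the 'page' parameter name are assumptions.

// VULNERABLE: the query parameter is used as the include path. With
// index.php3?file_name=../../../../etc/passwd the server reads arbitrary
// local files; with allow_url_include on, a remote URL runs as PHP.
function include_unsafe(string $file_name): void
{
    include $file_name; // never do this
}

// HARDENED: the parameter is a key into a fixed map. The map, not the
// user, supplies the file name, and every file lives under one directory.
const PAGE_DIR = __DIR__ . '/pages';

const PAGES = [
    'home'    => 'home.php',
    'contact' => 'a_php_form.php',
    'about'   => 'about.html',
];

function resolve_page($key): string
{
    // Exact key match only. Arrays (page[]=x), null and unknown keys all
    // fall back to the default page rather than to an error message that
    // would reveal real file names.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$key];
}

function include_page($key): void
{
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . resolve_page($key));
    // Defence in depth: even if the map is edited badly later, refuse
    // anything that does not resolve to an existing file inside PAGE_DIR.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }
    include $real;
}

// Reading $_GET here is fine because only the key is consulted; the form
// fields themselves belong in a method="post" form, as John suggests, so
// they stay out of the URL, the referer and the access log.
include_page($_GET['page'] ?? null);
```

The key-to-file map is the validation routine Rita mentions, made explicit: adding a page means adding a map entry, and nothing an attacker puts in the query string can name a file. The realpath check is not a substitute for the map; it only guards against a typo in the map pointing outside pages/.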
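On the question the original post actually asks, the missing piece is a normalisation step that reduces each index.php3 request to its content area before counting, so form fields in the query string do not turn every submission into a separate "page". The following is an added example, not code from the thread or from Web Trends: a small PHP command-line script that parses common/combined-format access-log lines into IP / time / request, keeps only the query keys that identify a content area, and counts hits per area. The log lines are constructed for illustration, and the set of keys treated as content-defining (file_name, article_id, category_id) is an assumption taken from the URLs quoted in the post.

```php
<?php
// Added example, not code from the thread. Log lines below are constructed;
// CONTENT_KEYS is an assumption based on the URLs quoted in the post.

// Query keys that identify a content area. Everything else (name=, street=,
// and so on) is form data and is dropped before counting.
const CONTENT_KEYS = ['file_name', 'article_id', 'category_id'];

// Common / combined log format:
//   ip ident user [date] "METHOD url HTTP/x" status size ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

// Parse one line into its fields, or null if it is not in the expected format.
function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'url'    => $m[4],
        'status' => (int) $m[5],
    ];
}

// Reduce a request URL to path plus content-defining query keys only.
function content_area(string $url): string
{
    $path  = parse_url($url, PHP_URL_PATH) ?? $url;
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null) {
        return $path;
    }
    parse_str($query, $params);
    $keep = [];
    foreach (CONTENT_KEYS as $k) {
        if (isset($params[$k]) && is_string($params[$k])) {
            $keep[$k] = $params[$k];
        }
    }
    return $keep ? $path . '?' . http_build_query($keep) : $path;
}

// Count successful requests per content area, most-hit first.
function count_areas(array $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $hit = parse_line($line);
        if ($hit === null || $hit['status'] >= 400) {
            continue; // skip unparsable lines and error responses
        }
        $area = content_area($hit['url']);
        $counts[$area] = ($counts[$area] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample log: three different form submissions to the same
// content area, one article view, one 404.
$sample = [
    '10.0.0.1 - - [01/May/2002:14:04:12 -0700] "GET /index.php3?file_name=a_php_form.php3&name=bob&street=broadway HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [01/May/2002:14:05:30 -0700] "GET /index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [01/May/2002:14:06:01 -0700] "GET /index.php3?article_id=12&category_id=44 HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '10.0.0.4 - - [01/May/2002:14:07:45 -0700] "GET /index.php3?file_name=a_php_form.php3 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/May/2002:14:08:00 -0700] "GET /index.php3?file_name=missing.php3 HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
];

foreach (count_areas($sample) as $area => $n) {
    printf("%5d  %s\n", $n, $area);
}
```

To run it against a real log, replace $sample with file('/path/to/access_log', FILE_IGNORE_NEW_LINES). The same normalised rows can be written out as CSV (ip, time, area) for the spreadsheet approach the post mentions. The example also makes John's point concrete from the other direction: with the form fields in the URL, names and street addresses end up in the access log, in any proxy or analyzer that sees it, and in the Referer header of the next request, which is one more reason to submit them with method="post".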