Everything is validated before it is included. The
file name on the command line is really just a
variable stating what file I want included. I don't
include what I get from the command line. 

PHP is also installed in "safe mode" which from what
I understand requires the hacker to . . .

a) put the file they wish to include into my space on
the web server. (or replace the contents of one of my
existing files)

b) add a new option to my validation routine
so that their file is loaded.

I'm assuming that if they have the ability to put
stuff in my web server directory space, I'm screwed
anyway.

But if anybody sees anything I'm missing, I'd be
grateful for any warnings. One trouble area I can see
is giving away the name of the file I'm including . .
. I assume the less information you give out, the
safer you are. I should have used another variable
value, but at the time I figured it would be just
another value I would need to remember.

I admit I'm grateful for "php safe mode". Having done
a bit of programming, it's easy enough to figure
things out in PHP. Unfortunately, not having any web
programming experience, it's really easy to create
things that can get you into a lot of trouble. I'm
always grateful for any security warnings and
information.

Thanks,

Rita Mikusch
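One way to implement the kind of validated dispatch described above, as an added example that is not code from the thread: the URL carries only a short key, a fixed table maps keys to files, and the direct-include pattern John warns about is shown in a comment for contrast. The keys, paths and the `page` parameter name are constructed for this example.

```php
<?php
// Added example (not from the thread): include dispatch through a fixed
// allowlist, so the request value never names a file directly.

// The risky form the thread warns against: the request value is used as the
// path, so any file the web server can read could be pulled in.
//   include($_GET['file_name']);

// Short keys that may appear in the URL, mapped to the files they select.
// Keys and paths are constructed for this example.
$pages = array(
    'contact' => 'forms/a_php_form.php3',
    'about'   => 'static/about.html',
    'home'    => 'static/home.html',
);

function resolve_page(array $pages, $requested)
{
    // Only exact, known keys are accepted; anything else falls back to home,
    // so "../", URLs and unexpected types never reach the include.
    if (is_string($requested) && array_key_exists($requested, $pages)) {
        return $pages[$requested];
    }
    return $pages['home'];
}

$base   = __DIR__ . '/content/';
$target = $base . resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : 'home');

// Second check: the resolved path must still sit inside the content tree.
$real = realpath($target);
if ($real === false || strpos($real, realpath($base) . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
include $real;
```

Because the mapping is fixed in code, adding a page means adding a table entry rather than accepting a new file name from the request, which is the point Rita's "add a new option to my validation routine" describes.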

List:     php-general
Subject:  Re: [PHP] PHP and Log Analyzers
From:     "1LT John W. Holmes" <[EMAIL PROTECTED]>
Date:     2002-05-01 19:20:27

If you know what is good for you, you will stop this method that you're using
and come up with a better one. You are open to so many attacks, it's
unbelievable. I really, really hope you have a solid validation routine for
the files you're including.

How about using method='post' for your forms. Then the variables won't show
up in the URL.

---John Holmes...

----- Original Message -----
From: "Fearless Froggie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 01, 2002 2:04 PM
Subject: [PHP] PHP and Log Analyzers


> Because of the way I'm including files and passing variables on the url I'm finding it difficult to get the information I need from my log analyzer (I'm using an older version of Web Trends). I thought I'd email the list and see if anybody else has had the same problem and has found a solution.
>
> On my website I have one main file that I use...
>
> 1) to bring in dynamic information from the database (I just add the article id information to the url . . . ie, "index.php3?article_id=12&category_id=44")
>
> 2) or to include php files or html files. I just add the name of the html or php file to the url . . . ie, "index.php3?file_name=a_php_form.php3".
>
> That way I only need to update "index.php3" anytime the layout of the site changes.
>
> The log analyser will count "index.php3?article_id=12&category_id=44" as a separate page than "index.php3?file_name=a_php_form.php3" which is great -- they are separate content areas after all.
>
> The problem is that in some cases I am also passing form information on the URL .... for example "index.php3?file_name=a_php_form.php3&name=bob&street=broadway". Now when I run the log analyzer it will list "index.php3?file_name=a_php_form.php3&name=bob&street=broadway" as a separate page than "index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet". Ooops that's a problem cause they are the same content area and now I'm ending up with 5 zillion separate scores in the log analyzer for them. I could use a cookie to save that form information, but I'm hoping to avoid it.
>
> It would be nice if there were a log analyzer available that you could just type part of a url into, for example "index.php3?file_name=a_php_form.php3", and then get a score for any url containing that phrase. Or perhaps a program that would parse the log file into IP Address / Date / Time / HTTP Request. Then I could play around with it in a spreadsheet program.
>
> I'm sure one day down the road I'll be looking back at this problem and realize I missed something really obvious, but for now does anybody have any bright ideas?
>
> Rita Mikusch
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - your guide to health and wellness
> http://health.yahoo.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
