What about, like I said, using a POST method on your forms? ---John Holmes...
----- Original Message ----- From: "Fearless Froggie" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 01, 2002 3:51 PM Subject: Re: [PHP] PHP and Log Analyzers > Everything is validated before it is included. The > file name on the command line is really just a > variable stating what file I want included. I don't > include what I get from the command line. > > PHP is also installed in "safe mode" which from what > I understand requires the hacker to . . . > > a) put the file they wish to include into my space on > the web server. (or replace the contents of one of my > existing files) > > b) add a new option to my validation routine > so that their file is loaded. > > I'm assuming that if they have the ability to put > stuff in my web server directory space, I'm screwed > anyway. > > But if anybody sees anything I'm missing, I'd be > grateful for any warnings. One trouble area I can see > is giving away the name of the file I'm including . . > . I assume the less information you give out, the > safer you are. I should have used another variable > value, but at the time I figured it would be just > another value I would need to remember. > > I admit I'm grateful for "php safe mode". Having done > a bit of programming, it's easy enough to figure > things out in PHP. Unfortunately not having any web > programming experience, it's really easy to do create > things that can get you into a lot of trouble. I'm > always grateful for any security warnings and > information. > > Thanks, > > Rita Mikusch > > List: php-general > Subject: Re: [PHP] PHP and Log Analyzers > From: "1LT John W. Holmes" > <[EMAIL PROTECTED]> > Date: 2002-05-01 19:20:27 > [Download message RAW] > > If you know what is good for you, you will stop this > method that your using > and come up with a better one. You are open to so many > attacks, it's > unbelievable. I really, really, hope you have a solid > validation routine for > the files your including. > > How about using method='post' for your forms. Then the > variables won't show > up in the URL. > > ---John Holmes... > > ----- Original Message ----- > From: "Fearless Froggie" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, May 01, 2002 2:04 PM > Subject: [PHP] PHP and Log Analyzers > > > > Because of the way I'm including files and passing > > variables on the url I'm finding it difficult to get > > the information I need from my log analyzer (I'm > using > > an older version of Web Trends). I thought I'd email > > the list and see if anybody else has had the same > > problem and has found a solution. > > > > On my website I have one main file that I use... > > > > 1) to bring in dynamic information from the database > > (I just add the article id information to the url . > . > > . ie, "index.php3?article_id=12&category_id=44") > > > > 2) or to include php files or html files. I just add > > the name of the html or php file to the url . . . > ie, > > "index.php3?file_name=a_php_form.php3". > > > > That way I only need to update "index.php3" anytime > > the layout of the site changes. > > > > The log analyser will count > > "index.php3?article_id=12&category_id=44" as a > > separate page than > > "index.php3?file_name=a_php_form.php3" which is > great > > -- they are separate content areas afterall. > > > > The problem is that in some cases I am also passing > > form information on the URL .... for example > > > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway". > > Now when I run the log analyzer it will list > > > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway" > > as a separate page than > > > "index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet". > > Ooops that's a problem cause they are the same > content > > area and now I'm ending up with 5 zillion separate > > scores in the log analyzer for them. I could use a > > cookie to save that form information, but I'm hoping > > to avoid it. > > > > It would be nice if there were a log analyzer > > available that you could just type part of a url > into, > > for example "index.php3?file_name=a_php_form.php3", > > and then get a score for any url containing that > > phrase. Or perhaps a program that would parse the > log > > file into IP Address / Date / Time / HTTP Request. > > Then I could play around with it in a spreadsheet > > program. > > > > I'm sure one day down the road I'll be looking back > at > > this problem and realize I missed something really > > obvious, but for now does anybody have any bright > > ideas? > > > > Rita Mikusch > > > > __________________________________________________ > > Do You Yahoo!? > > Yahoo! Health - your guide to health and wellness > > http://health.yahoo.com > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > __________________________________________________ > Do You Yahoo!? > Yahoo! Health - your guide to health and wellness > http://health.yahoo.com > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
