What about, like I said, using a POST method on your forms?

---John Holmes...

----- Original Message ----- 
From: "Fearless Froggie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 01, 2002 3:51 PM
Subject: Re: [PHP] PHP and Log Analyzers


> Everything is validated before it is included. The
> file name on the command line is really just a
> variable stating what file I want included. I don't
> include what I get from the command line. 
> 
> PHP is also installed in "safe mode"  which from what
> I understand requires the hacker to . . . 
> 
> a) put the file they wish to include into my space on
> the web server. (or replace the contents of one of my
> existing files)
> 
> b) add a new option to my validation routine
> so that their file is loaded.
> 
> I'm assuming that if they have the ability to put
> stuff in my web server directory space, I'm screwed
> anyway.
> 
> But if anybody sees anything I'm missing, I'd be
> grateful for any warnings. One trouble area I can see
> is giving away the name of the file I'm including . . .
> I assume the less information you give out, the
> safer you are. I should have used another variable
> value, but at the time I figured it would be just
> another value I would need to remember.
> 
> I admit I'm grateful for "php safe mode". Having done
> a bit of programming, it's easy enough to figure
> things out in PHP. Unfortunately not having any web
> programming experience, it's really easy to create
> things that can get you into a lot of trouble. I'm
> always grateful for any security warnings and
> information.
> 
> Thanks,
> 
> Rita Mikusch
> 
> List:     php-general
> Subject:  Re: [PHP] PHP and Log Analyzers
> From:     "1LT John W. Holmes"
> <[EMAIL PROTECTED]>
> Date:     2002-05-01 19:20:27
> 
> If you know what is good for you, you will stop this method that you're using
> and come up with a better one. You are open to so many attacks, it's
> unbelievable. I really, really, hope you have a solid validation routine for
> the files you're including.
> 
> How about using method='post' for your forms. Then the variables won't show
> up in the URL.
> 
> ---John Holmes...
> 
> ----- Original Message -----
> From: "Fearless Froggie" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 01, 2002 2:04 PM
> Subject: [PHP] PHP and Log Analyzers
> 
> 
> > Because of the way I'm including files and passing
> > variables on the url I'm finding it difficult to get
> > the information I need from my log analyzer (I'm using
> > an older version of Web Trends). I thought I'd email
> > the list and see if anybody else has had the same
> > problem and has found a solution.
> >
> > On my website I have one main file that I use...
> >
> > 1) to bring in dynamic information from the database
> > (I just add the article id information to the url . . .
> > ie, "index.php3?article_id=12&category_id=44")
> >
> > 2) or to include php files or html files. I just add
> > the name of the html or php file to the url . . . ie,
> > "index.php3?file_name=a_php_form.php3".
> >
> > That way I only need to update "index.php3" anytime
> > the layout of the site changes.
> >
> > The log analyser will count
> > "index.php3?article_id=12&category_id=44" as a
> > separate page than
> > "index.php3?file_name=a_php_form.php3" which is great
> > -- they are separate content areas after all.
> >
> > The problem is that in some cases I am also passing
> > form information on the URL .... for example
> > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway".
> > Now when I run the log analyzer it will list
> > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway"
> > as a separate page than
> > "index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet".
> > Ooops that's a problem cause they are the same content
> > area and now I'm ending up with 5 zillion separate
> > scores in the log analyzer for them. I could use a
> > cookie to save that form information, but I'm hoping
> > to avoid it.
> >
> > It would be nice if there were a log analyzer
> > available that you could just type part of a url into,
> > for example "index.php3?file_name=a_php_form.php3",
> > and then get a score for any url containing that
> > phrase. Or perhaps a program that would parse the log
> > file into IP Address / Date / Time / HTTP Request.
> > Then I could play around with it in a spreadsheet
> > program.
> >
> > I'm sure one day down the road I'll be looking back at
> > this problem and realize I missed something really
> > obvious, but for now does anybody have any bright
> > ideas?
> >
> > Rita Mikusch
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Health - your guide to health and wellness
> > http://health.yahoo.com
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> 
> 
> 
> 
> 


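The include-by-filename scheme discussed through the whole thread (index.php3?file_name=...), written the way John is asking for, as an added example that is not code from anyone on the list: a fixed allowlist maps a short request key to a fragment on disk, so the client never supplies a filename at all, and a realpath() check confirms the resolved file still lives inside the fragment directory. PAGE_MAP, the fragment names, the `page` parameter and PHP 8 (no register_globals) are assumptions of this example, not anything the thread states.

```php
<?php
// Added example (not code from the thread). Assumes PHP 8 and a single
// front controller index.php that pulls page fragments from ./fragments/.
declare(strict_types=1);

// The complete list of fragments the front controller may include.
// The request carries only a short key; the filesystem path is never
// built from anything the client sent, so a client cannot name a file
// that is not in this table. (Assumed names, for illustration.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'contact' => 'contact_form.php',
    'about'   => 'about.php',
];

// Map a client-supplied key to a fragment filename, or null if it is not
// one of ours. Everything not in the table is treated the same way,
// whether it is a typo, a "../" path or a URL.
function resolve_page(mixed $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    return PAGE_MAP[$key];
}

// Include the fragment for $key, falling back to the home page for unknown
// keys. The realpath() comparison confirms the resolved file really is
// under the fragment directory, even if PAGE_MAP is edited carelessly later.
function render_page(string $fragmentDir, mixed $key): bool
{
    $file = resolve_page($key) ?? PAGE_MAP['home'];
    $base = realpath($fragmentDir);
    $real = realpath($fragmentDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $real;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Self-check of the allowlist when run from the command line:
    // only the first two probes resolve, the rest are rejected.
    $probes = ['contact', 'about', '../../../etc/passwd', 'http://host.invalid/x.txt', 42];
    foreach ($probes as $probe) {
        printf("%-32s => %s\n", var_export($probe, true), resolve_page($probe) ?? 'rejected');
    }
} else {
    // Accept the key from a POST form (keeps it out of the URL and the
    // access log, as suggested in the thread) or from a plain GET link.
    $key = $_POST['page'] ?? $_GET['page'] ?? 'home';
    if (!render_page(__DIR__ . '/fragments', $key)) {
        http_response_code(404);
    }
}
```

The point of the allowlist is that it does not matter whether the value arrives by GET or POST, or whether safe_mode is on: include() only ever sees one of the three constant strings. Switching the forms to POST still helps for the reason John gives (the values stop appearing in the URL, and therefore in the access log), but it is not what makes the include safe.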

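Rita's second wish, a program that parses the access log into IP address / date / time / HTTP request and then scores every URL that belongs to one content area, as an added example rather than anything posted to the list. It is a command-line PHP script that assumes Apache common log format and the index.php3?file_name= / article_id= / category_id= scheme from the thread; the sample log lines are constructed.

```php
<?php
// Added example (not code from the thread). A CLI script that reads Apache
// "common log format" lines, keeps only the query parameters that identify
// a content area, and counts hits per area. Run with no arguments to use
// the constructed sample below, with a log file path to read that file,
// and with --csv to dump IP / date / time / request rows for a spreadsheet.
declare(strict_types=1);

// Parameters that select content (assumed from the thread's URL scheme).
// Form fields such as name= and street= are not listed, so they are
// discarded before counting instead of creating one bucket per visitor.
const PAGE_PARAMS = ['file_name', 'article_id', 'category_id'];

// Split one common-log-format line into its fields, or null if it does not parse.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^:\]]+):(\d\d:\d\d:\d\d) [^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'date' => $m[2], 'time' => $m[3],
            'method' => $m[4], 'url' => $m[5], 'status' => (int) $m[6]];
}

// Reduce a request URL to its content-area key: the path plus whichever
// PAGE_PARAMS were present, rebuilt in a fixed order so that parameter
// order in the original URL does not create extra buckets either.
function page_key(string $url): string
{
    [$path, $query] = array_pad(explode('?', $url, 2), 2, '');
    parse_str($query, $q);
    $keep = [];
    foreach (PAGE_PARAMS as $p) {
        if (isset($q[$p]) && is_string($q[$p])) {
            $keep[$p] = $q[$p];
        }
    }
    return $keep === [] ? $path : $path . '?' . http_build_query($keep);
}

// Count successful GET hits per content area, most visited first.
function count_content_areas(iterable $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $rec = parse_log_line($line);
        if ($rec === null || $rec['method'] !== 'GET' || $rec['status'] !== 200) {
            continue;
        }
        $key = page_key($rec['url']);
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
$sample = [
    '192.0.2.10 - - [01/May/2002:14:02:11 -0700] "GET /index.php3?file_name=a_php_form.php3&name=bob&street=broadway HTTP/1.0" 200 2326',
    '192.0.2.11 - - [01/May/2002:14:03:45 -0700] "GET /index.php3?name=judy&street=mainstreet&file_name=a_php_form.php3 HTTP/1.0" 200 2326',
    '192.0.2.12 - - [01/May/2002:14:05:02 -0700] "GET /index.php3?article_id=12&category_id=44 HTTP/1.0" 200 5120',
    '192.0.2.13 - - [01/May/2002:14:06:30 -0700] "GET /index.php3?file_name=a_php_form.php3 HTTP/1.0" 404 210',
];

$args  = array_slice($argv, 1);
$csv   = in_array('--csv', $args, true);
$files = array_values(array_diff($args, ['--csv']));
$lines = $files !== [] ? new SplFileObject($files[0]) : $sample;

if ($csv) {
    // Spreadsheet-friendly dump: IP, date, time, request.
    $out = fopen('php://stdout', 'w');
    foreach ($lines as $line) {
        if (($rec = parse_log_line($line)) !== null) {
            fputcsv($out, [$rec['ip'], $rec['date'], $rec['time'], $rec['method'] . ' ' . $rec['url']]);
        }
    }
    exit;
}

// With the sample: 2 hits for /index.php3?file_name=a_php_form.php3 and
// 1 for /index.php3?article_id=12&category_id=44; the 404 is not counted.
foreach (count_content_areas($lines) as $area => $hits) {
    printf("%6d  %s\n", $hits, $area);
}
```

The --csv output also makes John's other point visible: with the form fields on the URL, bob's and judy's answers are sitting in the access log in clear text for anyone who can read the logs. Posting the form keeps them out of both the URL and the log, which is a reason to move to POST quite apart from the analyzer problem.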