Hi Rob,

----- Original Message -----
From: <[EMAIL PROTECTED]>

> Hello Bob,
> You didn't mention what you want to do with this url. There
> are security issues that are different on different platforms, different
> configurations and different versions of PHP. What platform and version of
> PHP are you running and is PHP running in a cgi shell or wrapper?
>
> See the following for a quick review of what may be helpful.
>
> http://php.net/manual/en/function.parse-url.php
> http://php.net/manual/en/function.dirname.php
> http://php.net/manual/en/function.basename.php
> http://php.net/manual/en/function.pathinfo.php
> http://php.net/manual/en/function.realpath.php
>
> If you are just parsing the user submitted url to output as a link or src in
> HTML then there are no real issues except that it may not be valid and
> result in an error404. If your script is accessing a file on the server then
> you have huge security issues especially if your script is running with your
> user ownership rights. For example Apache will not serve the file
> ".htaccess" to a browser but will offer it to a PHP script running with your
> ownership permissions. Also consider this url
> http://yourdomasin.com//../../.htaccess

Thanks for all the info.

The URLs have already been passed to one of my custom 401, 403, 404, 410 error routines. The 404 & 410, I give a full standard page with header graphics, and recommend they use the links, the standard "stay on my site" stuff. Look at the homepage, sitemap, search function etc. All the error routines call an include file, that decides whether to record it and/or display a full page, or give just some basic text.

Because all my pages have the file extension .php (a big mistake, but too late to change now) I get automated stuff trying various variables, hoping for a way in. I don't use GET at all now, and use error_reporting(E_ALL); for development, and error_reporting(0); for the live version.

As the ones trying stuff like java=true and various other things are getting a full graphic page and using up my bandwidth allowance which is a miserly 10 gigs, I want them to just get some basic text:

    // Escape the request URI before echoing it back into the page
    $uri = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
    echo "<p style='font:13px sans-serif'>Request: $uri<br /><br />";
    echo "Dear visitor,<br />";
    echo "I'm sorry, your request contained certain characters that I don't allow.<br />";
    echo "If you mistyped the address, please <a href='/'>click here</a> to view the site.<br />";
    echo "Thank you.</p>";
    exit;

As you'll notice, I'm being very polite, as I once wasn't and showed a graphic of someone mooning, then an automated system hit my site every 30 seconds for over 2 weeks before they gave up, and I'm on a shared server. My tip: never antagonize them. Some of them are trying every page, and I have over 700.

I've cured the image hot-linking totally now, thanks to help from this group. Then, I found they were hot-linking to some of my MP3 wartime speeches, which I've put into Flash and now in protected folders. It's a never ending battle, but it's been a great learning curve, and my site is just a hobby :-)

Regards, Bob.
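
Added example, not part of either message: a PHP sketch of the two points raised in this thread, resolving a user-submitted URL with parse_url() and realpath() so that requests such as //../../.htaccess never reach a file outside the document root or a dotfile inside it, and returning a small text-only refusal page with the URI escaped. The function names, the example.test host and the temporary demo directory are assumptions made for the illustration.

```php
<?php
// Added example: function names and the demo paths are hypothetical.
// Map a requested URL to an existing file under $docroot; null means refuse.
function resolve_under_docroot(string $url, string $docroot): ?string
{
    $path = parse_url($url, PHP_URL_PATH);
    $root = realpath($docroot);
    if (!is_string($path) || $root === false) {
        return null;
    }
    $path = rawurldecode($path);              // decode %2e%2e etc. before checking
    if (strpos($path, "\0") !== false) {
        return null;
    }
    // realpath() collapses "//" and "../", follows symlinks, false if missing.
    $real = realpath($root . '/' . $path);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still be inside the document root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Refuse dotfiles such as .htaccess even when they are inside the root.
    foreach (explode(DIRECTORY_SEPARATOR, substr($real, strlen($prefix))) as $part) {
        if ($part !== '' && $part[0] === '.') {
            return null;
        }
    }
    return $real;
}

// Small text-only refusal page; the request URI is HTML-escaped before output.
function refusal_page(string $uri): string
{
    $safe = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p style='font:13px sans-serif'>Request: $safe<br /><br />"
         . "I'm sorry, your request contained certain characters that I don't allow.</p>";
}

// Constructed demo: temporary document root holding one page and one .htaccess.
$docroot = sys_get_temp_dir() . '/docroot_demo_' . getmypid();
mkdir("$docroot/pages", 0700, true);
file_put_contents("$docroot/pages/index.php", 'ok');
file_put_contents("$docroot/.htaccess", 'deny from all');
foreach (['/pages/index.php', '//../../.htaccess', '/pages/%2e%2e/.htaccess'] as $u) {
    echo $u, ' => ', resolve_under_docroot('http://example.test' . $u, $docroot) ?? 'REFUSED', "\n";
}
echo refusal_page('/page.php?java=true&x=<script>'), "\n";
```

The third demo request resolves to a real file inside the root, so it is the dotfile check rather than the containment check that refuses it.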
