Graham Anderson wrote:
my htaccess file for the folder containing the php script was not
set properly
What does that mean? Are you telling us that /home/siren/includes/ is
within document root? If it's not, do you link to it from within
document root?
Do not store includes within document
No... Even Worse...and much stupider ;)
The php folder I was using for the test project [within the document
root] did not have ANY htaccess protection
He just opened up the folder in the browser.
That folder had an old version of my 'crucial_smil_functions.php' script
He got access to that
On 14 Oct 2005, at 04:48, David Robley wrote:
That is incorrect. mysql_real_escape_string is a php function, not
mysql.
Mostly true: mysql_real_escape_string is a php function, but it's
provided by the mysql extension as part of the mysql client libraries
(which explains the name). It
David Robley wrote:
Ben wrote:
snip
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your
situation.
That is incorrect. mysql_real_escape_string is a php function, not mysql.
Actually, it's both. And yes,
Marcus Bointon wrote:
On 14 Oct 2005, at 04:48, David Robley wrote:
That is incorrect. mysql_real_escape_string is a php function, not
mysql.
Mostly true: mysql_real_escape_string is a php function, but it's
provided by the mysql extension as part of the mysql client libraries
(which
John Nichel wrote:
David Robley wrote:
Ben wrote:
snip
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your
situation.
That is incorrect. mysql_real_escape_string is a php function, not mysql.
Actually,
Ben wrote:
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your
situation.
At least it requires a connection to mysql. I had an error, when using
it without any connection opened before, that
On Thu, October 13, 2005 4:05 pm, Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
Several obvious options:
1. Get an account on the machine, and write another PHP script to read
it.
2. Find some other script on the machine that will
On Fri, October 14, 2005 8:20 am, John Nichel wrote:
David Robley wrote:
Ben wrote:
snip
My understanding is that mysql_real_escape_string will only work
while
you are connected to mysql. Not sure if that is the case in your
situation.
That is incorrect. mysql_real_escape_string is a php
Many thanks for everyone's advice :)
It is appreciated
Is this a bit better ?
In my 'cleaner' function, I amended the script to:
function cleanser( $value )
{
    return mysql_real_escape_string( trim( escapeshellcmd( $value ) ) );
}
Instead of mysql_real_escape_string, I could use
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
require_once('/home/siren/includes/fonovisa.inc');
the 'encrypt' functions are MCRYPT_RIJNDAEL_256
He was able
Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
require_once('/home/siren/includes/fonovisa.inc');
the 'encrypt' functions are
Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
er. why don't you [EMAIL PROTECTED]#(%*[EMAIL PROTECTED](_*^#()% % er ask
him.
all of my crucial functions were called by:
On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
Ummm, the obvious thing to do is ask your friend how he did it, then
we'll tell you how to prevent
Ok, I just heard back from him and feel like an idiot
my htaccess file for the folder containing the php script was not
set properly
guess at this point, I'll take all of the advice you guys gave and
implement it :)
g
On Oct 13, 2005, at 2:21 PM, Robert Cummings wrote:
On Thu,
Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
thanks for everyone's patience as I am starting at ground zero
concerning security.
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{
// decrypt and sanitize
Graham Anderson said the following on 10/13/05 15:31:
Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
thanks for everyone's patience as I am starting at ground zero
concerning security.
if( isset($_REQUEST['cmd']) OR
Ben wrote:
Graham Anderson said the following on 10/13/05 15:31:
Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
thanks for everyone's patience as I am starting at ground zero
concerning security.
if(