Search found 29 matches
- Thu Jun 25, 2009 1:32 pm
- Forum: PHP - Security
- Topic: Need guru eyes to check for security holes here
- Replies: 4
- Views: 915
Re: Need guru eyes to check for security holes here
Thanks for your help. Only the site owner can alter it.
- Thu Jun 25, 2009 1:10 pm
- Forum: PHP - Security
- Topic: Need guru eyes to check for security holes here
- Replies: 4
- Views: 915
Re: Need guru eyes to check for security holes here
Who has the power to manipulate 'access1_alert_email_address' field? That value is set by a web page interface and running apache2 as www-data pid and the field can only be set and changed by www-data. I hope that answers the question. Of course, on the server which only has two users, root and www...
- Thu Jun 25, 2009 11:22 am
- Forum: PHP - Security
- Topic: Need guru eyes to check for security holes here
- Replies: 4
- Views: 915
Need guru eyes to check for security holes here
We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last...
- Mon Mar 23, 2009 7:34 pm
- Forum: Databases
- Topic: determine time spread between records, take action
- Replies: 2
- Views: 313
determine time spread between records, take action
I have an application that I'm building that examines apache logs (which are logged to a MySQL database). There are certain strings that the MySQL database is on the alert for (specially crafted URLs). If MySQL sees one of these specially crafted URLs, it is supposed to send out an email alert to an...
- Thu Mar 19, 2009 3:12 pm
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
That is enormously helpful and I thank you.
Beginners need to learn too, you know.
Thanks!
- Thu Mar 19, 2009 2:52 pm
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
Thank you. Thank you. Thank you. Now I have something I can chew on. Let's see, the part about not putting them in the update statement if you didn't intend the user to update them makes total sense. Can you give me a simple example, though, on the PHP syntax for "shielding the implementations o...
- Thu Mar 19, 2009 1:04 pm
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
Let me paint this picture and perhaps it will be more clear what I would like to do (and this is just an example): If I go to somebank.com and login and bring up their form and fill it in and submit it all the while using tamper data to view the submission process, there are NO FIELD names listed in...
- Thu Mar 19, 2009 10:22 am
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
Have you ever actually used 'Tamper Data' or something equivalent? It's rather clear what I'm referring to. The fields, their actual names not the human-friendly field name used in the form -- those placeholders used in something like MySQL or equivalent to hold user input values -- are revealed to ...
- Thu Mar 19, 2009 9:53 am
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
Understood. But if the person behind the client cannot SEE the names of the fields they are less likely to know WHAT to send, n'est-ce pas?
You are telling me there is no way to hide from the eyeballs of the user the name of fields that a tool like Tamper Data reveals?
- Thu Mar 19, 2009 9:38 am
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Re: Preventing posting of data with Tamper Data
Thanks for your reply. I think you know what I would like to do - stop a user who is using Tamper Data or equivalent from being able to see the values being passed to the browser. In some cases in this application the person using Tamper Data (okay it's lame, but people use it to hack stuff) can see th...
- Wed Mar 18, 2009 11:02 pm
- Forum: PHP - Security
- Topic: Preventing posting of data with Tamper Data
- Replies: 15
- Views: 7147
Preventing posting of data with Tamper Data
I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'. What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'? ...
- Sun Mar 01, 2009 6:01 pm
- Forum: PHP - Code
- Topic: difficulty with distinct parameter
- Replies: 2
- Views: 104
Re: difficulty with distinct parameter
DISTINCT applies across all the columns that you want returned, not just the first column in your select list; otherwise SQL can't know which values to return for the other columns. Which of the four returned results do you actually want? Thank you. I thought that was my problem. I want distinct re...
- Sun Mar 01, 2009 5:12 pm
- Forum: PHP - Code
- Topic: difficulty with distinct parameter
- Replies: 2
- Views: 104
difficulty with distinct parameter
I have the following bit of code: SELECT distinct request_uri , sent_or_not_sent, id FROM web3_access_log where sent_or_not_sent = '0' and the result set are 4 when I had hoped it would be just 1. There are 4 records with the same request_uri but I only want returned 1 instance of that. In the above...
- Thu Feb 19, 2009 10:45 am
- Forum: PHP - Code
- Topic: Request code to compare times and send message
- Replies: 1
- Views: 126
Request code to compare times and send message
I have the following code which works nicely sending out an email. I need to wrap the whole thing in an if statement that will compare the web3_access_logs.time_stamp which is an integer and displays epoch time, with the current time and if the difference is greater than 1 hour, send out the email, ...
- Mon Feb 16, 2009 10:29 am
- Forum: PHP - Code
- Topic: my substring() function does not work
- Replies: 2
- Views: 205
Re: my substring() function does not work
It turns out that the following snippet of code worked. I don't know what you are talking about, tasairis, I'm only trying to compare and join two tables with file names, not retrieve or work on the actual file: SELECT substring( web2_access_log.request_uri,2 ), cust.file_names, cust.email_addresses...