Search found 29 matches

by bulgin
Thu Jun 25, 2009 1:32 pm
Forum: PHP - Security
Topic: Need guru eyes to check for security holes here
Replies: 4
Views: 915

Re: Need guru eyes to check for security holes here

Thanks for your help. Only the site owner can alter it.
by bulgin
Thu Jun 25, 2009 1:10 pm
Forum: PHP - Security
Topic: Need guru eyes to check for security holes here
Replies: 4
Views: 915

Re: Need guru eyes to check for security holes here

Who has the power to manipulate 'access1_alert_email_address' field? That value is set by a web page interface and running apache2 as www-data pid and the field can only be set and changed by www-data. I hope that answers the question. Of course, on the server which only has two users, root and www...
by bulgin
Thu Jun 25, 2009 11:22 am
Forum: PHP - Security
Topic: Need guru eyes to check for security holes here
Replies: 4
Views: 915

Need guru eyes to check for security holes here

We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last...
by bulgin
Mon Mar 23, 2009 7:34 pm
Forum: Databases
Topic: determine time spread between records, take action
Replies: 2
Views: 313

determine time spread between records, take action

I have an application that I'm building that examines apache logs (which are logged to a MySQL database). There are certain strings that the MySQL database is on the alert for (specially crafted URLs). If MySQL sees one of these specially crafted URLs, it is supposed to send out an email alert to an...
by bulgin
Thu Mar 19, 2009 3:12 pm
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

That is enormously helpful and I thank you.

Beginners need to learn too, you know.

Thanks!
by bulgin
Thu Mar 19, 2009 2:52 pm
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

thank you. thank you. thank you. Now I have something I can chew on. Let's see, the part about not putting them in the update statement if you didn't intend the user to update them makes total sense. Can you give me a simple example, though on the php syntax for "shielding the implementations o...
by bulgin
Thu Mar 19, 2009 1:04 pm
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

Let me paint this picture and perhaps it will be more clear what I would like to do (and this is just an example): If I go to somebank.com and login and bring up their form and fill it in and submit it all the while using tamper data to view the submission process, there are NO FIELD names listed in...
by bulgin
Thu Mar 19, 2009 10:22 am
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

Have you ever actually used 'Tamper Data' or something equivalent? It's rather clear what I'm referring to. The fields, their actual names not the human-friendly field name used in the form -- those placeholders used in something like MySQL or equivalent to hold user input values -- are revealed to ...
by bulgin
Thu Mar 19, 2009 9:53 am
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

Understood. But if the person behind the client cannot SEE the names of the fields they are less likely to know WHAT to send, n'est-ce pas?

You are telling me there is no way to hide from the eyeballs of the user the name of fields that a tool like Tamper Data reveals?
by bulgin
Thu Mar 19, 2009 9:38 am
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Re: Preventing posting of data with Tamper Data

Thanks for your reply. I think you know what I would like to do - stop a user who is using Tamper Data or equivalent from being able to see the values being passed to the browser. In some cases in this application the person using Tamper Data (okay it's lame, but people use it to hack stuff) can see th...
by bulgin
Wed Mar 18, 2009 11:02 pm
Forum: PHP - Security
Topic: Preventing posting of data with Tamper Data
Replies: 15
Views: 7147

Preventing posting of data with Tamper Data

I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'. What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'? ...
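The following is an added example, not code from the thread above, showing what the replies describe: Tamper Data cannot be stopped from seeing or editing field names, so the only defence is to decide on the server which columns a request is allowed to touch. The `users` table, its columns, and the forged request body are assumptions constructed for illustration.

```php
<?php
// Added example (not the poster's code). Shows a "read only" form field being
// forged through a tampered POST body, and the server-side fix: an allow-list of
// editable columns, bound parameters, and the user id taken from the session.
// Table and column names are assumptions for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, balance INTEGER, role TEXT)");
$db->exec("INSERT INTO users VALUES (7, 'bulgin', 'old@example.com', 100, 'user')");

// Vulnerable: every key the client posts becomes a SET clause. The HTML form
// only rendered an 'email' input, but nothing stops a client from adding
// balance=999999&role=admin to the request.
function update_profile_vulnerable(PDO $db, int $userId, array $post): void
{
    $sets = [];
    foreach ($post as $column => $value) {
        $sets[] = "$column = " . $db->quote($value);   // column name comes straight from the client
    }
    $db->exec("UPDATE users SET " . implode(', ', $sets) . " WHERE id = $userId");
}

// Hardened: only columns in the allow-list are written, values are bound, and
// every extra key the client sent is returned so the caller can log it as tampering.
function update_profile_hardened(PDO $db, int $userId, array $post): array
{
    $editable = ['email'];                       // the only field this form may change
    $ignored  = array_values(array_diff(array_keys($post), $editable));
    $stmt = $db->prepare("UPDATE users SET email = :email WHERE id = :id");
    $stmt->execute([':email' => $post['email'] ?? '', ':id' => $userId]);
    return $ignored;
}

function load_user(PDO $db, int $userId): array
{
    $stmt = $db->prepare("SELECT username, email, balance, role FROM users WHERE id = :id");
    $stmt->execute([':id' => $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed request body, as a tampered client would send it.
$forged = ['email' => 'new@example.com', 'balance' => '999999', 'role' => 'admin'];

$sessionUserId = 7;   // from the server-side session, never from the form

update_profile_vulnerable($db, $sessionUserId, $forged);
print_r(load_user($db, $sessionUserId));   // balance and role were changed by the client

$db->exec("UPDATE users SET balance = 100, role = 'user' WHERE id = 7");   // reset for the second run
$ignored = update_profile_hardened($db, $sessionUserId, $forged);
print_r(load_user($db, $sessionUserId));   // only email changed
print_r($ignored);                         // the keys that were dropped: worth logging
```

The point the replies make holds here: the field names are visible to the client no matter what the page does, and hiding or renaming them changes nothing. What stops the forgery is that the hardened handler never lets the request choose which columns to update.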
by bulgin
Sun Mar 01, 2009 6:01 pm
Forum: PHP - Code
Topic: difficulty with distinct parameter
Replies: 2
Views: 104

Re: difficulty with distinct parameter

"DISTINCT applies across all the columns that you want returned, not just the first column in your select list; otherwise SQL can't know which values to return for the other columns. Which of the four returned results do you actually want?"

Thank you. I thought that was my problem. I want distinct re...
by bulgin
Sun Mar 01, 2009 5:12 pm
Forum: PHP - Code
Topic: difficulty with distinct parameter
Replies: 2
Views: 104

difficulty with distinct parameter

I have the following bit of code: SELECT distinct request_uri , sent_or_not_sent, id FROM web3_access_log where sent_or_not_sent = '0' and the result set are 4 when I had hoped it would be just 1. There are 4 records with the same request_uri but I only want returned 1 instance of that. In the above...
by bulgin
Thu Feb 19, 2009 10:45 am
Forum: PHP - Code
Topic: Request code to compare times and send message
Replies: 1
Views: 126

Request code to compare times and send message

I have the following code which works nicely sending out an email. I need to wrap the whole thing in an if statement that will compare the web3_access_logs.time_stamp which is an integer and displays epoch time, with the current time and if the difference is greater than 1 hour, send out the email, ...
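An added example, not the poster's code, covering the three alert-log posts above in one sweep: the DISTINCT question (one row per request_uri rather than one per id), the epoch time_stamp comparison against the current time with a one-hour threshold, and the "take action once" step for the crafted-URL alerts. The table uses the column names from the thread; the rows, the fixed "now", the `send_alert()` stub and the 3600-second threshold are assumptions.

```php
<?php
// Added example (not the poster's code). One sweep over web3_access_log that
// (a) selects one unsent row per request_uri via GROUP BY instead of DISTINCT
//     across id, which always returns every row because id differs;
// (b) compares the epoch time_stamp with the current time; and
// (c) marks rows sent so the same URI is not alerted on twice.
// Column names follow the thread; sample rows and the threshold are assumptions.

function open_log_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE web3_access_log (
        id INTEGER PRIMARY KEY,
        request_uri TEXT NOT NULL,
        time_stamp INTEGER NOT NULL,
        sent_or_not_sent INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// SELECT DISTINCT request_uri, sent_or_not_sent, id ... returns four rows for
// four hits on one URI. Grouping on request_uri and keeping the lowest id and
// earliest time_stamp returns one row per URI.
function unsent_one_per_uri(PDO $db): array
{
    $sql = "SELECT MIN(id) AS id, request_uri, MIN(time_stamp) AS first_seen
            FROM web3_access_log
            WHERE sent_or_not_sent = 0
            GROUP BY request_uri
            ORDER BY first_seen";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-in for the poster's mail() call (hypothetical).
function send_alert(string $uri, int $firstSeen): void
{
    echo "ALERT: $uri first seen at " . gmdate('c', $firstSeen) . "\n";
}

// Returns the URIs alerted on. $now is passed in so the one-hour rule can be
// exercised on constructed data instead of waiting for the clock.
function sweep_alerts(PDO $db, int $now, int $maxAgeSeconds = 3600): array
{
    $alerted = [];
    $mark = $db->prepare("UPDATE web3_access_log SET sent_or_not_sent = 1
                          WHERE request_uri = :uri AND sent_or_not_sent = 0");
    foreach (unsent_one_per_uri($db) as $row) {
        if ($now - (int)$row['first_seen'] > $maxAgeSeconds) {
            send_alert($row['request_uri'], (int)$row['first_seen']);
            $mark->execute([':uri' => $row['request_uri']]);   // flags every hit on that URI
            $alerted[] = $row['request_uri'];
        }
    }
    return $alerted;
}

$db  = open_log_db();
$now = 1700000000;   // fixed "current time" for the constructed rows
$ins = $db->prepare("INSERT INTO web3_access_log (request_uri, time_stamp) VALUES (:uri, :ts)");

// Constructed rows: four hits on one crafted URI about two hours ago, one fresh hit on another.
$crafted = '/index.php?id=1%27%20OR%201=1';
$rows = [
    [$crafted, $now - 7200],
    [$crafted, $now - 7100],
    [$crafted, $now - 7000],
    [$crafted, $now - 6900],
    ['/admin/../../etc/passwd', $now - 60],
];
foreach ($rows as [$uri, $ts]) {
    $ins->execute([':uri' => $uri, ':ts' => $ts]);
}

$first = sweep_alerts($db, $now);    // only the two-hour-old URI is older than one hour
$again = sweep_alerts($db, $now);    // nothing: its rows are now flagged as sent
print_r($first);
print_r($again);
```

Two things worth noting for a production version: the UPDATE that flags rows as sent should run in the same transaction as the SELECT if more than one sweeper can run at once, and `request_uri` goes into the alert mail as data, so escape or encode it before it is rendered anywhere an attacker-controlled URL could be interpreted.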
by bulgin
Mon Feb 16, 2009 10:29 am
Forum: PHP - Code
Topic: my substring() function does not work
Replies: 2
Views: 205

Re: my substring() function does not work

It turns out that the following snippet of code worked. I don't know what you are talking about, tasairis, I'm only trying to compare and join two tables with file names, not retrieve or work on the actual file: SELECT substring( web2_access_log.request_uri,2 ), cust.file_names, cust.email_addresses...