Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
$action = isset($_GET['action']) ? $_GET['action'] : null; // read the parameter only if it was sent
if (isset($action)) {
    if ($action == 'admin') {
        admin('admin');
    }
    ...
function admin($page) {
    if ($page == 'admin') {
        echo "<form action='?action=admin' method='post'>";
        ...
I don't want 'mysite.com/?action=admin' to be seen by users or search engines.
Users can't see it unless they guess the page, but a search engine found it (live.com).
My site is only one file/page: index.php,
so the meta tags apply to the entire site.
To browse the site, users use
mysite.com/index.php?action=showpage1
mysite.com/index.php?action=showpage2
etc.,
which only changes the page content, not the whole HTML page.
Search engines are just like visitors: they make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form, and use an unguessable name for the page.
kaisellgren wrote:Search engines are just like visitors: they make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form, and use an unguessable name for the page.
The admin page is in a form action.
mysite.com/?action=admin contains the form:
<form action=mysite.com/?action=admin>
</form>
but this form is shown only when opening the admin link
so how did live.com find it?
You output it somewhere. There is some place you did not find, because the search engine bot crawls your page and reads the entire contents you output. If the admin page is output anywhere, the bot will pick it up.
Often people have a robots.txt file and put "Disallow: /admin/" or something like that in it to prevent bots from indexing those pages. That's kind of stupid in my opinion, since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is type site.com/robots.txt. Of course I only crack my friends' websites and companies' websites, and that is because they always ask me to.
kaisellgren wrote:
Often people have a robots.txt file and put "Disallow: /admin/" or something like that in it to prevent bots from indexing those pages. That's kind of stupid in my opinion, since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is type site.com/robots.txt. Of course I only crack my friends' websites and companies' websites, and that is because they always ask me to.
That's why I don't use robots.txt to prevent indexing.
kaisellgren wrote:
If the admin page is output anywhere, the bot will pick it up.
The admin page/link is not output anywhere, only on the admin page
mysite.com/?action=admin. So you have to know this link, or have access to the PHP source code, to see it.
When I built the sitemap using an online sitemap creator, it didn't find my admin link/page.
But live.com somehow did.
Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.
kaisellgren wrote:
Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.
Burrito wrote:Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
The admin page asks for admin user & password.
But I don't want users or search engines to know this page.
I think it is safer.
Make your site safe, do not try to hide it. Many vulnerabilities will give that information (the location) to the attacker.
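To show what "make it safe instead of hiding it" and Burrito's "redirect if not logged in" look like in a single-file index.php like the one in this thread, here is an added example; it is not code from any of the posters. It assumes PHP 7 or later with sessions enabled, and that the admin password hash is supplied through an environment variable named ADMIN_HASH (that name is an assumption; the value shown in the code is a constructed placeholder, not a real hash). The admin action never serves its markup to an unauthenticated request, so a crawler that stumbles on ?action=admin gets a redirect to a login form, and the login and admin responses carry X-Robots-Tag: noindex so nothing about them needs to be listed in robots.txt.

```php
<?php
declare(strict_types=1);

session_start();

// Constructed placeholder: create the real value once with
// password_hash('your-password', PASSWORD_DEFAULT) and keep it outside the
// web root. Reading it from an environment variable is an assumption.
define('ADMIN_HASH', getenv('ADMIN_HASH') ?: '$2y$10$PLACEHOLDER_NOT_A_REAL_HASH');

function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

function csrfToken(): string
{
    // One random token per session, bound into the login form.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf'];
}

function showLogin(): void
{
    // Reachable without auth, so tell crawlers not to index it. The URL is
    // not the secret; the password is.
    header('X-Robots-Tag: noindex, nofollow');
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo "<form action='?action=login' method='post'>"
       . "<input type='hidden' name='csrf' value='{$token}'>"
       . "<input type='password' name='password' autocomplete='current-password'>"
       . "<button type='submit'>Log in</button></form>";
}

function handleLogin(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        showLogin();
        return;
    }
    $token    = (string) ($_POST['csrf'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    // hash_equals and password_verify both compare in constant time.
    if (hash_equals(csrfToken(), $token) && password_verify($password, ADMIN_HASH)) {
        session_regenerate_id(true);   // new session id after login (anti-fixation)
        $_SESSION['is_admin'] = true;
        header('Location: ?action=admin', true, 303);
        exit;
    }
    http_response_code(403);
    showLogin();
}

function admin(): void
{
    if (!isAdmin()) {
        // Bots follow this redirect exactly like a browser would, so the admin
        // form is never emitted to anyone who has not logged in.
        header('Location: ?action=login', true, 302);
        exit;
    }
    header('X-Robots-Tag: noindex, nofollow');
    echo "<form action='?action=admin' method='post'><p>Admin panel (logged in).</p></form>";
}

function showPage(string $name): void
{
    // Public pages are an explicit whitelist; any other action is a plain 404,
    // so unknown and unlinked action names all look the same from outside.
    $pages = ['showpage1' => 'Page 1', 'showpage2' => 'Page 2'];
    if (!isset($pages[$name])) {
        http_response_code(404);
        echo '<p>Page not found.</p>';
        return;
    }
    echo '<h1>' . htmlspecialchars($pages[$name], ENT_QUOTES, 'UTF-8') . '</h1>';
}

$action = isset($_GET['action']) ? (string) $_GET['action'] : 'showpage1';

switch ($action) {
    case 'admin':
        admin();
        break;
    case 'login':
        handleLogin();
        break;
    default:
        showPage($action);
}
```

With this layout the only thing that lets a request past the admin check is a valid session established by password_verify, so whether live.com or anyone else learns the string "action=admin" no longer matters; the 403 on a failed login and the 404 on unknown actions also give a crawler nothing to index.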