Hide pages from users and search engines

Posted: Sat Jan 17, 2009 2:46 am
by sebaro
Hi

My site is just a php file, index.php.
The site pages are made using GET, ?action=page.

Code:

 
$action = isset($_GET['action']) ? $_GET['action'] : null;
if ($action !== null) {
    if ($action == 'admin') {
        admin('admin');
    }
...
function admin($page) {
    if ($page == 'admin') {
           echo "<form action='?action=admin' method='post'>";
...
 
I don't want 'mysite.com/?action=admin' to be seen by users and search engines.
Users can't see it unless they guess that page, but search engines found it (live.com).

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 6:32 am
by jaoudestudios
Use an HTML meta tag to stop bots indexing that page.

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 8:02 am
by sebaro
My site is only a file/page: index.php
so the meta tags are for the entire site.

To browse the site, users use
mysite.com/index.php?action=showpage1
mysite.com/index.php?action=showpage2
etc
which only change the page content, not a whole html page

Code:

 
<html>
<head></head>
<body>
mysite.com/index.php?action=showpage1
mysite.com/index.php?action=showpage2
<?php
$content = isset($_GET['action']) ? $_GET['action'] : '';
if ($content == "showpage1") {
   echo "page1";
}
...
?>
</body>
</html>
 

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 8:21 am
by kaisellgren
Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 9:11 am
by sebaro
kaisellgren wrote: Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.
The admin page is in a form action.

mysite.com/?action=admin contains the form:

<form action=mysite.com/?action=admin>
</form>

but this form is shown only when opening the admin link

so how did live.com find it?

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 9:46 am
by kaisellgren
sebaro wrote:
kaisellgren wrote: Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.
The admin page is in a form action.

mysite.com/?action=admin contains the form:

<form action=mysite.com/?action=admin>
</form>

but this form is shown only when opening the admin link

so how did live.com find it?
You output it somewhere. There is some place you did not find, because the search engine bot crawls your page and reads the entire contents you output. If you have the admin page outputted anywhere, it's being taken by the bot.

Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 10:52 am
by sebaro
kaisellgren wrote: Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:
That's why I don't use robots.txt to prevent indexing.
kaisellgren wrote: If you have the admin page outputted anywhere it's being taken by the bot.
The admin page/link is not outputted anywhere, only on the admin page
mysite.com/?action=admin. So you have to know this link, or have access to the php source code to see it.
When I built the sitemap using an online sitemap creator, it didn't find my admin link/page.
But live.com somehow did.

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 11:13 am
by kaisellgren
sebaro wrote:
kaisellgren wrote: Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:
That's why I don't use robots.txt to prevent indexing.
kaisellgren wrote: If you have the admin page outputted anywhere it's being taken by the bot.
The admin page/link is not outputted anywhere, only on the admin page
mysite.com/?action=admin. So you have to know this link, or have access to the php source code to see it.
When I built the sitemap using an online sitemap creator, it didn't find my admin link/page.
But live.com somehow did.
Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 11:43 am
by sebaro
kaisellgren wrote: Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.
OK, Thanks.

My script is simple, like this:

Code:

 
<html>
<head></head>
<body>
<?php
 
function content($cont) {
    if ($cont == "viewpage1") {
        echo "page1";
    }
    elseif ($cont == "viewpage2") {
        echo "page2";
    }
    ...
}
 
function admin($page) {
    if ($page == "admin_users") {
        $postuser = $_POST['user'];
        $query = "";
        $result = mysql_query($query);
        echo "<form action='?action=admin_users' method='post'>";
        ...
        echo "</form>";
    }
    if ($page == "admin_comments") {
        $postcomm = $_POST['comm'];
        $query = "";
        $result = mysql_query($query);
        echo "<form action='?action=admin_comments' method='post'>";
        ...
        echo "</form>";
    }
}
 
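// Read the action only if it was supplied, to avoid an undefined-index notice.
$action = isset($_GET['action']) ? $_GET['action'] : null;
if ($action !== null) {
    if ($action == 'admin_users') {
        admin('admin_users');   // must match the name checked inside admin()
    }
    elseif ($action == 'admin_comments') {
        admin('admin_comments');
    }
    elseif ($action == 'viewpage1') {
        content('viewpage1');
    }
    elseif ($action == 'viewpage2') {
        content('viewpage2');
    }
    ...
}
?>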
</body>
</html>
 

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 11:48 am
by kaisellgren
You should have protection that prevents third parties from getting into your admin system. Hiding it alone is not considered safe.

Re: Hide pages from users and search engines

Posted: Sat Jan 17, 2009 1:44 pm
by Burrito
Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.

Re: Hide pages from users and search engines

Posted: Sun Jan 18, 2009 2:26 am
by sebaro
kaisellgren wrote:You should have protection that prevents third parties from getting into your admin system. Hiding it alone is not considered safe.
Of course, the admin page is password protected.

Re: Hide pages from users and search engines

Posted: Sun Jan 18, 2009 2:30 am
by sebaro
Burrito wrote:Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
The admin page asks for admin user & password.
But I don't want users or search engines to know this page.
I think it is safer.

Re: Hide pages from users and search engines

Posted: Sun Jan 18, 2009 8:10 am
by kaisellgren
sebaro wrote:
Burrito wrote:Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
The admin page asks for admin user & password.
But I don't want users or search engines to know this page.
I think it is safer.
Make your site safe, do not try to hide it. Many vulnerabilities will give the information (location) to the attacker.
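
Added example (not part of any post in this thread): one way a single index.php can send a robots directive per action and refuse admin actions without a logged-in session, so the admin URL gives a crawler nothing to index. The action names follow the script posted above; the `is_admin` session key, the `resolve()` helper and the choice of a 404 for unauthenticated admin requests are assumptions.

```php
<?php
// Added example, not code from the thread. Action names follow the posted
// script; the 'is_admin' session key and function names are assumptions.
session_start();

const PUBLIC_ACTIONS = ['viewpage1', 'viewpage2'];
const ADMIN_ACTIONS  = ['admin_users', 'admin_comments'];

// Decide status, robots directive and view BEFORE any output is sent.
function resolve(?string $action, bool $isAdmin): array {
    if ($action === null) {
        return [200, 'index, follow', 'home'];
    }
    if (in_array($action, PUBLIC_ACTIONS, true)) {
        return [200, 'index, follow', $action];
    }
    if ($isAdmin && in_array($action, ADMIN_ACTIONS, true)) {
        return [200, 'noindex, nofollow', $action];
    }
    // Unknown action and admin action without a session get the same 404,
    // so the response does not confirm that an admin action exists.
    return [404, 'noindex, nofollow', 'notfound'];
}

$action = (isset($_GET['action']) && is_string($_GET['action']))
    ? $_GET['action'] : null;
// Assumption: a separate login handler sets this after checking the password.
$isAdmin = !empty($_SESSION['is_admin']);

[$status, $robots, $view] = resolve($action, $isAdmin);
http_response_code($status);
header('X-Robots-Tag: ' . $robots);  // per response, so it works in a one-file site
?>
<html>
<head><meta name="robots" content="<?= htmlspecialchars($robots) ?>"></head>
<body>
<?php
// $view comes from a fixed set of strings, never raw user input.
// Placeholder rendering; the site's content()/admin() functions would go here.
echo htmlspecialchars($view === 'notfound' ? 'Not found' : "content for $view");
?>
</body>
</html>
```

Because the status and headers are decided before the first byte of HTML, the admin forms are never rendered for a request without a session, whether it comes from a crawler or from someone guessing the action name.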