But it sounds like she's specifically trying to count the incidence of 
various query parameters. If they were POSTed in, that data wouldn't be 
recorded in the log and she'd have to create a whole separate mechanism 
for tracking them.

miguel

On Wed, 1 May 2002, 1LT John W. Holmes wrote:
> What about, like I said, using a POST method on your forms?
> 
> ---John Holmes...
> 
> ----- Original Message ----- 
> From: "Fearless Froggie" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 01, 2002 3:51 PM
> Subject: Re: [PHP] PHP and Log Analyzers
> 
> 
> > Everything is validated before it is included. The
> > file name on the command line is really just a
> > variable stating what file I want included. I don't
> > include what I get from the command line. 
> > 
> > PHP is also installed in "safe mode"  which from what
> > I understand requires the hacker to . . . 
> > 
> > a) put the file they wish to include into my space on
> > the web server. (or replace the contents of one of my
> > existing files)
> > 
> > b) add a new option to my validation routine
> > so that their file is loaded.
> > 
> > I'm assuming that if they have the ability to put
> > stuff in my web server directory space, I'm screwed
> > anyway.
> > 
> > But if anybody sees anything I'm missing, I'd be
> > grateful for any warnings. One trouble area I can see
> > is giving away the name of the file I'm including . . .
> > I assume the less information you give out, the
> > safer you are. I should have used another variable
> > value, but at the time I figured it would be just
> > another value I would need to remember.
> > 
> > I admit I'm grateful for "php safe mode". Having done
> > a bit of programming, it's easy enough to figure
> > things out in PHP. Unfortunately not having any web
> > programming experience, it's really easy to create
> > things that can get you into a lot of trouble. I'm
> > always grateful for any security warnings and
> > information.
> > 
> > Thanks,
> > 
> > Rita Mikusch
> > 
> > List:     php-general
> > Subject:  Re: [PHP] PHP and Log Analyzers
> > From:     "1LT John W. Holmes"
> > <[EMAIL PROTECTED]>
> > Date:     2002-05-01 19:20:27
> > 
> > If you know what is good for you, you will stop this method that you're
> > using and come up with a better one. You are open to so many attacks, it's
> > unbelievable. I really, really, hope you have a solid validation routine
> > for the files you're including.
> > 
> > How about using method='post' for your forms. Then the variables won't show
> > up in the URL.
> > 
> > ---John Holmes...
> > 
> > ----- Original Message -----
> > From: "Fearless Froggie" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 01, 2002 2:04 PM
> > Subject: [PHP] PHP and Log Analyzers
> > 
> > 
> > > Because of the way I'm including files and passing
> > > variables on the url I'm finding it difficult to get
> > > the information I need from my log analyzer (I'm using
> > > an older version of Web Trends). I thought I'd email
> > > the list and see if anybody else has had the same
> > > problem and has found a solution.
> > >
> > > On my website I have one main file that I use...
> > >
> > > 1) to bring in dynamic information from the database
> > > (I just add the article id information to the url . . .
> > > ie, "index.php3?article_id=12&category_id=44")
> > >
> > > 2) or to include php files or html files. I just add
> > > the name of the html or php file to the url . . . ie,
> > > "index.php3?file_name=a_php_form.php3".
> > >
> > > That way I only need to update "index.php3" anytime
> > > the layout of the site changes.
> > >
> > > The log analyser will count
> > > "index.php3?article_id=12&category_id=44" as a
> > > separate page than
> > > "index.php3?file_name=a_php_form.php3" which is great
> > > -- they are separate content areas after all.
> > >
> > > The problem is that in some cases I am also passing
> > > form information on the URL .... for example
> > > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway".
> > > Now when I run the log analyzer it will list
> > > "index.php3?file_name=a_php_form.php3&name=bob&street=broadway"
> > > as a separate page than
> > > "index.php3?file_name=a_php_form.php3&name=judy&street=mainstreet".
> > > Ooops that's a problem cause they are the same content
> > > area and now I'm ending up with 5 zillion separate
> > > scores in the log analyzer for them. I could use a
> > > cookie to save that form information, but I'm hoping
> > > to avoid it.
> > >
> > > It would be nice if there were a log analyzer
> > > available that you could just type part of a url into,
> > > for example "index.php3?file_name=a_php_form.php3",
> > > and then get a score for any url containing that
> > > phrase. Or perhaps a program that would parse the log
> > > file into IP Address / Date / Time / HTTP Request.
> > > Then I could play around with it in a spreadsheet
> > > program.
> > >
> > > I'm sure one day down the road I'll be looking back at
> > > this problem and realize I missed something really
> > > obvious, but for now does anybody have any bright
> > > ideas?
> > >
> > > Rita Mikusch
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> 
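
Added example (not part of the original thread): a Python sketch of the parser Rita asks for, splitting log lines into IP / date / time / request and counting hits per content area while ignoring form fields; it also lists `file_name` values outside a known set, which bears on the include-by-URL concern raised above. The Common Log Format layout, the sample lines and the `KNOWN_FILES` set are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Parameters that select the content area (names taken from the thread).
CONTENT_KEYS = ("file_name", "article_id", "category_id")
# Assumed allowlist of includable files; only this one name appears in the thread.
KNOWN_FILES = {"a_php_form.php3"}

# Assumed Common Log Format: ip ident user [date:time zone] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^:\]]+):(?P<time>[^ \]]+)[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Split one log line into ip / date / time / method / target / status."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def content_key(target):
    """Return (path plus content-selecting parameters, all query parameters)."""
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    kept = [f"{k}={params[k]}" for k in CONTENT_KEYS if k in params]
    return parts.path + ("?" + "&".join(kept) if kept else ""), params

def analyze(lines):
    """Count hits per content area; list file_name values not in KNOWN_FILES."""
    pages, unknown = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines that are not in the assumed format
            continue
        key, params = content_key(rec["target"])
        pages[key] += 1
        name = params.get("file_name")
        if name is not None and name not in KNOWN_FILES:
            unknown.append((rec["ip"], rec["date"], rec["time"], name))
    return pages, unknown

# Constructed sample lines (documentation IP range), not real traffic.
P = "/index.php3?file_name=a_php_form.php3"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/May/2002:14:04:11 -0400] "GET {P}&name=bob&street=broadway HTTP/1.0" 200 5120',
    f'192.0.2.11 - - [01/May/2002:14:05:02 -0400] "GET {P}&name=judy&street=mainstreet HTTP/1.0" 200 5120',
    '192.0.2.12 - - [01/May/2002:14:06:40 -0400] "GET /index.php3?article_id=12&category_id=44 HTTP/1.0" 200 8841',
    '192.0.2.13 - - [01/May/2002:14:07:15 -0400] "GET /index.php3?file_name=not_a_site_page.php3 HTTP/1.0" 200 312',
    f'192.0.2.14 - - [01/May/2002:14:08:00 -0400] "POST {P} HTTP/1.0" 200 5120',  # POSTed fields are not logged
]
```

`analyze(SAMPLE_LOG)` returns the per-content-area counts and the list of requests whose `file_name` is not in the assumed allowlist; the POST line shows that only what stays in the URL reaches the log.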

