No... Even Worse...and much stupider ;)
The php folder I was using for the test project [within the document
root] did not have ANY htaccess protection
He just opened up the folder in the browser.
That folder had an old version of my 'crucial_smil_functions.php' script
He got access to that
Graham Anderson wrote:
my htaccess file for the folder containing the php script was not
set properly
What does that mean? Are you telling us that /home/siren/includes/ is
within document root? If it's not, do you link to it from within
document root?
Do not store includes within document r
Many thanks for everyone's advice :)
It is appreciated
Is this a bit better ?
In my 'cleaner' function, I amended the script to:
function cleanser( $value )
{
return mysql_real_escape_string( trim( escapeshellcmd($value ) )) ;
}
Instead of mysql_real_escape_string, I could use addslashes()
On Fri, October 14, 2005 8:20 am, John Nichel wrote:
> David Robley wrote:
>> Ben wrote:
>
>>>My understanding is that mysql_real_escape_string will only work
>>> while
>>>you are connected to mysql. Not sure if that is the case in your
>>>situation.
>>
>>
>> That is incorrect. mysql_real_escape_
On Thu, October 13, 2005 4:05 pm, Graham Anderson wrote:
> How does a hacker get access to your scripts located outside the web
> folder?
Several obvious options:
1. Get an account on the machine, and write another PHP script to read
it.
2. Find some other script on the machine that will cheerfu
Ben wrote:
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your
situation.
At least it requires a connection to mysql. I had an error, when using
it without any connection opened before, that mysql_real_escape
John Nichel wrote:
> David Robley wrote:
>> Ben wrote:
>
>>>My understanding is that mysql_real_escape_string will only work while
>>>you are connected to mysql. Not sure if that is the case in your
>>>situation.
>>
>>
>> That is incorrect. mysql_real_escape_string is a php function, not mysql
Marcus Bointon wrote:
On 14 Oct 2005, at 04:48, David Robley wrote:
That is incorrect. mysql_real_escape_string is a php function, not
mysql.
Mostly true: mysql_real_escape_string is a php function, but it's
provided by the mysql extension as part of the mysql client libraries
(which ex
David Robley wrote:
Ben wrote:
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your
situation.
That is incorrect. mysql_real_escape_string is a php function, not mysql.
Actually, it's both. And yes, you *
On 14 Oct 2005, at 04:48, David Robley wrote:
That is incorrect. mysql_real_escape_string is a php function, not
mysql.
Mostly true: mysql_real_escape_string is a php function, but it's
provided by the mysql extension as part of the mysql client libraries
(which explains the name). It doe
Ben wrote:
> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better ?
>> As directed, I 'sanitized' all user input variables with trim and
>> mysql_real_escape_string.
>>
>> thanks for everyone's patience as I am starting at ground zero
>> concerning security.
>>
>>
>> if
Graham Anderson said the following on 10/13/05 15:31:
Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
thanks for everyone's patience as I am starting at ground zero
concerning security.
if( isset($_REQUEST['cmd']) OR isse
Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.
thanks for everyone's patience as I am starting at ground zero
concerning security.
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{
// decrypt and sanitize var
Ok, I just heard back from him and feel like an idiot
my htaccess file for the folder containing the php script was not
set properly
guess at this point, I'll take all of the advice you guys gave and
implement it :)
g
On Oct 13, 2005, at 2:21 PM, Robert Cummings wrote:
On Thu, 2005-10
On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:
> How does a hacker get access to your scripts located outside the web
> folder?
> I asked a friend to hack my php script within the web folder...
Ummm, the obvious thing to do is ask your friend how he did it, then
we'll tell you how to preven
Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
er. why don't you [EMAIL PROTECTED](%*&[EMAIL PROTECTED](_*^#()% % er ask
him.
all of my crucial functions were called by
Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_RIJNDAEL_256
He was abl