php, coldfusion and general web development waffle

faceless
admin
Joined: 25 Apr 2006

Posted: Tue Jan 28, 2014 9:06 pm

ah right, well it sounds like you will have to rewrite things then - but I'm sure there's an easy way to convert your code without having to do it manually

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Tue Jan 28, 2014 9:19 pm

yeah it's pretty simple to fix, i've already fixed the site that was hacked apart from two pages which are a bit different from everything else

looks like they used a tool called Havij http://itsecteam.com/products/havij-advanced-sql-injection/

i can see how they exploited the site to run a query, but i'm not sure how they managed to view the results from the queries Confused

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Mon Mar 17, 2014 3:48 pm

i got a problem with a site ... again!

this site has a page which is accessible from another site, and only from that other site

up until now i've been checking the http referrer, if the referrer is valid i display the page

the problem is the boss ( who i'm trying to win some work from! ) of this other site has some software or setup that's not sending the http referrer. and looking through the logs, it does happen now and then. googling the problem, there is an option in ie, or settings you can change in other browsers or privacy or security software that prevents the http referrer being sent, and it's recommended not to rely on it for anything important.

so now i can't use that to validate the request, how can i?!

i've googled and i can't find anything, but there must be a way ...

faceless
admin
Joined: 25 Apr 2006

Posted: Mon Mar 17, 2014 5:25 pm

a cookie? I've never really used them myself, but it sounds like it should do the trick

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Mon Mar 17, 2014 7:44 pm

no it won't work, i did actually say the other week i had a fix for it, and i'd based that around the idea of checking for the existence of their members cookie - not realising that for security reasons you can't check cookies from one site set by another site!

i've been thinking about this for a while now, and i can't think of a solution. without the http referrer, and not being able to check for the existence of a cookie set by the other site, i just don't know how it can be done - but i'm going to have to come up with some blag as to why i said i had a fix!

faceless
admin
Joined: 25 Apr 2006

Posted: Mon Mar 17, 2014 9:23 pm

Could you do it inside a protected frame like I do with some pages here? If the page isn't loaded inside the frame the redirect makes any browser go to where it should be.

Put this in the HEAD and it works.

Code:
<script>

  if(self.location==top.location)self.location="http://couchtripper.com/forum2/viewtopic.php?t=12771";

</script>

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Fri Mar 21, 2014 12:43 pm

sorry for the delay, had some trouble with a site this week, and i'm getting ready to move all the sites to a new server

it could possibly work in a way - and it might have to - but i don't think it would be the best or a very secure way of doing it.

at the moment, this other site has a link to say www.mysite.com/for-their-members-page/ and if the http referrer is http://www.theirsite.com/members/ i know it's a valid request from their site from within their members area which they have had to sign into

i know the http referrer can be faked, but you know - even nasa can be hacked Laughing

i guess to do your solution, instead of them clicking to go to www.mysite.com/for-their-members-page/ they'd click to go to another page on their site like http://www.theirsite.com/members/mysite-frameset/, that if they were logged in would set up a frameset, which would load my page from my site, which would then run the javascript to check it was inside the frameset set by their members area ... it's kinda messy and can be broken, but it might be the best solution at the moment!

thinking about it, i might use this as a fall-back - if the http referrer doesn't exist in the existing check, jump automatically back to their site to run the frameset which will only run if their member cookie exists. thanks Smile

the blag i'm going to say for why i said i had a proper solution is that if they give me the work i bid for, and they moved their site over to my server, i can run sql queries from either site on the other site's database to either check that the ip is logged in and valid, or to get the content from the other site while being able to check for their members cookie - all server side so it can't be broken.
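
The referrer check with the frameset fall-back described in the post above, written out as an added example (not code from the thread; the function name and the action labels are made up for illustration, and the URLs are the placeholder ones from the post). It compares the parsed origin and path rather than a substring, and treats a missing header as "send them back through the frameset" instead of a failure. A matching Referer is still only a hint, since the header is supplied by the client and can be faked.

```javascript
// Added example: decide what to do with a request for the members-only page
// based on its Referer header. URLs are the placeholders used in the post.
const ALLOWED_ORIGIN = "http://www.theirsite.com";
const ALLOWED_PATH_PREFIX = "/members/";
const FRAMESET_URL = "http://www.theirsite.com/members/mysite-frameset/";

// Returns { action: "allow" | "redirect" | "deny", reason, [location] }.
function checkReferrer(headers) {
  // HTTP spells the header "Referer"; Node lower-cases header names.
  const raw = headers["referer"];

  // Header stripped by browser settings or privacy software: don't fail,
  // bounce through their frameset page, which only loads for signed-in members.
  if (raw === undefined || raw.trim() === "") {
    return { action: "redirect", location: FRAMESET_URL, reason: "no referrer" };
  }

  let ref;
  try {
    ref = new URL(raw);
  } catch (e) {
    return { action: "deny", reason: "unparseable referrer" };
  }

  // Compare the parsed origin exactly. A substring or prefix test on the raw
  // string would also accept look-alike hosts that merely start with, or
  // contain, the allowed address.
  if (ref.origin !== ALLOWED_ORIGIN) {
    return { action: "deny", reason: "wrong origin" };
  }
  // The URL parser has already collapsed any "../" segments in the path.
  if (!ref.pathname.startsWith(ALLOWED_PATH_PREFIX)) {
    return { action: "deny", reason: "outside members area" };
  }
  return { action: "allow", reason: "referrer matches members area" };
}

// Constructed sample requests (header objects as a Node server would see them).
const samples = [
  { referer: "http://www.theirsite.com/members/" },
  {},
  { referer: "http://www.theirsite.com.example.net/members/" },
  { referer: "http://www.theirsite.com/members/../login/" },
];
for (const h of samples) {
  console.log(h.referer || "(none)", "->", checkReferrer(h).action);
}
```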

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Mon Mar 24, 2014 9:23 pm

i just wanted to say, fuck linux and its case sensitive nonsense! even on table names!! crazed angry Mad

Brown Sauce
Joined: 07 Jan 2007

Posted: Wed Mar 26, 2014 7:43 am

http://www.linuxquestions.org/questions/linux-general-1/why-is-linux-case-sensitive-125995/

it has its advantages.

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Wed Mar 26, 2014 1:31 pm

yeah i can see that, i was kinda pissed off when i wrote that!

i'm in the process of moving everything to a new linux server; i started testing the sites and all the sql was failing. in my local databases, and my code, all table names are called something like tblDocuments, tblPages etc - although up until now case has never mattered - but somewhere along the way from my local machine to the old server to this new server, mysql has made all the table names lower case, so i had to rename every table for every site to match the code.

do you use linux much?

i've got an old desktop machine that i'd like to set up with linux, apache, mysql and coldfusion. i see you can get xampp for linux so i'll just use that, but do you know a decent and easy to set up version of linux?

anyone have any experience of virtualbox? https://www.virtualbox.org/ http://en.wikipedia.org/wiki/VirtualBox

looks like i could install and run linux from my windows desktop

Brown Sauce
Joined: 07 Jan 2007

Posted: Wed Mar 26, 2014 7:39 pm

I use linux every day. I gave up with xampp, it was too slow, and really I needed the terminal. Windows is too complicated, and all the useful info revolves around linux. Most of my stuff is drupal and php, so needs linux.

I also have a vps, it is ubuntu and I can easily ssh to it from the virtualbox on windows. It makes life a lot easier.

it's free, and there is so much info about installing the lamp stack for instance that it's so easy to do.

if you need tuts about any of it let me know. i have gigs of the shit. Smile

take a look at squqs.com tell me what you think ..

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Fri Mar 28, 2014 3:46 pm

thanks sauce, i think i'm going to try ubuntu through the virtual box first. i've never had trouble with xampp being slow, coldfusion has always run fine on it - even on my old computer. i'll see what it's like running on linux through virtual box from windows though!

is there some sort of weird difference with sorting folders/files by name on linux?

on one site a few members can upload cd's/dvd's via ftp, and my code goes through the folders/files displaying the info so other members can download

on windows, i just set the sort by folder name, and then by filename

on linux, no matter what i do - the order is totally random!

maybe it's a bug with coldfusion on linux, but i googled the problem and no one else seems to have it



Confused

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Fri Mar 28, 2014 4:15 pm

scrap that, fixed it Smile in linux, it's just a simple sort by 'name', whereas windows i had to sort by 'directory' and 'file'

luke
Joined: 11 Feb 2007
Location: by the sea

Posted: Thu May 15, 2014 6:37 pm

i was wondering if anyone has any ideas what's going on here ...

these are files/folders uploaded from a dvd to a linux server

on some filenames, what were spaces have been changed to some strange character, but not always - and sometimes a single file can contain a normal space and the strange character instead of the space?

in the ftp they look normal - no weird characters. but when i grab them through my code, they come back like this. if i rename via ftp and delete what looks in the ftp like a space, and replace with a space, they come back fine Confused



these strange characters are messing with my system!

faceless
admin
Joined: 25 Apr 2006

Posted: Thu May 15, 2014 11:37 pm

I think that's the reason files from the scene always have.fullstops.between.words - I'd say to try at the server software forum.

All times are GMT