09-24-2008
That's a cross-site scripting vulnerability at its finest. Are you asking how to prevent this on a design level? Never trust user-supplied data.
It's not clear what values for p you want to continue to allow, but the basic principle should be "deny everything except a well-known set" and so a simple implementation would be to default to accueil.html unless p is one from a small set of other pages you want to allow. (A simple but, on the face of it, reasonably safe generalization would be to only allow values for p which do not contain any slash, encoded or otherwise. But "encoded or otherwise" can constitute a large security hole, too. Are you sure you know all the ways a slash could end up as the result of URL parsing?)
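To make the "deny everything except a well-known set" principle concrete, here is an added example (not code from the original thread); it assumes a Python handler, a hypothetical pages directory, and a constructed allowlist, since the thread only names accueil.html. It also implements the reply's fallback idea, "no slash, encoded or otherwise", so you can see how many decoding passes that check needs before it stops being useful, while the allowlist treats every unexpected value the same way:

```python
import os
import urllib.parse

# Constructed allowlist: the thread names only accueil.html; the other pages are assumed.
ALLOWED_PAGES = {"accueil.html", "contact.html", "about.html"}
DEFAULT_PAGE = "accueil.html"
PAGES_DIR = "/var/www/pages"  # hypothetical location of the static pages


def resolve_page(p):
    """Allowlist approach: return p only if it is a known page, else the default.

    There is nothing to decode or sanitise; a value either matches one of the
    allowed names byte-for-byte or it is replaced by the default page.
    """
    if p in ALLOWED_PAGES:
        return p
    return DEFAULT_PAGE


def page_path(p):
    """Build the filesystem path for the selected page.

    Because resolve_page() only ever returns a name from ALLOWED_PAGES, the joined
    path cannot leave PAGES_DIR. The normpath comparison is a belt-and-braces check
    that would catch a future mistake in ALLOWED_PAGES (e.g. an entry containing '..').
    """
    candidate = os.path.normpath(os.path.join(PAGES_DIR, resolve_page(p)))
    if not candidate.startswith(PAGES_DIR + os.sep):
        return os.path.join(PAGES_DIR, DEFAULT_PAGE)
    return candidate


def no_slash_check(p, max_decode=3):
    """Blocklist approach from the reply: reject any value containing a slash,
    'encoded or otherwise'.

    Each percent-decoding pass peels one layer (%2F -> /, %252F -> %2F -> /).
    The loop stops after max_decode passes, so a value encoded more times than
    that is judged only on its partially decoded form. This is the weakness the
    reply warns about: the check is only as good as the decoder's guess about
    what the web server and application will do with the value later.
    """
    candidate = p
    for _ in range(max_decode):
        if "/" in candidate or "\\" in candidate:
            return False
        decoded = urllib.parse.unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return "/" not in candidate and "\\" not in candidate


if __name__ == "__main__":
    # Constructed sample values for p, as a browser or a log line might present them.
    samples = ["accueil.html", "contact.html", "", "a%2Fb.html", "a%252Fb.html", "..%2Fsecret.html"]
    for value in samples:
        print(f"p={value!r:22} allowlist -> {resolve_page(value):14} "
              f"no-slash check passes: {no_slash_check(value)}")
```

Run it directly to see the two checks side by side: every unexpected value, however it is encoded, collapses to accueil.html under the allowlist, whereas the slash check has to be told how many times to decode and still says nothing about whether the remaining value is a page you meant to serve.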