[FX.php List] Security Concerns with FileMaker Website

Stephen Knight stephen at fmwebschool.com
Wed Jan 24 08:49:32 MST 2007


Hi,

Sessions are actually far from being foolproof - if you do not have a login
but do require a session to proceed then the bot can easily carry your
session through. For example the use of cURL is very popular in recent bots
and curl includes a one line option to turn on a "cookie jar" which will
collect and pass along any session cookies that you assigned to it on one
page to the next. It might stop some older less intelligent bots but these
days it is very easy to pass along cookies - and I would not be surprised if
within a year or two we will start seeing full blown JS enabled bots which
will parse the JS on the current pages in order to extract obfuscated data.



In Kindness
Stephen K Knight
http://www.fmwebschool.com
800.353.7950 / 386.453.5843
FMWebschool, we bring the web to life 
FX.PHP PHP XML MySQL CDML ASP
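
Added example (not from this list and not FX.php's own code): a PHP gate for the redirect.php?id=N page Ed describes that requires a session established by a real login rather than merely an existing session, and throttles lookups per session. It assumes the login page sets $_SESSION['user_id'] on success; the budget of 20 lookups per minute is an assumed tuning value.

```php
<?php
// Added example, not code from the FX.php list or from FX.php itself. Assumes
// the login page sets $_SESSION['user_id'] and this is /redirect.php?id=N.
session_start();

// Weak test: "does a session exist?" A bot that stores and resends the
// session cookie passes this on every request, so it is not used as the gate.
function sessionExists(): bool {
    return session_status() === PHP_SESSION_ACTIVE && session_id() !== '';
}

// Stronger test: was this session established by an actual login?
function isLoggedIn(): bool {
    return !empty($_SESSION['user_id']);
}

// Per-session budget: a person clicks a few listings a minute, a harvester
// walks every id. Sliding window of request times kept in the session;
// $maxPerMinute is an assumed tuning value.
function withinBudget(int $maxPerMinute = 20): bool {
    $now = time();
    $recent = array_filter($_SESSION['hits'] ?? [], fn ($t) => $t > $now - 60);
    if (count($recent) >= $maxPerMinute) {
        $_SESSION['hits'] = array_values($recent);
        return false;
    }
    $recent[] = $now;
    $_SESSION['hits'] = array_values($recent);
    return true;
}

if (!isLoggedIn()) {
    header('Location: /index.php?status=log_on');
    exit;
}
if (!withinBudget()) {
    // Record the session id so it can be matched against the arrival logs.
    error_log('harvest suspect: session ' . session_id() . ' over budget');
    http_response_code(429);
    exit;
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
// Look up record $id in FileMaker and redirect to its URL here, as the
// existing page already does (FX.php query not shown).
```

The throttle only limits how fast one logged-in account can walk the listing; the login requirement is what removes the anonymous cookie-carrying bot Stephen describes.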

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund Gusland
Thorsen
Sent: Wednesday, January 24, 2007 10:29 AM
To: FX.php Discussion List
Subject: Re: [FX.php List] Security Concerns with FileMaker Website

I assume you do something like this:

<?php
session_start();
// projectkey.php is expected to define $key1 and $key2 for the comparison below
include_once( $_SERVER['DOCUMENT_ROOT'] . "/projectkey.php" );
if( $key1 != $key2 ) {
        header( "Location: /index.php?status=log_on" );
        exit;
}

ggt667

On 1/24/07, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
>
>
> I have also noticed the bots because I am logging every arrival to my 
> fx.php pages for development and customer support reasons.
>
>
> In my solutions, I am using sessions. Without a current session, the 
> page never gets past the session check on line 3.  The "user" is 
> redirected to the start page to either log in or to start the process
(whatever it is).
>
>
> So, the bot might hit the page, but never sees data.
>
>
> Works for me, but YMMV.
>
>
> Hope that helps.
>
>
> Jonathan
>
> Hello everyone,
> In the past hour, I've done some analysis of various logs and emails, 
> and I've come to a chilling realization that I've never had before 
> about bots harvesting information from websites -- I knew it happened, 
> but I never knew the scope of the problem until tonight -- and this is a
low traffic website!
>
>
> So, I have a website which contains a public listing of email 
> addresses and websites from a FileMaker database.  I want to stop 
> unknown bots from crawling the site.  All of the data comes out of 
> FileMaker, nicely formatted as links for the end user's clicking 
> convenience.  I have a solution to fix email addresses from being 
> harvested, but I was wondering if anyone knows of a way to prevent 
> website addresses from being harvested, but still clickable as a
hyperlink.
>
>
> I thought maybe a PHP redirect link, like redirect.php?id=16 where 
> redirect puts a user at the website listed in record 16, but once the 
> PHP is all said and done, we're still at the linked website, so that 
> doesn't really prevent anything from being harvested.
>
>
> Is there a way to maybe detect if a link was actually clicked by a 
> person, and not just passed through by an automated bot?  PHP is 
> preferable for such a solution -- JavaScript is too easy to turn off.  
> Or, is there a way to specify that only bots from places like Google, 
> Live, and Yahoo are allowed to crawl the site?
>
>
> Hopefully my predicament is clear.  I need to solve this ASAP...
>
>
> --Ed
> ---------------------
> http://www.edwardford.net
>
>  _______________________________________________
>  FX.php_List mailing list
>  FX.php_List at mail.iviking.org
>  http://www.iviking.org/mailman/listinfo/fx.php_list
>
>  --
>
> Jonathan Schwartz
> FileMaker 8 Certified  Developer
> Associate Member, FileMaker Solutions Alliance Schwartz & Company 
> jonathan at eschwartz.com http://www.eschwartz.com http://www.exit445.com
> 415-381-1852
>
>