Gossamer Forum

Security Query

Hello again,
Just wondering about something. Given that it's easy enough for a web user to see the path of db.cgi (just by doing a search, for example), anyone familiar with DBMan would also know that a .cfg file exists too. Although I could put the rest of the files into some other obscure directory, that would really not be of much use, since once the user knew the path of the .cfg they could just type the full pathname of the .cfg and get the path to the other files, including the password file (because the .cfg would be listed as text in the browser).

Is there some way around this that I don't know about? Is it possible to get db.cgi to look for a .cfg with a different name from the database name, or for it to look in a different directory from where db.cgi is? Or is it possible for it not to be displayed as text? I'm currently working on a second database for DBMan, so any mod would need to handle multiple databases. Would it be possible to do a mini-mod in db.cgi to add a webmaster-defined extra character to the .cfg or something? Now I'm rambling, but I am a little concerned that someone with DBMan knowledge could gain unauthorised access to things that I don't want them to.
Hope someone can suggest something.

Many thanks,
Dave (BigGeorge - or whoever I am)
Re: Security Query
It's ok now - I managed to do a tiny little mod of my own in db.cgi to get around the potential problem.

Many thanks anyway,
Dave
Re: Security Query
Hi,

I am also very interested in this.
Do you think it would be possible for you to tell me the MOD you used.

Thank You
Re: Security Query
Hi,

Well, if security *is* a problem, I don't see why you couldn't move the data files either below document root or into a password protected directory (cgi files can read from/write to a .htaccess protected directory). I think Alex just made it that way for convenience. So rather than using something like:

Code:
$db_dir_url = "http://localhost/storage/db";
$db_script_url = $db_dir_url . "/";
$db_file_name = $db_script_path . "/default.db";
$db_id_file_name = $db_script_path . "/default.count";
$auth_dir = $db_script_path . "/auth";
$auth_pw_file = $db_script_path . "/default.pass";
$auth_log_file = $db_script_path . "/default.log";
require $db_script_path . "/html.pl";

You could (and please correct me if I'm wrong) have something like this:

Code:
$db_dir_url = "http://yourdomain.tld/path/to/db";
$db_script_url = $db_dir_url . "/db.cgi";
# Define the path to your data directory. NO TRAILING SLASH!
# The web server user must be able to write here. chmod 777 works on any
# host but lets every local account read and write the data; if you can,
# make the directory owned by the server user and chmod it 770 or 700.
$data_dir = "/path/from/root/to/your/data/dir";
$db_file_name = $data_dir . "/default.db";
$db_id_file_name = $data_dir . "/default.count";
# Don't forget to create your auth directory in there!
$auth_dir = $data_dir . "/auth";
$auth_pw_file = $data_dir . "/default.pass";
$auth_log_file = $data_dir . "/default.log";
# Probably best to leave html.pl in your cgi-bin.
require $db_script_path . "/html.pl";

There are other options of course. You could bar the server from viewing .cfg files, like this (in your server configuration file, or a .htaccess file in the dir):

# "<Files .cfg>" would only match a file literally named ".cfg";
# the ~ form matches every file whose name ends in .cfg.
<Files ~ "\.cfg$">
Order deny,allow
Deny from all
</Files>
# (On Apache 2.4 the two Order/Deny lines become: Require all denied)

Or you could chmod the files to be readable by the webserver but NOT by world. However permissions were never my strong point, as any reg'lars will know...

There's a few suggestions anyway,
adam
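As an added check for the two suggestions above (moving the data files out of the web tree and tightening their permissions), here is a small POSIX shell audit. It is not part of adam's post or of DBMan itself; it assumes you know Apache's DocumentRoot and the list of files db.cgi reads (the .cfg, .pass, .db, .count and .log files), and every path in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread or from DBMan: report DBMan
# files that a browser could request (they sit under DocumentRoot) or that
# every local account can read (the "other" read bit is set).
# All paths used here are hypothetical.

# Canonical form of a directory (POSIX; avoids depending on realpath).
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# under_docroot DIR DOCROOT: 0 if DIR is DOCROOT or a subdirectory of it.
# Anything there can be fetched with a browser unless the server refuses it.
under_docroot() {
    d=$(canon_dir "$1") || return 1
    r=$(canon_dir "$2") || return 1
    case "$d" in
        "$r"|"$r"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# world_readable FILE: 0 if the "other" read bit is set (e.g. mode 644).
# Any account on the host can then read the file, not only the web server.
world_readable() {
    # The 8th character of "ls -l" output is the "other" read bit.
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_dbman_files DOCROOT FILE...: print one WARN line per finding on
# stderr and the number of findings on stdout.
audit_dbman_files() {
    docroot=$1; shift
    problems=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "WARN: $f does not exist" >&2
            problems=$((problems + 1))
            continue
        fi
        if under_docroot "$(dirname "$f")" "$docroot"; then
            echo "WARN: $f is under DocumentRoot $docroot; a browser can request it" >&2
            problems=$((problems + 1))
        fi
        if world_readable "$f"; then
            echo "WARN: $f is world-readable; every local account can read it" >&2
            problems=$((problems + 1))
        fi
    done
    printf '%s\n' "$problems"
}

# Usage (hypothetical paths):
#   sh audit.sh /var/www/htdocs /var/www/cgi-bin/default.cfg /var/www/data/default.pass
if [ "$#" -ge 2 ]; then
    audit_dbman_files "$@"
fi
```

A cgi-bin that Apache maps with ScriptAlias is normally outside DocumentRoot, which is why JPD's .cfg is not served as text; the first check flags the shared-hosting layout where cgi-bin lives inside the web tree. The second check is the permissions point in the post: a .pass file readable by the server but not by "other" accounts shows up as mode 640 (or 600 if the server user owns it) and produces no warning.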
Re: Security Query
Wow, so many comments. Well, as JPD said, servers are all set up differently anyway, so it wouldn't necessarily be a problem on every server. I was surprised that it passed it as text to the browser, but I guess that if it can happen for me then it could for someone else too.

Chmodding a directory to 711 will mean that the directory can only be viewed by the owner - but still accessible to browsers via the web. This means that if someone found a way to get onto your server then they still wouldn't be able to ls the directories. The chmod is not recursive.

The thing with .htaccess I'm interested in, because that would seem the proper way to do it - I did play with password protecting directories etc, but ran into trouble with getting SSI to work at the same time.

Chmodding the .cfg to whatever doesn't seem to work for me - I tried several different chmods but db.cgi couldn't find it, so gave up on that - (of course that doesn't mean it's not possible - just that I'm not a Unix supremo). I even asked my web-host - but their chmod ideas didn't work either.

If Dahamsta could give me some more info about setting up .htaccess then that would be great. I did set one up originally, so that both .html and .shtml would be parsed by the server for SSI, but only under guidance from the web-host, so I don't really have any idea about how to go about that.

Meanwhile, then what I got to work for me, and to work for multiple databases using the same db.cgi was just to change the line in db.cgi which says :

require "$db_setup.cfg"; # Database Definition File

to

require "$db_setup.cfgXYZ"; # Database Definition File

and then to change the extension of the various .cfg files to .cfgXYZ as well. (where XYZ is whatever I want). This is a bit of a hamfisted way of going about things admittedly, but it does work for me. Smile

Well, thanks for all the comments, and if someone could give some more info on .htaccess then that would be good, or if anyone else can emulate the same problem then that would be interesting too.

Many Thanks,
Dave

Re: Security Query
Hi Dave/BigGeorge/Huh? Smile

Do you mean setting up a password protected directory?

I would advise taking a look at bignosebird.com and browsing the Apache and Includes sections. The guy writes nice, easy to follow tutorials. If you have trouble with it though, please don't hesitate to post again.

adam
Re: Security Query
Thanks Adam, I'll take a look. Thanks for all of your comments.

Dave
Re: Security Query
I suppose different servers have different setups, but I know that you can't read my .cfg file from a browser -- or any file that's in the cgi-bin. Give it a try at
http://www.jpdeni.com/cgi-bin/dbman/default.cfg

That's why I'm always saying to people that they need to copy their .cfg file to a web-accessible directory if they want me to look at it to help them debug. (I've typed it so many times, I can do it with my eyes closed! Smile )

Try accessing your .cfg file that is in the cgi-bin and see what happens. If you do get a listing of the file, then you should be worried about security.


------------------
JPD

Re: Security Query
Big George, how did you use SSI with DBMan?
OK, on my server, in order to view SSI I have to add the extension .shtml, but I want to run web adverts (advertising scripts) within DBMan (search display etc.). Do you or anyone know how?
Re: Security Query
Hi Classic,
Sorry to be confusing - what I actually meant was that after I'd played with permissions and passwords etc, then SSI (independent of DBMan) didn't work.

Virtually the whole of my site uses SSI, so it was important for me to get DBMan to do a similar thing. As I'm sure you already discovered, you can't put SSI into DBMan output, as the server won't parse the cgi output, and your SSI tags will just remain as tags. However, all is not lost. (I'll come back to this bit).

You mentioned that you have to add (s)html in order to process SSI - that's purely a server set up - it can be done. The company that hosts my site, by default, only processes SSI on shtml pages, but it can be changed. What I had to do was to create an .htaccess file (see previous responses) as per the info they gave me, and hey-presto - now both html and shtml pages will process SSI properly. So, bottom line for that part is that you should speak to your hosting company - I'm sure they'll tell you how to do it.

As for running advertising scripts etc, then that shouldn't be a problem. I include banners and icons and all sorts of stuff in DBMan output, and output different things on conditional statements (which I think is what you want to do).

As an example, I include SSI footers on each page on my site, so similarly I want to do the same in DBMan. In SSI I just put the tag into the page to a cgi program, which then calls a named routine in a .pl file. In DBMan I effectively do the same, but without calling the cgi program; all I do is call the named routine in the .pl. Of course, to use the routine DBMan needs to know about it, so you'll need to put a "require" statement somewhere handy; I put it at the top of the .cfg file under the path names etc. The next thing to do is to call the routine from your html.pl file, and that's easy enough too. Here's an example:

<title>$html_title: Error! Unknown Action.</title>
|;          # ends the first print qq| ... | block
&menus;     # print the top and side menus (sub menus, below)
print qq|
<TABLE WIDTH="100%" BGCOLOR="#FFFFFF"><TR><TD>
......etc, etc.

then I have a routine in html.pl called "sub menus" which looks like this:

sub menus {
# ---------------------------------------------
# Print the top and side menus using routine contained in topside.pl
# (topside.pl is pulled in by the "require" line added to the .cfg file)

    &topsidemenus;
    print qq|
<TD VALIGN=TOP ALIGN=CENTER>|;
}

where topside.pl is the file that we defined in the "require" statement that we put into the .cfg. "topsidemenus" is a routine within that file, that prints out whatever I want, and then returns to the rest of the routine in html.pl.

Hope that makes at least a little sense Smile. (please tell me if it doesn't, 'cos I'm not an expert or anything, and there may be better ways of doing things that I don't know about)

Good Luck,
Big George.