Multi Part problem with $_POST
Old 12-10-2007, 12:26 PM Multi Part problem with $_POST
Super Talker

Posts: 116
Name: Paul
Location: South Africa
Trades: 0
I hope I am in the right forum for this, if not please accept my apologies.

This is mainly a php question but the first part is just some background.

Ok so here is the problem: I have a server running 2008 server with xampp installed. I have it all configured and running fairly well, I think, but it keeps stopping apache. It works for sometimes an hour, sometimes 2 days, but always stops the apache service at some stage. I have installed it as a service and through the services section told it that it must auto restart the service on 1st and 2nd failure, and if on third failure then it must restart the entire server, but it seems to ignore all that and just go down and then not do anything; it just stays down until I manually restart it.

After much frustration I have pinpointed the problem to being that some people are manually changing my query strings for some odd reason. For example, from the home page there is a drop down list that uses $_POST to send 2 variables to the next page. Once the new page is open it looks like this: http://www.server.com/results.php. This results page has a whole bunch of results from the mysql query; these are links that will take you to the relevant data on another page, using $_GET, so the next url looks like this: http://www.server.com/endresult.php?custid=150&loc=2. Now this seems to work ok but people keep changing it to odd things such as http://www.server.com/endresult.php?...t+Your+Request

after something like this my server dies. So my question is
A: What is this odd url doing.
B: Is there a way of using $_POST on a link without a form.
C: Is there a third party app that can restart apache when it goes down properly.
scorpioserve is offline
Old 12-10-2007, 07:26 PM Re: Multi Part problem with $_POST
dansgalaxy's Avatar
Defies a Status

Posts: 6,521
Name: Dan
Location: Swindon
Trades: 0
Okay firstly GARNEGEE I wrote a long descriptive reply to this and my little brother just wouldn't leave me alone so I closed the wrong flippin windows and lost it!!!!

Okay rant over.. here we go again.

OOKAY.

First off, XAMPP, while it is a fantastic software which I use and love, is designed to be insecure for the testing environment. It says this explicitly in its documentation, and if it is going as a proper live server it should be secured properly.

Mysql: the mysql root account should have a long complicated password and you shouldn't really use it; create your own account and only give it the actions it requires.

What you described looked like injection but I cannot see how it would shut down the server, but then again I didn't really read it.

Unless you are using the $_GET['custid'] or $_REQUEST['custid'] this shouldn't affect your script. If you are using request, DON'T; never use it, always use get or post.

Also ALWAYS use mysql_real_escape_string() on inputs which will even touch your database. This cleans them of all characters which can inject things into your code. If you want more info there is a very detailed and well written thread on this site which explains it very well.

Bottom line of it: bad people can make your database do all sorts of things you don't want it to, including deleting all its contents, overwriting passwords etc etc, and, if root is unprotected, even shutting down the server!

So be careful.
Also add as much validation as possible to user input; if it isn't what was expected ignore it, and/or scrap all inputs and make the user restart.

If you still have problems I will be happy to take a look at your script and try to help you fix any security holes.

Hope this helps, Rep appreciated
Dan
__________________
Discounted Web Hosting With XDnet!
>> Get 25% of hosting~ Promo: Webmaster-talk <<

dansgalaxy is offline
Old 12-11-2007, 05:14 AM Re: Multi Part problem with $_POST
Super Talker

Posts: 116
Name: Paul
Location: South Africa
Trades: 0
Hi dansgalaxy, thanks for the info, but just to clarify I am using $_GET['custid'] within my scripts. Maybe you could take a look at the site so you can see the problem and what I am going on about, if you would not mind terribly; the address is http://www.higuide.co.za/
Use the dropdowns to select a location then the next to select a Category, now submit that to the next page. That's fine 'cause it uses $_POST['loc_id'] and $_POST['cat_id'] to take the variables to the results page.

The results page uses a select statement to say

Code:
SELECT DISTINCT tci.custid, tci.custname, tci.locid, tci.catid
FROM tblcustomerinformation tci, tbllocations loc, tblcategory cat
WHERE (tci.locid = loc.locid AND
tci.locid = $_POST['loc_id']) AND 
(tci.catid = cat.catid AND 
tci.catid = $_POST['cat_id'])
ORDER BY tci.custname ASC
Now this gives me a list of all the customers that match that criteria, so I have made a loop to get through all the results. The next problem I have is that each one of the customer names in the loop needs to be an ahref link to that customer's custid. This is where it went so badly, 'cause I was forced to use $_GET instead of what I prefer, $_POST, and this is why. My link code looks something like this.

PHP Code:
<?php do { ?>
<p>
     <a href="/higuide_adverts.php?CustID=<?php echo $row_rs_loc_id_cat_id['CustID']; ?>&amp;alnk=zero&amp;loc=<?php echo $_POST['loc_id']; ?>">
<strong><?php echo $row_rs_loc_id_cat_id['CompanyName']; ?></strong></a></p>
<?php } while ($row_rs_loc_id_cat_id = mysql_fetch_assoc($rs_loc_id_cat_id)); ?>
When this link is clicked on it goes to the /higuide_adverts.php page and this page uses $_GET['CustID'] and $_GET['alnk'] and $_GET['loc'] to get the correct data from the mysql database, something like this.

Code:
SELECT tal.CustID, tal.CompanyName, tal.Email
FROM tbladvertiserlocation tal
WHERE tal.CustID = $_GET['CustID'] AND tal.loc = $_GET['loc']
So tell me if I'm right in saying that if there is a way that I could make the links use $_POST instead of $_GET most of this problem should be fixed, I hope. Could you tell me a way to do that?
And should I deinstall xampp and install apache and php and mysql on their own, and then configure them all? 'Cause in the xampp docs I read that it was not made for a production environment, but I thought that was only if you did not perform their initial security fixes, but that must have been a misunderstanding.

Thanks for all the help m8
scorpioserve is offline
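Added example, not part of the thread or the site's own code: both queries in the post above drop `$_GET`/`$_POST` values into numeric comparisons without quotes, a context where `mysql_real_escape_string()` on its own leaves a value such as `150 OR 1=1` unchanged, so this sketch validates each parameter as a positive integer and binds it through a PDO prepared statement. The in-memory SQLite database, the sample row and the helper names `positive_int` and `find_advertiser` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Table and column names follow the
// query in the post; the row and the in-memory SQLite database are
// constructed so the script runs stand-alone (requires pdo_sqlite).
// With MySQL, only the DSN passed to new PDO() changes.

/** Return the parameter as a positive integer, or null if it is anything else. */
function positive_int(array $input, string $key): ?int
{
    $value = filter_var($input[$key] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/** Look up one advertiser; tampered or missing parameters yield an empty result. */
function find_advertiser(PDO $db, array $input): array
{
    $custId = positive_int($input, 'CustID');
    $loc    = positive_int($input, 'loc');
    if ($custId === null || $loc === null) {
        return [];                       // reject before touching the database
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT CustID, CompanyName, Email FROM tbladvertiserlocation
         WHERE CustID = :custid AND loc = :loc'
    );
    $stmt->execute([':custid' => $custId, ':loc' => $loc]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbladvertiserlocation (CustID INTEGER, CompanyName TEXT, Email TEXT, loc INTEGER)');
$db->exec("INSERT INTO tbladvertiserlocation VALUES (150, 'Constructed Co', 'info@example.test', 2)");

// Constructed requests: one as the link generates it, two altered by hand.
$requests = [
    ['CustID' => '150', 'loc' => '2'],
    ['CustID' => '150 OR 1=1', 'loc' => '2'],
    ['CustID' => '150'],
];
foreach ($requests as $request) {
    printf("%-45s %d row(s)\n", json_encode($request), count(find_advertiser($db, $request)));
}
```

`find_advertiser` takes a plain array, so it behaves the same whether it is handed `$_GET` or `$_POST`; both are supplied by the client and need the same checks.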
 
Old 12-11-2007, 06:59 AM Re: Multi Part problem with $_POST
maxxximus's Avatar
Extreme Talker

Posts: 219
Name: Rob
Location: UK
Trades: 0
As mentioned, providing you sanitise your $_GET data ( http://uk3.php.net/mysql_real_escape_string is probably the most important) you shouldn't have a problem. Sounds like you have other issues causing shut-down.

You can submit links as $_POST although it's not best practice. You can pass your variables as hidden fields and use the link to submit the form using javascript. Without Js you would need a submit button.

HTML Code:
 <form id="form1" name="form1" method="post" action="/higuide_adverts.php">
   
<a href="#" onclick="document.form1.submit();">Heathwood</a>
  
    <input name="CustID" type="hidden" id="CustID" value="108" />
  <input name="loc" type="hidden" id="loc" value="1" />
  </form>
Old 12-11-2007, 07:11 AM Re: Multi Part problem with $_POST
Super Talker

Posts: 116
Name: Paul
Location: South Africa
Trades: 0
Thanks Maxxximus for the work around on $_POST I will try that out.

Do you have any thoughts on if I should uninstall xampp and reinstall using the vendor applications rather
scorpioserve is offline
Old 12-11-2007, 12:03 PM Re: Multi Part problem with $_POST
Super Talker

Posts: 116
Name: Paul
Location: South Africa
Trades: 0
Another quick question before I begin trying to convert my site to use POST instead of GET, this is to do with search engines, right now my site has a robots.txt file that only has disallow entries to stop the search engines going to certain pages or folders, then in each .php page I also have meta tags like this

Code:
 
<meta name="robots" content="noarchive" />
<meta name="robots" content="noindex" />
I also have a higuideurllist.txt file that has all the pages that I would like the search engines to look at for Yahoo. Like this

Lastly I have a higuidesitemap.xml for Google that also has only pages that I would like indexed by Google, like this

Code:
 
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="gss.xsl"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.google.com/schemas/sitemap/0.84 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<!--#Generated by SOFTplus GSiteCrawler v1.20 rev. 273 by SOFTplus Entwicklungen GmbH, http://johannesmueller.com/gs/, http://www.softplus.net/ -->
<url><loc>http://www.higuide.co.za/</loc><lastmod>2007-09-06T21:12:50+00:00</lastmod><changefreq>daily</changefreq><priority>1.00</priority></url>
<url><loc>http://www.higuide.co.za/our_sitemap.php</loc><lastmod>2007-09-06T21:12:50+00:00</lastmod><changefreq>daily</changefreq><priority>1.00</priority></url>
<url><loc>http://www.higuide.co.za/higuide_advertisers_section.php?Identifier=2</loc><lastmod>2007-08-30T12:17:47+00:00</lastmod><changefreq>daily</changefreq><priority>0.50</priority></url>
<url><loc>http://www.higuide.co.za/higuide_adverts.php?CustID=100&alnk=zero</loc><lastmod>2007-08-30T12:17:52+00:00</lastmod><changefreq>daily</changefreq><priority>0.50</priority></url>
Sorry, one last thing: I also have an accessible sitemap.php page that anyone can see; this lists every client's page that I have.

The question I have is that if I am passing variables to the next pages using POST as opposed to GET that means that instead of my urls all being different, they are all the same, and therefore how do I give them to the search engines.

Please help, maybe it's simple and I am just stooopid or somtin, huh
scorpioserve is offline
Old 12-11-2007, 01:20 PM Re: Multi Part problem with $_POST
dansgalaxy's Avatar
Defies a Status

Posts: 6,521
Name: Dan
Location: Swindon
Trades: 0
Generally it seems that it is better to install them all separately but I have no experience of this because I haven't had to and don't want to be fiddling.

XAMPP should be fine as long as you ensure it's tweaked up; the control thing has a security thing which tells you when the bits are secure.

Ok, just had a look at the link you are talking about. I would suggest you put the custid into a session instead of using the get or post method; once it's done it's a lot easier and more secure. And I think it's easier for the user and you to still use the get method for the results link thing, but just make sure it uses mysql_real_escape_string() to stop it messing with the database.

If you need more help feel free to pm me or email me and hopefully I can help.

Rep appreciated
Dan
Old 12-11-2007, 01:21 PM Re: Multi Part problem with $_POST
dansgalaxy's Avatar
Defies a Status

Posts: 6,521
Name: Dan
Location: Swindon
Trades: 0
sorry only just seen last post, it seems like you have done all you can all you need is the content and the search engines themselves should do all the rest
Old 12-11-2007, 02:23 PM Re: Multi Part problem with $_POST
Super Talker

Posts: 116
Name: Paul
Location: South Africa
Trades: 0
Thanks for all the help guys, i really do appreciate it, all I still am confused with is the search engine thing, should I post it into a different part of the forum
scorpioserve is offline
Old 12-11-2007, 03:46 PM Re: Multi Part problem with $_POST
maxxximus's Avatar
Extreme Talker

Posts: 219
Name: Rob
Location: UK
Trades: 0
In this situation you really should be sticking with $_GET. Your URLs are not displaying secure info and there is no lasting effect on the Database - it's just a simple SELECT from.

The $_GET method has its uses as data is bound to the URL and can therefore be bookmarked and crawled.

Security should always be a priority but I can't see an issue here.
Old 12-11-2007, 04:57 PM Re: Multi Part problem with $_POST
dansgalaxy's Avatar
Defies a Status

Posts: 6,521
Name: Dan
Location: Swindon
Trades: 0
Quote:
Originally Posted by scorpioserve View Post
Thanks for all the help guys, i really do appreciate it, all I still am confused with is the search engine thing, should I post it into a different part of the forum
Okay I think I just got what you meant!

Do you mean that you are worried that

page.php?page=contact will only read as page.php and won't get the content which is shown because of ?page=contact

If so you can use mod_rewrite, which means you can use urls like page/contact (which in real life is page.php?page=contact)

But it's a pain to do to be honest, and Google does still index the pages which use the ?page=some type of URLs but apparently it does it slower than normal urls, at least that's what I have been told. Personally I wouldn't worry; it seems you are SE aware and I would guess it is fine.

In my opinion only really for things like blogs or forums is mod_rewrite worth it, and even then it's integrated with the software.

Dan