ayan123 Posted September 9, 2008

Hi All,

I have a website, say www.abc.com, and I have RSS feeds on this website which I allow a webmaster to get the code for, so that he can put the code on his website and generate content on his site. The feed code which I provide him has a PHP class and a reference variable which points to the feed file on www.abc.com.

E.g. $getfeed="http://www.abc.com/feed.php";

He can use the code and generate the content from abc.com on his website.

Now my question is: can someone attack my website through such a feed file or any other means?

FYI, I am not giving any database access of www.abc.com to the user; however, the feed file which he uses has a DB connection to abc.com and in turn generates the content from the database.

Thanks in advance.

btherl Posted September 9, 2008

To be 100% sure I'd need to see the feed.php script. But if feed.php does not take any user arguments, it's most likely to be safe. Most problems come when you take data sent to you by the user and use it in the database queries.

Just to confirm:

- feed.php is on your website, and is the only script which accesses the database
- The code the other webmaster gets accesses feed.php and does not have any direct access to the database

Is that right?

ayan123 (Author) Posted September 9, 2008

Thanks for the quick reply.

The feed.php file which the webmaster uses on his website does not directly connect to the database. However, in this feed file there is a variable, say $feedfile="www.abc.com/feedfile.php", so the feedfile.php on abc.com accesses the database.

My fear is, if the user modifies the variable $feedfile to something else and injects some code in my abc.com site?

Thanks

btherl Posted September 9, 2008

I think it's quite unlikely. If feedfile.php has no arguments, then there is nothing the user can pass in. An exception may be register_globals, so you must check that it is OFF. You can check by making a script that does this:

phpinfo();

That will display your full PHP configuration, including register_globals.

As long as register_globals is off, I can't imagine any way to attack your script. You might want to check that nothing can happen if the user puts one of your other PHP scripts in place of feedfile.php.

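An added example, not part of the original posts: a sketch of a server-side feedfile.php that follows the advice above by refusing to run with register_globals on and rejecting any request that carries arguments. The helper names, the items table and the in-memory SQLite rows are assumptions constructed for illustration, standing in for the real abc.com database.

```php
<?php
// Added example: hypothetical feedfile.php. Helper names, the table layout and
// the in-memory SQLite rows are constructed for illustration.

// True if the (pre-PHP 5.4) register_globals directive is enabled.
// On versions where it no longer exists, ini_get() returns false.
function register_globals_enabled() {
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// The feed takes no arguments, so any query string or POST data is refused
// instead of being ignored; nothing from the caller can reach the query.
function request_has_arguments(array $get, array $post) {
    return count($get) > 0 || count($post) > 0;
}

// Escape a database value before writing it into the XML output.
function xml_escape($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Build the RSS body from a fixed query with no interpolated variables.
function render_feed(PDO $pdo) {
    $out = '<?xml version="1.0" encoding="UTF-8"?>' . "\n" . '<rss version="2.0"><channel>'
         . '<title>abc.com feed</title><link>http://www.abc.com/</link>'
         . '<description>Latest items</description>';
    foreach ($pdo->query('SELECT title, link FROM items ORDER BY id DESC LIMIT 20') as $row) {
        $out .= '<item><title>' . xml_escape($row['title']) . '</title>'
              . '<link>' . xml_escape($row['link']) . '</link></item>';
    }
    return $out . '</channel></rss>';
}

if (register_globals_enabled() || request_has_arguments($_GET, $_POST)) {
    header('HTTP/1.1 400 Bad Request');
    exit("This feed accepts no parameters and requires register_globals = Off\n");
}

// Constructed sample data standing in for the real abc.com database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, link TEXT)');
$pdo->exec("INSERT INTO items (title, link) VALUES
    ('First <post>', 'http://www.abc.com/a?x=1&y=2'),
    ('Second post', 'http://www.abc.com/b')");

header('Content-Type: application/rss+xml; charset=utf-8');
echo render_feed($pdo);
```
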
ayan123 (Author) Posted September 9, 2008

Thanks for your help. I will give it a try.

Archived
This topic is now archived and is closed to further replies.