Suzanne — Fri, 05 Sep 2003 00:44:08 +0000

*poke*

no slapping, but that was a bad one, lol...

doublehelix — Thu, 04 Sep 2003 20:30:24 +0000

Shouldn't that be perls of server-side scripting? Nyuk, nyuk, nyuk.

...bleh, would somebody please slap me for actually typing in that lame joke.

JeevesBond — Thu, 04 Sep 2003 11:55:49 +0000

That's very true Suzanne...I've never experienced any flaming on this forum.

Thanks for sharing that knowledge...Not being too experienced at SSI I could have made a big mistake! Any other pearls of server side scripting knowledge I should know about?

Suzanne — Wed, 03 Sep 2003 21:13:51 +0000

lol, no flaming here. information is power.

doublehelix — Wed, 03 Sep 2003 20:29:47 +0000

Quote: Originally posted by Suzanne
Well form security is a whole other issue, eh?

Whoo-Hooo... a flame war over SSIs instead of Flash!

Well, I think security is an issue that ALWAYS needs to be considered and planned for. Yes, they may not be able to edit the server-side scripts (although every host I've ever used for a serious site has included it's own cgi-bin), but they still need to understand the issues involved with them.

The bidownside of SSIs is they can be instantly deadly from a security standpoint if they are coupled with forms. People need to know that when they are making decision as to whether to use them or not. At the very least, maybe they'll then have the sense to drop a .htaccess file shutting of SSI in a directory where they've isolated any pages with forms.

Anyhoo... don't really want to beat a dead horse. I just think known security concerns should always be aired to help decisions be fully informed.

Suzanne — Tue, 02 Sep 2003 21:26:24 +0000

Well form security is a whole other issue, eh?

Nothing wrong with discussing potential security issues, but lets actually give people something they can use. If they are hosted, as most are, they will not be able to edit the file in the first place to determine the situation.

That's why templates are so useful, though they take up more space on the server and take more time to administer, they avoid most of the security issues that are inherent in using ANY server-side processing language.

doublehelix — Tue, 02 Sep 2003 20:40:08 +0000

Suzanne,

The problem is people not realizing that, unless explicitly shut off, executables are allowed in SSIs and then having a form on the page. Good luck untainting a comments field -- if your the one writing the script rather than somebody using a canned script.

What you don't know will clobber you every time... the mere fact that this thread never discussed the security issues of SSIs is exactly why danger lies in their use.

Good point about search engines getting flummoxed by .js files though.

Suzanne — Tue, 02 Sep 2003 20:10:37 +0000

Well, that's sort of an extreme reaction -- the issue is that when you allow exec includes, there is a security hole, but you don't use exec to include static files, nor even SSI scripted files...

In order for SSI includes to be a risk, a number of things must hold true, including that the person wanting to take advantage knows how to get through -- because the documents are parsed on the server, this information should not be viewable through viewsource in the browser.

Regardless, .js files are worse. They are not only user concerns for being able to navigate the site, they will severely damage your search engine results, as they will not go traipsing through .js files.

SSI through Apache, using PHP, et cetera, do have issues, the largest of which is CPU usage, not security risk.

If you want to use templates and minimize CPU usage, you can use DW, or use an approximation by making your own PHP interface that will do the same job. Basically it will allow you to access php files on the server, but will save them as .html files so they appear to be static and will not be parsed when visited by spiders and users.

doublehelix — Tue, 02 Sep 2003 18:24:32 +0000

Eh, I realise I am late to this thread, but SSIs do have some security concerns you should be aware of. A brief introductory discussion of these issues is covered HERE.

I prefer to have my header, footer, and whatever else templates be .js files for that reason. Course, the downside of that strategy is that some people turn scripting off in their browsers.

Brooke — Sat, 02 Aug 2003 01:28:20 +0000

Okay - that advice all sounds great. Thank you all!