free source search engine (simple) ## comments?

Robin

gnari said:
[snip discussion about how his script can compromise his site]
true, they'd still have to guess the password though :)

Robin, you are not *listening*.
I was telling you: your search script gave me the password.

look at your blog if you need proof:
http://www.infusedlight.net/robin/blogger.pl

What did you search for? And how? See most recent post. Also, check out the
search script now, it only gives the titles for html pages -
www.infusedlight.net/robin
Later,
-Robin
 
Joe Smith

gnari said:
it is a consequence of your habit of keeping security related files
in your web directory. in the same directory where your
'search engine' is reading. do you see the implications of that ?

Yes, Robin, take gnari's advice.

When laying out a web site that will display text (possibly malicious text)
submitted by users, you should be using at least four distinct directories.

DOCUMENT_ROOT = Top level directory holding HTML files.
Files in it or below are accessible via URL.

cgi-bin = An alias pointing to a directory outside of DOCUMENT_ROOT.
Executables only: no HTML, no images, no password files.

config+auth = Passwords and such, in a directory outside of DOCUMENT_ROOT.
Updated by webmaster, and carefully written CGI programs.
Must not be accessible directly via URL.

upload+blogs = Place for data submitted by users. Having writable
files directly accessible via URL is not recommended.
Should be outside DOCUMENT_ROOT, preferably stored as
records in a database.

-Joe
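
A layout audit for the four-directory rule in the post above, added here as an example and not code from anyone in the thread. The function names, the sample directory names (`htdocs`, `auth`, `data`) and the reading of "writable" as group- or other-writable are assumptions made for illustration.

```python
import os
import stat
import tempfile

def inside(path, root):
    """True if path resolves (symlinks followed) to root or something below it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def audit_layout(docroot, cgi_bin, config_auth, uploads):
    """Return findings where a layout breaks the four-directory rule."""
    findings = []
    for label, d in (("cgi-bin", cgi_bin), ("config+auth", config_auth),
                     ("upload+blogs", uploads)):
        if inside(d, docroot):
            findings.append(f"{label} is inside DOCUMENT_ROOT: {d}")
    # cgi-bin holds executables only: no HTML, images or password files.
    for name in sorted(os.listdir(cgi_bin)):
        full = os.path.join(cgi_bin, name)
        if os.path.isfile(full) and not os.stat(full).st_mode & stat.S_IXUSR:
            findings.append(f"non-executable file in cgi-bin: {name}")
    # Assumption: "writable" means writable by group or others.
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"writable file under DOCUMENT_ROOT: {full}")
    return findings

def build_sample(base, flat):
    """Constructed sample tree; flat=True puts everything under the web directory."""
    docroot = os.path.join(base, "htdocs")
    parent = docroot if flat else base
    dirs = {k: os.path.join(parent, k) for k in ("cgi-bin", "auth", "data")}
    for d in [docroot, *dirs.values()]:
        os.makedirs(d, exist_ok=True)
    script = os.path.join(dirs["cgi-bin"], "search.pl")
    for path in (script, os.path.join(dirs["auth"], "passwd.txt")):
        with open(path, "w") as f:
            f.write("constructed sample\n")
    os.chmod(script, 0o755)
    os.chmod(os.path.join(dirs["auth"], "passwd.txt"), 0o600)
    return docroot, dirs["cgi-bin"], dirs["auth"], dirs["data"]

if __name__ == "__main__":
    for flat in (True, False):
        with tempfile.TemporaryDirectory() as base:
            for finding in audit_layout(*build_sample(base, flat)) or ["layout ok"]:
                print("flat" if flat else "split", "->", finding)
```

Because containment is checked on resolved paths, a symlink that points back into the web directory is reported the same way as a real subdirectory.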
 
