http://www.perlmonks.org?node_id=239478


in reply to CGI frontend for mySQL

This might be just my paranoia, but if I were you, I wouldn't let anyone but you have access to it.

use DBI;
print "Content-type: text/html\n\n";
if($ENV{REMOTE_ADDR} ne '127.0.0.1'){ #your IP
    exit;
}

Of course, if you don't have a static IP, you can't do this.

John J Reiser
newrisedesigns.com

Re: Re: (nrd) CGI frontend for mySQL
by jonadab (Parson) on Feb 28, 2003 at 18:29 UTC
    Of course, if you don't have a static IP, you can't do this.

    You can, it's just more involved. First, you have to sign up for dynamic DNS service (e.g., with dyndns), then set up your system to automatically update that whenever your IP changes. Then the script has to resolve your dynamic DNS into its current IP and compare that against $ENV{REMOTE_ADDR}. This opens up in theory a window for someone who has your IP after your connection dies and is terminated and before you reconnect and update your dynamic DNS record. In practice, if you don't have a static IP that probably means you get your IP via DHCP from your ISP, so that a potential attacker would not only have to use your same ISP but also would not have any way to arrange to have your IP right after you disconnect; the most he could do (without 0wning your ISP's DHCP server at least) would be to monitor your dynamic DNS address via ping to know when you disconnect, and immediately redial just hoping to get the IP you just released. After enough tries he might get it, in theory. But that's less risk than an easily-guessed password.


    for(unpack("C*",'GGGG?GGGG?O__\?WccW?{GCw?Wcc{?Wcc~?Wcc{?~cc' .'W?')){$j=$_-63;++$a;for$p(0..7){$h[$p][$a]=$j%2;$j/=2}}for$ p(0..7){for$a(1..45){$_=($h[$p-1][$a])?'#':' ';print}print$/}
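
The dynamic DNS check described in the reply above, written out as an added example (it is not code from either poster). The hostname `admin-host.example.net` is a placeholder and the helper names `current_addresses` and `client_allowed` are made up for this sketch; it denies access whenever the name cannot be resolved.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(getaddrinfo getnameinfo AF_UNSPEC SOCK_STREAM
              NI_NUMERICHOST NIx_NOSERV);

# Placeholder dynamic DNS name (assumption); use your own record here.
my $ADMIN_HOST = 'admin-host.example.net';

# Resolve a hostname to the numeric addresses (IPv4 and IPv6) it maps to
# right now. Returns an empty list if the resolver reports any error.
sub current_addresses {
    my ($host) = @_;
    my ($err, @results) = getaddrinfo($host, '',
        { family => AF_UNSPEC, socktype => SOCK_STREAM });
    return () if $err;

    my %seen;
    for my $ai (@results) {
        my ($nerr, $ip) = getnameinfo($ai->{addr}, NI_NUMERICHOST, NIx_NOSERV);
        $seen{lc $ip} = 1 unless $nerr;
    }
    return keys %seen;
}

# Fail closed: a missing REMOTE_ADDR or an empty address list (for example
# a DNS outage) is treated as "not allowed", never as "allow everyone".
sub client_allowed {
    my ($remote, @allowed) = @_;
    return 0 unless defined $remote && length $remote && @allowed;
    my $client = lc $remote;
    return (grep { $_ eq $client } @allowed) ? 1 : 0;
}

unless (client_allowed($ENV{REMOTE_ADDR}, current_addresses($ADMIN_HOST))) {
    print "Status: 403 Forbidden\r\n";
    print "Content-type: text/plain\r\n\r\n";
    print "Forbidden\n";
    exit;
}

print "Content-type: text/html\r\n\r\n";
# ... the database front end continues here, reached only when the
# client address matches the current dynamic DNS record ...
```

The lookup runs on every request, so the comparison always uses the record as it stands at that moment; if the web server sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address and this comparison no longer identifies the client.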