
Re: monitoring IP address calls of a PHP application

From The Natural Philosopher <tnp@invalid.invalid>
Newsgroups comp.lang.php, comp.software.testing
Subject Re: monitoring IP address calls of a PHP application
Date 2011-08-09 13:50 +0100
Organization albasani.net
Message-ID <j1rafd$em9$1@news.albasani.net>
References <b0df5b47-ed75-48d0-9c50-1f9d02194c8a@l37g2000yqd.googlegroups.com> <j1r6at$97s$1@dont-email.me>

Cross-posted to 2 groups.



Bill B wrote:
> On 8/9/2011 2:00 AM, E.Sajad wrote:
>> So I'm trying to protect myself by somehow verifying that their
>> delivered application:
>>
>> 1. Does not connect to/use/call any other web services or connect to
>> other IP addresses (or servers) other than Google [note: the
>> application extracts some info from Google search results]
>> 2. Does not connect to any databases other than the one on the local
>> server
>> 3. Does not use any third-party libraries that I might have to pay for
>> in the future.
>> 4. Does not contain files that, although they need to be editable (for
>> future modification, such as XML configuration files), have been
>> converted into binary or non-editable or non-readable format.
> 
> <snip>
> 
>> I believe if I can somehow monitor all the IP addresses that the
>> application calls (connects to) in
>> real time, I'll be able to check if it's referencing any web services
>> or sources other than Google as well as other than my own database.
>> This alone will solve concerns number 1 and 2.  But I don't even know
>> how to do this!  Should I install a monitoring application on my
>> virtual dedicated server that would run in the background?  What
>> application(s) do you folks recommend?
> 
> <snip>
> 
> Practically speaking, if the person who did the coding is in fact 
> devious (I'm not assuming so but looking at worst case) it would be easy 
> to write code that would activate #1 and #2 at some point in the future. 
> That the code does neither now may be of little comfort.
> 
> Bill B
It's PHP ffs

phpinfo will reveal if any extraneous libs are linked in.
A grep of its source code for any system() type calls will reveal if odd 
code is being invoked.

Ditto a code walk for any database open calls or CURL will check for 
access to where it may or may not access.

If it's beyond the OP, I suggest a paid contract to another contractor to 
'find the bugs, and identify the rubbish'

Set a thief to catch a thief.
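
The source grep described in the post above, as an added example that is not part of the original post: it flags command-execution, network and database-open calls in a PHP tree and lists hard-coded hosts outside an allowlist. The function lists, the allowlist (Google plus the local server) and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag PHP calls that run commands, open network connections or
# open databases, so each hit can be reviewed by hand. grep only sees literal
# names; calls assembled at run time still need a manual code walk.
P='(^|[^A-Za-z0-9_>$])'  # not part of a longer name, a ->method() or a $variable
EXEC_RE="${P}(system|exec|shell_exec|passthru|popen|proc_open|eval)[[:space:]]*\\("
NET_RE="${P}(curl_init|curl_exec|fsockopen|pfsockopen|stream_socket_client|file_get_contents|fopen)[[:space:]]*\\("
DB_RE="${P}(mysql_connect|mysql_pconnect|mysqli_connect|pg_connect|new[[:space:]]+(PDO|mysqli))[[:space:]]*\\("
ALLOW_RE='(^|\.)google\.com$|^localhost$|^127\.0\.0\.1$'  # assumed allowlist

# audit_php DIR exec|net|db -> "file:line:text" for every matching source line
audit_php() {
    case "$2" in
        exec) re=$EXEC_RE ;;
        net)  re=$NET_RE ;;
        db)   re=$DB_RE ;;
        *)    echo "unknown category: $2" >&2; return 2 ;;
    esac
    # -i because PHP function names are case-insensitive
    grep -rniE --include='*.php' --include='*.inc' "$re" "$1" || true
}

# foreign_hosts DIR -> hosts in URLs or host= settings that are not allowlisted
foreign_hosts() {
    grep -rhoE --include='*.php' --include='*.inc' '(https?://|host=)[A-Za-z0-9.-]+' "$1" |
        sed -E 's#^(https?://|host=)##' | sort -u | grep -vE "$ALLOW_RE" || true
}

# Constructed sample input (not from the original thread)
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/fetch.php" <<'PHP'
<?php
$ch = curl_init('https://www.google.com/search?q=test');
curl_exec($ch);
$db = new PDO('mysql:host=localhost;dbname=app', 'u', 'p');
$db->exec('DELETE FROM cache');
$out = shell_exec('uname -a');
$x = file_get_contents('http://stats.example.net/ping');
PHP

for c in exec net db; do echo "== $c"; audit_php "$SAMPLE" "$c"; done
echo "== hosts outside allowlist"; foreign_hosts "$SAMPLE"
```

The leading-character guard keeps `curl_exec(` and `$db->exec(` out of the command-execution results, so that category reports only the `shell_exec` line in the sample.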


