Paging Murray

Murray, Thiery,

I really don't know what the exact issue is. The company had some firm come
in and audit it's IT setup. Something to do with Sarbanes Oxley compliance
and the use of includes was deemed a potential security issue. That's all I
know. Whether it's a red herring or not is anybody's guess.

mark

Quote:

Except when you work for a company that considers use of includes a
potential security risk. Therefore bars their use.

Includes can be ASP files... What kind of "risk" does the company worry
about?

Thierry

Mark Morse wrote:
Hmm - I read those TN's and didn't see that. Is it the one I
usually post?

It's really old. Pre UD I think. Perhaps conventional wisdom has
changed since then. Still, to this day, I see far greater numbers of
sites using root rather than document relative links.

My guess is that they were referring to the *file* directive, and that's
what IIS6 addresses.

Thierry

Mark Morse wrote:

Quote:

Murray, Thiery,

I really don't know what the exact issue is. The company had some
firm come in and audit it's IT setup. Something to do with Sarbanes
Oxley compliance and the use of includes was deemed a potential
security issue. That's all I know. Whether it's a red herring or not
is anybody's guess.

mark

Thierry:

So - what does the "virtual" directive do then?

--
Murray --- ICQ 71997575
Team Macromedia Volunteer for Dreamweaver MX
(If you *MUST* email me, don't LAUGH when you do so!)
==================
news://forums.macromedia.com/macromedia.dreamweaver - THE BEST WAY TO GET
ANSWERS
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================

"Thierry Koblentz" <thierry (AT) 212Utah (DOT) invalid> wrote

Quote:

My guess is that they were referring to the *file* directive, and that's
what IIS6 addresses.

Thierry

Mark Morse wrote:
Murray, Thiery,

I really don't know what the exact issue is. The company had some
firm come in and audit it's IT setup. Something to do with Sarbanes
Oxley compliance and the use of includes was deemed a potential
security issue. That's all I know. Whether it's a red herring or not
is anybody's guess.

mark

With "virtual", there is no way to "map" (I'm not sure that the good english
word though) the *folders/files* hierarchy because it doesn't deal with the
"files system".
With that directive there is only one point of entry: the root level (for
the server point of view).
I hope I made myself clear

Thierry

Murray *TMM* wrote:

Quote:

Thierry:

So - what does the "virtual" directive do then?

OK - that's what I thought. So using virtual, I could, indeed select
include files that are above the containing file's location, just not
outside the site's root. Right?

--
Murray --- ICQ 71997575
Team Macromedia Volunteer for Dreamweaver MX
(If you *MUST* email me, don't LAUGH when you do so!)
==================
news://forums.macromedia.com/macromedia.dreamweaver - THE BEST WAY TO GET
ANSWERS
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================

"Thierry Koblentz" <thierry (AT) 212Utah (DOT) invalid> wrote

Quote:

With "virtual", there is no way to "map" (I'm not sure that the good
english
word though) the *folders/files* hierarchy because it doesn't deal with
the
"files system".
With that directive there is only one point of entry: the root level (for
the server point of view).
I hope I made myself clear

Thierry

Murray *TMM* wrote:
Thierry:

So - what does the "virtual" directive do then?

On Fri, 11 Jun 2004 12:26:15 -0700, "Thierry Koblentz"
<thierry (AT) 212Utah (DOT) invalid> wrote:

Quote:

Hi Murray,
No, as we discussed, it concerns directories *above* the file containing the
include.
It's to prevent people from accessing folders above the root (they could use
../../../).
That's gonna be a problem for a lot of folks when WHCs update their
software...

Thierry

Murray *TMM* wrote:
Thierry:

Isn't it to directories above the root?

And don't you just have to enable parent paths?

What about accessing a database that's stored outside of the site
root? My understanding was that it is far more secure to have the db
NOT within the site.

For example, the host I generally use has this structure for a given
website on their Windows servers:

/database
/logs
/www

That's what I see when I FTP. Any Access databases would reside in
/database, while all of the site files are in /www. I use DSN-less
connections -- all of which MUST have ../ in the path from the site
root (and multiples -- ../../ etc. -- from deeper within the site if
required).

Win
--
Win Day, Multimedia Developer
Words Plus
http://www.wordsplus.net
winday (AT) NOSPAMwordsplus (DOT) net

With virtual, you can select *any* files within the "virtual directoy".

For example the virtual directive in here:
www.mysite.com/dreamweaver/test/murray.shtml
will let you select any files seating below this level:
www.mysite.com/
It could be seating all the way up:
www.mysite.com/murray.inc

But it won't go any higher than that.

Thierry

Murray *TMM* wrote:

Quote:

OK - that's what I thought. So using virtual, I could, indeed select
include files that are above the containing file's location, just not
outside the site's root. Right?

Yes, it is better to have a DB outside of the root level.
The whole idea is to keep the site root as the last level up (on an
accessibility point of view).
To be able to get to a folder on the same level, you'd need to go one step
higher anyway.

It looks like most of the people misunderstand the difference between the 2
directives.
Virtual don't go any "higher" than "file"; it would be the opposite.

Thierry

Win Day wrote:

Quote:

On Fri, 11 Jun 2004 12:26:15 -0700, "Thierry Koblentz"
thierry (AT) 212Utah (DOT) invalid> wrote:
And don't you just have to enable parent paths?

What about accessing a database that's stored outside of the site
root? My understanding was that it is far more secure to have the db
NOT within the site.

For example, the host I generally use has this structure for a given
website on their Windows servers:

/database
/logs
/www

That's what I see when I FTP. Any Access databases would reside in
/database, while all of the site files are in /www. I use DSN-less
connections -- all of which MUST have ../ in the path from the site
root (and multiples -- ../../ etc. -- from deeper within the site if
required).

Win

Thierry,
I assume you are referring to an IIS server. Does this hold true for any
version of IIS? I thought you were supposed to use "file" instead of
"virtual" for IIS servers. Do you have to use .shtml or shtm extensions for
pages containing includes or is that an administrator preference?

Thanks
mark

Quote:

With virtual, you can select *any* files within the "virtual directoy".

For example the virtual directive in here:
www.mysite.com/dreamweaver/test/murray.shtml
will let you select any files seating below this level:
www.mysite.com/
It could be seating all the way up:
www.mysite.com/murray.inc

But it won't go any higher than that.

Thierry

Murray *TMM* wrote:
OK - that's what I thought. So using virtual, I could, indeed select
include files that are above the containing file's location, just not
outside the site's root. Right?

Hi Mark,
Yes, I'm talking about IIS.
Versions 6+ are supposed to kill the ability to use the *file* directive to
go "up" in the folders hierarchy.
regarding file vs virtual, I think that 99% of the time, virtual is a better
choice.
For the extension to use, it only depends how the server is set up. One can
have IIS parses *any* extension he/she wants.

Thierry

Mark Morse wrote:

Quote:

Thierry,
I assume you are referring to an IIS server. Does this hold true for
any version of IIS? I thought you were supposed to use "file" instead
of "virtual" for IIS servers. Do you have to use .shtml or shtm
extensions for pages containing includes or is that an administrator
preference?

Thanks
mark