
What is a guest book?

Of course, here we are talking about the most typical guest book. First of all, this is a system that provides the user with the ability to enter text, select an assessment of a particular site, and also to specify their own data (name, e-mail, http, etc.). It is also a system for presenting data entered by various users, with the ability to navigate, send emails to the authors of the messages. There are also variations with different settings and with the control of normative vocabulary.

What do we need

Of course, it is assumed that the reader is familiar with the basics of ASP and SQL programming (familiarity with the first parts of this article will be quite enough for this). In addition, we need Microsoft SQL Server 7.0 or 2000, some HTML or text editor (I recommend using Macromedia Dreamweaver UltraDev 4.0) and a little patience.

Creating and preparing a database

To organize the storage of data entered by users, you need one table where you can create fields for storing the user's name, his email address, country of residence, site address, IP address, site user rating value on a five-point scale, etc.:

In order to easily integrate the system into existing sites, it is recommended to plan another table for storing color and other settings. This will allow you to change the specified settings in the future without changing the corresponding parameters in the source texts of the guestbook application modules.

  • Run the Data Sources ODBC Configurator - Start->Settings->Control Panel->Administrative Tools->Data Sources ODBC.
  • Go to the System DSN tab and create a new data source by clicking on Add…
  • In the list of drivers that appears, select the database driver - Microsoft SQL Server and click Next.
  • In the Data Source Name line, specify the name of your database (in the described example, Gustbook is the name by which you will refer to it in the future).
  • In the Server line, specify the server to which the connection will be made, and click Next.
  • Select the authentication mode With SQL Server…, set the username and password to connect to the SQL server; define the protocol for communication with the server (button Client Configuration - TCP/IP) and click Next twice, then click Finish.
  • You will see statistics about the actions taken, and you can use the Test Data Source button to check the data source.
  • As a result, you will see a line in the list of data sources in your system.

Now that the database is ready, you can proceed directly to creating a guest book.

Integration of the system into a ready-made website

It is clear that a guestbook by itself makes little sense. Judge for yourself: who needs a site designed solely to collect the opinions of readers? In order to collect opinions about something, you must first present that something for their judgment. Therefore, special attention must be paid to making it simple to embed the system into ready-made sites.

In particular, to make it easier to customize the system for the characteristic features of a particular site, it is recommended (as mentioned above) to create a special table to store all these preferences in order to enter certain values ​​specific to your site into it. The obvious advantage of this approach is that in order to embed the system into an already finished site, you do not need to make changes in the source code of the modules, you only need to change the settings in the corresponding database table.

Here is an example of the implementation of such a table:

As you can see, there are fields for storing:

  • the name and password for accessing the system setup mode;
  • the colours of the main background of the user message and of the top and bottom frames (Mid_Color, Top_Color and Bot_Color fields respectively);
  • the colour and size of the header of the form used for entering user data (Form_Color and FormTitleSize fields respectively);
  • the colour, size and style of the font of the message text, of the information fields and of the guestbook pages themselves (MessageFontColor, MessageFontSize, MessageFontFace, InfoFontColor, InfoFontSize, InfoFontFace, PageFontColor, PageFontSize and PageFontFace fields respectively);
  • switches that enable automatic e-mail notification of new messages to the responsible person (for example, the manager or site administrator), and the e-mail address of that person;
  • the text of the thank-you message sent to the user for the entry they left;
  • the list of disallowed words and the switch for their filtering mode (when it is on, words from the list are automatically replaced in the message text with asterisks, which keeps the vocabulary of the site's text within the norm).

The development of the guest book integration system implies the organization of a Web interface for setting all the parameters we have considered (fields of the administration table).

Integration of the system into an already finished site in its pure form can create some difficulties both in the perception of the source text and in the future, if, for example, you need to temporarily disable the guest book on a particular site. Therefore, we will try to develop a system in such a way that its integration into a finished site is not difficult. To do this, it is necessary to form an independent module of the system and include it in the text of the main site where necessary. So, for example, the text of your website page might look like this:

ASP on a silver platter (Part - 15) – Guestbook

As you can see, in the first case, the directive to include a page with a guest book () is indicated in the right place, and in the second case, the page of the original site is presented simply in the form of three sequentially included elements: the beginning, the guestbook page, and the end. Using this or that way of organizing the structure of your site's page is a matter of taste and depends both on the structure of the original site and on the degree of its complexity.

Guestbook main page (Guest.asp file)

The presented application will have only one page, which will serve both for displaying user messages, and for navigating and entering new messages. Depending on the values ​​of the key parameters, one or another action will be performed, and the page will be in one state or another. First of all, you will need to develop that part of it, which will display user messages and which will contain links to the part that serves to add new messages.

First, let's write a few functions for working with strings:

  1. The function that replaces an empty string with a space and doubles single quotes (so that a quote in user input cannot terminate the SQL string literal):

<%
Function ChkString(str)
    ' An empty field is stored as a single space
    If str = "" Then str = " "
    ' Double every single quote so it survives inside the SQL literal
    ChkString = Replace(str, "'", "''")
End Function
%>

  2. The function that checks the vocabulary of the message text for normativity. Words that match the list of invalid words are replaced with asterisks:

<%
Function ChkBadWords(str)
    Dim strBadWords, bwords, i
    ' The list is kept in the Admin table, separated by "|"
    strBadWords = objRec2("BadWords")
    If IsNull(strBadWords) Then strBadWords = ""
    bwords = Split(strBadWords, "|")
    For i = 0 To UBound(bwords)
        ' Case-insensitive replacement (compare mode 1 = vbTextCompare)
        ' with a run of asterisks of the same length as the word
        str = Replace(str, bwords(i), String(Len(bwords(i)), "*"), 1, -1, 1)
    Next
    ChkBadWords = str
End Function
%>

  3. The function that formats the text entered by the user. If the corresponding flag is set in the database, the text is also checked (filtered) for normativity:

<%
Function FormatStr(str)
    Dim str2
    On Error Resume Next
    ' Encode the text first, so user input is never emitted as raw HTML
    str = Server.HTMLEncode(str)
    ' Drop carriage returns; a blank line becomes a paragraph break,
    ' a single newline becomes a line break
    str2 = Replace(str, Chr(13), "")
    str2 = Replace(str2, Chr(10) & Chr(10), "<p>")
    str2 = Replace(str2, Chr(10), "<br>")
    ' Filter only when the switch in the Admin table is on
    If objRec2("BadOn") = True Then str2 = ChkBadWords(str2)
    FormatStr = str2
End Function
%>

  4. The field check function:

<%
Function ValidateField(sFieldValue, sFieldType)
    Dim Valid
    Valid = True
    Select Case LCase(sFieldType)
        Case "name"
            If Len(sFieldValue) = 0 Then Valid = False
        Case "message"
            If Len(sFieldValue) = 0 Then Valid = False
    End Select
    ValidateField = Valid
End Function
%>

  5. The procedure for adding new messages (pay attention to how the IP address of the computer from which the message was sent is obtained):

<%
Sub Update
    Dim strSql
    strSql = "insert into Messages (Name, Country, Email, URL, IP, Message, Rating) values ('"
    strSql = strSql & ChkString(Request.Form("name")) & "', '"
    strSql = strSql & ChkString(Request.Form("Country")) & "', '"
    strSql = strSql & ChkString(Request.Form("email")) & "', '"
    strSql = strSql & ChkString(Request.Form("URL")) & "', '"
    ' The sender's address comes from the request itself, not from the form
    strSql = strSql & Request.ServerVariables("REMOTE_ADDR") & "', '"
    strSql = strSql & ChkString(Request.Form("Message")) & "', '"
    strSql = strSql & ChkString(Request.Form("Rating")) & "')"
    objConn.Execute (strSql)
%>

After that, the parameters of colors, sizes, design fonts are extracted and applied from the corresponding table:

<font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("FormTitleSize")%>">Thank you for your entry in our guestbook!</font>

<font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>"><a href="Guest.asp?mode=show">Click here to view your entry</a></font>

Now, send an email to the manager or administrator notifying you of a new guestbook entry, if necessary:

<%
    ' Confirmation to the user: only if an address was given and the AutoEmail switch is on
    If Request.Form("email") <> "" And objRec2("AutoEmail") = True Then
        Name = Request.Form("name")
        Email = Request.Form("email")
        sFrom = objRec2("YourEmail")
        sTo = Email
        sSubject = "Спасибо, Ваша запись в нашей гостевой книге принята!"
        sMessage = "Дорогой(ая) " & Name & vbCrLf _
            & vbCrLf _
            & objRec2("ThankMessage") & vbCrLf _
            & vbCrLf _
            & vbCrLf
        Set objNewMail = CreateObject("CDONTS.NewMail")
        objNewMail.Send sFrom, sTo, sSubject, sMessage
        Set objNewMail = Nothing
    End If
    ' Notification to the responsible person: only if the YouEmail switch is on
    If objRec2("YouEmail") = True Then
        Name = Request.Form("name")
        Home_Page = Request.Form("url")
        Email = Request.Form("email")
        Message = Request.Form("message")
        Country = Request.Form("Country")
        Address = Request.ServerVariables("REMOTE_ADDR")
        Rating = Request.Form("Rating")
        If Rating = "0" Then Rating = "No Rating"
        sFrom = objRec2("YourEmail")
        sTo = objRec2("YourEmail")
        sSubject = "Новое сообщение"
        sMessage = "Привет," & vbCrLf _
            & "Новое сообщение поступило в гостевую книгу" & vbCrLf _
            & vbCrLf _
            & ":" & vbCrLf _
            & vbCrLf _
            & Message & vbCrLf _
            & vbCrLf _
            & "Детали сообщения:" & vbCrLf _
            & "Ваше имя: " & Name & vbCrLf _
            & "Email: " & Email & vbCrLf _
            & "URL: " & Home_Page & vbCrLf _
            & "Страна: " & Country & vbCrLf _
            & "Рейтинг: " & Rating & vbCrLf _
            & "Адрес: " & Address
        Set objNewMail = CreateObject("CDONTS.NewMail")
        objNewMail.Send sFrom, sTo, sSubject, sMessage
        Set objNewMail = Nothing
    End If
End Sub
%>
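The Update procedure builds its INSERT by concatenating form values into the SQL text and relies on ChkString doubling the quotes. The following is an added example, not code from the ComputerPress article: the same insert done through ADODB.Command parameters, so the SQL text stays constant whatever the user typed, together with a stricter input check that rejects a rating outside the five-point scale. It assumes the article's objConn connection and Messages table; the column widths, the constant values and the helper names (ValidateInput, AddTextParam, UpdateSafe) are assumptions.

```vbscript
<%
' ADO constants (values from the ADO type library; assumed not to be declared elsewhere on the page)
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

' Hypothetical helper: reject input outside the expected shape before it
' reaches the database. Name and message must be non-empty, rating 0..5
' (0 is the article's "No Rating" value).
Function ValidateInput(sName, sMessage, sRating)
    ValidateInput = False
    If Len(Trim(sName)) = 0 Or Len(Trim(sMessage)) = 0 Then Exit Function
    If Not IsNumeric(sRating) Then Exit Function
    If CInt(sRating) < 0 Or CInt(sRating) > 5 Then Exit Function
    ValidateInput = True
End Function

' Hypothetical helper: a bound text parameter, truncated to the column width
Function AddTextParam(cmd, sName, iSize, sValue)
    Set AddTextParam = cmd.CreateParameter(sName, adVarChar, adParamInput, iSize, Left(sValue, iSize))
End Function

Sub UpdateSafe
    If Not ValidateInput(Request.Form("name"), Request.Form("Message"), Request.Form("Rating")) Then
        Exit Sub
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    ' The statement never changes; the values travel as parameters, so a quote
    ' in the input is just data and ChkString is not needed for escaping
    cmd.CommandText = "INSERT INTO Messages (Name, Country, Email, URL, IP, Message, Rating) " & _
                      "VALUES (?, ?, ?, ?, ?, ?, ?)"
    ' Column widths are assumptions: match them to your own Messages table
    cmd.Parameters.Append AddTextParam(cmd, "@Name", 50, Request.Form("name"))
    cmd.Parameters.Append AddTextParam(cmd, "@Country", 50, Request.Form("Country"))
    cmd.Parameters.Append AddTextParam(cmd, "@Email", 100, Request.Form("email"))
    cmd.Parameters.Append AddTextParam(cmd, "@URL", 200, Request.Form("URL"))
    ' Taken from the request, as in the article, not from the form
    cmd.Parameters.Append AddTextParam(cmd, "@IP", 15, Request.ServerVariables("REMOTE_ADDR"))
    cmd.Parameters.Append AddTextParam(cmd, "@Message", 2000, Request.Form("Message"))
    cmd.Parameters.Append cmd.CreateParameter("@Rating", adInteger, adParamInput, , CInt(Request.Form("Rating")))
    cmd.Execute
    Set cmd = Nothing
End Sub
%>
```

Output still goes through FormatStr (and therefore Server.HTMLEncode) when the messages are displayed; the parameters only take care of the database side. The empty-string-to-space substitution that ChkString performed is dropped here, so the display code's `Email = " "` test would need to become an empty-string test if UpdateSafe replaced Update.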

Form for entering new values

It is also advisable to involve in the procedure the display of a form used to add new messages (note that the form is closed on itself, that is, the module that contains it serves as a reaction to it):

<% Sub ShowForm(Sign) %>
<form method="post" action="Guest.asp?mode=post">
<table>
<tr><td colspan="3"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("FormTitleSize")%>">Leave an entry in our guest book</font></td></tr>
<tr><td colspan="3"><font color="red" size="-2">* Required fields</font></td></tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Your name: *</font></td>
<td><input type="text" name="name" size="30">
<font color="red" size="-2"><% If dictFields(LCase("name")) Then Response.Write "You must enter a name<br>" Else Response.Write "<br>" End If %></font></td>
</tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Email:</font></td>
<td><input type="text" name="email" size="30"></td>
</tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">URL:</font></td>
<td><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">http://</font> <input type="text" name="URL" size="30"></td>
</tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Country:</font></td>
<td><input type="text" name="Country" size="30"></td>
</tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">How do you rate our website?</font></td>
<td><select name="Rating">
<option value="0">No rating</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select></td>
</tr>
<tr>
<td colspan="2"><font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Your comments: *</font></td>
<td><textarea name="Message" rows="6" cols="40"></textarea>
<font color="red" size="-2"><% If dictFields(LCase("message")) Then Response.Write "Вы не ввели сообщение<br>" Else Response.Write "<br>" End If %></font></td>
</tr>
<tr><td colspan="3"><input type="submit" value="Send"></td></tr>
</table>
</form>
<% End Sub %>

This is followed by the main function to display a fixed number of user messages (the value retrieved from the administrative settings table):

<%
Sub Show
    Dim NumPerPage, iPageCurrent, objRec, StrSql, iPages, TotalRows
    Dim iRecordsShown, Rating, Link, Email, Name, I
    NumPerPage = Int(objRec2("NumPerPage"))
    ' Page number from the query string; an empty or non-numeric value means page 1
    If Request.QueryString("page") = "" Or Not IsNumeric(Request.QueryString("page")) Then
        iPageCurrent = 1
    Else
        iPageCurrent = CInt(Request.QueryString("page"))
    End If
    Set objRec = Server.CreateObject("ADODB.Recordset")
    StrSql = "SELECT * FROM Messages ORDER BY ID DESC;"
    objRec.PageSize = NumPerPage
    objRec.CacheSize = NumPerPage
    ' adOpenStatic (3), adLockReadOnly (1), adCmdText (&H0001)
    objRec.Open StrSql, objConn, 3, 1, &H0001
    iPages = objRec.PageCount
    TotalRows = objRec.RecordCount
    If iPageCurrent > iPages Then iPageCurrent = iPages
    If iPageCurrent < 1 Then iPageCurrent = 1
    If iPages = 0 Then
        Response.Write "Не найденно записей!"
    Else
        objRec.AbsolutePage = iPageCurrent
%>

<font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Total in the book <%=TotalRows%> entries on <%=iPages%> page(s)</font>

<table>
<%
    iRecordsShown = 0
    Do While iRecordsShown < NumPerPage And Not objRec.EOF
        ' A missing or zero rating is shown with the "nr" (no rating) image
        Rating = objRec("Rating")
        If IsNull(Rating) Or Rating = "0" Then Rating = "nr"
        If IsNull(objRec("URL")) Then
            Link = "Не указан URL"
        Else
            ' Encode the stored URL before placing it inside an attribute and the link text
            Link = "<a href=""http://" & Server.HTMLEncode(objRec("URL")) & """>http://" & Server.HTMLEncode(objRec("URL")) & "</a>"
        End If
        Email = FormatStr(objRec("Email"))
        Name = FormatStr(objRec("Name"))
%>
<tr>
<td><font color="<%=objRec2("InfoFontColor")%>" size="<%=objRec2("InfoFontSize")%>"><%=objRec("DateID")%></font></td>
<td><font color="<%=objRec2("InfoFontColor")%>" size="<%=objRec2("InfoFontSize")%>">Site rating: <img src="<%=Rating%>.gif" height="14" width="65"></font></td>
</tr>
<tr>
<td colspan="3"><font color="<%=objRec2("MessageFontColor")%>" size="<%=objRec2("MessageFontSize")%>"><%=FormatStr(objRec("Message"))%></font></td>
</tr>
<tr>
<td><font color="<%=objRec2("InfoFontColor")%>" size="<%=objRec2("InfoFontSize")%>">
<% If IsEmpty(Email) Or Email = " " Then Response.Write Name Else Response.Write "<a href=""mailto:" & Email & """>" & Name & "</a>" End If %>
</font></td>
<td><font color="<%=objRec2("InfoFontColor")%>" size="<%=objRec2("InfoFontSize")%>"><%=FormatStr(objRec("Country"))%> IP: <%=objRec("IP")%></font></td>
<td><font color="<%=objRec2("InfoFontColor")%>" size="<%=objRec2("InfoFontSize")%>"><%=Link%></font></td>
</tr>
<%
        iRecordsShown = iRecordsShown + 1
        objRec.MoveNext
    Loop
%>
</table>
<%
    If iPages > 1 Then
%>
<font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">Pages:
<%
        For I = 1 To iPages
            If I = iPageCurrent Then
                ' The current page is printed in bold, without a link
                Response.Write "<b>" & I & "</b>"
            Else
                Response.Write " <a href=""Guest.asp?mode=show&page=" & I & """>" & I & "</a>"
            End If
        Next
        Response.Write "</font>"
    Else
        Response.Write " "
    End If
    End If
    objRec.Close
    Set objRec = Nothing
End Sub
%>

Pay attention to how the link to view the next page with such a “portion” of messages is formed and implemented:

Response.Write " <a href=""Guest.asp?mode=show&page=" & I & """>" & I & "</a> "

As you can see, the page number is passed to it as the value of the page parameter, and subsequently, if this value is not equal to 1, the display of messages does not start from the first message, but from the one that will be the first one on the page with the corresponding number specified in the parameter:

<%
NumPerPage = Int(objRec2("NumPerPage"))
If Request.QueryString("page") = "" Then
    iPageCurrent = 1
Else
    iPageCurrent = CInt(Request.QueryString("page"))
End If
%>

The source text of the module itself follows. It opens the connection to the database and retrieves the records (in the described example there is only one) from the Admin administrative settings table:

<%
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open StrConn
Set objRec2 = Server.CreateObject("ADODB.Recordset")
ConfigSql = "SELECT * FROM Admin;"
' adOpenForwardOnly (0), adLockReadOnly (1), adCmdText (&H0001)
objRec2.Open ConfigSql, objConn, 0, 1, &H0001
%>

Then you can style the title and main tags of the HTML page:

<html>
<head>
<title>ASP on a silver platter part 15 - DIY guest book</title>
</head>
<body>
<font color="<%=objRec2("PageFontColor")%>" size="<%=objRec2("PageFontSize")%>">

<a href="Guest.asp?mode=show">View guest book</a> | <a href="Guest.asp?mode=post">Leave an entry in the guest book</a>

And finally, the main loop for processing your main and only asp page of the module will look like this:

<%
Select Case Request.QueryString("mode")
    Case "post"
        Dim Field, dictFields
        Set dictFields = Server.CreateObject("Scripting.Dictionary")
        ' Remember every form field that fails validation
        For Each Field In Request.Form
            If ValidateField(Request.Form(Field), Field) = False Then
                dictFields.Add LCase(Field), True
            End If
        Next
        If Request.Form.Count <> 0 And dictFields.Count = 0 Then
            ' The form was submitted and every field passed: store the message
            Call Update
        Else
            ' First visit, or validation errors: (re)display the form
            ShowForm "Sign"
        End If
    Case "show"
        Call Show
    Case Else
        Call Show
End Select
%>

Only two cases are considered here, corresponding to two functions of our Web application: adding a new entry to the guestbook (the value of the mode parameter = “post”) and viewing guestbook messages (the value of the parameter mode = “show”).

<%
objRec2.Close
Set objRec2 = Nothing
objConn.Close
Set objConn = Nothing
Response.Write "</font></body></html>"
%>

Conclusion

We have considered one more functional component of a site and made it portable from the outset. The price of that is source code that is rather hard to read: the large number of parameters retrieved from the administrative table makes the module somewhat harder to understand, but once they are in use you never have to edit the code when they change. The system we developed is quite acceptable in use, and thanks to its modular implementation and the approach to embedding it in existing sites described in the article, it can serve as a guest book on a site of almost any degree of complexity.

Of course, the Web interface for editing, adding and deleting administrative settings (schemes) should also be considered, but this will take a lot of time, and therefore the author will try to cover it in one of the following parts of this article.

ComputerPress 11 "2001

Registration of controls is carried out by the @Register directive, which allows you to use user controls and server controls in the HTML code of the page using a special syntax (declarative custom server control syntax). Based on the analysis of these directives, the page parser can associate tags with given types and, when creating a page, embed controls already as containers of custom types - branches of the page's control tree.

Directives must precede the first use of the declared tags, more often they are placed at the beginning of the page and in the case of registering several controls, in sites with a modular structure, the number of such declarations can occupy a large number of lines. When you change the location of controls, you have to look for lines that require changes in the code of all pages and user controls on which they are registered, which is rather inconvenient.

The article describes a method that simplifies the registration of controls.

For the registration directives, we will use a plain text file in which we will collect all the @Register directives. Since virtual paths can be used to declare user controls, and only namespaces are specified for server controls, we can collect all the links we need in this file, and the links to the ascx files will be correct for any folder in the project. Here is what this file looks like in one of the projects:

<%@ Register TagPrefix="ch" Namespace="ControlsSharp.HtmlControls" Assembly="ControlsSharp"%>
<%@ Register TagPrefix="cw" Namespace="ControlsSharp.WebControls" Assembly="ControlsSharp"%>
<%@ Register TagPrefix="c" Namespace="ControlsSharp.CustomControls" Assembly="ControlsSharp"%>
<%@ Register TagPrefix="b" Namespace="ControlsBasic.CustomControls" Assembly="ControlsBasic"%>
<%@ Register TagPrefix="cu" TagName="bottommenu" Src="~/UserControls/Menu/cu_menu_bottom.ascx" %>
<%@ Register TagPrefix="cu" TagName="leftmenu" Src="~/UserControls/Menu/cu_menu_left.ascx" %>
<%@ Register TagPrefix="cu" TagName="topmenu" Src="~/UserControls/Menu/cu_menu_top.ascx" %>

Let's name the file register.inc and place it in the /inc folder of our web project.

This file will contain all the links we need, we will add or change the registration of a user or server control in it.

Now the created file needs to be somehow included in the page code. We do this with the SSI (server side includes) #include directive. This directive allows you to include static and dynamic files in the page code, processing them based on IIS mapping, i.e. specifying an asp or aspx file as the source will cause the file to be processed by the appropriate process and copy the results of this processing to the output page. In ASP, the #include directive was very widely used and allowed for the modularization of the site. With the advent of ASP.NET, it has become more convenient to do this in other ways, for example, using user controls. Future versions of ASP.NET will implement modularity using master pages. In general, the #include directive lost its meaning and was kept mainly for backward compatibility and to simplify the migration of ASP projects to .Net.

Since ours is a plain text file, no processing is done: before any dynamic content is executed, the entire contents of the file are copied into the page code. That is, including our register.inc file at the top of the page is practically the same as writing all the @Register directives there.

In order not to depend on the physical location of the file, we again use the virtual path syntax and add the following line to the aspx file:

<!-- #include virtual="/inc/register.inc" -->

Make sure everything works, if not, correct the wrong paths.

It remains to carry out one more operation. Right now, if you try to fetch the /inc/register.inc file from a link in your browser, you can easily do it. IIS hands it to you, and to an attacker, completely free of charge, even though it contains the paths of the physical structure of your site.

To prevent this from happening, we use the capabilities of the synchronous HttpForbiddenHandler handler, which allows us to protect files of a certain type from being issued at the request of the user. This approach is convenient and is often used, for example, to protect MS Access database files used in a project. In order for files with the *.inc extension to be protected using this handler, you need to tell IIS that these files will be processed by the ASP.NET process, in other words, configure IIS to map to files of this type.

For a detailed description of the configuration process for IIS, see HOW TO: Use ASP.NET to Protect File Types (http://support.microsoft.com/kb/815152/EN-US/). We need to create a mapping only for *.inc files. After completing the steps described there, all requests for files with this extension will be processed by the ASP.NET process, and you will have to edit the web.config file as follows:
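The web.config fragment below is an added example, not the article's own snippet: it maps every request for a *.inc file to System.Web.HttpForbiddenHandler, which is the built-in handler that answers with 403 Forbidden. It only takes effect after the IIS mapping from the KB article above sends *.inc requests to aspnet_isapi.dll; the surrounding configuration and system.web elements are assumed to already exist in your web.config.

```xml
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Every verb, every *.inc path: refuse to serve the file -->
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

The same pattern is what machine.config already applies to *.cs, *.vb and *.config files, which is why the alternative described below (giving the include file a *.cs or *.vb extension) works without any additional configuration.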

That's it: now, when trying to get the /inc/register.inc file via a direct link, the user will receive a 403 Forbidden error.

If you cannot register aspnet_isapi.dll for the new extension (for example, because your hosting provider does not want to do this), you can use the SSI ability to include files of any type and cheat: give the file with the @Register directives an extension of one of the types already mapped in IIS by default. The *.cs or *.vb extensions are convenient for this. These files contain source code and are normally not copied to the server. If you make a mistake and copy them anyway, they still cannot be obtained from the browser: when you try, the user receives a 403 Forbidden error. This happens because the mapping in IIS is configured by default for files of this type, and the corresponding extension is already registered in the httpHandlers section of the machine.config file. In Visual Studio, so that the compiler does not give you an error message, use an extension the compiler is not interested in: *.vb in C# projects, *.cs in VB projects.

Conclusion

The described method allows you to register controls in one place for the entire project. Subsequent modification of this file requires less effort than doing it in the usual way. Try using SSI #include inside the files you insert: this allows you to organize a kind of hierarchy and inheritance, which can be convenient for large projects.

Every ASP.NET developer needs to be familiar with Page Directives. If you are a beginner and you want to learn about the Page Directives then you can read this article.

So the first question is about Page Directives.

What is a Page Directive?

Basically Page Directives are commands. These commands are used by the compiler when the page is compiled.

How to use the directives in an ASP.NET page

Adding a directive to an ASP.NET page is simple. You write directives in the following format:

<%@%>

See the directive format, it starts with "<%@" and ends with "%>". The best way is to put the directive at the top of your page. But you can put a directive anywhere in a page. One more thing, you can put more than one attribute in a single directive.

Here is the full list of directives:

  • @Page
  • @Master
  • @Control
  • @Import
  • @Implements
  • @Register
  • @Assembly
  • @MasterType
  • @OutputCache
  • @PreviousPageType
  • @Reference

Let's discuss something about each directive.

When you want to specify the attributes for an ASP.NET page then you need to use @Page Directive. As you know, an ASP.NET page is a very important part of ASP.NET, so this directive is commonly used in ASP.NET.

<%@Page Language="C#" AutoEventWireup="false" CodeFile="Default.aspx.cs" Inherits="_Default"%>

Now you have some information about @Page Directives. The @Master Directive is quite similar to the @Page Directive. The only difference is that the @master directive is for Master pages. You need to note that, while using the @Master Directive you define the template page's property. Then any content page can inherit all the properties defined in the Master Page. But there are some properties that are only available in a Master Page.

<%@Master Language="C#" AutoEventWireup="false" CodeFile="MasterPage1.master.cs" Inherits="MasterPage"%>

@Control

@Control builds ASP.NET user controls. When you use the directive you define the properties to be inherited by the user control, and these values are assigned to the user control.

<%@Control Language="C#" Explicit="True" CodeFile="WebUserControl.ascx.cs" Inherits="WebUserControl" %>

As you know you need to define namespaces in your .cs class before using a C# or VB class. So the @Import Directive imports namespaces. This directive supports just a single attribute "namespace" and this attribute takes a string value that specifies the namespace to be imported. One thing you need to note is that the @Import Directive cannot contain more than one attribute/value pair. But you can use multiple lines.

<%@Import Namespace="System.Data"%>

@Implements

The @Implements Directive makes the ASP.NET page implement a .NET Framework interface. This directive supports only a single attribute, Interface.

<%@Implements Interface="System.Web.UI.IValidator"%>

@Register

When you create a user control and you drag that user control onto your page then you will see the @Register directive. This directive registers your user control on the page so that the control can be accessed by the page.

<%@ Register TagPrefix="MyTag" Namespace="MyName.MyNameSpace" Assembly="MyAssembly"%>

@Assembly

The @Assembly Directive attaches assemblies to the page or to an ASP.NET user control, so that all the classes and interfaces of the assembly are available to the class. This directive supports the two attributes Name and Src. The Name attribute gives the assembly name and the Src attribute gives the source file of the assembly.

<%@Assembly Name="MyAssembly"%>
<%@Assembly Src="MyAssembly.cs"%>

@MasterType

The @MasterType Directive connects a class name to the ASP.NET page for getting strongly typed references or members contained in the specified Master Page. This directive supports the two attributes Typename and virtualpath. Typename sets the name of the derived class from which to get the strongly typed or reference members and virtualpath sets the location of the page from which these are retrieved.

<%@MasterType VirtualPath="/MasterPage1.master"%>

@OutputCache

It controls the output caching policies of an ASP.NET page.

<%@ OutputCache Duration="180" VaryByParam="None"%>

@PreviousPageType

This directive specifies the page from which any cross-page posting originates.

@Reference

This directive declares that another page or user control should be compiled along with the active page or control. This directive supports the single attribute VirtualPath, which sets the location of the page or user control that the active page will reference.

<%@Reference VirtualPath="~/MyControl.ascx"%>

Final Words

I hope you get some knowledge from here. Please comment about how you like this article. Your comments are very valuable for me, because only you will tell me where I am going wrong and what improvements I need to make to write a better article. Please comment and provide your feedback.

The Google search engine (www.google.com) provides many search options. All of these features are an invaluable search tool for a first-time Internet user and at the same time an even more powerful weapon of invasion and destruction in the hands of people with evil intentions, including not only hackers, but also non-computer criminals and even terrorists.

Denis Batrankov
denisNOSPAMixi.ru

Attention: This article is not a guide to action. This article is written for you, WEB server administrators, so that you will lose the false feeling that you are safe, and you will finally understand the insidiousness of this method of obtaining information and set about protecting your site.

Introduction

For example, I found 1670 pages in 0.14 seconds!

2. Let's enter another line, for example:

inurl:"auth_user_file.txt"

a little less, but this is already enough for free download and for guessing passwords (using the same John The Ripper). Below I will give some more examples.

So, you need to realize that the Google search engine has visited most of the Internet sites and cached the information contained on them. This cached information allows you to get information about the site and the content of the site without a direct connection to the site, just digging into the information that is stored internally by Google. Moreover, if the information on the site is no longer available, then the information in the cache may still be preserved. All you need for this method is to know some Google keywords. This technique is called Google Hacking.

For the first time, information about Google Hacking appeared on the Bugtraq mailing list 3 years ago. In 2001, this topic was raised by a French student. Here is a link to this letter: http://www.cotse.com/mailing-lists/bugtraq/2001/Nov/0129.html . It gives the first examples of such queries:

1) Index of /admin
2) Index of /password
3) Index of /mail
4) Index of / +banques +filetype:xls (for france...)
5) Index of / +passwd
6) Index of/password.txt

This topic made a lot of noise in the English-reading part of the Internet quite recently: after an article by Johnny Long published on May 7, 2004. For a more complete study of Google Hacking, I advise you to go to the site of this author http://johnny.ihackstuff.com. In this article, I just want to bring you up to date.

Who can use it:
- Journalists, spies and all those people who like to poke their noses into other people's business can use this to search for compromising evidence.
- Hackers looking for suitable targets for hacking.

How Google works.

To continue the conversation, let me remind you of some of the keywords used in Google queries.

Search using the + sign

Google excludes words it considers unimportant from the search: for example, interrogative words, prepositions and articles in English, such as are, of, where. In Russian, Google seems to consider all words important. If a word is excluded from the search, Google tells you so. To make Google search for pages containing these words, put a + sign directly in front of each of them, with no space between the sign and the word. For example:

ace + of base

Search by sign -

If Google finds a large number of pages and you need to exclude pages on certain topics, you can make Google search only for pages that do not contain certain words. To do this, put a - sign in front of each such word, with no space between the sign and the word. For example:

fishing -vodka

Search with the ~ sign

You may want to look up not only the specified word, but also its synonyms. To do this, precede the word with the symbol ~.

Finding an exact phrase using double quotes

By default, Google looks for pages that contain every word written in the query string, regardless of the relative position of the words; the only requirement is that all the specified words appear on the same page. To find an exact phrase, put it in quotation marks. For example:

"bookend"

To require only that at least one of the specified words is present, you must specify the logical operation explicitly with OR. For example:

book safety OR protection

In addition, you can use the * sign in the search string to stand for any word and the . sign to stand for any character.

Finding words with additional operators

There are search operators that are specified in the search string in the format:

operator:search_term

Do not put spaces around the colon: a space after the colon produces an error message, and a space before it makes Google treat the operator as an ordinary search term.
There are several groups of additional search operators: language (which language the results should be in), date (limit the results to the past three, six or 12 months), occurrences (where in the document to look for the string: anywhere, in the title, in the URL), domains (search only the specified site or, conversely, exclude it from the search) and safe search (block sites containing the specified type of content and remove them from the result pages).
Some operators need no additional parameter: the query "cache:www.google.com" can be used as a complete search string by itself. Others, on the contrary, require a search word, for example "site:www.google.com help". In the light of our topic, let's look at the following operators:

Operator      Description                                                       Requires an additional parameter?

site:         search only for the site specified in search_term
filetype:     search only in documents with type search_term
intitle:      find pages containing search_term in title
allintitle:   find pages containing all the words search_term in the title
inurl:        find pages containing the word search_term in their address
allinurl:     find pages containing all the words search_term in their address

Operator site: limits the search to the specified site; you can specify not only a domain name but also an IP address. For example, enter:

Operator filetype: restricts searches to files of a certain type. For example:

As of the date of this article, Google can search within 13 different file formats:

  • Adobe Portable Document Format (pdf)
  • Adobe PostScript (ps)
  • Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)
  • Lotus Word Pro (lwp)
  • MacWrite(mw)
  • Microsoft Excel (xls)
  • Microsoft PowerPoint (ppt)
  • Microsoft Word (doc)
  • Microsoft Works (wks, wps, wdb)
  • Microsoft Write (wri)
  • Rich Text Format (rtf)
  • Shockwave Flash (swf)
  • Text (ans, txt)

Operator link: shows all pages that link to the specified page.
It is always interesting to see how many places on the Internet know about you. Let's try:

Operator cache: shows Google's cached copy of a page as it looked when Google last visited it. Take any frequently changing site and look:

Operator intitle: searches for the specified word in the page title. Operator allintitle: is its extension: it looks for all the specified words in the page title. Compare:

intitle:flight to mars
intitle:flight intitle:on intitle:mars
allintitle:flight to mars

Operator inurl: makes Google show all pages whose URL contains the specified string. allinurl: searches for all the words in the URL. For example:

allinurl:acid_stat_alerts.php

This query is especially useful for those who do not have SNORT: at least they can see how it works on a real system.

Google Hacking Methods

So, we have seen that, using a combination of the above operators and keywords, anyone can collect the information they need and search for vulnerabilities. These techniques are often referred to as Google Hacking.

Site map

You can use the site: operator to see all the links that Google has found on a site. Pages generated dynamically by scripts with URL parameters are usually not indexed, so some sites use ISAPI filters so that links take the form /article/abc/num/10/dst/5, with slashes, instead of /article.asp?num=10&dst=5. This is done so that search engines index the whole site.

Let's try:

site:www.whitehouse.gov whitehouse

Google takes it that every page on the site contains the word whitehouse. This is what we use to get all the pages.
There is also a simplified version:

site:whitehouse.gov

And the best part is that the comrades from whitehouse.gov never even learned that we looked at the structure of their site and peeked into the cached pages that Google downloaded for itself. This can be used to study the structure of sites and view their content without being noticed, at least for the time being.

Listing files in directories

WEB servers can display server directory listings instead of regular HTML pages. This is usually done to let users choose and download specific files. However, in many cases the administrator has no intention of showing the contents of a directory; it happens because of a server misconfiguration or the absence of an index page in the directory. As a result, a hacker has a chance to find something interesting in the directory and use it for his own purposes. To find all such pages, it is enough to notice that they all contain the words index of in their title. But since the words index of also appear on other pages, we need to refine the query and take into account keywords on the page itself, so we use queries like:

intitle:index.of parent directory
intitle:index.of name size

Since most directory listings are intentional, you may have a hard time finding misplaced listings at first. But at least you will be able to use the listings to determine the WEB server version, as described below.

Getting the WEB server version.

Knowing the WEB server version is always useful before starting any hacker attack. Again, thanks to Google, this information can be obtained without connecting to the server. If you look closely at a directory listing, you can see that the name and version of the WEB server are displayed there:

Apache1.3.29 - ProXad Server at trf296.free.fr Port 80

An experienced administrator can change this information, but as a rule it is accurate. So, to get this information, it is enough to send the query:

intitle:index.of server.at

To get information for a specific server, we refine the request:

intitle:index.of server.at site:ibm.com

Or, conversely, we look for servers running a specific version:

intitle:index.of Apache/2.0.40 Server at

This technique can be used by a hacker to find a victim: if, for example, he has an exploit for a certain version of the WEB server, he can find servers running that version and try the exploit.

You can also get the server version by looking at the pages that are installed by default with a fresh WEB server installation. For example, to see the Apache 1.2.6 test page, just type:

intitle:Test.Page.for.Apache it.worked!

Moreover, some operating systems install and start a WEB server during installation, and some users are not even aware of it. Naturally, if you see that someone has not removed the default page, it is logical to assume that the computer has not been configured at all and is probably vulnerable to attack.

Try searching for IIS 5.0 pages:

allintitle:Welcome to Windows 2000 Internet Services

In the case of IIS, you can determine not only the version of the server, but also the version of Windows and the Service Pack.

Another way to determine the WEB server version is to look for the manuals (help pages) and examples that may be installed on a site by default. Hackers have found quite a few ways to use these components to gain privileged access to a site, which is why they must be removed from a production site, quite apart from the fact that their presence alone reveals the server type and version. For example, let's find the Apache manual:

inurl:manual apache directives modules
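The checks just described (directory listings, the "Server at" version line in listings, default test pages, manuals and samples) can be run against your own web root and Apache configuration without sending a single query to Google. The following is an added example written for this article's topic, not code from the original: the sensitive file names are taken from the article's own lists, the sample site tree is constructed in a temporary directory, and the Apache directives it inspects (ServerTokens, ServerSignature and Options Indexes) are the ones that control what the article's queries find.

```python
"""Audit a local web root and Apache config for what the article's queries surface.

Added example, not from the original article.  The sample tree built by
build_sample_tree() is constructed for the demo.
"""
import os
import re
import tempfile

# A directory with none of these is listed verbatim when autoindex is enabled.
INDEX_FILES = {"index.html", "index.htm", "index.php", "index.asp", "default.asp"}

# File-name patterns lifted from the article's appendix and examples.
SENSITIVE_NAMES = re.compile(
    r"(\.sql|\.ini|\.pwd|\.pgp|\.mysql_history|passwd|shadow|pwd\.db|passlist\.txt|"
    r"ipsec\.secrets|finances\.xls|config\.php|globals\.inc)$", re.IGNORECASE)

# Default content and directories a fresh install leaves behind (from the article).
DEFAULT_CONTENT = re.compile(
    r"(Test Page for Apache|It worked!|Welcome to Windows 2000 Internet Services)", re.IGNORECASE)
DEFAULT_DIRS = {"manual", "iissamples"}


def audit_webroot(root):
    """Walk `root` and return (kind, relative_path, message) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if not INDEX_FILES & set(filenames):
            findings.append(("listing", rel or "/",
                             "no index page; a server with autoindex on will list this directory"))
        if os.path.basename(dirpath).lower() in DEFAULT_DIRS:
            findings.append(("default", rel, "documentation/sample directory shipped with the server"))
        for name in filenames:
            path = f"{rel}/{name}" if rel else name
            if SENSITIVE_NAMES.search(name):
                findings.append(("sensitive", path, "file name matches a well-known data/config pattern"))
            if name.lower().endswith((".html", ".htm")):
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    if DEFAULT_CONTENT.search(fh.read(4096)):
                        findings.append(("default", path, "default/test page content"))
    return findings


def audit_apache_config(conf_text):
    """Flag directives that expose listings or the server version string."""
    findings = []
    tokens = re.search(r"^[ \t]*ServerTokens[ \t]+(\S+)", conf_text, re.M | re.I)
    if not tokens or tokens.group(1).lower() != "prod":
        findings.append(("version", "ServerTokens",
                         "set ServerTokens Prod so the Server header carries no version"))
    sig = re.search(r"^[ \t]*ServerSignature[ \t]+(\S+)", conf_text, re.M | re.I)
    if sig and sig.group(1).lower() != "off":
        findings.append(("version", "ServerSignature",
                         "set ServerSignature Off so listings do not print 'Apache/x.y Server at ...'"))
    for m in re.finditer(r"^[ \t]*Options[ \t]+(.+)$", conf_text, re.M | re.I):
        if any(o.lower() in ("indexes", "+indexes") for o in m.group(1).split()):
            findings.append(("listing", m.group(0).strip(),
                             "Options Indexes enables directory listings; use -Indexes"))
    return findings


def build_sample_tree():
    """Constructed web root: a default page, an unindexed backup dir, a manual dir."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "backup"))
    os.makedirs(os.path.join(root, "manual"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><title>Test Page for Apache</title><body>It worked!</body></html>")
    with open(os.path.join(root, "backup", "site_dump.sql"), "w") as fh:
        fh.write("-- constructed sample dump\n")
    with open(os.path.join(root, "manual", "index.html"), "w") as fh:
        fh.write("<html>Apache HTTP Server Manual</html>")
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_tree()):
        print(finding)
    for finding in audit_apache_config("ServerTokens Full\nServerSignature On\nOptions Indexes\n"):
        print(finding)
```

Point audit_webroot at the real document root and audit_apache_config at httpd.conf; every "listing" finding is a directory the article's intitle:index.of queries would surface, and every "version" finding is what makes the server.at queries work.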

Using Google as a CGI scanner.

A CGI scanner (WEB scanner) is a utility for finding vulnerable scripts and programs on the victim's server. These utilities need to know what to look for, so they carry a whole list of vulnerable files, for example:

/cgi-bin/cgiemail/uargg.txt
/random_banner/index.cgi
/cgi-bin/mailview.cgi
/cgi-bin/maillist.cgi
/cgi-bin/userreg.cgi

/iissamples/ISSamples/SQLQHit.asp
/SiteServer/admin/findvserver.asp
/scripts/cphost.dll
/cgi-bin/finger.cgi

Each of these files can be found with Google by putting the words index of or inurl in the search bar together with the file name; in this way we can find sites with vulnerable scripts, for example:

allinurl:/random_banner/index.cgi

With additional knowledge, a hacker could exploit a vulnerability in the script to make it serve any file stored on the server, for example the password file.

How to protect yourself from being hacked through Google.

1. Do not upload important data to the WEB server.

Even if you post the data only temporarily, you may forget about it, or someone may find and take it before you erase it. Don't do it. There are many other ways to transfer data that protect it from theft.

2. Check your site.

Use the described methods to research your own site, and check it periodically against the new methods that appear on http://johnny.ihackstuff.com. Remember that if you want to automate your queries, you need special permission from Google: if you read http://www.google.com/terms_of_service.html carefully, you will find the phrase: You may not send automated queries of any sort to Google's system without express permission in advance from Google.

3. You may not need Google to index your site or part of it.

Google allows you to remove a link to your site, or part of it, from its database, as well as remove pages from the cache. In addition, you can prohibit searching for images on your site and prohibit showing short snippets of pages in the search results. All options for removing a site are described on the page http://www.google.com/remove.html. To do this, you must confirm that you are really the owner of the site or insert tags into the page or

4. Use robots.txt

It is known that search engines look at the robots.txt file in the root of the site and do not index the parts marked with the word Disallow. You can use this to prevent part of the site from being indexed. For example, to avoid indexing the entire site, create a robots.txt file containing two lines:

User-agent: *
disallow: /
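To check what a robots.txt file really tells crawlers before deploying it, the Python standard library's urllib.robotparser can be used. The following is an added example, not code from the original article, with constructed robots.txt texts. It shows that the two-line file above blocks everything (the lowercase disallow is fine, since field names are case-insensitive), that a Disallow line without a preceding User-agent line blocks nothing, and that every Disallow path is itself readable by anyone who fetches the file, so robots.txt is a request to well-behaved crawlers, not access control.

```python
"""Check what a robots.txt actually says to crawlers.

Added example, not from the original article.  The robots.txt texts below are
constructed for the demo.
"""
from urllib.robotparser import RobotFileParser

# The article's two-line file: lowercase "disallow" is accepted, field names are case-insensitive.
BLOCK_ALL = "User-agent: *\ndisallow: /\n"

# Common mistake: a Disallow with no User-agent line above it belongs to no crawler, so it is ignored.
MISSING_AGENT = "Disallow: /\n"

# A partial file: it keeps crawlers out of three directories and, at the same time, names them.
PARTIAL = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nDisallow: /cgi-bin/\n"


def robots_allows(robots_txt, agent, path):
    """True if a crawler identifying as `agent` may fetch `path` under this robots.txt."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # parse() also marks the file as read, which can_fetch() requires
    return rp.can_fetch(agent, path)


def coverage(robots_txt, agent, paths):
    """Map each path to whether `agent` may fetch it; run this before deploying a new file."""
    return {p: robots_allows(robots_txt, agent, p) for p in paths}


def disallowed_paths(robots_txt):
    """Every Disallow path the file advertises to anyone who reads it."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    print("block-all, Googlebot, /:", robots_allows(BLOCK_ALL, "Googlebot", "/"))
    print("missing User-agent, Googlebot, /:", robots_allows(MISSING_AGENT, "Googlebot", "/"))
    print(coverage(PARTIAL, "*", ["/admin/users", "/backup/", "/index.html"]))
    print("paths the partial file advertises:", disallowed_paths(PARTIAL))
```

disallowed_paths is the defender's reminder: anything that must stay private belongs behind authentication or off the server altogether, not merely in a Disallow line.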

What else happens

So that life does not seem too sweet, I will say in closing that there are sites that track people who use the above methods to look for holes in scripts and WEB servers. An example of such a page is
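Such tracking can be done on your own server from the access log, because a visitor who arrives from a Google results page brings the query along in the Referer header's q= parameter, and the operator syntax described earlier (operator:search_term, no space after the colon) is straightforward to tokenize. The following is an added example, not code from the original article: the log lines are constructed, the log format is Apache's combined format, and the list of operators worth flagging is the one this article discusses.

```python
"""Flag search-operator probing in web server access logs (Apache combined format).

Added example, not from the original article.  SAMPLE_LOG is constructed for
the demo; PROBE_OPERATORS follows the operators the article describes.
"""
import re
from urllib.parse import urlparse, parse_qs

# Operators the article discusses; ordinary visitors almost never use them.
PROBE_OPERATORS = ("intitle", "allintitle", "inurl", "allinurl",
                   "filetype", "site", "cache", "link", "intext")

# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# operator:term with no space after the colon; the term may be a quoted phrase.
OPERATOR_RE = re.compile(r'(?<!\S)(?P<op>[a-z]+):(?P<term>"[^"]*"|\S+)')

SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2004:10:12:01 +0400] "GET /backup/ HTTP/1.0" 200 1532 '
    '"http://www.google.com/search?q=intitle%3Aindex.of+server.at+site%3Aexample.com" "Mozilla/4.0"',
    '198.51.100.7 - - [10/May/2004:10:13:44 +0400] "GET /index.html HTTP/1.1" 200 4820 '
    '"http://www.google.com/search?q=example+guestbook" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2004:10:15:02 +0400] "GET /dump.sql HTTP/1.1" 404 210 '
    '"http://www.google.com/search?q=%23mysql+dump+filetype%3Asql" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]


def parse_query(query):
    """Split a search string into ([(operator, term), ...], [free terms])."""
    operators = [(m.group("op"), m.group("term").strip('"'))
                 for m in OPERATOR_RE.finditer(query)]
    rest = OPERATOR_RE.sub(" ", query)
    free_terms = re.findall(r'"[^"]*"|\S+', rest)   # quoted phrases stay whole
    return operators, free_terms


def search_query_from_referer(referer):
    """Return the q= parameter if the Referer is a Google results page, else None."""
    parts = urlparse(referer)
    if "google." not in parts.netloc:
        return None
    q = parse_qs(parts.query).get("q")   # parse_qs also undoes + and %XX encoding
    return q[0] if q else None


def find_probes(log_lines):
    """One finding per log line whose Referer carries an operator from PROBE_OPERATORS."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip it rather than crash
        query = search_query_from_referer(m.group("referer"))
        if query is None:
            continue
        operators, _ = parse_query(query)
        hits = sorted({op for op, _ in operators if op in PROBE_OPERATORS})
        if hits:
            request = m.group("request").split()
            findings.append({"ip": m.group("ip"),
                             "path": request[1] if len(request) > 1 else "",
                             "query": query, "operators": hits})
    return findings


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
```

A hit is a signal, not proof of intent, but a source address that repeatedly arrives with intitle:index.of or filetype: queries and gets 404s for the paths it probes is worth correlating with the audit of your own web root.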

Appendix.

A little something sweet to finish. Try one of the following for yourself:

1. #mysql dump filetype:sql - search for mySQL database dumps
2. Host Vulnerability Summary Report - will show you what vulnerabilities other people have found
3. phpMyAdmin running on inurl:main.php - this will force close the control via phpmyadmin panel
4. Not for distribution confidential
5. Request Details Control Tree Server Variables
6. Running in child mode
7. This report was generated by WebLog
8. intitle:index.of cgiirc.config
9. filetype:conf inurl:firewall -intitle:cvs - maybe someone needs firewall configuration files? :)
10. intitle:index.of finances.xls - hmm....
11. intitle:Index of dbconvert.exe chats - icq chat logs
12. intext:Tobias Oetiker traffic analysis
13. intitle:Usage Statistics for Generated by Webalizer
14. intitle:statistics of advanced web statistics
15. intitle:index.of ws_ftp.ini - ws ftp config
16. inurl:ipsec.secrets holds shared secrets - secret key - good find
17. inurl:main.php Welcome to phpMyAdmin
18. inurl:server-info Apache Server Information
19. site:edu admin grades
20. ORA-00921: unexpected end of SQL command - get paths
21. intitle:index.of trillian.ini
22. intitle:Index of pwd.db
23. intitle:index.of people.lst
24. intitle:index.of master.passwd
25. inurl:passlist.txt
26. intitle:Index of .mysql_history
27. intitle:index of intext:globals.inc
28. intitle:index.of administrators.pwd
29. intitle:Index.of etc shadow
30. intitle:index.of secring.pgp
31. inurl:config.php dbuname dbpass
32. inurl:perform filetype:ini
