Can someone please show me around the place?

Hi :smiley:

I’m new here, but I have fiddled around with a little code here and there and I have a passing familiarity with Linux and Apache, PHP, CSS, Javascript, Perl, Python, Bash, all that good stuff. But my only experience to date has been on my own machine running my own servers, so this is a little different since obviously I can’t play around with DreamHost’s apache.conf file (nor would I want to), so I have a question or 2. I don’t want to bug the Help Chat operators unnecessarily any more than I already have ( ;D ) so if anyone here can throw me an answer off the top of their head from their own experience that’d be just fantastic.

Now, usually I keep all my scripts and CGI programs in a separate directory tree than the one my Web site actually resides in. For instance, if my Web site is at /var/www/ (common enough I guess), then usually I put some lines in Apache’s configuration file to tell it 1) that the string “cgi-bin” as a directory in any URL should actually point to some innocuous directory like /etc/apache2/cgi-bin/ or wherever, as long as it’s not within the publicly accessible /var/www/ hierarchy and 2) certain file extensions should be executed by the shell as scripts or programs. Since my ftp account has access to the directory containing my Web site I assume I can make a similar divergent path up there and put scripts in it. Can this be accomplished within a .htaccess file or some such mechanism on DreamHost? If I compile a program written in C++ and put it in that cgi-bin directory will it run (or attempt to)?

Despite my best efforts, I’ve never been able to link a Javascript .js file to an HTML file this way. Javascript and (if memory serves) CSS files have always had to reside within my www folder for some reason I’ve never pinned down exactly because once I can see it ain’t working I usually just go with whatever works and move on with my life. Is that the case here as well?

Try looking for tutorials instead of asking people to tutor you. A lot of basic concepts have already been explained before.

For example, see Client Side vs. Server Side

On the DreamHost shared servers, executables do not have to reside in a CGI directory. CGI can be stored in any web-accessible directory and executed by the web server software given the file has the right permissions.

The point to keeping CGI programs out of a Web-accessible directory, as I’m sure you all know already, is to provide some minimal level of security by preventing potential attackers from simply downloading your code and looking at it to discover, for instance, the secret key your Web site uses to communicate with the Google ReCaptcha script or the e-mail address that you want to tell DreamHost’s formmail script to send information entered by a user into a form. If you just put that e-mail address in the invisible input control named “recipient” then any spider crawling through your site is virtually guaranteed to find it and, as the DreamHost article on the topic clearly states, said e-mail address will be “assaulted with spam.” To avoid this, it seems to me like one could simply set the “value” property of the invisible “recipient” input control with a Javascript function that runs when the page loads. However, in order to avoid getting spammed through the form itself I’d like to incorporate a Captcha. To use recaptcha with formmail on the same form is less than straightforward but it seems to me that a Javascript function specified as the “action” property of the form itself should be able to issue the proper “GET” request to the recaptcha script from Google by allocating an XMLHTTPRequest object with the proper values (including the secret key supplied by Google for identification purposes), check the result and, if the captcha was completed successfully, then allocate another XMLHTTPRequest object using a FormData object constructed using the form in question as the parameter to its constructor (after setting the “recipient” property of said form to the desired e-mail address), issue a “POST” request to DreamHost’s formmail script, and shortly receive some information entered into a form by a genuinely human user in the Inbox of the specified e-mail account.
This will of course require the secret Google key AND the e-mail address to be visible to anyone who has access to the file containing the Javascript function. Sure, you can break these sort of things up into smaller strings and use Javascript’s ‘+’ operator to just concatenate smaller substrings of the string you wish to conceal (“fuzzy” + “@” + “”), and that would probably fool most robots, but it wouldn’t fool a human for very long at all now, would it? So it seems to me … and I’m pretty sure I didn’t make this idea up, but read it in some book about Apache, PHP and MySQL … that a better way to conceal sensitive information like that and, you know, the username and password your PHP or other scripts will need to get into your MySQL database … stuff like that … is to have files with that sort of information in them OUTSIDE of your Web-accessible directories.

So to rephrase my question as simply as possible so as to avoid the impression that I’m looking for someone to hold my hand and guide me through the whole process of getting a form going …

Can I designate a specific path starting one level above my Web site directory (my home directory, in other words) to be recognized by the DreamHost server as containing scripts to be executed without tinkering around with the apache.conf file (since I obviously can’t do that anyway)? And, specifically, if I try that trick will it work for Javascript files?

Now I don’t want anyone to feel like they have to go miles out of their way to uncover the answer to this question just for me. I’ve been poking through the help files and other documentation, this forum, the F.A.Q.’s and everything else I can find but I can only read so fast. If someone just happens to know the answer off the top of their head though and feels inclined to post a simple answer to a simple question I won’t even mind a bit if they want to poke their snobbish little tongue out at me and call me a noob all freakin’ day. Anyone who doesn’t know the answer, however, is cordially invited not to be a condescending prick and post links to 3rd grade tutorials that really have nothing to do with the question at hand. :slight_smile:

That’s actually not a concern here. With our standard site configuration, requesting a CGI script will always attempt to run it. The contents of the script will not be output.

That being said, this won’t work for Javascript files; those must be downloaded and run by the browser. You’ll need a “real” CGI script (e.g., PHP, Perl, Python…) to handle this.
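
An added example, not part of the original thread: the core of the server-side handler the reply above points to, in Python, with the reCAPTCHA secret and recipient read from a file kept outside the web root and the recipient never taken from the form. The file name, JSON keys and function names are hypothetical, and the HTTP call is replaced by a stub with constructed data so the block runs offline.

```python
import json, os, stat, tempfile, urllib.parse, urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def load_secrets(path):
    """Read secrets from a JSON file kept outside the web root; refuse lax permissions."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def http_post(url, fields):  # default transport: form-encoded POST, JSON reply
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)

def handle_submission(form, secrets, post=http_post):
    """Return (recipient, message) if the captcha verifies server-side, else None."""
    token = form.get("g-recaptcha-response", "")
    if not token:
        return None
    reply = post(VERIFY_URL, {"secret": secrets["recaptcha_secret"], "response": token})
    if reply.get("success") is not True:
        return None
    # Recipient comes from the server-side file; a client-supplied "recipient" is ignored.
    return secrets["recipient"], form.get("message", "")

def demo():
    """Constructed data: a fake secrets file and a stub transport."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "form-secrets.json")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"recaptcha_secret": "PLACEHOLDER", "recipient": "owner@example.com"}, fh)
        os.chmod(path, 0o644)
        try:
            load_secrets(path)
            lax_rejected = False
        except PermissionError:
            lax_rejected = True
        os.chmod(path, 0o600)
        secrets = load_secrets(path)
    stub = lambda url, fields: {"success": fields["response"] == "good-token"}
    form = {"g-recaptcha-response": "good-token", "recipient": "spam@example.net", "message": "hi"}
    ok = handle_submission(form, secrets, post=stub)
    bad = handle_submission({**form, "g-recaptcha-response": "forged"}, secrets, post=stub)
    return lax_rejected, ok, bad

if __name__ == "__main__":
    print(demo())
```

The browser only ever sends the captcha token and the message; the secret key and the mailbox address stay in the 0600 file that the script reads at request time.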

Thank you so much, Andrew. That was very helpful and I appreciate it. :slight_smile:

What’s really amusing about the whole “secret key” thing for Google’s stupid reCaptcha script is that they say to keep it a secret, then have it return a JSON object knowing full well the same rules concerning Javascript concealment (that it’s impossible) that we’ve just discussed. So if I really want to keep it a secret I have to use a REAL programming language. I suppose about the sneakiest thing would be to store it as a string constant in a compiled program written in C/C++ or whatever, in non-contiguous bytes so that a simple text-based examination of the executable file won’t be enough to determine what it is, then store that as a CGI program outside the Web-accessible directory of your site. Which I might just do with my e-mail address but screw Google and their stupid key. :slight_smile: