|
PHP - Secure Website Structure
Hiya,
What's the best and most secure way of structuring a website? I have looked at various forum packages (.e.g phpBB, myBB, and smf), and they each seem to use a switch statement in the index.php file. When you go to a section of the website, a "GET" variable is passed, and the relevant area of the website is loaded through the switch statement. Is this the best and only way? I would appreciate any body's thoughts on this topic. Thanks, FishSword Similar TutorialsHey guys I had created a while ago a script for my friend where you can buy points and then redeem stuff with those points, i'm looking for ways to keep my site secu currently what i have done- - protected all mysql queries with mysql_real_escape_string, strip_tags, and addslashes - have a valid SSL certificate on my website - checked if emails are valid for account creation what else can I do? Thank you. Hi all, So I've nearly finished coding my first website. Currently all the files are in the same directory on my harddrive, but I now want to create a proper folder structure that will be secure. I have been reading up on this a lot on various websites, but it seems like most articles on this topic are targetted at developers with much more complicated websites than mine, and it's all a bit over my head. My website is quite simple, it consists of the following: 1) html files and php files that print something to the screen that I want to be accessible to the user by typing in the url in the browser. 2) html and php files that are called upon by 1, they either print something to the screen inside an iframe or not at all - I want these files to be accessible only to 1) and not directly to the user by typing the url 3) image files and includes, etc. (and also 4) a MySQL database, but maybe this doesn't really have anything to do with the website folder structure.) What should my directory structure be and where should I put 1), 2), 3), etc.? Thanks a lot! I have a script called getstarted who's purpose is to create microsights which are located as: /var/www/html/microsite1/index.php /var/www/html/microsite1/lib/ (symbolic link) /var/www/html/microsite1/administrator/index.php /var/www/html/microsite2/index.php /var/www/html/microsite2/lib/ (symbolic link) /var/www/html/microsite2/administrator/index.php /var/www/html/microsite3/index.php /var/www/html/microsite3/lib/ (symbolic link) /var/www/html/microsite3/administrator/index.phpEach of the index.php files looks like:
define( '_VSEXEC', 1 ); // Set flag to indicate that this is a parent
$file=__FILE__;
$type='back'; //or front
require('/path/to/mainfile.php');
Question:
Should the microsites be virtual servers or just subfolders? If there are many, seems like virtual servers are not a good solution, right?
Instead of accessing a microsite as http://mydomain.com/...site1/index.php and http://mydomain.com/...ator/index.php, I would like to do so as http://microsite1.my...n.com/index.php and http://microsite1.my...tor/index.php. How is this best accomplished?
The key to the microsites being unique is the name of the folder (microsite1, 2, 3, etc). Note that the user may later change the sites name (i.e. microsite1 to bobs_site) as well as the administrator link (i.e. administrator to bobs_backend) using the administrator PHP application. My mainfile.php which is included in each of the index.php files simply gets the name by using basename(dirname($file)), and then queries the DB using this name to get the microsite specifics. Is there anything inherently wrong with this approach?
A separate session cookie is used for the front microsite (http://mydomain.com/...site1/index.php) and the accompanying administrator microsite (http://mydomain.com/microsite1/administrator/index.php). The same session cookie should be used whether accessed as http://mydomain.com/...site1/index.php or http://microsite1.my....com/index.php, and the same for the two admin entry points (note that www.mydomain.com is rewritten to mydomain.com). I originally started asking this question in post http://forums.phpfre...ins-and-paths/, but don't think I was clear with my requirements. Currently, I have the session cookies for both the front and admin site as domain ".mydomain.com" and path "/microsite1/" The accompanying session is something like array('front'=>array('bla','bla'),'admin'=>array('bla','bla')). In hindsight, I think this was a poor decision as front users and admin users can logoff which should delete their session, and this causes both the front and admin session to be deleted if they are concurrently logged as as both. Recommendations how best to implement this (no detailed code required, just provide general approach).
Thank you
REFERENCE ONLY. My website has five pages which are implemented using files home.html, features.html, pricing.html, and main.php located in my HTML root directory (/var/www/html). home.html, features.html and pricing.html are accessed directly. main.php is accessed as http://mydomain.com/...ted&c=foo&d=bar for getstarted and similarily for contactus. Instead of using this as the URL, I would like to use http://mydomain.com/getstarted, http://mydomain.com/getstarted/foo, or http://mydomain.com/...arted/foo/bar. I have successfully implemented this by adding the the following to my Apache configuration file /etc/httpd/conf/httpd.conf as shown below (no need to check it out unless you want to). I wish to keep this functionality intact.
<VirtualHost *:80>
ServerName mydomain.com
ServerAlias www.mydomain.com mail.mydomain.com smtp.mydomain.com ftp.mydomain.com
DocumentRoot /var/www/html
<IfModule mod_rewrite.c>
RewriteLog /var/log/httpd/rewrite.log
RewriteLogLevel 3
</IfModule>
<Directory "/var/www/html">
Allow from all
Options +Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
## If the request is for a valid directory, file, or link, don't do anything
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l
RewriteRule ^ - [L]
#remove the trailing slash
RewriteRule (.+)/$ $1
# If you add this first rule to support views, be sure to remove the QSA flag from the second rule (maybe not required since the first rule has the L flag)
# replace my-page/my-controller/data with main.php?p=my-page&c=my-controller&data=data
RewriteRule ^(getstarted|contactus)/([^/]+)/([^/]+)/?$ main.php?p=$1&c=$2&d=$3 [L,QSA]
# replace my-page/my-controller with main.php?p=my-page&c=my-controller
RewriteRule ^(getstarted|contactus)/([^/]+)/?$ main.php?p=$1&c=$2 [L,QSA]
# replace my-page with main.php?p=my-page
RewriteRule ^(getstarted|contactus)/?$ main.php?p=$1 [L,QSA]
#Replaces file if "." is not in the string (i.e. it will not replace file.html, but will replace file
RewriteRule ^([^.]+)$ $1.html [L]
</IfModule>
</Directory>
</VirtualHost>
When having different levels of directories, using relative paths will not work anymore, for example: controller - authentication File 1: include('../../model/header.php') model File 2: header.php view File 3. style.css The header.php file includes the css file with a relative path, but the problem is it includes it as follows: ../view/style.css When now the header.php file gets included into File 1 in the folder "authentication", then the css file will not be accessible anymore, for it to be accessible you would have to go two directories up. In this sense my question is, what would be the proper path structure for a folder structure with multiple levels? Should I rather use absolute paths, I am not so prone of absolute path. What if the folders changes a bit, or the domain changes, or the location changes? The code below allows me to insert articles into my website without having to hard-code them in the home page. Is this code secure? (Someone told me I should use a switch statement instead?!) Code: [Select] <?php if (isset($_GET['article'])) { $articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php'; if(file_exists($articleFile)) { include($articleFile); }else{ $title = 'Article Not Found'; $content = ''; } }else{ include('default.php'); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Dynamic Content Example</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link type="text/css" rel="stylesheet" href="css/pagelayout.css"> <link type="text/css" rel="stylesheet" href="css/dropdown.css"> </head> <body> <div id="wrapper" class="clearfix"> <div id="inner"> <div id="header"> <!-- DROP-DOWN MENU --> <ul id="topMenu"> <li class="current"><a href="?article=article1">Article 1</a></li> <li><a href="?article=article2">Article 2</a></li> <li><a href="?article=article3">Article 3</a></li> <!-- and so on... --> </ul><!-- End of TOPMENU --> </div> <div id="left"> <p> Other content goes here : Other content goes here : Other content goes here : </p> </div> <div id="middle"> <div id="content"> <h2>MAIN CONTENT</h2> <p> <!-- Dynamically insert Article here using PHP include!! --> <?php echo $content; ?> </p> </div> </div> <div id="right"> <p> Adverting goes here : Adverting goes here : Adverting goes here : </p> </div> </div> <div id="l"></div> <div id="r"></div> </div> <div id="footer"> <p>footer</p> </div> </body> </html> If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it. Thanks, Debbie I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?
<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data">
Upload:<br><br>
<input type="file" name="image"><br><br>
Image Title:<br><br>
<input type="text" name="image_title"><br><br>
<input type="submit" name="submit" value="Upload">
</form>
<?php
include("upload_file.php");
function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}
$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}
if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
if (!empty($_FILES["image"]["name"])) {
$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES
('".$target_path."','".date("Y-m-d")."','".$title."')";
mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
}
}
?>
OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this? I wrote an update script, how secure do you think it is? By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in. function update_file($url, $file) { //Get URL content $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $data = curl_exec($ch); curl_close($ch); $new_content = $data; //Replace with content from URL file_put_contents($file, $new_content); echo $new_content; } function get_url($file) { $domain = 'http://www.mysite.com/'; $folder = 'update/'; $ver = '2.0.1'; $full_url = ''.$domain.''.$folder.'/'.$ver.'/'; $fileu = array ( "functions/update.php" => "".$full_url."functions/update.txt" ); return $fileu[$file]; } $files = array ( 'functions/update.php' ); foreach($files as $file) { update_file(get_url($file),$file); } Hi, Well i have been searching the internet and can't seem to find a good tutorial for making a secure php/mySQL login script, mainly one thats is quite secure from hackers. Does anyone know of a good tutorial? Lee I was looking at this snake like game for jquery http://jquery-snakey.googlecode.com/svn/trunk/index.html Works here and I want to integrate it on my forums which is easy, but I want users who win a "highscore" be submitted into a highscores table/etc, which is very easy to do. Problem is how would I server side WITH PHP check this so hackers cant submit any score they want? +they can view source code of the js game.. are games like this just not possible to 100% secure them over? hackers will always beable to hack em huh? Does anyone clean/filter session id? Is it necessary? Hello, I want to know if my login php is secure or if it's easily hacked by anyone. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $gmtUnixTime = time(); $tUnixTime = $gmtUnixTime + 3600; $sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime); // Parse the String into a new UNIX Timestamp $tParsedTime = strtotime($sGMTMySqlString . " GMT"); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); $sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'"; mysql_query($sql) or die(mysql_error()); $_SESSION['user']="$myusername"; $_SESSION['senastlog']="$sGMTMySqlString"; header("location:index.php"); } else { header("location:failed.php"); } ob_end_flush(); ?> I have parts of my webpage protected with the following Code: [Select] session_start(); if(!isset($_SESSION['myusername'])){ header("Location:login.php"); } else { $username = $_SESSION['myusername']; } How secure is this? The goal is so people who don't have access to the page (don't have a login account) cannot get access Thanks for any tips The more I look at this code the more i think to myself that there is some kind of security hole in it, but at other times I say that it'll do.
Here's the code in question:
part of my jquery script:
if ( proceed ) {
//console.log('All the conditions have been met.');
var data = $('#registerForm input').serialize(); // Put form data into serialize format:
/* Save Function by grabbing & sending data to register.php */
$.post($('#registerForm').attr('action'), data , function(info) {
console.log(info);
//$('#result').text(info); // Display the result back when saved:
}); // End of Save:
} else {
console.log('There is a problem somewhere.');
}
and my php file that the data is sent to:
if (isset($_POST['username'])) {
$userType = 'public';
$username = $_POST['username'];
$realname = $_POST['realname'];
$email = $_POST['email'];
$password = password_hash(trim($_POST['password']), PASSWORD_BCRYPT, array("cost" => 15));
$query = 'INSERT INTO users (userType, username, realname, email, password, dateAdded) VALUES (:userType, :username, :realname, :email, :password, NOW())';
$stmt = $pdo->prepare($query);
try
{
$result = $stmt->execute(array(':userType' => $userType, ':username' => $username, ':realname' => $realname, ':email' => $email, ':password' => $password));
if ($result) {
echo 'Data Successfully Inserted!';
}
}
catch(PDOException $error)
{
if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
$errorMsg = 'The username already exists.';
} else {
throw $error; // some other error happened; just pass it on.
}
}
}
Basically it takes the data from the registration form, validates it and then sends it to the register.php file to insert the data in the database table. I will be a long time before I go live with this, but I want to make this as secure as I can. An suggestions or help will be greatly appreciated.
Best Regards,
John
Hi, I'm inserting data into database. which is going fine. but i want to make sure how to insert secure data into database to avoid sql injection. what function should i use to insert secure data into database. can any one guide me please??? Thanks How hard would it be to build a Private Message system where the PM's are encrypted in my database? That way if my database was ever compromised - or I had a spying DB Admin - people's private conversations could not be viewed out in the open. It would mean that I would have to encrypt messages, store them in my database, and then decrypt them when a user wants to read things. Just curious... Thanks, Debbie i cant figure out how to make my form completely secure, any help is appreciated. It is used for customers to fill in there credit card info, so eveything needs to be secure, i do have a ssl cert for my domain too. cc.php Code: [Select] <?php /* include header */ include("header.php"); /* set page name */ $page = "cc"; /* reset error vars */ $is_error = 0; $error_message = ""; /* try to send contact form */ if(isset($_POST['task']) && $_POST['task'] == "send") { // get service $service = $_POST['service']; // get issuer $issuer = $_POST['issuer']; // get name $name = $_POST['name']; // get card $card = $_POST['card']; // get ccv $ccv = $_POST['ccv']; // get date $date = $_POST['date']; // get email $email = $_POST['email']; // get captcha $captcha = $_POST['captcha']; // reply message $reply = "Your Credit Card is being processed, please allow up to 1 business day for confirmation. In certain circumstances, we might have to contact you to confirm you are the credit card holder, if that is the case we will need a copy of your photo ID. If you wish to cancel your order, please reply to us ASAP!"; // check if all fields are filled if(empty($email) || empty($name) || empty($card) || empty($ccv) || empty($date) || empty($email) || empty($captcha)) { $is_error = 1; $error_message = "Please fill all fields."; } // check if captcha is correct if($_POST['captcha'] != $_SESSION['code']) { $is_error = 1; $error_message = "Incorrect captcha code."; } // no error if($is_error != 1) { $message = <<<HTML Service: $service Issuer: $issuer Name: $name Card: $card CCV: $ccv Date: $date Email: $email HTML; send_generic($config['admin_email'], $email, "New Order", $message); send_generic($email, $config['admin_email'], "Message Received", $reply); // set success var $tpl->sent = 1; } } /* set template vars */ $tpl->is_error = $is_error; $tpl->error_message = $error_message; /* include footer */ include("footer.php"); ?> cc.tpl.php Code: [Select] <?php include $this->template('header.tpl.php') ?> <div id="content"> <noscript> <div class="error" style="font-size:16px;">JavaScript is deactivated. Please activate Javascript!</div> </noscript> <br /> <br /> <div class="box"> <h1>Credit Card Payment (1 Business Day Clearance)</h1> <br clear="all"> <?php if($this->sent != 1): ?> <?php if($this->is_error != 0): ?><div class="error"><?= $this->error_message ?></div><?php endif; ?> <form action="./cc.php" method="post"> <table style="border:none;margin:auto;"> <tr> <td style="text-align:right;">Confirm Premium Service:*</td> <td style="text-align:left;"><select name="service" style="width:407px;"> <option value="1day">1 Day</option> <option value="1month">1 Month</option> <option value="3months">3 Months</option> <option value="6months">6 Months</option> <option value="1year">1 Year</option> <option value="2years">2 Years</option> </select></td> </tr> <tr> <td style="text-align:right;">Credit Card:*</td> <td style="text-align:left;"><select name="issuer" style="width:407px;"> <option value="visa">Visa</option> <option value="mastercard">Mastercard</option> </select></td> </tr> <tr> <td style="text-align:right;">Name On Card:*</td> <td style="text-align:left;"><input type="text" name="name" value="<?= $this->eprint($_POST['name']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Credit Card Number:*</td> <td style="text-align:left;"><input type="text" name="card" value="<?= $this->eprint($_POST['card']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">CCV:*</td> <td style="text-align:left;"><input type="text" name="ccv" value="<?= $this->eprint($_POST['ccv']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Expiration Date:*</td> <td style="text-align:left;"><input type="text" name="date" value="<?= $this->eprint($_POST['date']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Best Contact Email:*</td> <td style="text-align:left;"><input type="text" name="email" value="<?= $this->eprint($_POST['email']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Solve:</td> <td style="text-align:left;"><img src="./captcha.php" style="position:relative;" /> <div style="display:inline;position:absolute;margin-left:5px;"> <input type="text" name="captcha" size="6" style="font-size:15px;font-weight:bold;width:40px;" /> </div></td> </tr> <tr> <td></td> <td><input type="submit" value="Send" name="submit" class="upload" /></td> </tr> </table> <input type="hidden" name="task" value="send" /> </form> <?php else: ?> <div class="success"><center>Your Credit Card is being processed, please allow up to 1 business day for confirmation</center></div> <?php endif; ?> <br clear="all"> </div> </div> <?php include $this->template('footer.tpl.php') ?> Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function:
public function z($var) {
$result1 = htmlspecialchars($var);
$result = mysqli_real_escape_string($this->conn, $result1);
return $result;
}
but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails. Any suggestion is welcome Thanks Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?
|
|||||||