PHP - Fort Knox Web Form Security Help
Similar TutorialsI have a search going on: <?php $sql = "SELECT * FROM video WHERE MATCH(name,description,location,keywords) AGAINST('" . mysql_real_escape_string($_POST['searchfield']) . "' IN BOOLEAN MODE)"; ?> I have rows that contain either "fort worth" or "fort collins" for example. When I search "fort worth" it finds all the rows including the fort collins rows. That is expected as it contains "fort". The issue is "fort collins" is showing up before "fort worth" What can I do fix this? If I take out the "IN BOOLEAN MODE" part then it works, but breaks other parts of my search Hello, I have coded a contact form in PHP and I want to know, if according to you, it is secure! I am new in PHP, so I want some feedback from you. Moreover, I have also two problems based on the contact form. It is a bit complicated to explain, thus, I will break each of my problem one by one. FIRST:The first thing I want to know, is if my contact form secure according to you: The HTML with the PHP codes: Code: [Select] <?php if ($_SERVER['REQUEST_METHOD'] == 'POST') { //Assigning variables to elements $first = htmlentities($_POST['first']); $last = htmlentities($_POST['last']); $sub = htmlentities($_POST['subject']); $email = htmlentities($_POST['email']); $web = htmlentities($_POST['website']); $heard = htmlentities($_POST['heard']); $comment = htmlentities($_POST['message']); $cap = htmlentities($_POST['captcha']); //Declaring the email address with body content $to = 'alithebestofall2010@gmail.com'; $body ="First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'"; //Validate the forms if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) { echo '<p class="error">Required fields must be filled!</p>'; header ('refresh= 3; url= index.php'); return false; } elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) { echo '<p class="error">You cannot enter a number as either the first or last name!</p>'; return false; } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) { echo '<p class="error">Incorrect email address!</p>'; return false; } elseif (!($cap === '12')){ echo '<p class="error">Invalid captcha, try again!</p>'; return false; } else { mail ($to, $sub, $body); echo '<p class="success">Thank you for contacting us!</p>'; } } ?> <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post"> <p>Your first name: <span class="required">*</span></p> <p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p> <p>Your last name: <span class="required">*</span></p> <p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p> <p>Subject: <span class="required">*</span></p> <p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p> <p>Your email address: <span class="required">*</span></p> <p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p> <p>Website:</p> <p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p> <p>Where you have heard us?: <span class="required">*</span></p> <p><select name="heard"> <option>Internet</option> <option>Newspapers</option> <option>Friends or relatives</option> <option>Others</option> </select></p> <p>Your message: <span class="required">*</span></p> <p><textarea cols="75" rows="20" name="message"></textarea></p> <p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p></p> <p><input type="text" name="captcha" size="10"/></p> <p><input type="submit" name="submit" value="Send" class="button"/> <input type="reset" value="Reset" class="button"/></p> </form> SECOND PROBLEM:If a user has made a mistake, he gets the error message so that he can correct! However, when a mistake in the form occurs, all the data the user has entered are disappeared! I want the data to keep appearing so that the user does not start over again to fill the form. THIRD: When the erro message is displayed to notify the user that he made a mistake when submitting the form, the message is displaying on the top of the page. I want it to appear below each respective field. How to do that? In JQuery it is simple, but in PHP, I am confusing! i want to make a form that has a name, subject, email and comment input box... this is all done and working. the thing i am having trouble with is making the comment box not allow links in it. i thought it would be something like: if("comments" == "<a href=''></a>"){ echo "You have Entered the Wrong Information"; }else{ Insert Record Code.. } the "comments" name is the name of the comment text box. is this anywhere near what it should be ? I'm using the following to clean up input from my contact form, but I got header injection attacked anyway. What am I doing wrong? $trail_section_mile = strip_tags(stripslashes($trail_section_mile)) //this is repeated for several other fields, then: $email_message .= "Trail Section Mile Markers: ".clean_string($trail_section_mile)."\n"; //this is repeated for several other fields, then: /* see isInjected function below */ function clean_string($string) { $bad = array("content-type","bcc:","to:","cc:","href","/n",""); return str_replace($bad,"",$string); } // send the mail Hi all, I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information. I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted? The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code! Thanks for the help. I have a simple contact form I did a while ago for a small company. They emailed me saying they are getting bits of spam mail from the site occasionally and would like to get it stopped if possible. This is how my form looks: Code: [Select] <form method="post" action="mailer.php"> <div class="form_left"> <p>Name:<br> <input type="text" name="name" size="24" autofocus="true" placeholder="Type Here" required="true" /></p> </div> <div class="form_right"> <p>Email:<br> <input type="email" name="email" size="24" placeholder="Type Here" required="true" /></p> </div> <div class="form_left"> <p>Company Name:<br /> <input type="text" name="company" size="24" placeholder="Type Here" required="true" /></p> </div> <div class="form_right"> <p>Phone Number:<br /> <input type="text" name="phone" size="24" placeholder="Type Here" required="true" /></p> </div> <div class="form_left"> <p>Your Message:<br /> <textarea rows="6" name="message" cols="55" placeholder="Type Here" ></textarea></p> </div> <p class="submit"><input type="submit" value="Send Mail" name="submit" /></p> </form> Code: [Select] <?php if(isset($_POST['submit'])) { // $to = "mail@mydomain.com"; $to = "mail@mydomain.com"; $subject = "Web Enquiry"; $name = $_POST['name']; $email = $_POST['email']; $company = $_POST['company']; $phone = $_POST['phone']; $message = $_POST['message']; if (strlen(trim($message)) > 0) { $body = "From: $name \n\n Email: $email \n \n Company: $company \n\n Phone Number: $phone \n\n Message: $message"; if (mail($to, $subject, $body)) { echo "<h3>Thanks! Your email has been sent <br />We will answer your enquiry as soon as possible.</h3>"; } else { echo 'Cannot sent mail'; } } else { echo "<h3>Error! <br />Please ensure that all fields are filled out correctly in order to email us.</h3>"; } } ?> Any help or pointers as to how I could add in a little security would be appreciated. Hi Guys I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness? Many thanks Code: [Select] //http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/<script>/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } } I know, csrf token is like a random string. Does every form need a csrf token? Does every form need to have a different csrf token or all forms have a same csrf token for one logged in user? When an user logged in, I set $_SESSION['key']=$useremail; is it ok to set email for a logged in session? Do I have to set or add another $_SESSION with csrf token? How does csrf token add security for form submission? After form submission, what would PHP do with the hidden input field or with the csrf token? I read ages ago (and checked to see if it's true, it was and given how it works, it must still be) the end user can alter the value of any form field, using Firebug or similar, before submitting it. Two things I've figured out today: 1) a form input doesn't need a value - doesn't even need the attribute - if you're only checking whether the POST var isset and the actual value isn't important 2) Although it appears not to matter in the example I'm working on now, if the script doesn't check what the value is, and potentially sanitise it, the user could submit the form with any value, true, false, malicious, idk... So my question is: is this one of the ways malicious bad things can happen and do I *have to* specify a value, not because the script won't work without it, it does, but because in the real world it opens a security door if I don't check for malicious script by saying "if value not as expected, script has to die". Having formulated the question properly and thought about it I can't imagine simply making a form, without obvious connections to anything important, could be a problem in the way I'm asking about but I asked it now so Edited by appobs, 03 July 2014 - 12:08 PM. Hi there, I'm in serious need to find a way to block people from a website I code for. The thing is, we have a jailing system, nice and simple, and IP/email ban system too. But with proxies, advertisers and repeated troublemakers keep coming back because we just get the new proxy IP each time and it's a losing battle. What I need is a way to ban them properly from the site, like somehow stopping the computer they use from accesing the site. someone once said you can use a cookie to stop a browser getting on the site, but I don't know how to set it up to give the cookies out upon login and find the one associated to an account we don't want (by "cookie" banning I guess?") and stop them from logging in. Hi everyone I'm kinda new to PHP and have a couple of questions; 1: How secure is PHP, is it very hackable? Are there things you recommend to make it more secure? 2: I am building a little employee system for staff at a friends company and they can view personal information when they login, as well as ordering stuff with online payment through WorldPay. What is therefore the best and most secure way of handling passwords, logins, data, insert statements etc. I basically want to make it as secure as possible and hopefully learn some new skills Any tips or help would be great Thanks hi php freaks I am using pdo as the driver for my new app the issue is I can't seem to find a clear answer. I want to sanise the vars that are coming into the database but pdo is suppose to fix all the issues. Is this true what other things do I need to watch for when using pdo they must have some flaws. Thanks Hi, I am looking to create a directory that can not be accessed using .htaccess and neither can files directly. But I want to make it so when you are signed into joomla you can access the files via a mp3 player on the sight. My mp3 extention is joomline player flplayer. And I heard that if I cange the name of the file in joomla fomr lovelove.com/audio/love/abc.mp3 to lovelove.com/audio/love/abc.php?name=abc and then that abc.php script (inside the script it checks if you are logged in) will retrieve the file name, and the joomline will play it it will work. is this possible? Also, if not what can I do for this to work? Right now my script is not working as the joomline looks up all the mp3 files as one big string. this is the abc.php which on my site its calld psp.php <?php define( '_JEXEC', 1 ); define( 'JPATH_BASE', realpath(dirname(__FILE__).'/../../' )); require_once ( JPATH_BASE .'/includes/defines.php' ); require_once ( JPATH_BASE .'/includes/framework.php' ); $mainframe =& JFactory::getApplication('site'); if( !empty( $_GET['name'] ) ) { // check if user is logged if(JFactory::getUser()->guest) { die( "ERROR: invalid song or you don't have permissions to download it." ); } else { $psp = preg_replace( '#[^-\w]#', '', $_GET['name'] ); $psp_file = "{$_SERVER['DOCUMENT_ROOT']}/audio/live/{$psp}.mp3"; if( file_exists( $psp_file ) ) { header( 'Cache-Control: public' ); header( 'Content-Description: File Transfer' ); header( "Content-Disposition: attachment; filename={$psp_file}" ); header( 'Content-Type: application/mp3' ); header( 'Content-Transfer-Encoding: binary' ); readfile( $psp_file ); exit; } } } ?>then I have joomline player jlplayer <?php /** * JoomLine mp3 player - Joomla mp3 player * * @version 1.5 * @package JoomLine mp3 player * @author Anton Voynov (anton@joomline.ru), Sergii Gaievskiy (shturman.kh@gmail.com) * @copyright (C) 2010 by Anton Voynov(http://www.joomline.ru) * @license GNU/GPL: http://www.gnu.org/copyleft/gpl.html * * If you fork this to create your own project, * please make a reference to JoomLine someplace in your code * and provide a link to http://www.joomline.ru **/ defined('_JEXEC') or die('Restricted access'); function ascii2hex($ascii, $reverse = false) { $hex = array(); for ($i = 0; $i < strlen($ascii); $i++) { $byte = strtoupper(dechex(ord($ascii{$i}))); $byte = str_repeat('0', 2 - strlen($byte)).$byte; $hex[] = $byte; } if ($reverse) $hex = array_reverse($hex); return implode(" ",$hex); } function read_frame (&$f, &$tagdata, $frame) { $pos = strpos($tagdata,$frame); if ( $pos !== FALSE) { // frame found. read length of this frame fseek($f, 10+$pos+4); $frame2len = hexdec(ascii2hex(fread($f,4))); if (($frame2len-1) > 0) { // read frame data fseek($f, 10+$pos+4+2+4+1); $data = trim(fread($f,$frame2len-1)); $hexfdata = ascii2hex($data); if ( substr($hexfdata,0,5) == 'FF FE' or substr($hexfdata,0,5) == 'FE FF' ) { $data = iconv("UCS-2","UTF-8",$data); } else { if (!preg_match('//u', $data)) { $data = iconv("cp1251", "UTF-8",$data); } } return $data; } else { return false; } } else { return false; } } function readmp3tag($file) { $f = fopen($file, 'rb'); rewind($f); fseek($f, -128, SEEK_END); $tmp = fread($f,128); if ($tmp[125] == Chr(0) and $tmp[126] != Chr(0)) { // ID3 v1.1 $format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a28COMMENT/x1/C1TRACK/C1GENRENO'; } else { // ID3 v1 $format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a30COMMENT/C1GENRENO'; } $id3v1tag = unpack($format, $tmp); // read tag length fseek($f, 8); $tmp = fread($f,2); $tmp = ascii2hex($tmp); $taglen= hexdec($tmp); $tagdata = ""; if ($taglen > 0) { //read tag data fseek($f, 10); $tagdata = fread($f,$taglen); } // find song title frame $title = read_frame ($f, $tagdata, "TIT2"); if (!$title) { if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['NAME'],0,1)) != '00' ) { $title = $id3v1tag['NAME']; } else { $title = explode(DS,$file); $title = $title[count($title)-1]; $title = explode('.',$title); $title=$title[0]; } if (!preg_match('//u', $title)) $title = iconv("cp1251", "UTF-8",$title); } $artist = read_frame ($f, $tagdata, "TPE1"); if (!$artist) { if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['ARTISTS'],0,1)) != '00') { $artist = $id3v1tag['ARTISTS']; } else { $artist = ""; } } if (!preg_match('//u', $artist)) $artist = iconv("cp1251", "UTF-8//TRANSLIT",$artist); $id3tag['NAME'] = $title; $id3tag['ARTIST'] = $artist; return $id3tag; } if (DS == "/") $dir = str_replace("\\",DS,$music_dir); else $dir = str_replace("/",DS,$music_dir); $dir = JPATH_ROOT.DS.$dir; if (!is_dir($dir)) { echo "Wrong dir in settings"; } else { $files = glob($dir.DS."*.{mp3,MP3}",GLOB_BRACE); if (count($files) > 0) { sort($files); $host = $base_uri; foreach ($files as $file) { $tags = readmp3tag($file); $file = explode (DS, $file); if ($server_utf8 == 1) { $fname = rawurlencode($file[count($file)-1]); } else { $fname = rawurlencode($file[count($file)-1]); } $fname = substr($fname, 0, -4); $file = $host."/".$music_dir."/psp.php?name=".$fname; echo $file; $artist = trim($tags['ARTIST']); $artist = $artist == "" ? "" : "{$tags['ARTIST']} - "; $playlist[] = '{name:"'.$artist.$tags['NAME'].'",mp3:"'.$file.'"}'; } } /* * //if(!window.jQuery) { document.write(unescape('<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js">%3C/script%3E')); document.write(unescape('<script type="text/javascript">jQuery.noConflict();%3C/script%3E')); //} * */ ?> <script type="text/javascript"> var myPlayList = [ <?php echo implode(",\n ",$playlist)."\n"; ?> ]; Array.prototype.find=function(v){ for (i=0;i<this.length;i++){ if (this[i]==v) return i; } return 0; } var plIndex = []; for (i=0;i<myPlayList.length;i++) { plIndex[i] = i; } <?php if ($shfl == 1) : ?> //shuffle function randOrd(){ return (Math.round(Math.random())-0.5); } plIndex.sort(randOrd); <?php endif; ?> function setCookie (name, value) { document.cookie = name + "=" + escape(value) + "; expires=Thu, 01-Jan-2055 00:00:01 GMT; path=/"; } function getCookie(name) { var cookie = " " + document.cookie; var search = " " + name + "="; var setStr = null; var offset = 0; var end = 0; if (cookie.length > 0) { offset = cookie.indexOf(search); if (offset != -1) { offset += search.length; end = cookie.indexOf(";", offset) if (end == -1) { end = cookie.length; } setStr = unescape(cookie.substring(offset, end)); } } return(setStr); } function changeShflStatus(el) { nowPlay = plIndex[playItem]; if (el.checked) { setCookie("jlp_shfl","shuffle"); plIndex.sort(randOrd); } else { setCookie("jlp_shfl","notshuffle"); plIndex.sort(); } playItem = plIndex.find(nowPlay); } </script> <script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js"></script> <script type="text/javascript">jQuery.noConflict();</script> <link href="<?=$base_uri?>/modules/mod_jlplayer/skin/skin.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jquery.jplayer.min.js"></script> <script type="text/javascript"> var playItem = 0; jQuery(function(){ var jpPlayTime = jQuery("#jplayer_play_time"); var jpTotalTime = jQuery("#jplayer_total_time"); var jlp_shfl = getCookie("jlp_shfl"); if (jlp_shfl == "shuffle") { document.getElementById('jlp_shfl').checked = true; } else if (jlp_shfl == "notshuffle") { document.getElementById('jlp_shfl').checked = false; } jsuri = baseuri+"/modules/mod_jlplayer/js/"; jQuery("#jquery_jplayer").jPlayer({ ready: function() { displayPlayList(); playListInit(enable_autoplay); // Parameter is a boolean for autoplay. }, errorAlerts:true, warningAlerts:true, swfPath: jsuri }) .jPlayer("onProgressChange", function(loadPercent, playedPercentRelative, playedPercentAbsolute, playedTime, totalTime) { jpPlayTime.text(jQuery.jPlayer.convertTime(playedTime)); jpTotalTime.text(jQuery.jPlayer.convertTime(totalTime)); }) .jPlayer("onSoundComplete", function() { playListNext(); }); jQuery("#jplayer_previous").click( function() { playListPrev(); return false; }); jQuery("#jplayer_next").click( function() { playListNext(); return false; }); }); function displayPlayList() { for (i=0; i < myPlayList.length; i++) { jQuery("#jplayer_playlist").append("<div id='jplayer_playlist_item_"+i+"'>"+ myPlayList[i].name +"</div>"); jQuery("#jplayer_playlist_item_"+i).data( "index", i ).click( function() { var index = jQuery(this).data("index"); if (plIndex[playItem] != index) { _index = plIndex.find(index); playListChange( _index, index ); } else { jQuery("#jquery_jplayer").jPlayer("play"); } }); } } function playListInit(autoplay) { if(autoplay) { playListChange(0, plIndex[0] ); } else { playListConfig(0, plIndex[0] ); } } function playListConfig(_index, index ) { jQuery("#jplayer_playlist_item_"+plIndex[playItem]).removeClass("jplayer_playlist_current"); jQuery("#jplayer_playlist_item_"+index).addClass("jplayer_playlist_current"); playItem = _index; jQuery("#jquery_jplayer").jPlayer("setFile", myPlayList[plIndex[playItem]].mp3); } function playListChange(_index, index ) { playListConfig(_index, index ); jQuery("#jquery_jplayer").jPlayer("play"); } function playListNext() { var _index = (playItem+1 < myPlayList.length) ? playItem+1 : 0; var index = plIndex[_index]; playListChange(_index, index ); } function playListPrev() { var _index = (playItem-1 >= 0) ? playItem-1 : myPlayList.length-1; var index = plIndex[_index]; playListChange(_index, index ); } </script> <?php include_once(JPATH_ROOT.DS.'modules/mod_jlplayer/skin/tpl.php'); ?> <?php }I was messing around in there with $file if ($server_utf8 == 1) { $fname = rawurlencode($file[count($file)-1]); } else { $fname = rawurlencode($file[count($file)-1]); } $fname = substr($fname, 0, -4); $file = $host."/".$music_dir."/psp.php?name=".$fname; echo $file;I am unsure how to retreive a file title only, with out the whole path, just the name and not even the file ext. It comes up with all the files names in the echo. Also I am not sure how joomline chooses just one file. I am not a php designer and I am quite confused lol Any help would be appreciated! Thank you. Hi, I am currently working on an Invoice System using PHP and MySQL. However I was just wondering if the system I am using is secure enough. The Client gets a link like this: Code: [Select] mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52 Each client has a unique "id" I also have an ID for the administrative back-end. I do clean the GET variable before querying the database though. Do I need to secure this with anything else or is this enough, as this is my first time creating anything with PHP and MySQL together. Thanks, mme Hi everyone, So, like my name says, I'm just a hobbyist PHPer, but I write the occassional PHP application for people, I've been doing it for quite a while and I fear that perhaps my way of securing my applications may be a bit antiquated... I was hoping that you guys/gals might be able to take a look and give me some help with perhaps how I could go about making these apps more secure... So, without further ado, here it is... standard application page, e.g. index.php Code: [Select] <? session_start(); if(!$_SESSION['Condition'] == 'Logged') { header("Location: login.php"); } elseif($_SESSION['Condition'] == 'Logged') { require "connection.inc"; ?> <? } ?> login.php page Code: [Select] <? if(isset($_POST['Login'])) { include_once 'connection.inc'; $count = 0; $query = "SELECT UserID FROM Users WHERE UserName = '$_POST[username]' AND UserPassword = '$_POST[password]'"; $results = mysql_query($query)or die(mysql_error()); $count = mysql_num_rows($results); while($row = mysql_fetch_array($results)) { $UserID = $row['UserID']; } if ($count == 1) { header("Location: loginaction.php?UserID=$UserID"); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title></title> <link rel="stylesheet" type="text/css" href="StyleSheet.css" /> <script language="javascript" type="text/javascript"> function loginValidate(form) { if (form.username.value == '') { alert('You must supply a Username.'); form.username.focus(); return false; } if (form.password.value == '') { alert('You must supply a Password.'); form.password.focus(); return false; } else { return true; } } </script> </head> <body> <? include_once 'header.inc'; ?> <div id="LoginBox"> <div id="SubFormBoxHeading"> Log In </div> <form id="thisform" action="<? echo $_SERVER['PHP_SELF']; ?>" onsubmit="return loginValidate(this)" method="post"> <table> <tr> <td colspan="2"> <? if (isset($_POST['Login']) && !$count == 1) { echo '<h3>Wrong Username and/or Password</h3>'; } ?> </td> </tr> <tr> <td class="Labels">Username:</td> <td><input type="input" id="username" name="username" size="20" /></td> </tr> <tr> <td class="Labels">Password:</td> <td><input type="password" id="password" name="password" size="20" /></td> </tr> <tr> <td colspan="2"> <div style="text-align: center; margin-top: 20px; margin-bottom: 20px;"> <input type="submit" id="Login" name="Login" value="Log In" /> </div> </td> </tr> </table> </form> </div> <? include_once 'footer.inc'; ?> </body> </html> loginaction.php page Code: [Select] <? session_start(); $_SESSION['Condition'] = 'Logged'; $_SESSION['UserID'] = $_GET['UserID']; header("Location: index.php"); ?> and finally, the logout.php page Code: [Select] <? session_start(); unset($_SESSION['Condition']); unset($_SESSION['UserID']); session_destroy(); header("Location: index.php"); ?> I have just made a couple of forms that submit data to a mysql database. I was wondering what measures I need to make to in order to keep the whole thing very secure. At the moment I have stripped the inputs of tags and forward slashes. Is there anything else I should do? Also some field in the form allow the user to enter a url. With these fields I have not stripped them of forward slashes. Is this a bad idea? Should I do something like replace the forward slashes with something else and then reverse this process every time I extract that data from the database? Hey, so basically this is what im trying to do: I'm writing an mp3 store, and want the user to be able to play the whole track before purchase. Currently all the music files are in a protected folder with permissions set so access isnt possible. The mp3 player calls play.php?fid=encryptedfileid rather than the direct music link. This is all working perfectly. The bit i am now stuck on is stopping the users going to play.php?fid=encryptedfileid directly and downloading the mp3 directly. How do I make it so the server can execute the play.php file, but the user cannot? I attempted to set a cookie in play.php and deny access if cookie was present, however the server also set the cookie, so this didnt work. See play.php code (in this example, fid is just the filename, but it will be more encrypted, calling to a special md5 hash, albumid and artistid). <?PHP // Define the path to file $filename=$_GET[fid]; $file = "music/$filename.mp3"; if(!$file) { // File doesn't exist, output error die('file not occupied'); } elseif(!file_exists($file)) { die('Error: File not found.'); } else { // Set headers header("Cache-Control: public"); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=$file"); header("Content-Type: application/octet-stream"); header("Content-Transfer-Encoding: binary"); // Read the file from disk readfile($file); } ?> So to clarify, I need the server to access and execute this script with the mp3 player (simple javascript player) and the server not be able to visit play.php?fid=xxx directly to download. Thanks I'm building an e-commerce website using php and mysql and I'm a bit worried about security issues. The website is going to be handling personal information so I want to make sure that it's secure and that no-one can get hold of it. I don't really have any idea about and security issues or problems that I could run into and perhaps you could point me in the direction or some tutorials that would be really great. Also if anyone here has been in the same situation what did you do to make your site as secure as possible? Thanks for any help. I have nearly finished a website that i am making for my local community, they will be registering on the site and i am wandering what sort of security for the site i should be thinking about. I just dont want someone out there doing something to cause problem with the site and ruining it for everyone else. I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP. My webpage uses HTML FORMS. When most of these forms get send back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic run down, I have a newsletter sign up system. "Enter your e-mail address"... and then the user enters their e-mail and submits.. PHP runs a MySQL query to insert that FORM value into the database along the lines of this: Quote insert into newsletters (email) values ('.$POST['email'].') I fear this is very vulnerable to injection attack as it means a trouble maker can come along and enter anything they want into my database, potentially wiping it out. I believe I need to "sanitize" my input with a MySQL "real_escape_string" or something? Is there anything real obvious I should look out for when it comes to PHP security? Is there a way to forbid all strings/arguments except the few I need or something perhaps? |