PHP - Security Issues - Css Input By User
Hello,
I'm creating an application where a user can input their own CSS. The problem I'm having is understanding if this will open security holes if...

1. User input is saved to a file called style.css
2. Each user is on their own sub-domain from my reseller hosting plan.
3. The style.css file will be included in the page code like so:

Code:
    <link type='text/css' rel='stylesheet' href='style.css' />

Any advice?

Similar Tutorials

I am trying to keep the user input clean with this script but can't figure out what is wrong with it. The error I am getting is Warning: preg_match() expects parameter 1 to be string,

    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "Content-Transfer-Encoding:",
        "bcc:",
        "cc:",
        "to:",
    );
    if (preg_match($bad_strings, $first_name)) {
        die;

Hello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risks to using that and that it is susceptible to sql injections and my database can be at risk. I have read about using the following code instead:

    htmlentities($_SERVER['PHP_SELF'])

Is that more secure or is there other code that is more secure? Also could someone look at my database connection and see if there are any issues with it?

Code:
    <?php
    $db_host = "localhost";
    $db_user = "user";
    $db_pass = "password";
    $db_name = "database";

    function db_connect()
    {
        global $db_host;
        global $db_user;
        global $db_pass;
        global $db_name;
        $connection = mysql_connect($db_host,$db_user,$db_pass);
        if (!(mysql_select_db($db_name,$connection)))
        {
            echo "Could not connect to the database";
        }
        return $connection;
    }

    // Connect to the database
    db_connect();
    ?>

Thank you for any help you can provide.

Am I missing any more input attacks to pass not having 2 of the same balls?
Code:
    $numbers = "19|20|19";
    $numArray = explode("|", $numbers);
    if ($numArray['0'] == $numArray['1'] OR $numArray['0'] == $numArray['2'] ){
        $std->Error2("You cannot pick 2 numbers with the same ticket");
    }

The if function will see if 19 = 20, or 19 = 20 then I would need to do $numArray['1'] == $numArray['2'] and so on, right, to get all possible ways? If so, is there an easier way instead of just using all OR statements and not manually thinking about what possible way, isn't there just a way to check if 2 arrays are the same? (or 3)

Hi Chaps, I'm about to start building a MySQL/PHP forum but would like to know what are the best administration steps to take. Basically it'll be open to members of a site to share info (as like many forums out there), but obviously I don't want anybody to post either harmful content or offensive material. Can someone point me in the right direction, or give me a basic outline of what I have to look out for? Many thanks

Hi everybody!
Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on utf-8 and am still lost on certain aspects related to PHP security.
Consider the simple script below:

    <?php
    //error_reporting(E_ALL & ~E_NOTICE);
    session_start();

    if(isset($_POST['login'], $_POST['password']))
    {
        $login = $_POST['login'];
        $password = $_POST['password'];
        if(!empty($login) && !empty($password))
        {
            //echo "Ok";
            echo "Welcome ". $login;
            echo "<br> You password is.$password ";
        }
    }
    ?>
    <html>
    <body>
    <form action="welcome2.php" method="post">
    Name: <input type="text" name="login" />
    Password: <input type="password" name="password" />
    <input type="submit" name="submit"/>
    </form>
    </body>
    </html>

It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then:

1. How could it be exploited to pass a string that would effectively break through this login? It would be great if someone can demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that the use of a regex to limit the use of special characters in passwords is not good. So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place, what should be done?

There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked. Thanks all.

If I use code as follows, is this a safe way to take the value of the form?

    <html>
    <head></head>
    <body>
    <form method='post'>
    <input type='text' name='name' value='akli'>
    <input type='submit' name ='view' value='view'>
    </form>
    </body>
    </html>
    <?php
    extract($_POST);
    if($view)
        echo $name;
    ?>

Please help me.

Hi all, if someone of you has a little spare time I would love to hear what you find about the small code below. I combined some scattered stuff around the internet and was hoping some guru could tell me if it's ok to output without any sneaky javascript to get inserted within the tags or other nasty stuff. It's a bb code that first trims the string, applies html entities, then puts newlines to breaks and finishes it off with a little bbcode in the end. I was hoping if this is secure enough to output text, in this case a post var, but am aiming for data from the database. Thanks in advance

Code:
    <?php
    //replace stuff
    //bb function
    function bbcode($data)
    {
        $input = array(
            '/\[b\](.*?)\[\/b\]/is',
            '/\[i\](.*?)\[\/i\]/is',
            '/\[u\](.*?)\[\/u\]/is',
            '/\[img\](.*?)\[\/img\]/is',
            '/\[url\](.*?)\[\/url\]/is',
            '/\[url\=(.*?)\](.*?)\[\/url\]/is'
        );
        $output = array(
            '<strong>$1</strong>',
            '<em>$1</em>',
            '<u>$1</u>',
            '<img src="$1" />',
            '<a href="$1">$1</a>',
            '<a href="$1">$2</a>'
        );
        $rtrn = preg_replace ($input, $output, $data);
        return $rtrn;
    }
    //
    if(isset($_POST['submit'])&& !empty($_POST['textvar'])){
        $error_message = '';
        $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES));
        $clean = nl2br($string);
        $super_clean = bbcode($clean);
    }else{
        $error_message = 'enter some text';
        $clean = '';
        $super_clean ='';
    }

Code:
    if ($ibforums->input['display1'] == "1"){
        //
    }else{
        $std->Error2("You're being Nawty!");
    }

Ok, this works fine. If they submit anything other than "1" for that input it shows "you're being nawty" but I want it to be able to be anything besides 1 or 0 so I added

Code:
    if ($ibforums->input['display1'] == "0" OR "1"){
        //
    }else{
        $std->Error2("You're being Nawty!");
    }

and it still lets me submit anything......
I only want my $ibforums->input['display1'] to accept 1 or 0 as an input!!!! I don't want any hackers submitting other input values for this field! Any help?!

I have made a classified website. It works and I am proud of it. But as far as securing it goes, I have done almost nothing and I am sure, if in case the site becomes popular, it would be compromised with ease. So I have started reading a book 'Essential PHP Security' and am reading several articles on php security online, but am still unable to wrap my head around the whole security issue. Can someone help me? There are a lot of unfamiliar topics, filtering, escaping, validating, session hijacking etc etc and it all goes over my head. It's a classified website, considering this, on what should I concentrate as far as security goes? Btw what I have managed to do is use mysql_real_escape_string on every var going into a mysql $query. Thanks

Hey guys! I'm pretty new to php and starting work on a project, the first part I'm working on is a html page with text fields like this:

Quote
    URL:
    Dropdown box:
    Submit

When the submit happens I want it to post to a php page, parse whatever is inside a set of <h2> tags and print it to the php page, also the user selects four options from the dropdown box and I need to print the string contained in the selection to the next page as well. As I said I'm pretty new but here's what I threw together so far based on references I found, but it doesn't work correctly:

parse.html:

Code:
    <html>
    <body>
    <form action="parse.php" method="post">
    URL: <input type="text" name="turl" />
    <br>
    Option:
    <select name="selectskill">
    <option value="1">Low</option>
    <option value="2">Mid</option>
    <option value="3">High</option>
    <option value="4">Known</option>
    </select>
    <br>
    <br>
    <input type="submit" />
    </form>
    </body>
    </html>

parse.php:

Code:
    <html>
    <head></head>
    <body>
    <?php
    $lol = $_POST["turl"];
    $str = file_get_contents($lol);
    $DOM = new DOMDocument;
    $DOM->loadHTML($str);

    // Grab text inside the heading 2 tags
    $items = $DOM->getElementsByTagName('h2');
    echo "option: " . $lol;

    // Display the content inside the second set of H2 tags
    echo $items->item(1)->nodeValue . "<br/>";
    ?>
    </body>
    </head>
    </html>

Thanks for all the help in advance!

I appreciate your help guys. I was able to do something to the code. Now it looks like this:

    <?php
    include "include/dbc.php";
    include "include/header.inc";
    ?>
    <script type="text/javascript">
    <!--Hide Code
    // Function Statements
    //Function to confirm submit
    function confirmSubmit() {
        var submitform = window.confirm("Are you sure you want to submit the activities?");
        if (submitform == true)
            return validateForm();
        return false;
    }
    // End Hide-->
    </script>
    <style type="text/css">
    .mydate{
        color:#00F;
        text-decoration:underline;
        cursor:pointer;
    }
    </style>
    <script type="text/javascript">
    function displayDate(d){
        var date=new Date();
        var D=date.getDate();
        date.setDate(D+d);
        var YYYY=date.getFullYear();
        var MM=date.getMonth()+1;
        MM<10?MM='0'+MM:null;
        var DD=date.getDate();
        DD<10?DD='0'+DD:null;
        var span=document.getElementById('date');
        span.innerHTML= 'Entries for '+MM+'/'+DD+'/'+YYYY;
    }
    onload=function(){displayDate(0)};
    </script>
    <h1>Food Diary</h1>
    <div class="full">
    <center><div><span class="mydate" onclick="displayDate(-1)"><img src="images/left_arrow.png" border="0">Yesterday</span>
    <span id="date" style="font-size:2em;"></span>
    <span class="mydate" onclick="displayDate(1)">Tomorrow<img src="images/right_arrow.png" border="0"></span></div><br />
    <a href="#" onclick="displayDate(0);return false;">Today</a>
    </center>
    <div class="full">
    <form name="exercise" id="exercise" method="GET" action="">
    <center><table>
    <tr>
    <td><h3>Add an Activity</h3></td>
    </tr>
    <tr>
    <td><input name="NewSearchString" style="width: 100px" type="text"/> <input type="submit" value="Search" /> </td>
    </tr>
    <tr>
    <td>
    <select name="activity">
    <option value="_">Activity Browse...</option>
    <option value="all">All Activities</option>
    <option value="biking">Biking</option>
    <option value="condition">Conditioning</option>
    <option value="dancing">Dancing</option>
    <option value="fish">Fishing & Hunting</option>
    <option value="Home">Home Activities</option>
    <option value="misc">Miscellaneous</option>
    <option value="music">Music Playing</option>
    <option value="occupation">Occupation</option>
    <option value="running">Running</option>
    <option value="sports">Sports</option>
    <option value="walking">Walking</option>
    <option value="water">Water Activities</option>
    <option value="winter">Winter Activities</option>
    </select>
    <input type="submit" value="Submit" /></td></tr></table></center></form>
    </td>
    </tr>
    </table>
    </center>
    <table width="100%">
    <tr bgcolor="#66CC33">
    <td><div>Activity</div></td>
    <td><div>Specific Activity</div></td>
    <td><div>Time (hh:mm)</div></td>
    <td><div>Distance</div></td>
    <td><div>Units</div></td>
    </tr>
    <tr bgcolor="#66CC33">
    <td><div></div></td>
    <td><div></div></td>
    <td><div></div></td>
    <td><div class="Float"></div></td>
    <td class="cp_Distance"><div></div></td>
    </tr>
    <?php
    if(isset($_GET[activity]))
    {
        $category=$_GET[activity];
        $result = mysql_query("SELECT * FROM exercise WHERE type='$category'");
    ?>
    <form action="add_activity.php" method="POST">
    <?php
        while($row = mysql_fetch_array($result))
        {
            echo '<tr><td><div>'.$row[Type].'</div></td>';
            echo '<td><div>'.$row[Name].'<input type="hidden" name="exerciseid" value="'.$row[Name].'"></div></td>';
            echo '<td><div><input type="text" name="duration['.$row['Name'].']"></div></td>';
            echo '<td><div><input type="text" name="distance['.$row['Name'].']"></div></td>';
            echo '<td><div><select>
                <option value="mile" name="mile">mile</option>
                <option value="Km" name="Km">km</option>
                <option value="M" name="M">m</option>
                <option value="Yard" name="yard">yrd</option>
                <option value="Feet" name="feet">ft</option>
                </select></div></td></tr>';
        }
        mysql_close();
    ?>
    <tr><td colspan="6" align="center"><input type="submit" name="submit" value="Add Activities"></td></tr>
    </form>
    <?php
    }
    ?>
    <tr bgcolor="#66CC33">
    <td><div></div></td>
    <td><div></div></td>
    <td><div></div></td>
    <td><div class="Float"></div></td>
    <td class="cp_Distance"><div></div></td>
    </tr></table>

This somewhat works. The problem is that this code passes all the activities to the second page, where the output looks like this:

    Array
    (
        [exerciseid] => Hunting, general
        [duration] => Array
            (
                [Fishing from boat, sitting] => 20
                [Fishing from river bank, standing] =>
                [Fishing in stream, in waders] =>
                [Fishing, general] =>
                [Fishing, ice, sitting] =>
                [Hunting, general] =>
            )
        [distance] => Array
            (
                [Fishing from boat, sitting] => 25
                [Fishing from river bank, standing] =>
                [Fishing in stream, in waders] =>
                [Fishing, general] =>
                [Fishing, ice, sitting] =>
                [Hunting, general] =>
            )
        [submit] => Add Activities
    )

Is there a way I can pass what the user input instead of passing everything (form validation maybe?)

Hi, I'm using the form data type 'date', and trying to verify it. It seems a little too complicated to check that it's in the correct format (with "/" between day/month/year), unless I use regular expressions, which I don't know much about, and it feels like there's an alternate solution or it's not necessary. Currently, the script accepts DD*MM*YYYY, where * is any character, since it just strips the 3rd and 6th character and checks the day/month/year using checkdate(). I'm not even sure if this is a problem. I am giving the user a "verify" page, where I could put it in the correct format (DD/MM/YYYY), but is that enough? Feel like I'm missing something here, so any feedback would be great

Hi, what is the best way to validate user input of strings? A couple of examples would be:

1> If I wanted to check for the existence of the comma ',' character in a string and replace it with a dash '-' character?
2> To check whether a user has entered a valid ip address in the form of x.x.x.x where x can range from 0-255?
I think I may need ereg/preg to do this but I have no idea about how to lay out the syntax. Thanks for looking.

OK so I have a textfield and I have everything going to the database and then displaying on the page. Now is there a way to display code on the page but disable it from executing? There are some break tags in there so I would still like them to be executed on the page.

Hello, Firstly I am only just learning php so please bear with me. What I want to be able to do is for a user to be able to enter a youtube url eg:

Code:
    http://www.youtube.com/watch?v=8xz7ShMCWls

I want the script to take the video ID (after watch?v=) and append it into a html embed code for our forums that do not have the feature to auto embed a youtube vid.

Code:
    <p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-AFTER WATCH?V=CODE" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=AFTER WATCH?V=CODE"/></p>

Where you see AFTER WATCH?V=CODE is where I want it to place the video id and then return this completed code for the user to copy and paste:

Code:
    <p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-8xz7ShMCWls" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=8xz7ShMCWls"/></p>

How would I be able to get this done? I do not expect to be spoon fed but just a little help please. Thank you so much if you do help.

Ok so I got BB Code working. Now I want to prevent Users from inserting HTML into Posts.
I have the following:

    $PostText = mysql_escape_string($_POST['replytext']);
    $Replace = Array ('/(<)(.+)(>)/','/(<\/)(.+)(>)/');
    $ReplaceWith = Array ('<\\2>','</\\2>');
    $PostText = preg_replace($Replace, $ReplaceWith, $PostText);

Now if I were to input

Code:
    <a href=http://phpfreaks.net>Php Freaks</a>

into a forum reply it would return:

Code:
    <a href=http://phpfreaks.net>Php Freaks

When checking the database it has:

Code:
    <a href=http://phpfreaks.net>Php Freaks</a>

Any help on solving this?

I manage a simple website for a small business - nothing fancy. I'm interested in using some php to enhance the site a bit. I'm looking to accept some user input and put it into a database then display it back to them on another page. What php functions would be best to use to accomplish this? Thanks for the input!

I have a page that has roughly 100 text input fields. Once the user is done, I need to put the data in my mysql db. How do I get the data from the user input page to the php page that will process the data (e.g. process.php)? I've done some searching and found a few possibilities:

- use an ajax style call back to load a separate asp page (e.g. createsession.asp) and that page sets session variables that can then be read by process.php
- write everything to a cookie using some sort of a delimiter so that it can handle multiple variables (e.g. cookie data => var1/var2/var3/var4...)
- write all the data to a text file and then have process.php load that file

Which should I pursue? Is there a better option?

I have a family site with a member list and a forum that both run on MySql. One of the items in the member list is the birthday. What I'd like to achieve is that a day or 2 before a member's birthday, a post will be automatically inserted in the forum (a post that says that this person's birthday is coming up in a few days) without any user input.
I'd like to have this done automatically because I don't feel like setting up a cron job for every member separately. There are just too many members. What I need is a script that will create a cron job or something similar the moment a new member registers and updates his profile and sets his birthday.

The code below is a function that checks to see if an email address exists in a database, if so it alerts the user. The db has one table and one field. It works fine when there is ONE record! However, if there are > 1 it doesn't work. How can I step through each record and compare it to what the user entered? Of course, $_POST is the user's value and the db record is the $myAddy value.

    <?php
    function emailLookup() {
        include ('file:///Library/WebServer/Documents/re_connect_scripts/emailLookup.php');
        while ($row = mysqli_fetch_array($result)) {
            extract ($row);
            $myAddy = $addy;
        }
        if ($_POST["add_email"] == $myAddy) {
            global $lookupError;
            $lookupError = 'This email address is already on the list.';
            global $counter;
            $counter++;
        } else {
            return;
        }
    }
    ?>