PHP - Protecting Web Site, Strategy Help

Hello,

I'm working on a very simple strategy based game site (mainly to expand my knowledge).

What I basically want it to do is, you send a solider to an area which takes, say 20 seconds. After 20 seconds, he battles for 30 seconds, and then arrived back home which takes another 20 seconds.

All the user is going to be seeing is a 'status' echo'ed text saying "Arriving in 00:??", "Battle Over in 00:??", and "Home in 00:??".

So its just using a time counter. But what makes it more complicated, is that I want the time progress to be saved (datebase), so say I have to wait 50 seconds, I can sign off, go on another computer, sign in and still see my timer going down according to the time that has just passed.

So, what I've done so far is, have 4 variables:

$realTime - Holds the actual time in seconds.
$waitingTime - Holds how long I need to wait. (this is stored in my DB)
$differenceTime - Difference between real time and my waiting time. (loaded from my DB)
$soliderProgress - Progress of the solider, so: Arriving, Battle ... (stored on DB)


Code: [Select]
$realTime = date("s");

//soliderProgress is 'Starting' by default
if(soliderProgress == "Starting"){
   //solider is moving to area
   $differenceTime = $realTime + $waitingTime;
   $SQL = ("UPDATE users SET differenceTime='$differenceTime' WHERE username='$username'");
   soliderProgress = "Arriving";
   $SQL = ("UPDATE users SET soliderProgress='$soliderProgress' WHERE username='$username'");
}

if(soliderProgress == "Arriving"){
   echo "Arriving to area";
   if($realTime >= $differenceTime){
      //timer is complete
      soliderProgress = "Battle";
      $SQL = ("UPDATE users SET soliderProgress='$soliderProgress' WHERE username='$username'");
   }
}

This kind of works, but sometimes my $differenceTime is higher than 60 which messes it up, and also the timer isn't live ... so I have to keep refreshing the page

I am refactoring entire collective scattered SQL from my legacy codebase, and into separate classes, and looking for some structure to put it into.

Right now I have folders effectively called `DataFromDB` - contains classes that accepts whatever parameters are given, and returns pure data back to the user `DAO` - Data Access Object, which takes that raw data from DB and makes sense out of it and prepares it for consumption by the model/business logic layer objects. That is:

    - src (folder)
      |- DAO (folder)
        | - ProductADAO (classes - take data in, return consumable objects out)
        | - ProductBDAO
        | - ...
        | - ProductZDAO
      |- DataFromDB (folder)
        | - ProductAData (classes - contain methods to query pure result sets from DB)
        | - ProductBData
        | - ...
        | - ProductZData

Whenever I need to make a new SQL or refactor an old one I do this: What is this SQL doing?  Is it operating on `SomeObjectX`?  If yes, find/create class called `ObjectX`, and add a method to it, extracting pure data from DB, put it into `DataFromDB` folder. Write the `DAO` object if needed to transform data into a consumable object. Use the object as is in my code. Does this look like a good strategy?  Is there a better one?   My problem with this one is that before (now) all the SQL is tightly coupled and is included into the multiple business classes.  Using the above strategy will mean I am to be creating many many classes, a lot of classes, most likely one for every few SQL statements.    The pros is that it seems like I will achieve a level of code modularity that I wanted.

Hello,

I have a form for uploading CV files into a CV database.

Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/) please could someone tell me how to restrict access to users?

e.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV e.g. (www.jobsboard.com/cvdatabase/CV1.doc) but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc

Please could you tell me whether this is possible?

Many thanks,

Stu

Data siphoning is becoming more common every day, Data siphoning is when you intercept the data and sniff between a client and a host, also known as sniffing a connection. ( i am focusing on session hijack)   To protect clients I've decided to write an MD5 calculation function which changes a secure string (such as a password) to plain MD5   Then once the MD5_password reaches PHP i BCRYPT with cost 20 using password_hash _   MD5 is not ideal at all and i would like to write a better encryption but i only know how to do MD5 for java script, but i really don't need that much security here. the purpose is to not show sensitive information, that's going to be hashed on the server, during a data siphon attack. _   Data siphoning can not be protected against on the host server, the siphoning happens on the clients side usually when they don't have a strong firewall or such.     What are some good techniques you would practice to protect from data siphoning?       Before added security i was able to siphon this:  Username: Richard Password: mypassword   After added security i was able to siphon this:  Username: 6ae199a93c381bf6d5de27491139d3f9 Password: 5f4dcc3b5aa765d61d8327deb882cf99     Now the only vulnerability between the client and server is if the hacker dns hacks the client which could redirect them to a website that looks like mine with the same EXACT url. which i can't help.   The real username can be retrieved in a session on login.     The real username and password can be found if a hacker injects js to remove the MD5 function, so if you know how to detect JavaScript injection i would like to know that as well.     ______ Pretty much it looks like this..   Form -> Send md5(username) & md5(password) -> Server check if match in datbase -> If so login.                                                                                 ^ cypher                                                               ^cypher (session)
Edited by Richard_Grant, 12 September 2014 - 03:27 AM.

Hi All,

I'm trying to secure my web app which is currently in development, and came across this issue.

I have a header.php and footer.php page which are included to every page, with the content in the middle. The problem is, if you visit header.php then it displays the header, with some blank text.

What is the best way to protect this - i.e., if visited directly, it re-directs to index.php etc.

My initial thought is to set a $happylink on each page and in the header and footer, checking basically doing the following


if (isset($happylink) && !empty($happylink))
{
     blah blah;
}
else
{
     Header("Location: index.php");
}

Would that be the best way? Is there something easier?

I have a script that runs periodically by a launchd timer. I give the script a very tight timeout ( set_time_limit(120); ). 

Most of the time, my script works great. But every once in a while, one of the commands I run in an exec( ) call seems to hang. This of course is a problem because once the exec( ) call hangs, the php script hangs as time spent on exec( ) calls does not count towards the script's runtime. 

Furthermore since the script is still running, launchd doesn't call it again. So in this way, my script is entirely at the mercy of a command line program not having a problem. And if it does, I can't do anything about it.  

So while I could try to figure out why my particular command seems to go awry (which is its own weird issue), the bigger issue is how can I call command line programs in php in a way that don't allow a runaway command to lock up the whole script forever? I wish there was an exec( )-type function with timeout built in. Or even a script timelimit function that DID count pauses and external programs. Something to kill this!? Something other than a SECOND php script that would check on the first script and kill it when there is a problem. There MUST be a better solution than that?

Any thoughts?

I been wondering how to protect all the files that contain classes, functions and forms in php to prevent direct access to something that the user shouldnt be able to without the proper check's (typing http://server/inc/login.php insteand of http://server/), and i came to this small idea of checking if an object is set or not but i m wondering if this is really the best idea here's what i have (the case bellow will protect an login form to be accessed directly):

Code: [Select]
<?php
    if(!isset($mysqlobj)) die();
    if( isset( $_POST['username'] ) && isset( $_POST['password'] ) ){
        $login = authentication::login( $_POST['username'], $_POST['password'] );
        if( $login == true ){
            header( 'location:?go=home' );
        }else{
            $_SESSION['message'] = 'loginfailed';
            header( 'location:?go=login' );
        }
    }else{
      if( !empty($_SESSION['logged'] ) && $_SESSION['logged'] == true ){
          header( 'location:?go=home' );
      }else{
          ?>
            <div id="loginform">
                <form action="?go=login" method="post">
                    <table align="center">
                        <tr>
                            <td><font size="2">Username</font></td>
                            <td><input type="text" name="username" /></td>
                        </tr>
                        <tr>
                            <td><font size="2">Password</font></td>
                            <td><input type="password" name="password" /></td>
                        </tr>
                        <tr>
                            <td colspan="2" align="center"><input type="submit" value="Login" /></td>
                        </tr>
                    </table>
                </form>
                </div>               
          <?php
      }   
    }
?>

Just looking for an "best practice" i tried google for it but i couldnt get to an straight awnser any enlightment is appreciated.

Hi, I'm putting together a database that once logged in, a user is able to insert, update and delete records via html forms.

The login is secured using mysql_real_escape_string, but I'm wondering should I do the same for all form elements that pass data to the db? There are a wide range of inputs, from numeric, alphanumeric, dates and more.

I'd appreciate your feedback.

Regards,

James

I have had a customer want to run my application (PHP/APACHE/MYSQL) on their server rather than a commercial hosting offering (JUSTHOST/GODADDY)   I am reluctant, as it means giving them access to my PHP code which could possibly be copied or distributed.    Can I protect against this?    

Hi all,

I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at.  It's essentially an online community that was a uni project that has spiraled and grown exponetially.

I've spent many many hours in front of books and tutorals etc to put it together and as far as scripting goes, it seems to be fine.  The problem i'm having...The tut's that I read / watched were using eregi_replace to protect text fields and this is now unsuported.

I want my site to be as secure as it can be, within reason.

I've tried using preg_replace instead and have searched for the syntax but i keep getting strang results.
I'm working on the "bio" field at the moment and then when that works I can move on and a-ply the same idea to the other fields.

This si what I have and what I've changed.
if ($_POST['parse_var'] == "bio"){
   
    $bio_body = $_POST['bio_body'];
    //$bio_body = str_replace("'", "&#39;", $bio_body);  (WAS TESTING THIS BUT NO JOY)
    //$bio_body = str_replace("`", "&#39;", $bio_body);
         $bio_body = mysql_real_escape_string($bio_body);
         $bio_body = nl2br(htmlspecialchars($bio_body));

        $bio = $_POST['bio'];
   $bio = eregi_replace("'", "&#39;", $bio);           (This works but is not as secure)
   $bio = eregi_replace("`", "&#39;", $bio);
        $bio = mysql_real_escape_string($bio);
        $bio = nl2br(htmlspecialchars($_POST['bio']));

        $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'");
       and so on....}


When I change it to str_replace if I type in don't the whole word is deleted.  when I type in preg I get an error.
Can someone please give me the correct code / syntax for getting the result I want.

I just want to make sure that every single field that has a user input is protected against any malicious attacks.
Thanks.

I have several "sites" located in my html directory, and each has a "general" access point and an "administrator" access point:

/var/www/html/site1/index.php
/var/www/html/site1/administrator/index.php
/var/www/html/site2/index.php
/var/www/html/site2/administrator/index.php
/var/www/html/site3/index.php
/var/www/html/site3/administrator/index.php

All sites are similar except that data will be specific to site1, site2, or site3, etc.   Users who log onto /var/www/html/siteX/index.php are totally unrelated to those who logon to /var/www/html/siteX/administrator/index.php, will have different logon credentials, are stored in different DB tables, and each should have their own session.  If a user logs off of either the general or administrator site, it should not effect the other site even if they were previously logged on to both on the same PC (and of course not effect other sites). When a user logs off, I would like to destroy their previous cookie and associated session.  Users for either will only use https.  I am using Apache to rewrite https://www.mysite.com/ to https://mysite.com/.  While I named the administrator site "administrator" above, the administrator user has the ability to change the directory name.   I am thinking I need to use session_set_cookie_params to specify where I wish the session cookie to be stored since /var/www/html/siteX/administrator/index.php is a sub-directory to /var/www/html/siteX/index.php, but am not really sure.  Sorry for the cryptic post, but I am not very well versed in this subject. How would you recommend setting up cookies/sessions for this scenario?  Thank you

Hi,

My first post here is a cry for help

I have a Windows 2003 server running IIS6/PHP5, the server hosts multiple web sites.

The problem is include files that are for site A are showing on site B (each site having its own includes as part of the site files in its own site folder), though not every time, its very random, sometimes the correct includes show, sometimes ones from another site on the same server. This only occurs where the include files for both sites have the same name, such as 'inc-header.php' for example.

I can only assume PHP is caching includes and because they have the same name is showing the wrong one on other sites sometimes, if I rename them to something unique then the problem goes away, but its not a practical solution to rename all include files to unique names so I find myself looking for a 'real' fix.

I have a feeling its to do with the include_path in the php.ini, but right now its disabled with a semi-colon, and I don't want to set one as I have no global includes, all includes are site specific.

Any help would be very much appreciated!

Phil

now i use this code to show where the visitors came from to my site.

<?php
$referer=$_SERVER['HTTP_REFERER'];
echo $referer;
?>

now, i want to show the  5 latest vistors referer's site url on my site ?

Not sure if I'm trying to achieve something totally crazy here, or if this is something pretty standard. Didn't have much luck with searching as I'm not fully down with all the terms.

(A) I have one site providing an RSS feed.
(B) I have one site I want to search, once for each of the items in the feed A.
(C) I want the results of the search in (B) to be displayed on page (C).

So for example, the feed on (A) says;

apples
bananas
oranges
cheese

I want site (B) to search for each of those terms (by passing the item in the feed (A) to the ?search= part of the URL of that page) and then show the results from THAT search on page C. Bit of a complex one, let me know if you need me to clarify. Thanks for any help!