PHP - Securing Php Sessions

Hello,

I'm writing an application that will have to interact with my webserver and it will be using php to input data into the database and retrieve from as well. However, I'm not sure what is the best approach on securing my database from people sniffing while using my application. The only thing that I can do that is coming to mind is try to use a unique key as a password and have one of my GET vars be that password, but that is easily sniff-able.

What can I do to secure my database and prevent people from filling up my databases if they sniff out my password key? Is there any kind of encryption I can use that will defeat this?

Hey,

I'm wondering how to secure my unsubscribe link. Currently the link looks something like this delete.php?id=6 the number is the field id of the email address. However when if someone then changed the to delete.php?id=5 then the email address with the id 5 would be deleted. I have tried doing an MD5 but it doesn't seem to work.

Any ideas I've been trying all day.

I was told that my login page could easily be manipulated to set themselves as my username (Mod Justin), giving them powers. How can I further secure my website's use of cookies?

Quote

I just visited your site as you - Mod Justin, simply by setting a 'user' cookie for your domain with your username in it.

Your login code is NOT effective at stopping anyone or any bot script from impersonating any of the users, even impersonating you.



My login code:

http://pastebin.com/cBLybGKq

Any possible solution to this?

Hello, I wish to secure the PayPal form button. As my button is used on a subscription website, I don't want people changing the parameters and code needs to be hidden from peering eyes with firebug for instance.


I have heard that you can pass the data to PayPal be given a CMD URL in return and you simply forward the user to such URL.


Anyone know of this? - or another method?


The button manager is not acceptable as the values will change in the hidden fields.


George.

I tried searching but came up empty handed, hoping you guys can give me some assistance.

I have a login script that I would like to lock down a little from flooding. What is the easiest way to do this? Something that will restrict the IP if the script encounters x amount of failed attempts in x amount of minutes.

Thanks!

I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them.

The files are
Form.HTML
Bin/config.php
Bin/mail.php

Any help is appreciated.

Hi my website offers the users to buy the videos. But the hackers are stealing my video links through view source. So there any option to hide my video links in view source and firebug etc..My videos are comign from amazon. and we are using JW  Players to play the videos
    The methods i have tried..
    1)Encode and decode the urls still the embed tag displays the complete path in firebug.
    2)Amazon provide signed url(temporary url)-Still have some problem in this..
    3)call the video through ajax call. Still the complete HTML code will be displayed in the firebug.
   
    please check here i have attached the firebug sample how it displays the code. Here we can find the complete video path in file: attribute in embed tag
   
    Is there any to hide the urls

Hi,

I want to secure my AJAX routines which use the POST method. I want to prevent people from posting to my method with their own program/script.

I have read about making a random seed that the server knows to expect from authorized AJAX sources.

What is the basic code for doing this?

I am building an e-commerce site and have a security question.

My Payment Gateway has given me "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments.

What is a *reasonable* way to protect this information?

I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet.

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it?

Would that be secure enough for now?

Thanks,



Debbie

If I store a value in a hidden form control, and then use that as a means to pass the value to another PHP script, could that cause any security issues?

 

 

This topic has been moved to Application Design.

http://www.phpfreaks.com/forums/index.php?topic=346762.0

Hey Guys,

Me again!  Still working on this bloody database!

Okay, so I have a site that people can add a record to a database.  This record is filled using a form and the form contains an image that can be uploaded.

This works fine.

Then there's the ability to search a record based on a boolean search which displays a table with the record data and displays a thumbnail of the photo.

This also works fine.

Then I have a script that (once it's working) will allow you to edit the record.

This is where I'm having issues.  Here's my process for the form:

User searches for the record by using a boolean search Search finds the record and displays a form containing the original values in the database User changes some parts of the original record using the form Form then updates the database with the new values
The problem I'm having is with the photo function.  If there's no photo attached, I was getting an error saying that the photo field could not be empty.  So I used the following process:

User searches for the record using edit.php Form is displayed using edit_process.php edit_process.php is posted to update.php that has conditions to check if the file upload field is empty or not If the field is empty, then it requires updatenophoto.php If the field has a new image, it uses updatephoto.php
When I submit the form to the update.php script, it does nothing and gives me a blank page.

Here's my code for each of the parts (hit the character limit, code in comments):

Hi

Something strange is happening and I can't understand it.

A user can access an availability page of accommodation and book ita room, this works fine, and goes from availability to the booking form and back quite well, carrying the room  id of the accommdation and room/s selected in a session.

If they close the browser down and open the availability page again all the rooms are there as before, but when they select a room and go to the booking form the session of the room  id  and the rooms selected are empty.

If I do a session destroy and open the browser up again everything works fine again.

I have tried this in Chrome and Firefox and it seems to work fine

Any help would be appreciated

Hello,
Is there a problem in destroying a session and then starting it in the same file, for example:


session_name();
session_start();

session_destroy();



And lastly, if I create a variable $_SESSION['user'] under a session called 'one' i.e. session_name("one") and then create another variable $_SESSION['user'] under a session called 'two' i.e. session_name("two").
Are these two variables the same?

I there. I am making a small game, either you or the computer win depending on who's life hit 0 first I am using sessions to hold the health values, however I need a little bit of help. How do I make it actually go down after each move until one hits 0? Here is my script and thanks in advance...
Code: [Select]
<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Fighting Game</title>
</head>
<body>
<form action="fighting_game.php" method="post">
<select name='move_choice' id='move_choice'>
<option value='punch'>Punch</option>
<option value='kick'>Kick</option>
</select>
<input type='submit' name='submitbtn' value='Continue' id='submitbtn'>
</form>
<div id='matchdiv'>
<?php
$_SESSION['ai_health'] = 100;
$_SESSION['player_health'] = 100;

$moves_ai = array("Computer punches you in the face!","Computer kicks you in the gut!");
$moves_player = array("You punch Computer in the face!","You kick computer in the gut!");
$move_damage = array(2,10);
$move_dam_multiplier_player = array(rand(1,5),rand(5,10));
$move_dam_multiplier_ai = array(rand(1,5),rand(5,10));
if($_POST['submitbtn']){
  $choice = $_POST['move_choice'];
    }

   if($choice == "punch"){
   $total_dam_ai=($move_damage[0]*$move_dam_multiplier_ai[0]);
   $total_dam_player=($move_damage[0]*$move_dam_multiplier_player[0]);
   
   echo"$moves_player[1]"." Causing ".$total_dam_player." damage!<br>";
       echo"Computers current health is ". ($_SESSION['ai_health']-$move_damage[0]*$move_dam_multiplier_player[0]);
   echo"<br>$moves_ai[1]"." Causing ".$total_dam_ai." damage!<br>";
       echo"Your current health is ". ($_SESSION['player_health']-$move_damage[0]*$move_dam_multiplier_ai[0]);

  
     }
 
 elseif($choice == "kick"){
   $total_dam_ai=($move_damage[1]*$move_dam_multiplier_ai[1]);
   $total_dam_player=($move_damage[1]*$move_dam_multiplier_player[1]);
   
   echo"$moves_player[1]"." Causing ".$total_dam_player." damage!<br>";
       echo"Computers current health is ". ($_SESSION['ai_health']-$move_damage[1]*$move_dam_multiplier_player[1]);
   echo"<br>$moves_ai[1]"." Causing ".$total_dam_ai." damage!<br>";
       echo"Your current health is ". $new_player_health=($_SESSION['player_health']-$move_damage[1]*$move_dam_multiplier_ai[1]);
   
 
 }
   if($_SESSION['ai_health']<=0 && $_SESSION['player_health']>=0){
   echo"<br>Computer falls to the ground! He is knocked out! You win!";
   }
   
   if($_SESSION['player_health']<=0 && $_SESSION['ai_health'] >= 0){
   echo"<br>You fall to the ground! You are knocked out! You lose!";
   }
   if($_SESSION['player_health']<=0 && $_SESSION['ai_health'] <=0){
   echo"<br>You both fall to the ground! You are both knocked out! It's a draw!";
   }

?>
</div>
</body>
</html>