|
PHP - Utf8 And Php Security Issues
Hi everybody !
Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on utf-8 and am still lost on certain aspects related to PHP security.
Consider the simple script below:
<?php
//error_reporting(E_ALL & ~E_NOTICE);
session_start();
if(isset($_POST['login'], $_POST['password']))
{
$login = $_POST['login'];
$password = $_POST['password'];
if(!empty($login) && !empty($password))
{
//echo "Ok";
echo "Welcome ". $login;
echo "<br> You password is.$password ";
}
}
?>
<html>
<body>
<form action="welcome2.php" method="post">
Name: <input type="text" name="login" />
Password: <input type="password" name="password" />
<input type="submit" name="submit"/>
</form>
</body>
</html>
It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then :
1. how could it be exploited to pass a string that would effectively break thorugh this login. It would be great if someone can demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that the use of a regex to limit the use of special characters in passwords is not good . So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place what should be done?
There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked.
Thanks all.
Similar TutorialsHello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risk to using that and that is is susceptible to sql injections and my database can be at risk. I have read about using the following code instead: htmlentities($_SERVER['PHP_SELF']) Is that more secure or are there other code that is more secure? Also could someone look at my database connection and see if there are any issues with it? Code: [Select] <?php $db_host = "localhost"; $db_user = "user"; $db_pass = "password"; $db_name = "database"; function db_connect() { global $db_host; global $db_user; global $db_pass; global $db_name; $connection = mysql_connect($db_host,$db_user,$db_pass); if (!(mysql_select_db($db_name,$connection))) { echo "Could not connect to the database"; } return $connection; } // Connect to the database db_connect(); ?> Thank you for any help you can provide. Hi Chaps, I'm about to start building a MySQL/PHP forum but would like to know what are the best administration steps to take. Basically it'll be open to members of a site to share info (as like many forums out there), but obviously I don't want anybody to post either harmful content or offensive material. Can someone point me in the right direction, or give me a basic outline of what I have to look out for? Many thanks Hi all, if someone of you has a little spare time i would love to hear what you find about the small code below. I combined some scattered stuff around the internet. and was hoping some guru could tell me if its ok to output without any sneaky javascript to get inserted within the tags or other nasty stuff. Its a bb code that first trims the string, applies html entities than puts newlines to breaks and finishes it of with a little bbcode in the end. I was hoping if this is secure enough to output text in this case a post var but am aiming for data from the database. Thanks in advance Code: [Select] <?php //replace stuff //bb function function bbcode($data) { $input = array( '/\[b\](.*?)\[\/b\]/is', '/\[i\](.*?)\[\/i\]/is', '/\[u\](.*?)\[\/u\]/is', '/\[img\](.*?)\[\/img\]/is', '/\[url\](.*?)\[\/url\]/is', '/\[url\=(.*?)\](.*?)\[\/url\]/is' ); $output = array( '<strong>$1</strong>', '<em>$1</em>', '<u>$1</u>', '<img src="$1" />', '<a href="$1">$1</a>', '<a href="$1">$2</a>' ); $rtrn = preg_replace ($input, $output, $data); return $rtrn; } // if(isset($_POST['submit'])&& !empty($_POST['textvar'])){ $error_message = ''; $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES)); $clean = nl2br($string); $super_clean = bbcode($clean); }else{ $error_message = 'enter some text'; $clean = ''; $super_clean =''; } if i use code as follows, This is a safe way to take the value of the form ?
<html> <head></head> <body> <form method='post'> <input type='text' name='name' value='akli'> <input type='submit' name ='view' value='view'> </form> </body> </html> <?php extract($_POST); if($view) echo $name; ?>please healp me Hello, I'm creating an application where a user can input there own CSS. The problem I'm having is understanding if this will open security holes if... 1. Users input is saved to a file called style.css 2. Each user is on their own a sub-domain from my reseller hosting plan. 3. The style.css file will be included in the page code like so: Code: [Select] <link type='text/css' rel='stylesheet' href='style.css' /> Any advice? I have made a classified website. it works and I am proud of it. But as far as securing it goes, I have done almost nothing and I am sure, if in case the site becomes popular, it would be compromised with ease. So I have started reading a book ' essential php security' and am reading several articles on php security online , but am still unable to wrap my head around the whole security issue. Can someone help me ? there are a lot of unfamiliar topics, filtering, escaping , validating, session hijacking etc etc and it all goes over my head. Its a classified website , considering this on what should I concentrate on as far as security goes ? btw what I have managed to do is use mysql_real_escape_string on every var going into a mysql $query. Thanks Hi, I am trying to update the database with the arabic characters using utf8, when am trying with firefox no problem in updating also i check with database values are in utf8 format. But at the same time working with IE, values are not updating as utf8 format. Looking for answer confused..hope.. Thanks Im using this code Code: [Select] //create message with token gained before $post = array( 'access_token' => $access_token, 'message' => html_entity_decode($description, ENT_QUOTES), 'name' => html_entity_decode(strip_tags($post_title, ENT_QUOTES)), 'caption' => html_entity_decode(strip_tags($post_title, ENT_QUOTES)), 'link' => $_SESSION['blog_base'].'article/'.$post_url.'/', 'description' => html_entity_decode($description, ENT_QUOTES), 'picture' => 'http://www.socialnewsoffice.com/uploads/'.$article_img); to publish information to facebook however when i publish this i get this Code: [Select] Leasing receive another Great Testimonial from�Steve Brennan at�MCM Insurance Group\r\nTo whom it may concern\r\nEarlier this year we to... any ideas? hello i have problem with reading utf-8 text from normal text file with utf8 encoding. I am bulgarian i want to read and write bulgarian text but i cant. $fh = fopen("pics/names.txt", 'r'); $theData = fread($fh, 5); fclose($fh); echo $theData; This is what i use. Iam with windows 7. Pls help me... Hello, I am using a regex with /iumsU modifiers. On some servers this crashes PHP and I need to turn UTF8 off thus the modifier becoming /imsU I am wondering how can I detect the requirements for /u to work normally so I can dynamically adjust my regex? Cheers Hello, I've got a huge database that is filled with text. It is encoded in UTF8 and some of the symbols used (like emoticons) are encoded in the private use area of UTF8 (http://www.fileformat.info/info/unicode/block/private_use_area/utf8test.htm). Now I want to replace those codes of the private use area with the corresponding smilies etcetera. So actually my question is, how do I replace specific UTF8 codes with something else in PHP? Thanks in advance! In attachment is the code I generated from Flex Builder: My issue is that the UTF8 (coding of the MySQL database) isn't correctly interpreted, the solution is to use : $stmt = mysqli_prepare($this->connection, "SET NAMES UTF8;"); But I don't know how to enter it in this syntax? It is I think the: $stmt = mysqli_prepare($this->connection, "SELECT * from $this->tablename"); that has to be modified, but how? Really searching a long time on the correct syntax, but without any result... Please help, thanks a lot Wimmerke Hi, I am looking to create a directory that can not be accessed using .htaccess and neither can files directly. But I want to make it so when you are signed into joomla you can access the files via a mp3 player on the sight. My mp3 extention is joomline player flplayer. And I heard that if I cange the name of the file in joomla fomr lovelove.com/audio/love/abc.mp3 to lovelove.com/audio/love/abc.php?name=abc and then that abc.php script (inside the script it checks if you are logged in) will retrieve the file name, and the joomline will play it it will work. is this possible? Also, if not what can I do for this to work? Right now my script is not working as the joomline looks up all the mp3 files as one big string. this is the abc.php which on my site its calld psp.php
<?php
define( '_JEXEC', 1 );
define( 'JPATH_BASE', realpath(dirname(__FILE__).'/../../' ));
require_once ( JPATH_BASE .'/includes/defines.php' );
require_once ( JPATH_BASE .'/includes/framework.php' );
$mainframe =& JFactory::getApplication('site');
if( !empty( $_GET['name'] ) )
{
// check if user is logged
if(JFactory::getUser()->guest) {
die( "ERROR: invalid song or you don't have permissions to download it." );
}
else {
$psp = preg_replace( '#[^-\w]#', '', $_GET['name'] );
$psp_file = "{$_SERVER['DOCUMENT_ROOT']}/audio/live/{$psp}.mp3";
if( file_exists( $psp_file ) )
{
header( 'Cache-Control: public' );
header( 'Content-Description: File Transfer' );
header( "Content-Disposition: attachment; filename={$psp_file}" );
header( 'Content-Type: application/mp3' );
header( 'Content-Transfer-Encoding: binary' );
readfile( $psp_file );
exit;
}
}
}
?>
then I have joomline player jlplayer
<?php
/**
* JoomLine mp3 player - Joomla mp3 player
*
* @version 1.5
* @package JoomLine mp3 player
* @author Anton Voynov (anton@joomline.ru), Sergii Gaievskiy (shturman.kh@gmail.com)
* @copyright (C) 2010 by Anton Voynov(http://www.joomline.ru)
* @license GNU/GPL: http://www.gnu.org/copyleft/gpl.html
*
* If you fork this to create your own project,
* please make a reference to JoomLine someplace in your code
* and provide a link to http://www.joomline.ru
**/
defined('_JEXEC') or die('Restricted access');
function ascii2hex($ascii, $reverse = false) {
$hex = array();
for ($i = 0; $i < strlen($ascii); $i++) {
$byte = strtoupper(dechex(ord($ascii{$i})));
$byte = str_repeat('0', 2 - strlen($byte)).$byte;
$hex[] = $byte;
}
if ($reverse) $hex = array_reverse($hex);
return implode(" ",$hex);
}
function read_frame (&$f, &$tagdata, $frame) {
$pos = strpos($tagdata,$frame);
if ( $pos !== FALSE) {
// frame found. read length of this frame
fseek($f, 10+$pos+4);
$frame2len = hexdec(ascii2hex(fread($f,4)));
if (($frame2len-1) > 0) {
// read frame data
fseek($f, 10+$pos+4+2+4+1);
$data = trim(fread($f,$frame2len-1));
$hexfdata = ascii2hex($data);
if ( substr($hexfdata,0,5) == 'FF FE' or substr($hexfdata,0,5) == 'FE FF' ) {
$data = iconv("UCS-2","UTF-8",$data);
} else {
if (!preg_match('//u', $data)) {
$data = iconv("cp1251", "UTF-8",$data);
}
}
return $data;
} else {
return false;
}
} else {
return false;
}
}
function readmp3tag($file) {
$f = fopen($file, 'rb');
rewind($f);
fseek($f, -128, SEEK_END);
$tmp = fread($f,128);
if ($tmp[125] == Chr(0) and $tmp[126] != Chr(0)) {
// ID3 v1.1
$format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a28COMMENT/x1/C1TRACK/C1GENRENO';
} else {
// ID3 v1
$format = 'a3TAG/a30NAME/a30ARTISTS/a30ALBUM/a4YEAR/a30COMMENT/C1GENRENO';
}
$id3v1tag = unpack($format, $tmp);
// read tag length
fseek($f, 8);
$tmp = fread($f,2);
$tmp = ascii2hex($tmp);
$taglen= hexdec($tmp);
$tagdata = "";
if ($taglen > 0) {
//read tag data
fseek($f, 10);
$tagdata = fread($f,$taglen);
}
// find song title frame
$title = read_frame ($f, $tagdata, "TIT2");
if (!$title) {
if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['NAME'],0,1)) != '00' ) {
$title = $id3v1tag['NAME'];
} else {
$title = explode(DS,$file);
$title = $title[count($title)-1];
$title = explode('.',$title);
$title=$title[0];
}
if (!preg_match('//u', $title)) $title = iconv("cp1251", "UTF-8",$title);
}
$artist = read_frame ($f, $tagdata, "TPE1");
if (!$artist) {
if ($id3v1tag['TAG']== 'TAG' && ascii2hex(substr($id3v1tag['ARTISTS'],0,1)) != '00') {
$artist = $id3v1tag['ARTISTS'];
} else {
$artist = "";
}
}
if (!preg_match('//u', $artist)) $artist = iconv("cp1251", "UTF-8//TRANSLIT",$artist);
$id3tag['NAME'] = $title;
$id3tag['ARTIST'] = $artist;
return $id3tag;
}
if (DS == "/")
$dir = str_replace("\\",DS,$music_dir);
else
$dir = str_replace("/",DS,$music_dir);
$dir = JPATH_ROOT.DS.$dir;
if (!is_dir($dir)) {
echo "Wrong dir in settings";
} else {
$files = glob($dir.DS."*.{mp3,MP3}",GLOB_BRACE);
if (count($files) > 0) {
sort($files);
$host = $base_uri;
foreach ($files as $file) {
$tags = readmp3tag($file);
$file = explode (DS, $file);
if ($server_utf8 == 1) {
$fname = rawurlencode($file[count($file)-1]);
} else {
$fname = rawurlencode($file[count($file)-1]);
}
$fname = substr($fname, 0, -4);
$file = $host."/".$music_dir."/psp.php?name=".$fname;
echo $file;
$artist = trim($tags['ARTIST']);
$artist = $artist == "" ? "" : "{$tags['ARTIST']} - ";
$playlist[] = '{name:"'.$artist.$tags['NAME'].'",mp3:"'.$file.'"}';
}
}
/*
*
//if(!window.jQuery) {
document.write(unescape('<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js">%3C/script%3E'));
document.write(unescape('<script type="text/javascript">jQuery.noConflict();%3C/script%3E'));
//}
*
*/
?>
<script type="text/javascript">
var myPlayList = [
<?php
echo implode(",\n ",$playlist)."\n";
?>
];
Array.prototype.find=function(v){
for (i=0;i<this.length;i++){
if (this[i]==v) return i;
}
return 0;
}
var plIndex = [];
for (i=0;i<myPlayList.length;i++) {
plIndex[i] = i;
}
<?php if ($shfl == 1) : ?>
//shuffle
function randOrd(){
return (Math.round(Math.random())-0.5);
}
plIndex.sort(randOrd);
<?php endif; ?>
function setCookie (name, value) {
document.cookie = name + "=" + escape(value) + "; expires=Thu, 01-Jan-2055 00:00:01 GMT; path=/";
}
function getCookie(name) {
var cookie = " " + document.cookie;
var search = " " + name + "=";
var setStr = null;
var offset = 0;
var end = 0;
if (cookie.length > 0) {
offset = cookie.indexOf(search);
if (offset != -1) {
offset += search.length;
end = cookie.indexOf(";", offset)
if (end == -1) {
end = cookie.length;
}
setStr = unescape(cookie.substring(offset, end));
}
}
return(setStr);
}
function changeShflStatus(el) {
nowPlay = plIndex[playItem];
if (el.checked) {
setCookie("jlp_shfl","shuffle");
plIndex.sort(randOrd);
} else {
setCookie("jlp_shfl","notshuffle");
plIndex.sort();
}
playItem = plIndex.find(nowPlay);
}
</script>
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jq.js"></script>
<script type="text/javascript">jQuery.noConflict();</script>
<link href="<?=$base_uri?>/modules/mod_jlplayer/skin/skin.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="<?=$base_uri?>/modules/mod_jlplayer/js/jquery.jplayer.min.js"></script>
<script type="text/javascript">
var playItem = 0;
jQuery(function(){
var jpPlayTime = jQuery("#jplayer_play_time");
var jpTotalTime = jQuery("#jplayer_total_time");
var jlp_shfl = getCookie("jlp_shfl");
if (jlp_shfl == "shuffle") {
document.getElementById('jlp_shfl').checked = true;
} else if (jlp_shfl == "notshuffle") {
document.getElementById('jlp_shfl').checked = false;
}
jsuri = baseuri+"/modules/mod_jlplayer/js/";
jQuery("#jquery_jplayer").jPlayer({
ready: function() {
displayPlayList();
playListInit(enable_autoplay); // Parameter is a boolean for autoplay.
},
errorAlerts:true,
warningAlerts:true,
swfPath: jsuri
})
.jPlayer("onProgressChange", function(loadPercent, playedPercentRelative, playedPercentAbsolute, playedTime, totalTime) {
jpPlayTime.text(jQuery.jPlayer.convertTime(playedTime));
jpTotalTime.text(jQuery.jPlayer.convertTime(totalTime));
})
.jPlayer("onSoundComplete", function() {
playListNext();
});
jQuery("#jplayer_previous").click( function() {
playListPrev();
return false;
});
jQuery("#jplayer_next").click( function() {
playListNext();
return false;
});
});
function displayPlayList() {
for (i=0; i < myPlayList.length; i++) {
jQuery("#jplayer_playlist").append("<div id='jplayer_playlist_item_"+i+"'>"+ myPlayList[i].name +"</div>");
jQuery("#jplayer_playlist_item_"+i).data( "index", i ).click( function() {
var index = jQuery(this).data("index");
if (plIndex[playItem] != index) {
_index = plIndex.find(index);
playListChange( _index, index );
} else {
jQuery("#jquery_jplayer").jPlayer("play");
}
});
}
}
function playListInit(autoplay) {
if(autoplay) {
playListChange(0, plIndex[0] );
} else {
playListConfig(0, plIndex[0] );
}
}
function playListConfig(_index, index ) {
jQuery("#jplayer_playlist_item_"+plIndex[playItem]).removeClass("jplayer_playlist_current");
jQuery("#jplayer_playlist_item_"+index).addClass("jplayer_playlist_current");
playItem = _index;
jQuery("#jquery_jplayer").jPlayer("setFile", myPlayList[plIndex[playItem]].mp3);
}
function playListChange(_index, index ) {
playListConfig(_index, index );
jQuery("#jquery_jplayer").jPlayer("play");
}
function playListNext() {
var _index = (playItem+1 < myPlayList.length) ? playItem+1 : 0;
var index = plIndex[_index];
playListChange(_index, index );
}
function playListPrev() {
var _index = (playItem-1 >= 0) ? playItem-1 : myPlayList.length-1;
var index = plIndex[_index];
playListChange(_index, index );
}
</script>
<?php include_once(JPATH_ROOT.DS.'modules/mod_jlplayer/skin/tpl.php'); ?>
<?php
}
I was messing around in there with $file
if ($server_utf8 == 1) {
$fname = rawurlencode($file[count($file)-1]);
} else {
$fname = rawurlencode($file[count($file)-1]);
}
$fname = substr($fname, 0, -4);
$file = $host."/".$music_dir."/psp.php?name=".$fname;
echo $file;
I am unsure how to retreive a file title only, with out the whole path, just the name and not even the file ext.It comes up with all the files names in the echo. Also I am not sure how joomline chooses just one file. I am not a php designer and I am quite confused lol Any help would be appreciated! Thank you. I want to create an ADMIN directory with several directory under that. I want to be certain that the user cannot log into any of the directory unless they have confirmed login. Is $_session id's the best way to go? Should I create on the flyer and attached to username? What is the best practice for this? Regards, DED Hi there, I'm in serious need to find a way to block people from a website I code for. The thing is, we have a jailing system, nice and simple, and IP/email ban system too. But with proxies, advertisers and repeated troublemakers keep coming back because we just get the new proxy IP each time and it's a losing battle. What I need is a way to ban them properly from the site, like somehow stopping the computer they use from accesing the site. someone once said you can use a cookie to stop a browser getting on the site, but I don't know how to set it up to give the cookies out upon login and find the one associated to an account we don't want (by "cookie" banning I guess?") and stop them from logging in. |
|||||||