|
PHP - Protecting From Data Ciphers
Data siphoning is becoming more common every day,
Data siphoning is when you intercept the data and sniff between a client and a host, also known as sniffing a connection. ( i am focusing on session hijack)
To protect clients I've decided to write an MD5 calculation function which changes a secure string (such as a password) to plain MD5
Then once the MD5_password reaches PHP i BCRYPT with cost 20 using password_hash
_
MD5 is not ideal at all and i would like to write a better encryption but i only know how to do MD5 for java script, but i really don't need that much security here.
the purpose is to not show sensitive information, that's going to be hashed on the server, during a data siphon attack.
_
Data siphoning can not be protected against on the host server, the siphoning happens on the clients side usually when they don't have a strong firewall or such.
What are some good techniques you would practice to protect from data siphoning?
Before added security i was able to siphon this:
Username: Richard
Password: mypassword
After added security i was able to siphon this:
Username: 6ae199a93c381bf6d5de27491139d3f9
Password: 5f4dcc3b5aa765d61d8327deb882cf99
Now the only vulnerability between the client and server is if the hacker dns hacks the client which could redirect them to a website that looks like mine with the same EXACT url. which i can't help.
The real username can be retrieved in a session on login.
The real username and password can be found if a hacker injects js to remove the MD5 function, so if you know how to detect JavaScript injection i would like to know that as well.
______
Pretty much it looks like this..
Form -> Send md5(username) & md5(password) -> Server check if match in datbase -> If so login.
^ cypher ^cypher (session)
Edited by Richard_Grant, 12 September 2014 - 03:27 AM. Similar TutorialsHello, I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/) please could someone tell me how to restrict access to users? e.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV e.g. (www.jobsboard.com/cvdatabase/CV1.doc) but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc Please could you tell me whether this is possible? Many thanks, Stu Hi All, I'm trying to secure my web app which is currently in development, and came across this issue. I have a header.php and footer.php page which are included to every page, with the content in the middle. The problem is, if you visit header.php then it displays the header, with some blank text. What is the best way to protect this - i.e., if visited directly, it re-directs to index.php etc. My initial thought is to set a $happylink on each page and in the header and footer, checking basically doing the following if (isset($happylink) && !empty($happylink)) { blah blah; } else { Header("Location: index.php"); } Would that be the best way? Is there something easier?
I have a script that runs periodically by a launchd timer. I give the script a very tight timeout ( set_time_limit(120); ). Hi, I was asked to create an app, wherein, the user may enter the email addresses of people manually, and it auto generates a random key. now this key will be used access such pages e.g proposal.test.com/ppc proposal.test.com/seo proposal.test.com/design so using the key for example => Sa22asdf it should appear like this proposal.test.com/ppc/Sa22asdf proposal.test.com/seo/Sa22asdf proposal.test.com/design/Sa22asdf without the unique key generated during the input of email address, the URL mentioned shouldn't be accessed by anyone.. now my question is, how to approach this thing in PHP ? I have done the input for email address and generation of random keys., but i don't know yet what to do or how to do the securing of pages using those keys ? I been wondering how to protect all the files that contain classes, functions and forms in php to prevent direct access to something that the user shouldnt be able to without the proper check's (typing http://server/inc/login.php insteand of http://server/), and i came to this small idea of checking if an object is set or not but i m wondering if this is really the best idea here's what i have (the case bellow will protect an login form to be accessed directly): Code: [Select] <?php if(!isset($mysqlobj)) die(); if( isset( $_POST['username'] ) && isset( $_POST['password'] ) ){ $login = authentication::login( $_POST['username'], $_POST['password'] ); if( $login == true ){ header( 'location:?go=home' ); }else{ $_SESSION['message'] = 'loginfailed'; header( 'location:?go=login' ); } }else{ if( !empty($_SESSION['logged'] ) && $_SESSION['logged'] == true ){ header( 'location:?go=home' ); }else{ ?> <div id="loginform"> <form action="?go=login" method="post"> <table align="center"> <tr> <td><font size="2">Username</font></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><font size="2">Password</font></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="center"><input type="submit" value="Login" /></td> </tr> </table> </form> </div> <?php } } ?> Just looking for an "best practice" i tried google for it but i couldnt get to an straight awnser any enlightment is appreciated. Hi, I'm putting together a database that once logged in, a user is able to insert, update and delete records via html forms. The login is secured using mysql_real_escape_string, but I'm wondering should I do the same for all form elements that pass data to the db? There are a wide range of inputs, from numeric, alphanumeric, dates and more. I'd appreciate your feedback. Regards, James I have had a customer want to run my application (PHP/APACHE/MYSQL) on their server rather than a commercial hosting offering (JUSTHOST/GODADDY)
I am reluctant, as it means giving them access to my PHP code which could possibly be copied or distributed.
Can I protect against this?
Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiraled and grown exponetially. I've spent many many hours in front of books and tutorals etc to put it together and as far as scripting goes, it seems to be fine. The problem i'm having...The tut's that I read / watched were using eregi_replace to protect text fields and this is now unsuported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but i keep getting strang results. I'm working on the "bio" field at the moment and then when that works I can move on and a-ply the same idea to the other fields. This si what I have and what I've changed. if ($_POST['parse_var'] == "bio"){ $bio_body = $_POST['bio_body']; //$bio_body = str_replace("'", "'", $bio_body); (WAS TESTING THIS BUT NO JOY) //$bio_body = str_replace("`", "'", $bio_body); $bio_body = mysql_real_escape_string($bio_body); $bio_body = nl2br(htmlspecialchars($bio_body)); $bio = $_POST['bio']; $bio = eregi_replace("'", "'", $bio); (This works but is not as secure) $bio = eregi_replace("`", "'", $bio); $bio = mysql_real_escape_string($bio); $bio = nl2br(htmlspecialchars($_POST['bio'])); $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'"); and so on....} When I change it to str_replace if I type in don't the whole word is deleted. when I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want. I just want to make sure that every single field that has a user input is protected against any malicious attacks. Thanks. Am new here - looks like a great foru! I would sincerely appreciate any help anyone can give me. I have been trying to solve my problem for hours and I am not having any luck, so I thought I would post and see if anyone can help. I am very stuck and am not making much progress on this project, and I am certain the answer is very simple. I am constructing a form to collect data for a specialized purpose. The form and program actually work for its intended function, but I am trying to enhance the user experience by preventing customers from having to reenter all of their data should there be a problem with any of the data submitted. I have been able to do that with the contact form portion, but what I am having trouble with is the portion which has as many as 400 possible entries. So, in a nutshell, if the customers contact data is incomplete or in error, the form will ask them to return to the page and correct things. The previous data entered has been saved in the session and the input value will equal the previous entry. i.e. <tr> <td align="right" class="infoBox"><?php echo ENTRY_EMAIL_ADDRESS; ?></td> <td align=left><?php echo "<input type=text name='cemail' value=\"$cemail\" size=35 maxlength=35>" ?></td> </tr> Works perfectly, all well and good there. On the other 400 more or less entries, I am having a difficult time tweaking the string concatenation to work to achieve similar results. There are 4 columns each with $points entries asking for a dimension in either feet or inches. The <input name=> is one of ptaf,ptai,ptbf,ptbi, appended programatically with the corresponding row number or data point. i.e. "ptaf1", "ptai1", etc... This is produced by the example below and works perfectly also. <?php { $points=100; $i=1; while ($i <= $points) {echo ' <tr><td align="center" width="6"><b> ' .$i . '</b></td> <td align="right" NOWRAP>A' .$i . ' (ft) <input type="text" name="ptaf'.$i.'" size=4 maxlength=3> </td> <td align="right" NOWRAP>A' .$i . ' (in) <input type="text" name="ptai'.$i.'" size=4 maxlength=4> </td> <td align="right" NOWRAP>B' .$i . ' (ft) <input type="text" name="ptbf'.$i.'" size=4 maxlength=3> </td> <td align="right" NOWRAP>B' .$i . ' (in) <input type="text" name="ptbi'.$i.'" size=4 maxlength=4> </td> '; $i++; } } ?> I am trying to add <input value=$ptai.$i> for each field but as I mentioned I am not having any luck. It seems as if I have tried every combination imagineable, but still no luck. My head is spinning! The closest I seem to have gotten was with this: <td align="right" NOWRAP>A' .$i . ' (ft) <input type="text" size=6 maxlength=3 name="ptaf'.$i.'" value="' . "$ptaf" . $i . '" ></td> But line 17 for example returns this: <input type="text" value="17" name="ptaf17" maxlength="3" size="6"> To recap, I am trying to have the value set to whatever the customer may have entered previously. Again, I would most appreciate any help anyone can give me. If you need clarification on anything please let me know. Thanks AJ Hello to all, I have problem figuring out how to properly display data fetched from MySQL database in a HTML table. In the below example I am using two while loops, where the second one is nested inside first one, that check two different expressions fetching data from tables found in a MySQL database. The second expression compares the two tables IDs and after their match it displays the email of the account holder in each column in the HTML table. The main problem is that the 'email' row is displayed properly while its while expression is not nested and alone(meaning the other data is omitted or commented out), but either nested or neighbored to the first while loop, it is displayed horizontally and the other data ('validity', 'valid_from', 'valid_to') is not displayed.'
Can someone help me on this, I guess the problem lies in the while loop? <thead> <tr> <th data-column-id="id" data-type="numeric">ID</th> <th data-column-id="email">Subscriber's Email</th> <th data-column-id="validity">Validity</th> <th data-column-id="valid_from">Valid From</th> <th data-column-id="valid_to">Valid To</th> </tr> </thead> Here is part of the PHP code:
<?php
while($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
echo '
<tr>
<td>'.$row["id"].'</td>
';
while ($row1 = $stmt1->fetch(PDO::FETCH_ASSOC)) {
echo '
<td>'.$row1["email"].'</td>
';
}
if($row["validity"] == 1) {
echo '<td>'.$row["validity"].' month</td>';
}else{
echo '<td>'.$row["validity"].' months</td>';
}
echo ' <td>'.$row["valid_from"].'</td>
<td>'.$row["valid_to"].'</td>
</tr>';
}
?>
Thank you. Hi, after banging my head against the wall for a while thinking this would be a simple task, I'm discovering that this is more complicated than I thought. Basically what I have is a link table linking together source_id and subject_id. For each subject there are multiple sources associated with each. I had created a basic listing of sources by subject... no problem. I now need a way of having a form to create an ordered list in a user-specified way. In other words, I can currently order by id or alphabetically (subject name lives on a different table), but I need the option of choosing the order in which they display. I added another row to this table called order_by. No problem again, and I can manage all of this in the database, however I want to create a basic form where I can view sources by subject and then enter a number that I can use for sorting. I started off looping through each of the entries and the database (with a where), and creating a foreach like so (with the subject_id being grabbed via GET from the URL on a previous script) Code: [Select] while($row = mysqli_fetch_array($rs)) { //update row order if (isset($_POST['submit'])) { //get variables, and assign order $subject_id = $_GET['subject_id']; $order_by = $_POST['order_by']; $source_id = $row['source_id']; //echo 'Order by entered as ' . $order_by . '<br />'; foreach ($_POST['order_by'] as $order_by) { $qorder = "UPDATE source_subject set order_by = '$order_by' WHERE source_id = '$source_id' AND subject_id = '$subject_id'"; mysqli_query($dbc, $qorder) or die ('could not insert order'); // echo $subject_id . ', ' . $order_by . ', ' . $source_id; // echo '<br />'; } } else { $subject_id = $_GET['subject_id']; $order_by = $row['order_by']; $source_id = $row['source_id']; } And have the line in the form like so: Code: [Select] echo '<input type="text" id="order_by" name="order_by[]" size="1" value="'. $order_by .'"/> (yes I know I didn't escape the input field... it's all stored in an htaccess protected directory; I will clean it up later once I get it to work) This, of course, results in every source_id getting the same "order_by" no matter what I put into each field. I'm thinking that I need to do some sort of foreach where I go through foreach source_id and have it update the "order_by" field for each one, but I must admit I'm not sure how to go about this (the flaws of being self-taught I suppose; I don't have anyone to go to on this). I'm hoping someone here can help? Thanks a ton in advance This could be PHP or MySql so putting it in PHP forum for now... I have code below (last code listed) which processes a dynamically created Form which could have anywhere from 0 to 6 fields. So I clean all fields whether they were posted or not and then I update the mySQL table. The problem with this code below is that if, say, $cextra was not posted (i.e. it wasnt on the dynamically created form), then this code would enter a blank into the table for $cextra (i.e. if there was already a value in the table for $cextra, it gets overwritten, which is bad). What is the best way to handle this? I'm thinking i have to break my SQL query into a bunch of if/else statements like this... Code: [Select] $sql = "UPDATE cluesanswers SET "; if (isset($_POST['ctext'])){ echo "ctext='$ctext',"; } else { //do nothing } and so on 5 more times.... That seems horribly hackish/inefficient. Is there a better way? Code: [Select] if (isset($_POST['hidden']) && $_POST['hidden'] == "edit") { $cimage=trim(mysql_prep($_POST['cimage'])); $ctext=trim(mysql_prep($_POST['ctext'])); $cextra=trim(mysql_prep($_POST['cextra'])); $atext=trim(mysql_prep($_POST['atext'])); $aextra=trim(mysql_prep($_POST['aextra'])); $aimage=trim(mysql_prep($_POST['aimage'])); //update the answer edits $sql = "UPDATE cluesanswers SET ctext='$ctext', cextra='$cextra', cimage='$cimage', atext='$atext', aextra='$aextra', aimage='$aimage'"; $result = mysql_query($sql, $connection); if (!$result) { die("Database query failed: " . mysql_error()); } else { } Here's the code that deals with the client side:
<?php
session_start();
if(!isset($_SESSION['Logged_in'])){
header("Location: /page.php?page=login");
}
?>
<!DOCTYPE Html>
<html>
<head>
<!--Connections made and head included-->
<?php require_once("../INC/head.php"); ?>
<?php require_once("../Scripts/DB/connect.php"); ?>
<!--Asynchronously Return User Names-->
<script>
$(document).ready(function(){
function search(){
var textboxvalue = $('input[name=search]').val();
$.ajax(
{
type: "GET",
url: 'search.php',
data: {Search: textboxvalue},
success: function(result)
{
$("#results").html(result);
}
});
};
</script>
</head>
<body>
<div id="header-wrapper">
<?php include_once("../INC/nav2.php"); ?>
</div>
<div id="content">
<h1 style="color: red; text-align: center;">Member Directory</h1>
<form onsubmit="search()">
<label for="search">Search for User:</label>
<input type="text" size="70px" id="search" name="search">
</form>
<a href="index.php?do=">Show All Users</a>|<a href="index.php?do=ONLINE">Show All Online Users</a>
<div id="results">
<!--Results will be returned HERE!-->
</div>
search.php
<?php //testing if data is sent ok echo "<h1>Hello</h1><br>" . $_GET['search']; ?>This is the link I get after sending foo. http://www.family-li...php?&search=foo Is that mean it was sent, but I'm not processing it correctly? I'm new to the whole AJAX thing. Say there is a complex opt in process where people start to enter their data but certain questions stop them where they close out of the page. They already entered their data and I feel there is a way to grab it and post it to mysql even though they do not click submit.
How would this be done?
A super simple example (proof of concept) or a link to a tutorial would be very useful.
Edited by brentman, 23 September 2014 - 10:42 AM. I have two tables. Table Name:Users Fields: User_name user_email user_level pwd 2.Reference Fields: refid username origin destination user_name in the users table and the username field in reference fields are common fields. There is user order form.whenever an user places an order, refid field in reference table will be updated.So the user will be provided with an refid Steps: 1.User needs to log in with a valid user id and pwd 2.Once logged in, there will be search, where the user will input the refid which has been provided to him during the time of order placement. 3.Now User is able to view all the details for any refid 3.Up to this we have completed. Query: Now we need to retrieve the details based on the user logged in. For eg: user 'USER A' has been provided with the referenceid '1234' during the time of order placement user 'USER B' has been provided with the referenceid '2468' during the time of order placement When the userA login and enter the refid as '2468' he should not get any details.He should get details only for the reference ids which is assigned to him. <?php session_start(); if (!$_SESSION["user_name"]) { // User not logged in, redirect to login page Header("Location: login.php"); } $con = mysql_connect('localhost','root',''); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("login", $con); $user_name = $_POST['user_name']; $refid = $_POST['refid']; $query = "SELECT * from reference,users WHERE reference.username=users.user_name AND reference.refid='$refid' AND "; $result = mysql_query($query) or trigger_error('MySQL encountered a problem<br />Error: ' . mysql_error() . '<br />Query: ' . $query); while($row = mysql_fetch_array($result)) { echo $row['refid']; echo $row['origin']; echo $row['dest']; echo $row['date']; echo $row['exdate']; echo $row['username']; } echo "<p><a href=\"logout.php\">Click here to logout!</a></p>"; ?> <html> <form method="post" action="final.php"> Ref Id:<input type="text" name="refid"> <input type="submit" value="submit" name="submit"> </html> I can add and delete data from my table. Now I need to be able to change one or more fields in an entry. So I want to retrieve a row from the db, display that data on a form where the user can change any field and then pass the changed data to an update.php program. I know how to go from form to php. But how do I pass the data from retrieve.php to a form so it will display? Do I use a URL and Get? Can I put the retrieve and form in the same program? hi guys, im new to this forum I'm new also to php, I need help from you guys: I want to display personal information from a certain person (the data is on the mysql database) using his name as a link: example: (index.php) names 1. Bill Gates 2. Mr. nice Guy i want to click Bill Gates (output.php) Name: Bill Gates Country:xxxx Age: xx etc. How can i make this or how to learn this? I'm pulling data from an xml file and I'm getting a lot of duplicates. How can I remove the duplicates from the query? Code: [Select] foreach($xml->category->subcategory as $category){ echo $category[id]; }//end foreach Hi, I want to pull data from db, where sometimes all rows and sometimes rows matching given "username". Here is my code:
//Grab Username of who's Browsing History needs to be searched.
if (isset($_GET['followee_username']) && !empty($_GET['followee_username']))
{
$followee_username = $_GET['followee_username'];
if($followee_username != "followee_all" OR "Followee_All")
{
$query = "SELECT * FROM browsing_histories WHERE username = \"$followee_username\"";
$query_type = "followee_username";
$followed_word = "$followee_username";
$follower_username = "$user";
echo "$followee_username";
}
else
{
$query = "SELECT * FROM browsing_histories";
$query_type = "followee_all";
$followed_word = "followee_all";
$follower_username = "$user";
echo "all";
}
}
When I specify a "username" in the query via the url: browsing_histories_v1.php?followee_username=requinix&page_number=1 I see result as I should. So far so good.
Now, when I specify "all" as username then I see no results. Why ? All records from the tbl should be pulled! browsing_histories_v1.php?followee_username=all&page_number=1 This query shouldv'e worked:
$query = "SELECT * FROM browsing_histories";
|
|||||||