sf_guy

Members · Posts: 23
  1. All of my PHP files are secured by session checks, but I've found a possible security problem and am looking for ideas of how to fix it. Several of my PHP pages are custom built by the end user dropping files into a directory (write access to this directory is restricted). My PHP code recursively walks through the directory and builds links to all of the files there. It also strips the extension. The users give the files logical names so the links look good. For example, if they put "How to Fish.docx" into the subdirectory "Fishing", the end HTML code, generated by PHP, will look something like this: <h3>Fishing</h3> <a href="How%20to%20Fish.docx" target="_blank">How to Fish</a><br> etc. The security problem is that they can now make a direct link to the "How to Fish" document and save it as a favorite and bypass all security checking done by the PHP pages. Is it possible to write some type of "trigger" code that will launch the PHP login page whenever a user tries to access a page in a certain directory? I've seen web sites that do this, but am not quite sure how. Is there another, simpler solution? Thanks!
  2. Thanks. That fixed it and also some of the links had hash tags in the file names, which is a no-no, so I told the client to stop posting files with names like "Production Issue #1.doc" and use "Production Issue No 1.doc" instead.
  3. I'm trying to create a PHP function that will go through an FTP directory and automatically create links to any files in that directory, and in any subdirectories. I've tried several attempts but keep getting "File not found" errors. The files have spaces in the names. I notice that the URLs have %20 in them instead, but this shouldn't be an issue, right? Anyway, here's the code that doesn't work (I based this off some other code I found, it's not entirely original). The links show correctly and the mouseovers appear correct, but a "File Not Found" error is thrown when a user clicks on the link:

     function getDirectory( $path = 'documents/user', $level = 0, $recurse = -1 ){
         $ignore = array( 'cgi-bin', '.', '..', 'Thumbs.db' ); // Directories to ignore when listing output.
         $dh = @opendir( $path ); // Open the directory to the handle $dh
         while( false !== ( $file = readdir( $dh ) ) ){ // Loop through the directory
             if( !in_array( $file, $ignore ) ){ // Check that this file is not to be ignored
                 $spaces = str_repeat( ' ', ( $level * 4 ) ); // Just to add spacing to the list, to better show the directory tree.
                 if( is_dir( "$path/$file" ) ){ // It's a directory, so we need to keep reading down...
                     echo "<strong>$spaces $file</strong><br />";
                     if ($recurse==-1) { // Recurse down through subdirectories
                         getDirectory( "documents/user/$file", ($level+1), $recurse );
                     }
                 } else {
                     echo $spaces . "<a href='$path/$file'>$file</a><br />"; // Print out the file name, and create a URL link to that file
                 }
             }
         }
     }
  4. I'm a bit of a PHP newbie and have been playing around with using sessions and general PHP security. I noticed that the sessions are stored in a directory on a user's hard drive. Could a smart user simply copy this information and then, when their session is closed and the info deleted, paste it back to the same subdirectory and regain access to parts of the application without proper authentication?
  5. I'm not a "server guy" so bear with me. I was asked to put my PHP app onto a Windows 2008 Dev server so, after a lot of trial and error, I finally got PHP and mySQL working fine, the inetpub directory permissions working OK, etc. Now it's time to go to production. Since things are working so well, I'd just like to mirror the DEV machine and then use that for production, but obviously the machine will have a different name. What, if anything, will I need to change in .INI files for PHP and mysql to keep them working in a production machine that's an exact mirror image of a DEV machine, except for the machine name itself? Thanks!
  6. Thanks. The installer script is definitely the way to go. I'm thinking I can even just deliver it as a one-time URL "setup.php" that creates the various tables, sets various parameters, etc. Superusers would have the ability to run it, and if it had already been run it would give warnings and ask if they wanted to reset to the initial state.
  7. Somewhat of a PHP newb still: I'm writing a PHP class to handle event logging in my various apps so that I can just do something like this, for example: $logobject->log('<username>', 'useraction'); and it will write an entry to the database log based on the user who did it, the action and a datestamp. There will be other items in the class, such as the ability to truncate logs, delete entries before a certain period (such as older than six months), etc. I'm trying to make the class as flexible as possible to save trouble down the road when a user inevitably asks for some specific type of logging. I was thinking of including a test in the class to make sure the log database exists and then creating it automatically if it doesn't. This got me thinking, however, that allowing an app to create a table could cause a whole host of security problems. To get around this, I was thinking of automatically putting a REVOKE statement in the class so the app would, in essence, REVOKE its own SQL privileges to create tables. Is this a good approach?
  8. @PFMaBiSmAd: Thanks for all the help. None of these things turned out to be the issue, but I did learn a lot about domains and isset() so at least something good came out of it!
  9. Thanks to all who responded. Turns out it was a problem with the session store. I looked at the path, which was correct, but when I physically went there on the machine, it was full of garbage files and filenames with bad characters in them. We have various web servers running on several Virtual Machines on the same overall server, and a couple others in different areas had problems too. We moved the entire web site to a new VM and it's working fine now. I *did* learn the value of isset() though, so I can now display errors not just to people who logged out but to those who never logged in in the first place, so the day hasn't been a total waste. Thanks again for your help and Happy Thanksgiving.
  10. I turned on error reporting, but no messages are showing other than the ones I already listed. I thought perhaps there might be a security issue, but I checked C:\PROGRAMDATA\PHP\SESSIONS and there is a file in there called sess_905m06314ibdubru8ko0aqj4d1 which contains the following:

     testvalue|s:11:"hello world";

     and it is created when I run the app.
  11. @Pikeachu2000: I changed it so that there is nothing at all before session_start();. My understanding is that $_SESSION is supposed to be "super global" meaning it's available anywhere. What I'm trying to do is prevent users from initially going to a page directly by typing (or saving) the URL--I want them to have to go through the landing page. Would it be better to just avoid session altogether and just post a hidden form variable on the landing page and test for that on subsequent pages? For clarity, I made two stripped down, rewritten pages where the code STILL doesn't work, i.e. print "Hello World".

     ----------- WEB PAGE ONE.PHP -----------------
     <?PHP session_start(); ?>
     <html>
     <head>
     <title>Page One</title>
     </head><body>
     <?PHP $_SESSION['testvalue'] = "Hello World"; ?>
     <p><a href="pagetwo.php">Click here</a> to see page two</p>
     </body></html>

     ----------- WEB PAGE TWO.PHP -----------------
     <?PHP session_start(); ?>
     <html>
     <head>
     <title>Page Two</title>
     </head><body>
     <?PHP echo $_SESSION['testvalue']; ?>
     <br>
     </body></html>

     I run one.php, click the link to open two.php, and instead of a page showing "Hello World" I get:

     Notice: Undefined index: testvalue in c:\inetpub\wwwroot\two.php

     Sorry if I seem dense but I'm just not understanding why even this isn't working.
  12. I added a DEBUG print_r statement to the $_SESSION array to see what values are in there and 'valid' IS there and it IS true, so not sure why subsequent pages don't see it:

     DEBUG: Array ( [maxprivilegelevel] => 3 [valid] => TRUE [rotatingphotocount] => 31 )

     These are all the variables I wanted set, and they are all being set correctly. On the subsequent pages all that's showing is:

     DEBUG: Array()

     so the session is obviously not being stored. Is the session stored in memory or on disk?
  13. Moving the session_start(); to the very very top of the file still causes the same "Undefined index" error, so that didn't change things.
  14. Our office suffered a two-day power outage. Fortunately, it was planned so I did an orderly shut down of the web server. I got the web server back up and running, but now code that was working fine before no longer works and I'm too new to PHP to figure out why. I have this at the start of the "landing" page (this is the page users get to after their password is validated):

     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <?PHP session_start(); ?>
     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
     <title>Welcome</title>
     </head><body>
     <?PHP $_SESSION['valid']='TRUE'; ?>
     ... code and HTML ...
     </body></html>

     On each subsequent page linked to from the landing page, I have the following code:

     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <?PHP session_start(); ?>
     <html xmlns="http://www.w3.org/1999/xhtml">
     <head><title>Page Title</title>
     </head>
     <body>
     <?php
     /// Kick them out if they try to open this page directly
     if ($_SESSION['valid']!='TRUE') {
         session_destroy();
         die("<b>You must be logged into this application to use it</b>");
     }
     ?>
     ... code and html ...
     </body></html>

     This was working perfectly fine until I restarted the server. Now, whenever I click a link that opens another PHP page, I get the error:

     Notice: Undefined index: valid in C:\inetpub\wwwroot\usermanager\selectuser.php on line 9
     You must be logged into this application to use it.

     Why? How do I fix this? I can't figure out how just restarting a server could change the code from working to non-working. I'm still a bit of a n00b with PHP. Help GREATLY appreciated. Thanks!
  15. Thanks, that's what I thought. Not quite ready for ajax yet. Is there a "best practice" way to tell the last id when writing multiple items using PHP? For example, one user may have startdate1, startdate2, and startdate 3 but another user could conceivably have all the way through startdate150. I'm thinking of using a test to see if doc.getelementbyID(startdate + variable) is null and then breaking out of the loop if so. Is that a good way to do it?
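The first post (documents reachable by a bookmarked direct link, bypassing the session checks) and the third post (building links to files whose names contain spaces or "#") describe two halves of the same problem. The following is an added example, not sf_guy's code or an answer from the thread: the documents are assumed to live in a directory outside the web root (the hypothetical DOC_ROOT), the listing page never links to them directly, and a hypothetical download.php is the only route to a file, so the session check runs on every fetch. The file names are passed through rawurlencode() for the URL and htmlspecialchars() for the HTML, and the requested path is resolved with realpath() and checked against DOC_ROOT before anything is read.

```php
<?php
// Added example, not the poster's code. Assumptions: documents live OUTSIDE
// the web root at DOC_ROOT, login sets $_SESSION['user'], list.php calls
// listDocuments() and download.php calls serveDocument().

declare(strict_types=1);

const DOC_ROOT = '/var/app/documents';   // assumption: not under the web root

// Every entry point calls this first; an unauthenticated request never
// reaches the file system.
function requireLogin(): void
{
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');   // assumption: existing login page
        exit;
    }
}

// Map a user-supplied relative path to a real file under DOC_ROOT, or null.
// realpath() resolves "..", symlinks and encoded variants; the prefix check
// then rejects anything that resolved outside DOC_ROOT.
function resolveDocument(string $relative): ?string
{
    $base = realpath(DOC_ROOT);
    $real = realpath(DOC_ROOT . '/' . $relative);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Recursive listing in the spirit of the poster's getDirectory(), but it
// passes the current path down on recursion (the original always restarted
// from "documents/user") and it links to download.php instead of the file.
function listDocuments(string $path, string $relative = '', int $level = 0): void
{
    $ignore  = ['.', '..', 'cgi-bin', 'Thumbs.db'];
    $entries = scandir($path);
    if ($entries === false) {
        return;
    }
    $indent = str_repeat('&nbsp;', $level * 4);
    foreach ($entries as $file) {
        if (in_array($file, $ignore, true)) {
            continue;
        }
        $full = "$path/$file";
        $rel  = $relative === '' ? $file : "$relative/$file";
        if (is_dir($full)) {
            echo $indent . '<strong>' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . "</strong><br />\n";
            listDocuments($full, $rel, $level + 1);
        } else {
            // rawurlencode() turns a space into %20 and "#" into %23, so a
            // name like "Production Issue #1.doc" survives the URL intact.
            $href  = 'download.php?f=' . rawurlencode($rel);
            $label = htmlspecialchars(pathinfo($file, PATHINFO_FILENAME), ENT_QUOTES, 'UTF-8');
            echo $indent . '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
                . '" target="_blank">' . $label . "</a><br />\n";
        }
    }
}

// download.php: the only way to reach a document.
function serveDocument(): void
{
    requireLogin();
    $real = resolveDocument((string)($_GET['f'] ?? ''));   // PHP already URL-decodes $_GET
    if ($real === null) {
        http_response_code(404);
        exit('Not found');
    }
    $name = str_replace('"', '', basename($real));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
    exit;
}
```

A bookmarked download.php URL still works for a logged-in user and simply redirects to the login page for anyone else, which is the "trigger" behaviour the first post asks about. If the documents cannot be moved outside the web root, the same effect needs the web server itself (IIS in this poster's case) configured to deny direct requests to that directory; the session check in PHP alone cannot protect a file the web server is willing to serve on its own.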