beckerdt
Everything posted by beckerdt

  1. @teynon ***UPDATE*** Still not done with the create page. I decided to refactor and clean up my code; it was getting messy. In the process I found an issue with TinyMCE that could allow scripts to be executed after data has been loaded into the database, reloaded from the database and then saved to the database again. The issue lies in the fact that TinyMCE is too good at cleaning up code. I would like to do away with the WYSIWYG editor altogether, but my mother-in-law will be using the site, so I need to keep it for her and probably the wife.
  2. @teynon I think I have the edit and delete page stuff locked down, FINALLY. Now I just have to lock down the create page. I could not recreate or figure out how you deleted the home page this morning, but I went back over my code and made the validation as specific as I could possibly think to make it, so could you please do whatever you did this morning to delete my home page and see if it blocks you from deleting the page now. Thanks. I'll drop another note here when I get the create page stuff locked down.
  3. But you can edit pages you created under edit_page.php, right? OK, I fixed the problem. It was a stupid mistake: I misspelled one of my variables. You should be able to create, edit and delete your own stuff now.
  4. But you can edit pages you created under edit_page.php, right?
  5. I'm tracking now. I will work on this tomorrow.
  6. @teynon - I bet you can't do it now! Thanks for the help.
  7. One last note to anyone that might want to use this code: put your real domain where it says domain.com. DO NOT remove the leading period, it's important!
  8. I got it to work!!!

     <?php
     $rootDomain = '.domain.com';
     session_set_cookie_params(3600, '/', $rootDomain, false, false);
     session_start();
     if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 2700)) {
         // last request was more than 45 min ago
         if (isset($_SESSION['id'])) {
             $connection = mysql_connect('localhost', '******', '*******');
             if (!$connection) {
                 die('Database connection failed: ' . mysql_error());
             }
             $db_select = mysql_select_db('******');
             $query = "UPDATE users SET online='no' WHERE id='{$_SESSION['id']}' LIMIT 1";
             mysql_query($query);
         }
         $_SESSION = array();
         if (isset($_COOKIE[session_name()])) {
             // expire the cookie with the same path AND domain it was set with;
             // a setcookie() without the domain would not clear the '.domain.com' cookie
             setcookie(session_name(), '', time() - 42000, '/', $rootDomain);
         }
         session_destroy(); // destroy session data in storage
         session_unset();   // unset $_SESSION variable for the runtime
         if (isset($connection)) {
             mysql_close($connection);
         }
     }
     $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
     ?>
  9. When a user logs into my site I put all their user info into a session like this:

     session_start();
     $_SESSION["login"] = 'true';
     $_SESSION["id"] = $user_info['id'];
     $_SESSION["firstname"] = $user_info['firstname'];
     $_SESSION["lastname"] = $user_info['lastname'];
     $_SESSION["screen_name"] = $user_info['screen_name'];
     $_SESSION["facebook"] = $user_info['facebook'];
     $_SESSION["email"] = $user_info['email'];
     $_SESSION["date_joined"] = $user_info['date_joined'];
     $_SESSION["account_type"] = $user_info['account_type'];
     $_SESSION["account_active"] = $user_info['account_active'];
     $_SESSION["hashed_password"] = $user_info['hashed_password'];

     The problem is if they log in from www.domain.com and then end up on a page at domain.com, or the other way around (they log in from domain.com and end up on a page at www.domain.com), the info stored in the session is not available. How can I have the session info available no matter whether they logged in with www or not?
  10. OK, I think I have fixed the security flaw teynon pointed out by using strip_tags() on the title, and I removed the user_id from the form and placed it into the session for use after form submission.
  11. Thanks for the help. Looks like I'm going to go back to the drawing board with this. Good luck with your ETS.
  12. teynon, thanks for looking at my site. I see the two posts you made. It looks like you entered some JavaScript that executed when the page loaded, causing the site to behave oddly. It also appears that you were able to delete pages from the site without privileges. I'll admit you have me scratching my head. I really have no idea how you did that. The only way I can think of to keep that from happening is to strip out script tags with preg_replace or something like that. Where are you stationed? I'm at Ft Bliss.
  13. Using var_dump() I tried my code on a clean page with no CSS and so on, and the beginning space is missing, so I am picking up that space from somewhere else. Thanks for the help.
  14. Still working on this same site. Have a quick question. I'm trying to use preg_replace to strip out a section of code but I am having problems getting it to work right.

      Code example:

      $str = '<p class="code">some string here</p>';

      PHP I'm using:

      $pattern = array();
      $pattern[0] = '!<p class="code">!';
      $pattern[1] = '!</p>!';
      $str = preg_replace($pattern, '', $str); // preg_replace returns the result; it does not modify $str in place

      This strips out the code just as I want, with the exception of the space between the p and class.

      Returns: " some string here" // notice the single space at the beginning.
      I'm trying to get: "some string here" // no space at the beginning.

      I have been beating my head against the wall trying to find a solution. The reason I'm trying to strip it out in a chunk instead of breaking the preg_replace into pieces is because I don't want to change anything that may be in the string between the tags. Any ideas?
  15. This is also a huge resource. https://www.owasp.org/index.php/Main_Page
  16. To anyone starting out like me I want to share this presentation. I stumbled on it while searching the net for web design security. I learned a lot from this presentation. http://darianpatrick.com/presentations/penn_uiconf_08/slides.html
  17. I think I have come up with an alternative to preg_match. I have changed the function to use ctype_digit(). I did a search on the internet for known issues with ctype_digit() and didn't find anything. I tested it on my website and it seems to be working.
  18. Thank you! This is very helpful. Can you recommend a method other than preg_match or encrypting the URL that is secure? I thought of using sessions to pass everything, but I think that might cause problems when it comes to setting and unsetting session variables.
  19. Could someone take a look at the security, particularly URL security, in the forum section of my site? I stopped using encryption when passing variables in the URL, mainly to simplify the script and because encrypting and checking was getting tedious. In the forum section I started using the preg_match function to look for what is expected. This made the script much cleaner and less tedious, but I am afraid that I may have sacrificed some security.
  20. As requested I have placed a text file in the root directory of my domain. http://beckerfamily1.com/phpfreaks.txt
  21. Once again thanks for the help. I need to clarify the error message you received. The reason you got that message is because the pages you created had not been approved for display. I will modify the message before proceeding with the build. I'm also happy to see that the code you entered into the hack page did not execute. I spent a lot of time trying to find a way to keep that from happening.
  22. Thanks for the reply. I activated your account so you could test more if you like.
  23. All you website security gurus, I need a favor. I am fairly new to PHP/MySQL and by no means an expert on securing websites. I am building a family website and have reached my first couple of milestones. What I want to do before I go any further is make sure that I do not have any major security holes in my website. I understand that this is a family website and the likelihood of my site getting hacked is remote, but I still don't want to leave the front door open, if you know what I mean. Please take a look at my site located at http://beckerfamily1.com/testing and see if you can gain access using common hacking techniques. If you find a security hole please contact me ASAP at [email protected] with the details. I will be very grateful. Thank you in advance for your assistance. PS - For those that wish to do me harm: this is a clean testing server on a secluded network; you will not gain anything useful if you hack into it should you find a security hole.
  24. Thanks for the help. Here is my SQL schema:

      mysql> SHOW COLUMNS FROM pages;
      +-----------+-------------+------+-----+---------+----------------+
      | Field     | Type        | Null | Key | Default | Extra          |
      +-----------+-------------+------+-----+---------+----------------+
      | id        | int(11)     | NO   | PRI | NULL    | auto_increment |
      | position  | int(11)     | NO   |     | NULL    |                |
      | visible   | tinyint(1)  | NO   |     | NULL    |                |
      | page_name | varchar(30) | NO   |     | NULL    |                |
      | content   | text        | NO   |     | NULL    |                |
      +-----------+-------------+------+-----+---------+----------------+
      5 rows in set (0.01 sec)

      mysql> SHOW COLUMNS FROM sub_pages;
      +-----------+-------------+------+-----+---------+----------------+
      | Field     | Type        | Null | Key | Default | Extra          |
      +-----------+-------------+------+-----+---------+----------------+
      | id        | int(11)     | NO   | PRI | NULL    | auto_increment |
      | page_id   | int(11)     | NO   |     | NULL    |                |
      | position  | int(11)     | NO   |     | NULL    |                |
      | visible   | tinyint(1)  | NO   |     | NULL    |                |
      | page_name | varchar(30) | NO   |     | NULL    |                |
      | content   | text        | NO   |     | NULL    |                |
      +-----------+-------------+------+-----+---------+----------------+
      6 rows in set (0.01 sec)
  25. Hello, I'm new to PHP and I have come up with the following code for my navigation, but I am sure there has to be an easier and more efficient way to do this. Someone please start me on the right path. Thanks.

      <?php
      // Get selected page/sub page
      if (isset($_GET['page'])) {
          $sel_page = $_GET['page'];
          $sel_sub_page = '';
      } elseif (isset($_GET['sub_page'])) {
          $sel_page = '';
          $sel_sub_page = $_GET['sub_page'];
      } else {
          $sel_page = '';
          $sel_sub_page = '';
      }
      ?>
      <!--Begin Navigation-->
      <ul>
      <?php
      // run the loop to get the page titles
      $query = "SELECT * FROM pages ORDER BY position ASC";
      $page_set = mysql_query($query);
      confirm_query($page_set);
      while ($page = mysql_fetch_array($page_set)) {
          echo '<li><a href="content.php?page=' . urlencode($page['id']) . '">' . $page['page_name'] . '</a></li>';

          // run sub page query to see if the ul tag is needed
          $query = "SELECT * FROM sub_pages WHERE page_id = {$page['id']} ORDER BY position ASC";
          $sub_page_set = mysql_query($query);
          confirm_query($sub_page_set);
          $sub_page = mysql_fetch_array($sub_page_set);
          if ($sub_page != '') {
              echo '<ul>';
          }

          // run the sub page loop again to display the sub page title
          $query = "SELECT * FROM sub_pages WHERE page_id = {$page['id']} ORDER BY position ASC";
          $sub_page_set = mysql_query($query);
          confirm_query($sub_page_set);
          while ($sub_page = mysql_fetch_array($sub_page_set)) {
              echo '<li><a href="content.php?sub_page=' . urlencode($sub_page['id']) . '">' . $sub_page['page_name'] . '</a></li>';
          }

          // run the sub page loop for the last time to see if the end ul tag is needed
          $query = "SELECT * FROM sub_pages WHERE page_id = {$page['id']} ORDER BY position ASC";
          $sub_page_set = mysql_query($query);
          confirm_query($sub_page_set);
          $sub_page = mysql_fetch_array($sub_page_set);
          if ($sub_page != '') {
              echo '</ul>';
          }
      }
      ?>
      </ul>
      <!--End Navigation-->
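Posts 8 and 9 above ask how to share one session between domain.com and www.domain.com and how to expire it after 45 minutes of inactivity. The following is an added example written for this page, not beckerdt's code and not taken from the site: it does the same thing with the cookie attributes a reviewer would insist on (Secure, HttpOnly, SameSite), rotates the session id at login, and expires the cookie with the same domain it was set with (a deletion cookie without the domain leaves the original in the browser). Assumptions: the site is served over HTTPS, `.example.com` stands in for the real domain, PHP 7.3 or later is available for the array form of `session_set_cookie_params()`, and the function names `start_shared_session`, `idle_too_long`, `end_session` and `login_user` are mine.

```php
<?php
// Added example (not beckerdt's code). Include this before any output on every page.
// Assumes HTTPS and PHP >= 7.3; '.example.com' is a placeholder for the real domain.

const SESSION_IDLE_LIMIT     = 2700; // 45 minutes, as in post 8
const SESSION_ABSOLUTE_LIMIT = 3600; // cookie lifetime, as in post 8

function cookie_options(string $rootDomain, int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => $rootDomain,  // valid for example.com AND every subdomain (www.)
        'secure'   => true,         // never sent over plain HTTP
        'httponly' => true,         // document.cookie cannot read it, so XSS cannot steal it
        'samesite' => 'Lax',        // not sent on cross-site POSTs (CSRF)
    ];
}

function start_shared_session(string $rootDomain = '.example.com'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $opts = cookie_options($rootDomain, 0);
    $opts['lifetime'] = SESSION_ABSOLUTE_LIMIT;
    unset($opts['expires']);            // session_set_cookie_params() uses 'lifetime'
    session_set_cookie_params($opts);
    session_name('FAMILYSESSID');       // assumed name; anything other than the default is fine
    session_start();

    if (idle_too_long($_SESSION, time())) {
        end_session($rootDomain);
        session_start();                // give the visitor a fresh, empty session
    }
    $_SESSION['LAST_ACTIVITY'] = time();
}

// Pure rule, separated so it can be checked without a running session.
function idle_too_long(array $session, int $now): bool
{
    return isset($session['LAST_ACTIVITY'])
        && ($now - (int) $session['LAST_ACTIVITY']) > SESSION_IDLE_LIMIT;
}

function end_session(string $rootDomain): void
{
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        // Same path and domain as the original cookie, otherwise the browser keeps it.
        setcookie(session_name(), '', cookie_options($rootDomain, time() - 42000));
    }
    session_destroy();
}

// Call after the password check succeeds. Rotating the id defeats session fixation;
// only the fields pages actually need are stored (never the password hash).
function login_user(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['id']            = (int) $user['id'];
    $_SESSION['screen_name']   = (string) $user['screen_name'];
    $_SESSION['account_type']  = (string) $user['account_type'];
    $_SESSION['LAST_ACTIVITY'] = time();
}
```

The `online='no'` bookkeeping from post 8 belongs in `end_session()` before `session_destroy()`, but with a prepared statement rather than a string built from `$_SESSION['id']`; it is left out here because the example has no database.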
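Posts 10, 12, 17 and 25 above circle the same two problems: which URL values to trust (`?page=` and `?sub_page=`) and what to do with page names before printing them. The following is an added example for this page, not beckerdt's code: it accepts an id only if `ctype_digit()` says it is all decimal digits and it is in range, binds it as an integer in a prepared statement, and escapes `page_name` on output so a title saved with `<script>` in it is shown, not run. Assumptions: a `mysqli` connection with the mysqlnd driver (needed for `get_result()`), the `pages` table from post 24, and the helper names `page_id_from_query`, `h`, `fetch_page` and `render_nav_link`, which are mine.

```php
<?php
// Added example (not beckerdt's code). Assumes mysqli + mysqlnd and the pages table from post 24.

// Returns the id as an int, or null for anything that is not a plain positive number:
// "1 OR 1=1", "1e3", "-1", "", " 5", "12abc" all come back null.
// $_GET values are always strings, which matters: ctype_digit() given an *int*
// between -128 and 255 treats it as an ASCII code (deprecated in PHP 8.1).
function page_id_from_query(?string $raw, int $max = 2147483647): ?int
{
    if ($raw === null || $raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return ($id >= 1 && $id <= $max) ? $id : null;   // 0 and int(11) overflow rejected
}

// One escaping function for every value that came from the database or the user.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function fetch_page(mysqli $db, int $id): ?array
{
    // The id is bound as an integer; it is never interpolated into the SQL string.
    $stmt = $db->prepare('SELECT id, page_name, content FROM pages WHERE id = ? AND visible = 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Builds one nav entry. The id is cast (so urlencode is unnecessary) and the
// name is escaped; a page_name of '<script>alert(1)</script>' renders as text.
function render_nav_link(array $page, string $param = 'page'): string
{
    return '<li><a href="content.php?' . $param . '=' . (int) $page['id'] . '">'
         . h((string) $page['page_name']) . '</a></li>';
}

// Typical use at the top of content.php:
//   $id = page_id_from_query($_GET['page'] ?? null);
//   if ($id === null || ($page = fetch_page($db, $id)) === null) {
//       http_response_code(404);
//       exit('No such page.');
//   }
//   echo render_nav_link($page);
```

`strip_tags()` on a title (post 10) removes markup but is not an escaper: `"` and `'` survive and still break out of an attribute, which is why `h()` runs at output time regardless of what was stored. The `content` column is different, because it is meant to hold HTML from the WYSIWYG editor; escaping it would destroy the formatting, so that field needs an allow-list HTML sanitizer (HTML Purifier is the usual PHP choice) applied when it is saved and again when it is rendered, not a `preg_replace` for `<script>` (post 12), which misses event handlers such as `onload=` and `javascript:` URLs.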