
sf_guy
Members
Posts: 23

Everything posted by sf_guy

  1. All of my PHP files are secured by session checks, but I've found a possible security problem and am looking for ideas of how to fix it. Several of my PHP pages are custom built by the end user dropping files into a directory (write access to this directory is restricted). My PHP code recursively walks through the directory and builds links to all of the files there. It also strips the extension. The users give the files logical names so the links look good. For example, if they put "How to Fish.docx" into the subdirectory "Fishing", the end HTML code, generated by PHP, will look something like this:

```html
<h3>Fishing</h3>
<a href="How%20to%20Fish.docx" target="_blank">How to Fish</a><br>
```

etc. The security problem is that they can now make a direct link to the "How to Fish" document and save it as a favorite and bypass all security checking done by the PHP pages. Is it possible to write some type of "trigger" code that will launch the PHP login page whenever a user tries to access a page in a certain directory? I've seen web sites that do this, but am not quite sure how. Is there another, simpler solution? Thanks!
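The "trigger" asked about above is usually a gateway script: the listing page links to the script instead of to the file, and the script does the session check before it streams the document. The following is an added example written for this page, not sf_guy's code or anything posted in the thread. It assumes the document tree is kept outside the web root at a hypothetical path (DOC_ROOT), that the login page sets $_SESSION['valid'] = true on success, that links have the form download.php?f=Fishing/How%20to%20Fish.docx, and PHP 7 or later.

```php
<?php
// Added example, not the poster's code: serve documents through a gateway
// so the session check cannot be bypassed by bookmarking the file URL.
//
// Assumptions (hypothetical for this example):
//   - documents live OUTSIDE the web root at DOC_ROOT, so no direct URL exists
//   - the login page sets $_SESSION['valid'] = true after checking the password
//   - the listing page links to download.php?f=<relative path>
declare(strict_types=1);

const DOC_ROOT = '/var/www/private/documents/user';   // not reachable by URL

session_start();

if (empty($_SESSION['valid']) || $_SESSION['valid'] !== true) {
    // Not logged in: send the user to the login page, not the file.
    header('Location: /login.php', true, 302);
    exit;
}

$requested = (string)($_GET['f'] ?? '');

// Reject anything that is not a simple relative path (no NUL, no backslash).
if ($requested === '' || $requested[0] === '/' || strpbrk($requested, "\0\\") !== false) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve both paths and make sure the target stays inside DOC_ROOT.
// realpath() collapses "../" and symlinks, so a request such as
// f=../../etc/passwd resolves outside the root and is refused.
$root = realpath(DOC_ROOT);
$full = realpath(DOC_ROOT . '/' . $requested);
if ($root === false || $full === false || !is_file($full)
    || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Only hand out the document types we expect; anything else is refused.
$allowed = [
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'doc'  => 'application/msword',
    'pdf'  => 'application/pdf',
];
$ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(403);
    exit('File type not permitted');
}

// Force a download under a sanitised name; nosniff stops the browser from
// "guessing" an HTML or script type for the body.
$name = preg_replace('/[^A-Za-z0-9 ._-]/', '_', basename($full));
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string)filesize($full));
header('Cache-Control: private, no-store');
readfile($full);
```

Moving the files outside the web root is what makes the check unavoidable; if the drop directory cannot be moved, deny direct web access to it in the web server configuration so that this script is the only way to reach the files. The realpath containment check matters because the f= parameter is attacker controlled even for logged-in users.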
  2. Thanks. That fixed it and also some of the links had hash tags in the file names, which is a no-no, so I told the client to stop posting files with names like "Production Issue #1.doc" and use "Production Issue No 1.doc" instead.
  3. I'm trying to create a PHP function that will go through an FTP directory and automatically create links to any files in that directory, and in any subdirectories. I've tried several attempts but keep getting "File not found" errors. The files have spaces in the names. I notice that the URLs have %20 in them instead, but this shouldn't be an issue, right? Anyway, here's the code that doesn't work (I based this off some other code I found, it's not entirely original). The links show correctly and the mouseovers appear correct, but a "File Not Found" error is thrown when a user clicks on the link:

```php
function getDirectory( $path = 'documents/user', $level = 0, $recurse = -1 ){
    $ignore = array( 'cgi-bin', '.', '..', 'Thumbs.db' );  // Directories to ignore when listing output.
    $dh = @opendir( $path );                                // Open the directory to the handle $dh
    while( false !== ( $file = readdir( $dh ) ) ){          // Loop through the directory
        if( !in_array( $file, $ignore ) ){                  // Check that this file is not to be ignored
            $spaces = str_repeat( ' ', ( $level * 4 ) );    // Just to add spacing to the list, to better
                                                            // show the directory tree.
            if( is_dir( "$path/$file" ) ){                  // Its a directory, so we need to keep reading down...
                echo "<strong>$spaces $file</strong><br />";
                if ($recurse==-1) {                         // Recurse down through subdirectories
                    getDirectory( "documents/user/$file", ($level+1), $recurse );
                }
            } else {
                echo $spaces . "<a href='$path/$file'>$file</a><br />";  // Print out the file name, and create a URL link to that file
            }
        }
    }
}
```
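Two things in the posted walker decide whether a link resolves: the recursive call passes a hard-coded "documents/user/$file" rather than the current $path, so files two levels down get the wrong relative link, and the file name is dropped into the href unencoded, so a space, '#' or '&' in a name produces a URL the browser interprets differently from the path on disk ('#1' becomes a fragment, which is why "Production Issue #1.doc" fails). The listing below is an added example written for this page, not sf_guy's or the thread's code; it encodes each path segment with rawurlencode() and escapes everything printed into HTML. It assumes the directory is served under the URL prefix passed as $webBase.

```php
<?php
// Added example, not the poster's code: a directory listing that produces
// links the browser can actually follow, whatever characters the names contain.
// Assumption: $webBase is the URL prefix under which $path is served.
declare(strict_types=1);

function listDocuments(string $path, string $webBase, int $level = 0): string
{
    $ignore = ['cgi-bin', '.', '..', 'Thumbs.db'];
    $out = '';
    $entries = scandir($path);
    if ($entries === false) {
        return $out;                                   // unreadable directory: list nothing
    }
    sort($entries, SORT_NATURAL | SORT_FLAG_CASE);
    $indent = str_repeat('&nbsp;', $level * 4);

    foreach ($entries as $entry) {
        if (in_array($entry, $ignore, true)) {
            continue;
        }
        $fsPath = $path . '/' . $entry;
        // Encode each path segment on its own: the '/' between directories
        // survives, while spaces, '#', '&', '?' and non-ASCII inside a
        // segment are percent-encoded ("Issue #1.doc" -> "Issue%20%231.doc").
        $urlPath = $webBase . '/' . rawurlencode($entry);

        if (is_dir($fsPath)) {
            $out .= sprintf("<strong>%s%s</strong><br />\n", $indent,
                htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'));
            // Recurse with the CURRENT path and URL, not a fixed root, so files
            // in nested subdirectories get a link relative to where they are.
            $out .= listDocuments($fsPath, $urlPath, $level + 1);
        } else {
            $label = pathinfo($entry, PATHINFO_FILENAME);   // strip the extension for display
            $out .= sprintf("%s<a href=\"%s\" target=\"_blank\">%s</a><br />\n",
                $indent,
                htmlspecialchars($urlPath, ENT_QUOTES, 'UTF-8'),   // attribute context
                htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));    // text context
        }
    }
    return $out;
}

// Usage:
//   echo listDocuments(__DIR__ . '/documents/user', 'documents/user');
// A file "Production Issue #1.doc" inside "Fishing" is emitted as
//   <a href="documents/user/Fishing/Production%20Issue%20%231.doc" target="_blank">Production Issue #1</a>
```

htmlspecialchars() on the label and the href is not cosmetic: the file names come from whoever can write to the drop directory, and an unescaped name such as <script>... would otherwise be rendered as markup on every page that lists it.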
  4. I'm a bit of a PHP newbie and have been playing around with using sessions and general PHP security. I noticed that the sessions are stored in a directory on a user's hard drive. Could a smart user simply copy this information and then, when their session is closed and the info deleted, paste it back to the same subdirectory and regain access to parts of the application without proper authentication?
  5. I'm not a "server guy" so bear with me. I was asked to put my PHP app onto a Windows 2008 Dev server so, after a lot of trial and error, I finally got PHP and mySQL working fine, the inetpub directory permissions working OK, etc. Now it's time to go to production. Since things are working so well, I'd just like to mirror the DEV machine and then use that for production, but obviously the machine will have a different name. What, if anything, will I need to change in .INI files for PHP and mysql to keep them working in a production machine that's an exact mirror image of a DEV machine, except for the machine name itself? Thanks!
  6. Thanks. The installer script is definitely the way to go. I'm thinking I can even just deliver it as a one-time URL "setup.php" that creates the various tables, sets various parameters, etc. Superusers would have the ability to run it, and if it had already been run it would give warnings and ask if they wanted to reset to the initial state.
  7. Somewhat of a PHP newb still: I'm writing a PHP class to handle event logging in my various apps so that I can just do something like this, for example: logobject->log('<username>', 'useraction'); and it will write an entry to the database log based on the user who did it, the action and a datestamp. There will be other items in the class, such as the ability to truncate logs, delete entries before a certain period (such as older than six months), etc. I'm trying to make the class as flexible as possible to save trouble down the road when a user inevitably asks for some specific type of logging. I was thinking of including a test in the class to make sure the log database exists and then creating it automatically if it doesn't. This got me thinking, however, that allowing an app to create a table could cause a whole host of security problems. To get around this, I was thinking of automatically putting a REVOKE statement in the class so the app would, in essence, REVOKE its own SQL privileges to create tables. Is this a good approach?
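The usual way to get the effect described above is to never grant the application account CREATE in the first place: an administrator creates the log table and a dedicated account with INSERT, SELECT and DELETE on that one table, and the class only ever runs parameterised statements against it (in MySQL an account cannot REVOKE privileges without the GRANT OPTION privilege anyway, so an app revoking itself is not something to rely on). The following logger is an added example written for this page, not sf_guy's class; the table, account and column names are hypothetical, it uses PDO, and it assumes PHP 7.4 or later.

```php
<?php
// Added example, not the poster's code. The setup below is run once by a DBA,
// never by the application; the class then only INSERTs, SELECTs and DELETEs
// through prepared statements, so user supplied values never become SQL text.
//
//   -- hypothetical names, run as a DBA
//   CREATE TABLE eventlog (
//       id        BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//       username  VARCHAR(64)  NOT NULL,
//       action    VARCHAR(128) NOT NULL,
//       logged_at DATETIME     NOT NULL,
//       INDEX (logged_at)
//   );
//   CREATE USER 'applog'@'localhost' IDENTIFIED BY '...';
//   GRANT INSERT, SELECT, DELETE ON safety.eventlog TO 'applog'@'localhost';
declare(strict_types=1);

final class EventLogger
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        // Throw on errors and turn off emulated prepares so the server, not the
        // client library, binds the parameters.
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->db = $db;
    }

    /** Record that $username performed $action now (UTC). */
    public function log(string $username, string $action): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO eventlog (username, action, logged_at) VALUES (:u, :a, :t)'
        );
        $stmt->execute([
            ':u' => substr($username, 0, 64),     // keep within the column width
            ':a' => substr($action, 0, 128),
            ':t' => (new DateTimeImmutable('now', new DateTimeZone('UTC')))->format('Y-m-d H:i:s'),
        ]);
    }

    /** Delete entries older than $days days; returns the number removed. */
    public function purgeOlderThan(int $days): int
    {
        if ($days < 1) {
            throw new InvalidArgumentException('days must be positive');
        }
        $cutoff = (new DateTimeImmutable("-{$days} days", new DateTimeZone('UTC')))
            ->format('Y-m-d H:i:s');
        $stmt = $this->db->prepare('DELETE FROM eventlog WHERE logged_at < :cutoff');
        $stmt->execute([':cutoff' => $cutoff]);
        return $stmt->rowCount();
    }

    /** Count of entries for one user since $since (Y-m-d H:i:s); handy for audits. */
    public function countFor(string $username, string $since): int
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM eventlog WHERE username = :u AND logged_at >= :s'
        );
        $stmt->execute([':u' => $username, ':s' => $since]);
        return (int)$stmt->fetchColumn();
    }
}

// Usage (DSN and credentials are placeholders):
//   $pdo    = new PDO('mysql:host=localhost;dbname=safety;charset=utf8mb4', 'applog', '...');
//   $logger = new EventLogger($pdo);
//   $logger->log($_SESSION['userid'], 'login');
//   $logger->purgeOlderThan(180);   // six months
```

If the table is missing, the constructor or the first log() call throws, which is the right outcome: a logging component that can silently create its own schema is also one that can be talked into creating other things if any input ever reaches its SQL.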
  8. @PFMaBiSmAd: Thanks for all the help. None of these things turned out to be the issue, but I did learn a lot about domains and isset() so at least something good came out of it!
  9. Thanks to all who responded. Turns out it was a problem with the session store. I looked at the path, which was correct, but when I physically went there on the machine, it was full of garbage files and filenames with bad characters in them. We have various web servers running on several Virtual Machines on the same overall server, and a couple others in different areas had problems too. We moved the entire web site to a new VM and it's working fine now. I *did* learn the value of isset() though, so I can now display errors not just to people who logged out but to those who never logged in in the first place, so the day hasn't been a total waste. Thanks again for your help and Happy Thanksgiving
  10. I turned on error reporting, but no messages are showing other than the ones I already listed. I thought perhaps there might be a security issue, but I checked C:\PROGRAMDATA\PHP\SESSIONS and there is a file in there called sess_905m06314ibdubru8ko0aqj4d1 which contains the following:

```
testvalue|s:11:"hello world";
```

and it is created when I run the app.
  11. @Pikeachu2000: I changed it so that there is nothing at all before session_start();. My understanding is that $_SESSION is supposed to be "super global" meaning it's available anywhere. What I'm trying to do is prevent users from initially going to a page directly by typing (or saving) the URL--I want them to have to go through the landing page. Would it be better to just avoid session altogether and just post a hidden form variable on the landing page and test for that on subsequent pages? For clarity, I made two stripped down, rewritten pages where the code STILL doesn't work, i.e. print "Hello World".

WEB PAGE ONE.PHP:

```php
<?PHP session_start(); ?>
<html>
<head>
<title>Page One</title>
</head><body>
<?PHP $_SESSION['testvalue'] = "Hello World"; ?>
<p><a href="pagetwo.php">Click here</a> to see page two</p>
</body></html>
```

WEB PAGE TWO.PHP:

```php
<?PHP session_start(); ?>
<html>
<head>
<title>Page Two</title>
</head><body>
<?PHP echo $_SESSION['testvalue']; ?>
<br>
</body></html>
```

I run one.php, click the link to open two.php, and instead of a page showing "Hello World" I get:

```
Notice: Undefined index: testvalue in c:\inetpub\wwwroot\two.php
```

Sorry if I seem dense but I'm just not understanding why even this isn't working.
  12. I added a DEBUG print_r statement to the $_SESSION array to see what values are in there and 'valid' IS there and it IS true, so not sure why subsequent pages don't see it:

```
DEBUG: Array ( [maxprivilegelevel] => 3 [valid] => TRUE [rotatingphotocount] => 31 )
```

These are all the variables I wanted set, and they are all being set correctly. On the subsequent pages all that's showing is:

```
DEBUG: Array()
```

so the session is obviously not being stored. Is the session stored in memory or on disk?
  13. Moving the session_start(); to the very very top of the file still causes the same "Undefined index" error, so that didn't change things.
  14. Our office suffered a two-day power outage. Fortunately, it was planned so I did an orderly shut down of the web server. I got the web server back up and running, but now code that was working fine before no longer works and I'm too new to PHP to figure out why. I have this at the start of the "landing" page (this is the page users get to after their password is validated):

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?PHP session_start(); ?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome</title>
</head><body>
<?PHP $_SESSION['valid']='TRUE'; ?>
... code and HTML ...
</body></html>
```

On each subsequent page linked to from the landing page, I have the following code:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?PHP session_start(); ?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Page Title</title>
</head>
<body>
<?php
/// Kick them out if they try to open this page directly
if ($_SESSION['valid']!='TRUE') {
    session_destroy();
    die("<b>You must be logged into this application to use it</b>");
}
?>
... code and html ...
</body></html>
```

This was working perfectly fine until I restarted the server. Now, whenever I click a link that opens another PHP page, I get the error:

```
Notice: Undefined index: valid in C:\inetpub\wwwroot\usermanager\selectuser.php on line 9
You must be logged into this application to use it.
```

Why? How do I fix this? I can't figure out how just restarting a server could change the code from working to non-working. I'm still a bit of a n00b with PHP. Help GREATLY appreciated. Thanks!
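The session file on the server (post 4 above asks about copying it, post 14 checks a flag in it) is only ever reached through the session id the browser presents in its cookie, so the questions in both posts come down to how that id is issued, accepted and checked. The include below is an added example written for this page, not sf_guy's code or anything from the thread: it tests the flag with isset() so a visitor who never logged in gets a redirect instead of an "Undefined index" notice, issues a fresh id at login so an id obtained before login (or a saved old one) is not honoured afterwards, refuses ids the server never issued, and sets the cookie flags that keep the id away from scripts and plain HTTP. It assumes every page includes this file before any output, that the site is served over HTTPS, that the login page calls loginUser() after verifying the password, and PHP 7.3 or later (for the array form of session_set_cookie_params()).

```php
<?php
// Added example, not the poster's code: auth.php, included at the very top of
// every page (before the DOCTYPE or any other output, since session_start()
// sends a cookie header).
// Assumptions: HTTPS, PHP >= 7.3, login page calls loginUser() after the
// password check, and /login.php is the login page.
declare(strict_types=1);

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');      // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1');     // never take the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call once, after the password has been verified. */
function loginUser(string $userId, int $privilegeLevel): void
{
    startSecureSession();
    session_regenerate_id(true);             // new id; old session file is deleted
    $_SESSION = [                            // start from a clean array
        'valid'             => true,
        'userid'            => $userId,
        'maxprivilegelevel' => $privilegeLevel,
        'last_seen'         => time(),
    ];
}

/** Put at the top of every protected page. Redirects rather than die()-ing. */
function requireLogin(int $idleSeconds = 1800): void
{
    startSecureSession();
    $ok = isset($_SESSION['valid'], $_SESSION['last_seen'])   // no notice if absent
        && $_SESSION['valid'] === true
        && (time() - (int)$_SESSION['last_seen']) < $idleSeconds;
    if (!$ok) {
        logoutUser();
        header('Location: /login.php', true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();         // sliding idle timeout
}

/** Clears server-side data and expires the cookie. */
function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a protected page, as the first line of the file:
//   <?php require __DIR__ . '/auth.php'; requireLogin(); ?>
// Usage on the login page after the password check succeeds:
//   loginUser($userid, $privilegeLevel); header('Location: /landing.php'); exit;
```

Regarding the copy-and-paste scenario in post 4: the data in sess_... files never leaves the server, and with session_regenerate_id() at login plus use_strict_mode a replayed or guessed id does not map to an authenticated session. What a client does hold is the id in the cookie, which is why the secure and httponly flags and HTTPS matter.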
  15. Thanks, that's what I thought. Not quite ready for ajax yet. Is there a "best practice" way to tell the last id when writing multiple items using PHP? For example, one user may have startdate1, startdate2, and startdate 3 but another user could conceivably have all the way through startdate150. I'm thinking of using a test to see if doc.getelementbyID(startdate + variable) is null and then breaking out of the loop if so. Is that a good way to do it?
  16. I searched for this but couldn't find a definitive answer: Are session variables available immediately? For example, if I have

```php
<head>
<script type="text/javascript">
var stopvalue = <?php echo $_SESSION['maxrows']; ?>;
function validate() {
    for (x = 0; x < stopvalue; x++) {
        // do something
    }
}
</script>
</head>
```

and then, in the <body> on the same page, have

```php
$_SESSION['maxrows'] = $db->Recordcount();
```

Will 'maxrows' be visible to the 'validate' function or not? Thanks, everyone on this forum has been very helpful to this PHP beginner. I know I could just try it and see if it works, but I don't want to go down the path of developing an entire page only to find it won't work (and if it won't work, what's a good alternative?)
  17. I'm trying to use the jquery-ui datepicker function in my PHP database script. Here's the definition:

```javascript
<script type="text/javascript">
$('.dateclass').each(function(){
    $(this).datepicker();
});
</script>
```

And here is where I try to use it:

```php
while($db->nextRecord()){   // walk through all returned rows and create the links
    // Color code every other line
    $counter++;
    if ($counter % 2) {
        printf("<tr>");
    } else {
        printf("<tr bgcolor='e0e0e0'>");
    }
    // Create editable form
    printf("<td><input class='dateclass' type='text' size='10' maxwidth='10' id='startdatepicker%s' name='startdatepicker%s' value='%s' /></td>
            <td><input class='dateclass' type='text' size='10' maxwidth='10' id='enddatepicker%s' name='enddatepicker%s' value='%s' /></td></tr>",
        $counter, $counter, $db->Record['start_date'],
        $counter, $counter, $db->Record['end_date']);
}
```

The date fields never drop down. Any ideas what I'm doing wrong? The following sample I found online works just fine, and the data is filling into the fields correctly from the database:

```html
<input type="text" class="datepick" id="date_1" />
<input type="text" class="datepick" id="date_2" />
<input type="text" class="datepick" id="date_3" />
```

script:

```javascript
$('.datepick').each(function(){
    $(this).datepicker();
});
```
  18. Ugh, I was just told to convert a bunch of PHP mySQL apps I didn't write to run under Oracle. I'm fairly new to PHP and know nothing about Oracle (but am trying to read up as much as I can) Can any of this be accomplished via search and replace, i.e. replacing the mysqli-> calls with Oracle calls, or is it totally different and I'll have to go line by line. Also, Oracle doesn't seem to offer any kind of auto-numbering (or does it?) so a lot of the tables with primary keys based on unique, ascending numbers are going to have to be changed. If someone could post the equivalent of a mysqli "SELECT" and "UPDATE" for Oracle it would be HUGELY appreciated!
  19. Thanks--still learning so this is good to know. I put a hidden field on the form and set it to POST with which operation is required and it works fine now. Thanks again.
  20. I have a form where a superuser can add a new regular user, or edit or delete the information for a regular user. To make deleting harder, they have to type the word "CONFIRM" in a box to cause the delete to occur. The javascript validation for lengths, dupes, etc. is all working fine, but this last bit of code is not (I realize I could just have the .submit() once in the code block but moved it because I thought that might be the issue (apparently it isn't)). INSERT and UPDATE work fine, but DELETE is never seen for some reason.

```javascript
if (passesvalidation == "true") {
    if (v_insert == "TRUE") {
        // Set header
        alert('DEBUG: Insert Confirmed');
        <?PHP $_SESSION['header']='New User Successfully Added'; ?>
        <?PHP $_SESSION['data_action']='INSERT'; ?>
        document.forms["useredit"].submit();
    } else {
        if (v_delete == "CONFIRM") {
            // Set header
            alert('DEBUG: Delete Confirmed');
            <?PHP $_SESSION['header']='User Successfully Deleted'; ?>
            <?PHP $_SESSION['data_action']='DELETE'; ?>
            document.forms["useredit"].submit();
        } else {
            // Set header
            alert('DEBUG: Update Confirmed');
            <?PHP $_SESSION['header']='User Information Changed Successfully'; ?>
            <?PHP $_SESSION['data_action']='UPDATE'; ?>
            document.forms["useredit"].submit();
        }
    }
}
```

On the submission form, I have the following:

```php
switch ($_SESSION['data_action']) {
    case "INSERT":
        $query = "INSERT INTO userlist VALUES ('$userid','$firstname','$lastname',$usertype,'$pw','$email','2025-12-31')";
        break;
    case "UPDATE":
        // if the password reset button is checked, then reset user's password
        if (isset($_POST['fld_resetpassword'])) {
            $query = "UPDATE userlist SET firstname = '$firstname', lastname = '$lastname', usertype = '$usertype', pw = '$pw', email = '$email' WHERE userid = '$userid'";
        } else {
            // otherwise don't change the password
            $query = "UPDATE userlist SET firstname = '$firstname', lastname = '$lastname', usertype = '$usertype', email = '$email' WHERE userid = '$userid'";
        }
        break;
    case "DELETE":
        $query = "DELETE FROM userlist WHERE userid = '$userid'";
        break;
}
```

INSERT works fine. UPDATE works fine. DELETE displays the message "ALERT: DEBUG Delete Confirmed" but then, on the PHP page, the output is:

```
DEBUG: ----------> Data action ------------> UPDATE
DEBUG: ----------> QUERY ------------> UPDATE userlist SET firstname = '... etc. etc.
```

The code is definitely recognizing that it's a delete because the DELETE alert is being triggered, but why isn't the "<?PHP $_SESSION['data_action']='DELETE'; ?>" setting being honored and instead being seen/set as "UPDATE"? Thanks
  21. Thanks, I knew it was something obvious. Had guessed I could probably leave off socket, but didn't know I could leave off port. That means 3306 must be the default? Thanks again.
  22. I've been put in charge of writing a fairly large database app for my company using PHP and I know very little about it, but my boss assumes because I know Access that I can figure out PHP, and I have to a large extent. I've got my queries working fine in terms of SELECT but am having a hard time with INSERT, UPDATE and DELETEs. Here's a sample INSERT that throws three warnings, and fails to update the table, but doesn't cause an error.

```php
<?php
$host="localhost";
$port=3306;
$socket="";
$user="<database user name here>";
$pw="<database password here>";
$dbname="safety";

// Get the user ID and password from sign-in page
$id = $_SESSION['userid'];
echo 'debug' . $id;       // DISPLAYS CORRECTLY
$pass = $_REQUEST['pw'];
echo 'debug' . $pass;     // DISPLAYS CORRECTLY

$mysqli = new mysqli($host, $port, $socket, $user, $pw, $dbname);   // line 62

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed, please report this error to I.T.: %s\n", mysqli_connect_error());
    exit();
}

$query = "UPDATE userlist SET pw = '$pass' WHERE userid = '$id'";
$mysqli->query($query);
$mysqli->close();
?>
```

This code generates 3 warnings, and the database is left unchanged. I have no idea what I'm doing wrong, since I've seen examples like this on other web sites. Help for a newbie is much appreciated! The warnings are:

```
Warning: mysqli::mysqli() expects parameter 5 to be long, string given in C:\inetpub\wwwroot\safetymonitor\changesuccess.php on line 62
Warning: mysqli::query() [mysqli.query]: Couldn't fetch mysqli in C:\inetpub\wwwroot\safetymonitor\changesuccess.php on line 71   // I'm not trying to fetch, just write!
Warning: mysqli::close() [mysqli.close]: Couldn't fetch mysqli in C:\inetpub\wwwroot\safetymonitor\changesuccess.php on line 74
```
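The two user-management posts above (20 and 22) share the same shape: the SQL is assembled by interpolating $userid, $pass and the other form fields straight into the statement, the password is stored as typed, and in post 20 the operation comes from a $_SESSION value written while the previous page was rendered (PHP inside a JavaScript block runs on the server when the page is generated, not when the alert fires), which post 19 later replaces with a hidden POST field. The script below is an added example written for this page, not sf_guy's code: it calls the mysqli constructor with its real argument order (host, user, password, database, port, socket), binds every value through a prepared statement so a form field such as `' OR '1'='1` is only ever data, stores a password hash, takes the operation from a POST field checked against a fixed list, and repeats the CONFIRM check on the server since JavaScript checks can be skipped. The table layout, the superuser privilege level of 3 (from the print_r() output in post 12) and the field names are assumptions.

```php
<?php
// Added example, not the poster's code: the submission page for the
// add/edit/delete user form, done with prepared statements.
// Assumed table (hypothetical):
//   userlist(userid, firstname, lastname, usertype, pw, email, expires)
// Assumed session layout (from the poster's debug output): 'valid', 'maxprivilegelevel'.
declare(strict_types=1);
session_start();

// Only a logged-in superuser may manage accounts; never trust the form alone.
if (empty($_SESSION['valid']) || (int)($_SESSION['maxprivilegelevel'] ?? 0) < 3) {
    http_response_code(403);
    exit('Not permitted');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // exceptions, not silent failure
// Real argument order: host, user, password, database, port, socket.
$db = new mysqli('localhost', '<database user name here>', '<database password here>', 'safety', 3306);
$db->set_charset('utf8mb4');

// The operation comes from a hidden POST field and must match the list exactly.
$action = (string)($_POST['data_action'] ?? '');
if (!in_array($action, ['INSERT', 'UPDATE', 'DELETE'], true)) {
    http_response_code(400);
    exit('Unknown operation');
}

$userid    = trim((string)($_POST['userid'] ?? ''));
$firstname = trim((string)($_POST['firstname'] ?? ''));
$lastname  = trim((string)($_POST['lastname'] ?? ''));
$usertype  = (int)($_POST['usertype'] ?? 0);
$email     = trim((string)($_POST['email'] ?? ''));
$password  = (string)($_POST['pw'] ?? '');

if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $userid)) {
    http_response_code(400);
    exit('Invalid user id');
}

switch ($action) {
    case 'INSERT':
        $stmt = $db->prepare(
            'INSERT INTO userlist (userid, firstname, lastname, usertype, pw, email, expires)
             VALUES (?, ?, ?, ?, ?, ?, ?)'
        );
        $hash    = password_hash($password, PASSWORD_DEFAULT);   // never store the plain password
        $expires = '2025-12-31';
        $stmt->bind_param('sssisss', $userid, $firstname, $lastname, $usertype, $hash, $email, $expires);
        break;

    case 'UPDATE':
        if (isset($_POST['fld_resetpassword'])) {
            $stmt = $db->prepare(
                'UPDATE userlist SET firstname = ?, lastname = ?, usertype = ?, pw = ?, email = ?
                 WHERE userid = ?'
            );
            $hash = password_hash($password, PASSWORD_DEFAULT);
            $stmt->bind_param('ssisss', $firstname, $lastname, $usertype, $hash, $email, $userid);
        } else {
            $stmt = $db->prepare(
                'UPDATE userlist SET firstname = ?, lastname = ?, usertype = ?, email = ?
                 WHERE userid = ?'
            );
            $stmt->bind_param('ssiss', $firstname, $lastname, $usertype, $email, $userid);
        }
        break;

    case 'DELETE':
        if (($_POST['confirm'] ?? '') !== 'CONFIRM') {   // server-side copy of the JS check
            http_response_code(400);
            exit('Delete not confirmed');
        }
        $stmt = $db->prepare('DELETE FROM userlist WHERE userid = ?');
        $stmt->bind_param('s', $userid);
        break;
}

$stmt->execute();
$affected = $stmt->affected_rows;
$stmt->close();
$db->close();

$_SESSION['header'] = "$action completed ($affected row(s) affected)";
header('Location: /useredit.php', true, 303);   // redirect after POST
exit;
```

Once pw holds a hash, the sign-in page compares with password_verify($typed, $row['pw']) instead of matching the column against the submitted text, and the password-change script from post 22 becomes the same prepared UPDATE with the hash bound in place of $pass. The MYSQLI_REPORT_STRICT setting is what turns the "Couldn't fetch mysqli" warnings into an exception at the constructor, where the fault actually is.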