ajoo (Members) - 871 posts - Days Won: 1
Everything posted by ajoo
-
mysqli prepared statements on tables joined by a common value
ajoo replied to ajoo's topic in MySQL Help
Hi Ch0cu3r, Thanks for the reply and the suggestion. I will definitely make the switch. Would that be better from a security point of view or for any number of other reasons? I am asking so that many others like me would be clear about it. Thanks very much.
-
Hi, I have the following query:

SELECT user_details.User_club_ID, user_details.fname, user_details.lname, user_details.email, user_details.club_No, club.CLUBCODE, club.club_id FROM user_details, club WHERE club_id = $cid AND user_details.club_No = club.CLUBCODE AND user_status = 'active'

which I converted to a prepared statement as

SELECT user_details.User_club_ID, user_details.fname, user_details.lname, user_details.email, user_details.club_No, club.CLUBCODE, club.club_id FROM user_details, club WHERE club_id = ? AND user_details.club_No = club.CLUBCODE AND user_status = ?

Please note that user_status is a field in the table user_details. The original query (non-PDO) works correctly. I want to know if this is correct and that the comparison in the WHERE clause, i.e. user_details.club_No = club.CLUBCODE, is security safe. If not, then how should this be modified? Also, if there is a better way to write this statement, kindly show that as well. Thanks all!
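The same join written as a mysqli prepared statement, as an added example (not the poster's code; connection credentials, the `cid` query parameter and the use of PHP 7.4+ are assumptions). The two values that come from the request, the club id and the status, are bound as parameters. The join condition `user_details.club_No = club.CLUBCODE` compares two columns and contains no user input, so it stays in the SQL text; column and table names cannot be bound as parameters anyway.

```php
<?php
// Added example, not the original post's code. Connection details are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$db = new mysqli('localhost', 'app_user', 'app_password', 'clubdb'); // assumed credentials
$db->set_charset('utf8mb4'); // charset negotiated on the connection, not via "SET NAMES"

/**
 * Fetch the active members of one club.
 *
 * Only the two request-supplied values ($clubId, $status) are bound. The join
 * predicate ud.club_No = c.CLUBCODE is column-to-column, carries no user data,
 * and therefore has no injection surface; it is plain SQL text.
 */
function activeMembersOfClub(mysqli $db, int $clubId, string $status = 'active'): array
{
    $sql = 'SELECT ud.User_club_ID, ud.fname, ud.lname, ud.email, ud.club_No,
                   c.CLUBCODE, c.club_id
            FROM user_details AS ud
            INNER JOIN club AS c ON ud.club_No = c.CLUBCODE
            WHERE c.club_id = ? AND ud.user_status = ?';

    $stmt = $db->prepare($sql);
    $stmt->bind_param('is', $clubId, $status); // i = integer, s = string
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() requires mysqlnd
    $stmt->close();
    return $rows;
}

// Validate the id before it reaches the query: null = missing, false = not an int >= 1
$cid = filter_input(INPUT_GET, 'cid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($cid === null || $cid === false) {
    http_response_code(400);
    exit('Missing or invalid club id');
}

foreach (activeMembersOfClub($db, $cid) as $row) {
    // Escape on output: names and e-mail addresses are data, not HTML
    echo htmlspecialchars($row['fname'] . ' ' . $row['lname'], ENT_QUOTES, 'UTF-8'), ' <',
         htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), ">\n";
}
```

The explicit `INNER JOIN ... ON` form is equivalent to the comma join in the post; it just keeps the join condition separate from the filter conditions so the parameterised parts are easy to spot.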
-
Hi Thanks Winston, That was good reading. Well I guess gaps are good. Guru Barand is always right. Thanks !
-
Hi Guru Barand, Thanks for the response. Well the missing id=7 doesn't matter really and the database will function correctly as you said. It's just that I feel that in a multi-user app it could result in a whole lot of lost ids and since the corresponding entries in different tables would have different values it could result in confusion especially if the number of entries is large. I mean if there is a way to keep the correspondence simple without much work then I would like to know and if it can be achieved in a simple manner I would like to implement it. Thanks loads for now and for so many times previously.
-
Hi everyone, I have an application that makes use of a transaction, inserting and updating values in different tables. One of the first tables it inserts into has an auto increment ID field. This ID value is used / updated in some other tables. Everything works fine. If however the transaction fails then the auto_increment values are upset, meaning that the sequence is jumped. For example, if I had auto_increment values from 1 to 6 in this table and then the insert query fails for an auto_increment value of ID=7, then this value of ID = 7 is lost because the next time the query is run the auto_increment ID value will be equal to 8 and accordingly updated in the tables. ID value = 7 is lost. Is there any way to prevent this? Please know that this is a multi-user application. Thanks.
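An added example (not the poster's code; table names, columns and credentials are assumptions) of the pattern the post describes: insert the parent row, read its AUTO_INCREMENT id, and write the dependent rows inside the same transaction. InnoDB assigns the AUTO_INCREMENT value when the INSERT executes, not at COMMIT, and a rolled-back INSERT does not return its value, so the gap at 7 is expected; what matters for correctness is that every child row referencing an id was committed together with its parent, which this shape guarantees.

```php
<?php
// Added example, not from the original thread. Schema and credentials are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'clubdb'); // assumed
$db->set_charset('utf8mb4');

/**
 * Create a member plus the rows that reference it, atomically.
 * Returns the new id or throws; on failure nothing is committed.
 *
 * The id comes from $db->insert_id, which is per-connection: two users inserting
 * at the same time each get their own value, so there is no mix-up in a
 * multi-user application. A failed attempt consumes its AUTO_INCREMENT value
 * (InnoDB does not hand it back), leaving a gap that has no effect on integrity.
 */
function createMember(mysqli $db, string $fname, string $email, int $clubNo): int
{
    $db->begin_transaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO user_details (fname, email, club_No, user_status) VALUES (?, ?, ?, ?)'
        );
        $status = 'active';
        $stmt->bind_param('ssis', $fname, $email, $clubNo, $status);
        $stmt->execute();
        $newId = (int) $db->insert_id; // id of *this* connection's last INSERT

        // Child rows use the id from the same transaction; if this INSERT fails,
        // the parent row above is rolled back too, so no orphaned id escapes.
        $stmt = $db->prepare('INSERT INTO member_profile (user_id, created_at) VALUES (?, NOW())');
        $stmt->bind_param('i', $newId);
        $stmt->execute();

        $db->commit();
        return $newId;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e; // the caller decides how to report it
    }
}

try {
    $id = createMember($db, 'Ada', 'ada@example.com', 42); // constructed sample input
    echo "Created member $id\n";
} catch (mysqli_sql_exception $e) {
    error_log('member creation failed: ' . $e->getMessage()); // detail goes to the log, not the user
    echo "Could not create member\n";
}
```

If an unbroken sequence is needed for display (invoice numbers, for instance), it should be a separate column assigned in application code under a lock, not the primary key; the AUTO_INCREMENT key is only an identifier.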
-
Hi, Thanks for the reply. However that is not what I was looking for. I am using mysqli_real_escape_string on the variables of my login form and I want to replace that with input_filters. Can you please suggest what filter would be most apt for login and password fields on my form. I want the username not to exceed 30 characters in length and both the fields to be SQL injection safe. I will use mysqli PDO for the database but I just want to validate my inputs at the point of entry into the program. I don't know if that's something redundant but I believe that it's good practice to validate inputs at the point of entry. At least that's what I have read in Google results. Thanks!
-
Hi all, I have been reading almost everywhere that we should not use our own custom login and password validations (like regex etc.) but instead use the filter_var and filter_input built-in functions provided by PHP 5 and above. However, even after searching for more than an hour with different search strings, I have not found even a single example that shows how we may validate a username/login and password in a login form. Can someone be kind enough to provide strong, secure validations for username and login? Additionally I would also like to clarify if the username and login fields in a login form can be manipulated in any manner to pose a security threat. I mean, can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.
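An added example (not from the thread) covering the two posts above, the username length limit of 30 and the request for a filter-based check on both login fields. The field names `login` and `password` match the poster's form; the username alphabet, the 8 to 72 byte password bounds and PHP 7.4+ are assumptions. Note what this does and does not do: it decides whether the submitted values are acceptable, but SQL injection safety comes from binding the username as a prepared-statement parameter, which must happen regardless of what validation accepts.

```php
<?php
// Added example, not from the original thread. Limits and alphabet are assumptions.
const USERNAME_MAX = 30;
const PASSWORD_MIN = 8;
const PASSWORD_MAX = 72; // bcrypt, the password_hash() default, reads only the first 72 bytes

/**
 * Validate the two login fields.
 * Returns ['errors' => [...]] on failure, or ['login' => ..., 'password' => ...] on success.
 *
 * This is validation, not SQL protection: the lookup query must still bind
 * $login as a parameter, and the password is only ever passed to
 * password_verify() against a stored password_hash() value, never into SQL.
 */
function validateLoginInput(array $post): array
{
    $errors = [];

    // Username: letters, digits, dot, underscore, hyphen; 1..30 chars. Anchored with
    // \A ... \z so a trailing newline cannot sneak past a $-anchored pattern.
    // A non-string (login[]=x) fails too: filter_var() returns false for arrays.
    $login = filter_var($post['login'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/\A[A-Za-z0-9._-]{1,' . USERNAME_MAX . '}\z/']]);
    if ($login === false) {
        $errors[] = 'Username: 1-' . USERNAME_MAX . ' characters from A-Z, a-z, 0-9, . _ -';
    }

    // Password: no character restrictions (they only shrink the keyspace). Check the
    // byte length, which is what bcrypt sees, and insist on well-formed UTF-8.
    $password = $post['password'] ?? '';
    if (!is_string($password) || !mb_check_encoding($password, 'UTF-8')) {
        $errors[] = 'Password must be a valid UTF-8 string';
    } elseif (strlen($password) < PASSWORD_MIN || strlen($password) > PASSWORD_MAX) {
        $errors[] = 'Password must be ' . PASSWORD_MIN . '-' . PASSWORD_MAX . ' bytes long';
    }

    return $errors ? ['errors' => $errors] : ['login' => $login, 'password' => $password];
}

// Constructed inputs for illustration: one clean, one with an injection-looking username.
foreach ([
    ['login' => 'ajoo', 'password' => 'correct horse battery staple'],
    ['login' => "ajoo' OR 1=1 --", 'password' => 'short'],
] as $sample) {
    $r = validateLoginInput($sample);
    echo isset($r['errors']) ? implode("\n", $r['errors']) : 'accepted: ' . $r['login'], "\n";
}
```

The second sample is rejected by the username pattern, but that is a side effect of the alphabet, not the defence: a username such as `O'Brien` would be legitimate under a looser rule and is still harmless when bound as a parameter.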
-
Hi Jacques, Thanks for that information. I use mysqli as of now. I have to read up on PDO. Will be a while before I use it though. I'll bear in mind this piece of information. Thanks.
-
Hi Psycho, Thanks for the response. Yeah, I am all mixed up reading security and related stuff, especially the ones you mention, sanitization and validation. I just mixed two issues by mistake. What I wanted to know was (with an example) whether there can be security issues related to using a particular character set like UTF-8, and any particular precautions that need to be taken when using UTF-8. If there are any then please let me know. Thanks for the reply.
-
Hi Jacques, I am sorry, I think I mixed up the issue of mysql_real_escape_string with the utf-8 character encoding, the two issues that I read about today. As for the other errors in the script, I am aware of them. Thanks for the reply and sorry for this mix up.
-
Hi everybody! Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on UTF-8 and am still lost on certain aspects related to PHP security. Consider the simple script below:

<?php
//error_reporting(E_ALL & ~E_NOTICE);
session_start();
if(isset($_POST['login'], $_POST['password'])) {
    $login = $_POST['login'];
    $password = $_POST['password'];
    if(!empty($login) && !empty($password)) {
        //echo "Ok";
        echo "Welcome ". $login;
        echo "<br> Your password is $password ";
    }
}
?>
<html>
<body>
<form action="welcome2.php" method="post">
Name: <input type="text" name="login" />
Password: <input type="password" name="password" />
<input type="submit" name="submit"/>
</form>
</body>
</html>

It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then:
1. How could it be exploited to pass a string that would effectively break through this login? It would be great if someone can demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that the use of a regex to limit the use of special characters in passwords is not good. So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place, what should be done?
There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked. Thanks all.
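A hardened rewrite of the script above, added here as an example (it is not the poster's code or a reply from the thread; `welcome2.php` is kept from the post, the helper names, byte limits and PHP 7.4+ are assumptions). Two things about the original are worth separating. First, `echo "Welcome ". $login;` writes the submitted name into the page unescaped, so a name containing markup is rendered as markup (cross-site scripting); that holds in any charset. Second, the charset-specific risk is on the database side: `mysqli_real_escape_string` escapes according to the connection's character set, so if the connection is not actually set to the charset the application assumes, multibyte sequences can defeat the escaping. The fix for that is `$db->set_charset('utf8mb4')` before any escaping, or, better, binding values with prepared statements, where escaping does not happen at all.

```php
<?php
// Added hardened version of the posted script (not the poster's own code).
// Assumes PHP 7.4+ with the mbstring extension.
session_start();
header('Content-Type: text/html; charset=UTF-8'); // declare the encoding explicitly

/** HTML-escape for output into UTF-8 HTML; invalid byte sequences become U+FFFD. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only a non-empty string that is well-formed UTF-8 and within a byte limit. */
function utf8Field(array $src, string $name, int $maxBytes): ?string
{
    $v = $src[$name] ?? null; // a missing field, or an array from name[]=x, is rejected
    if (!is_string($v) || $v === '' || strlen($v) > $maxBytes || !mb_check_encoding($v, 'UTF-8')) {
        return null;
    }
    return $v;
}

$login    = utf8Field($_POST, 'login', 30);    // 30-char limit from the poster's requirement
$password = utf8Field($_POST, 'password', 72); // bcrypt reads at most 72 bytes

if ($login !== null && $password !== null) {
    // Never echo the password back. The name goes through h(), so a value such as
    // <script>...</script> or "onmouseover=... is shown as text, not executed.
    echo 'Welcome ' . h($login) . "<br>\n";
    // A real login would now do: prepared statement lookup by $login, then
    // password_verify($password, $row['pw_hash']).
}
?>
<html>
<body>
<form action="welcome2.php" method="post" accept-charset="UTF-8">
Name: <input type="text" name="login" maxlength="30" />
Password: <input type="password" name="password" />
<input type="submit" name="submit" />
</form>
</body>
</html>
```

On question 3: the password is never displayed or placed in SQL text, so it needs no character restrictions; the only checks that matter are a byte-length bound and, for convenience in logging and error messages, valid UTF-8.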
-
Wow!! Thanks for that information as well. Wonder what would be next on the security front. By the way I was wrong about the attack that I thought was XSS. That is a CSRF attack. Thanks everybody.
8 replies. Tagged with: input filteration (and 1 more)
-
Thanks Guru Barand, Will do so. I have a few more questions that have occurred to me and which I would like to clarify. I had asked above "What sort of attack would the hacker need to make to send data to the website from a different page?"
1. Would that not be an XSS attack?
2. Is that not prevented by issuing and then checking for the value of a random token string in the forms? Sure I would still use sanitization on the input data but I am just asking this for my own understanding.
Also QucikOldCar said "Because someone can use curl and do a POST or make their own form and direct it to your script."
3. Since I am trying to implement captcha on a login form, I am wondering if someone can create POST data using curl or a form, won't the same person be able to also generate captcha values and send them too, thus defeating the purpose of captcha? I am not so sure about this one though because I feel that captcha values are server generated and the hacker would not be able to generate those on his own. Kindly clarify. Thanks all.
-
Hi QOC, Thanks for that tip. Yes I am sanitizing the incoming data. Another thing that I wish to ask is that if I am sanitising a number by using a regex, is it possible for me to add a limit to the numbers as well? E.g. if I use a regex like this: \Aall\z|[0-9]{1,2} , then this checks for the word 'all' or numbers from 1 to 999. What if I wanted to limit the highest number to 49, that is, I wanted numbers from 0 to a max number of 49; then how can I do that? Thanks.
-
Hi Guru Barand!! Grateful to you for your help earlier and this reply. Yes I totally overlooked that. What sort of attack would the hacker need to make to send data to the website from a different page? Thank you again.
-
Hi all! While it is clear that the input in an input text box requires to be filtered or sanitized, it is not clear to me if and why the input of a dropdown menu / checkboxes / radio buttons would require to be filtered or sanitized. Can someone tell me if these inputs require sanitization? If yes, can you please explain how these would pose a security threat if left unsanitized. Thanks!
-
Hi, Looking up to some of the gurus to reply to this oft asked yet very controversial question once again. Thanks !
-
Hi all! I came across the sec_session_start() function to start a secure session and I have used it. However I have come across so many comments on the usage of this function recently, many of which suggest that this is quite useless, an overkill etc. etc. and that using HTTPS is the best option, and there too there are opinions that it has its own overheads and so on. So I would like to ask what purpose does this function serve? How good is it really? Should we use it or not? The most controversial part of this function seems to be the session_regenerate_id(), which seems to create unwanted logouts and lost sessions. While this is apparently supposed to be used to prevent session hijacking or session fixation, I have again come across comments which say it is not advisable to use this function, like it's of no use to deploy this function and should be avoided. Here is the function as I use it.

function sec_session_start() {
    $session_name = 'sec_session_id';
    $secure = false; // Set to true if using https.
    $httponly = true;
    ini_set('session.use_only_cookies', 1);
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name);
    session_start(); // Start the php session
    session_regenerate_id(); // regenerate the session id
}

And I use it on all the pages at the very top. It seems to work fine. I would be very happy to know the truth about this function and its usage. Thanks loads.
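An added example (not the poster's function, and not a reply from the thread) showing the same hardening split into two steps: session start on every page, and id regeneration only at login. Calling `session_regenerate_id()` on every request, as the posted function does, is what produces the lost sessions people complain about: when two requests from the same browser run concurrently (an AJAX call, a second tab), the first one invalidates the id before the second arrives. Regenerating once at the privilege change is what defeats session fixation, and `session.use_strict_mode` closes the remaining fixation path by refusing ids the server never issued. Function names are assumptions; `session.cookie_samesite` needs PHP 7.3+.

```php
<?php
// Added example, not the poster's function. Same ingredients (cookie-only sessions,
// HttpOnly, custom name), but the id is regenerated at login, not on every request.

/** Start the session with hardened settings. Call at the top of every page. */
function secure_session_start(): void
{
    // Secure flag only when actually served over HTTPS, otherwise the cookie is never sent.
    $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (fixation)
    ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
    ini_set('session.cookie_secure', $secure ? '1' : '0');
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+: not sent on cross-site POSTs

    session_name('sec_session_id');
    session_start();
}

/**
 * Call once, right after the password check succeeds. The fresh id means any id an
 * attacker planted or captured before login is not valid for the logged-in session.
 * Passing true deletes the old session file instead of leaving it readable.
 */
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

/** Log out: clear the data, expire the cookie, destroy the server-side session. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

secure_session_start();
// ... after password_verify() succeeds:  login_user($row['id']);
// ... on the logout action:              logout_user();
```

Without HTTPS none of this stops a network attacker who can read the cookie off the wire; the settings above limit what a script on the page or a forged cross-site request can do, and HTTPS is what protects the cookie in transit.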
-
how to access xampp server on a local home network
ajoo replied to ajoo's topic in Apache HTTP Server
Hi, Thanks Ch0cur3, yes it has worked. The small caps ip did the trick, and I tried so many combinations but I guess I missed playing with the CASE. I did also get it to work with "Require all Granted" but I was looking to give selected access just like you showed me. Thanks again!! I will have some more follow up questions and would be back again later. Thanks again!
6 replies. Tagged with: simple xampp server client (and 1 more)
-
how to access xampp server on a local home network
ajoo replied to ajoo's topic in Apache HTTP Server
Hi, Thanks again for the reply. I tried making the changes as suggested. Require IP 192.168.2.104 (new ipv4) is not accepted by xampp. The server gives an error once restarted and stops. So I tried instead Allow from 192.168.2, Allow from 192.168.2.104, Allow from 192.168.2.104/8 (separately) after the Require local, and all were accepted since the server started, but in all the cases I still got the same error exactly as below:

Access forbidden!
New XAMPP security concept: Access to the requested object is only available from the local network. This setting can be configured in the file "httpd-xampp.conf".
If you think this is a server error, please contact the webmaster.
Error 403
192.168.2.104
Apache/2.4.9 (Win32) OpenSSL/1.0.1g PHP/5.5.11

Please look into it once again and suggest further. Thanks
-
how to access xampp server on a local home network
ajoo replied to ajoo's topic in Apache HTTP Server
Hi, Thanks for the reply. I just tried as you suggested (http://192.168.2.107/xampp from the Windows XP machine) and I got an error page saying that this is the new xampp security feature and that only a computer on a local network can access the page. Strangely, I am trying to access the page from a local network!?? It further said that the setting could be modified in httpd-xampp.conf. It also gave a 403 error. I am sorry but I am unable to copy and send the exact page right now. I'll try and see if I can send the exact page later. Meanwhile suggest further. Let me know if any further input is required from me. Thanks.
-
Hi all, I have a networking issue. I'll define the problem. I have two computers home networked via a wifi modem cum router. One is a laptop with Windows 7 and the other is a Windows XP machine. The home network works fine. I am able to view the shared files of each of the computers from the other one. Now I have a xampp server running on the Windows 7 laptop as a localhost. The localhost runs just fine. I am able to access my local website from my laptop. However I want to use the Windows XP machine to access the website being served by the Windows 7 laptop via the home network.

Windows 7 laptop (server): IPv4 address 192.168.2.107
Windows XP machine (client): IPv4 address 192.168.2.107

Please can someone guide me on this. What all changes would I need to make in the configuration files and all such details. Thanks all
-
Hi ginerjm & Jacques1, Thanks very much for the reply & suggestions. I have been following most of those. As suggested by ginerjm, I have gone down most of my code along various paths but chances are that some of those paths may have been left unexplored by chance. I have had the error reporting left on so I was informed of all errors, warnings and notices, and I have taken care of those as far as I could, or at least all those that were reported. As suggested by Jacques1, I have tried to read as much on security as possible and also changed my login script to incorporate SHA-512 bcrypt where earlier I had used md5 hashing. I have gone through the OWASP list and tried to incorporate whatever I could. Security, as everyone knows, is a daunting task made more so by its ever changing dynamic nature (rectify one issue only to know that another has sprung up). I therefore cannot say that I have very secure code here but yes, I have read and taken as many precautions as I could. I have checked that the data going into the database is correct as well. The problem is to simulate a test to test the application with many users simultaneously logged in and working on it at the same time. I would like to be able to identify any conflicts in the database due to an increased number of simultaneous users. I would like to add that I have used InnoDB for tables where I need to UPDATE and INSERT information, thereby using their inherent table (row level) sharing properties to avoid conflicts during these operations. However, to be able to see how well table sharing issues are handled by the application, I would like to be able to devise some test for it using some available tools. Also I would like to test the system on a localhost server. Any further information on this would be very welcome.
I would also like to know how I may be able to connect my localhost server to work with a few more local machines at my work place through a wifi network, again to be able to test the application locally with a few real time users working on it simultaneously. Thanks very much.
3 replies. Tagged with: loginscript (and 1 more)
-
Hi to all! I would like to ask:
1. What is the best way to / or how to best test a multi-user login script?
2. The best way to test a multi-user website that saves data from the users into a database. Are there any tools that can help me in testing my work locally on a localhost before I move them out to a website?
I have heard that testing routines can be written for such purposes to automate the testing. If so, where should I begin to look for them? I have no idea at all about writing test routines / scripts. A tutorial, if any exists, would be a good place to start. Thanks very much.