jdlev
Everything posted by jdlev

  1. So I've reviewed my site with some OTC website vulnerability scanners, and think I have most of the holes closed. I'd like to see if anyone can hack it if they're up to the task. Here is the [removed link]. The main page is a basic login script which has a small user account mgmt system behind it. It's my first 'real' PHP site, so any advice is appreciated.
  2. Hi guys, I've learned a lot about formatting a mysql/php based website. I've got a User Interface, with access to individual accounts all setup. Now I want to test the security. Is there a good service out there that checks your website/webserver for vulnerabilities? Thanks! ~Jeff
  3. So MySQL will only take the date/time fields as 2012-11-12 and 8:00. What if I wanted to save/display the date as 11/12/12 instead and the time as 8:00am?
  4. Ok...let's head in a different direction. I'm able to view all records associated with a username, and only that username. Here's what I want to do now. I want to give the user two options. I want to allow them to select one of the records and update or delete it. How would I do that? Do I need to create a unique ID for each funeral event? I assume that's the case. Then maybe just bind the checkbox that is created dynamically to the event ID? Person clicks submit, and the browser sends them to the next page where they can update their fields?
  5. Crap! When the user submits information in the form, it goes to a universal database of all accounts. So I send the account number session variable in with the form data to be sorted later. Any suggestions on making it more secure? I could make it so the username associated with an account HAS to match the acct number in order to run the query to update/edit/delete records, I guess? Then, even if they could change their acct number in Firebug, they couldn't change their username because they wouldn't know the password to log in with? Thanks for your help daveyk
  6. Well, figured out the answer to my own question, but I'm still curious about the ability to view session variables? For anyone else wondering...you can pull in a session variable to a hidden field like so (the value is HTML-escaped so a stored name cannot break out of the attribute):

    <input type="hidden" name="loginName" id="loginName" value="<?php echo htmlspecialchars($_SESSION['MM_loginName']); ?>" />
  7. Here's the deal. My user auth. carries a session variable that is a user's account number. Whenever they submit a form, I want their account number to submit with the rest of the information on the form. I assume I should use a hidden field? Can someone post an example of the coding I would use to make the hidden field equal to the session variable? One other question on session variables. Can a user see them, like in their cookies or somewhere? I'd like to keep the session variable private to improve security if I could. TIA!
  8. Hi guys, Had a few questions. First off, my gear. Using CS5.5 for development with Server 2003 IIS 6.0. What I'm developing is pretty straightforward, and has the following features: 1) Secure form people use to register company info & user info. 2) Once logged in, users will be able to post/update/edit/delete information about funerals to a universal funeral info database. 3) There will be two types of user accounts. An admin that can see all funeral information from all funeral homes, and then funeral home accounts that will only be able to see their individual account data. That's it...so I had a few questions... 1) I've been able to create a registration form pretty easily, and it posts to my database no problem. Only one issue that I can see right now. The password column shows the actual password...no encryption. Is there an easy way to encrypt the passwords that won't harm a user's ability to access their individual account? 2) I'm using Dreamweaver's user authentication to allow access to restricted areas within the web site. When a person logs in, it verifies their information by checking their username/pwd. Then it further restricts a person's ability to view everything by fetching an access level associated with each user. I was able to echo and print the access level variable, which correlates to the user's account number. I want to use this information in a dynamic page that lists all records (funerals) associated with that account number. I can do that easily enough, but is PHP secure enough to prevent someone from logging in with a username & password and simply changing the account number (aka access level), and then running amok with the funeral listings? Is that what's called an SQL injection attack? 3) I suppose I could add some more security, but not sure if it would help? What if, instead of just searching the account number for their funeral information, it matched their account number AND the name of the company when it pulled in information from the universal database? I want to make sure this is secure since we're dealing with funeral homes. It would take a sick #$#@ to screw with someone's funeral information, but I'd rather be safe than sorry. Thanks for any advice folks
  9. I'm hoping to use PHP to try and do something...I am trying to create a way for our customers to manage their contact information. Basically, what I want them to be able to do is enter a person's name, and then select from a list what contact method they will be using. For instance, if they select "phone", fields relating to phone will appear below the Contact Name, Title, & Contact Type fields. If they select "email", fields relating to email will appear below the Contact Name, Title & Contact Type fields. Here's an example:

    For phone entry:
        Contact Name
        Title
        Contact Type (upon selection - subform appears)
        (Field Dynamically Appears ->) Phone
        (Field Dynamically Appears ->) Phone Carrier
        (Field Dynamically Appears ->) Contact Notes

    For email entry:
        Contact Name
        Title
        Contact Type (upon selection - subform appears)
        (Field Dynamically Appears ->) Email Address
        (Field Dynamically Appears ->) Email Subject
        (Field Dynamically Appears ->) Contact Notes

    Thanks for any help! Jeff
  10. I am trying to have a php sql statement create multiple tables in one sql statement. How would I do that?
  11. Page Layout

    Awesome! Thanks!!!
  12. Page Layout

    This may be more of an HTML question, but here goes. I have an image that functions as the backdrop to my website. Basically, the image is 800 pixels wide. It is then placed into a table that is centered on the page, so the web page should always be in the center of the page, with a background behind it. Now, on this image, I am trying to figure out how certain parts of the image will act as hyperlinks. I have tried adding a layer over the top of the image, but the layer is static and won't stay centered with the image, so the hyperlink will shift based on the size of the window that is open because the image is supposed to stay centered. Let's say on the image there is the wording "home"; just over where it says home on the image, I want to create a hyperlink to take them back to the home page. Over the part of the image where it says "contact us", I want this area of the image to take them to the contact page. The page needs to stay centered, and the area for the people to click on to take them to a particular page needs to stay centered as well. Thanks for any help!
  13. I haven't seen any...do I need to enable anything in the php.ini file in order to see some errors that I might be missing?
  14. For whatever reason, session_regenerate_id() screwed up my authentication system in PHP. If I remove session_regenerate_id(), it works just fine, and creates 1 session file that contains data in the temp folder. If I leave session_regenerate_id() in there, it produces 2 session files after login, and won't allow access to the secured areas - it says authentication denied. Of the 2 session files it produces, one has data in it which is correct. The other has no data in it. There's not really any code, and I've never used session_regenerate_id() before so I'm not sure if I'm using the wrong syntax? Basically, what happens is that there is an if statement where if the user's name & password are found in the database, it regenerates the session id...so it's basically like this: if(user in database & password good) { session_regenerate_id(); }
  15. There is still a lot of disk space remaining, so I don't think that is it. I think it might be a file rights issue? It writes the session files to the C:/WINNT/TEMP folder. Perhaps it doesn't have the ability to make changes to the file? If that is the case, which user do I need to grant access to the TEMP folder, and what level permission should I grant them. I'm trying to keep the site as secure as possible.
  16. Here's the code:

    <?php
    //Start session
    session_start();
    //Include database connection details
    require_once('config.php');
    //Array to store validation errors
    $errmsg_arr = array();
    //Validation error flag
    $errflag = false;
    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }
    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }
    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);
    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }
    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: login-form.php");
        exit();
    }
    //Create query (md5 of the raw POST value is hex-only, so it needs no escaping;
    //a salted hash such as password_hash() would be the stronger choice)
    $qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
    $result=mysql_query($qry);
    //Check whether the query was successful or not
    if($result) {
        //A matching member means at least one row; the original "== 0" ran the
        //success branch only when nobody matched, which left the session empty
        if(mysql_num_rows($result) > 0) {
            //Login Successful: new session id; true deletes the old session file
            //so only one file remains in the temp folder
            session_regenerate_id(true);
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location: member-index.php");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
    ?>
  17. Can anyone think of any ideas why the following code would create a session file, and then not put anything in it? It's basically a session file with absolutely nothing in it? Any help is greatly appreciated - TIA!
  18. Can you do that in phpMyAdmin? Also, what purpose does a join serve? I guess the real question is, do I gain anything by separating the customer aspects into separate tables, or should I just make one massive table with 80 columns?
  19. I'm working on creating a profile page for individuals. The problem is, there is a heck of a lot of columns. I'll be honest, I don't know a lot (well anything really) about linking tables in a database together, or if I should even bother linking tables in a database together. To give you a brief example, I have a database, we'll call it "customers", and in this database I have tables: General_Information, Interests, and Pictures. I want to basically have a page display the current information from each of these tables on a 'profile page', and allow the user to add/edit/delete things from their profile. Now each of these tables has the exact same column: "CustomerID". Should I set up a relational table structure where it will automatically update the three tables? Is there any advantage to a relational database structure? -or- Should I just create a massive single table in this database that has every field accounted for (about 70-80 total columns)? TIA for any advice!
  20. I set up a whole other table and tested it. It was a combination of the fact that the table was the same name as the db and that I had some bad syntax. I have another issue. For whatever reason, when it imports the names of individuals into the database, it gets their full name, however, when you click on the person's name, the get function is supposed to put their full name in the URL - it doesn't. It only puts their first name in there? How do I put their full name in there? So instead of "myaddress.php?name=Bob", I get "myaddress.php?name=Bob+Saget" Thanks for all the help so far, I think this is the last step!
  21. Do you need to use a select statement before an update statement? What if the database and table are named the same thing, could that cause a problem?
  22. Here's what I got! You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''database' SET 'C' = 'me' WHERE 'C' = 'OPEN' LIMIT 1' at line 1
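Posts 5 through 8, 14 and 16 above circle one design question: how a PHP/MySQL membership site keeps a logged-in funeral home from reading or editing another account's records when any field in the browser (hidden inputs included) can be edited in Firebug. The script below is an added example, not jdlev's code or anything posted in these threads. It keeps the account number server-side in the session, stores passwords with password_hash(), regenerates the session id on login, and scopes every query with prepared statements. It runs against an in-memory SQLite database through PDO so it can be executed offline; the table and column names (members, funerals, account_id, deceased, service_at) and the sample rows are constructed for this example.

```php
<?php
// Added example (not jdlev's code): account-scoped access control for a PHP membership site.
// Demonstrated against in-memory SQLite via PDO; table/column names are assumptions.
declare(strict_types=1);

session_start(); // must run before any output is sent

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Identifiers are bare or backtick-quoted; single quotes turn them into string literals
// (the "'database' SET 'C' = ..." syntax error in post 22 comes from exactly that).
$pdo->exec("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT UNIQUE, passwd TEXT, account_id INTEGER)");
$pdo->exec("CREATE TABLE funerals (id INTEGER PRIMARY KEY, account_id INTEGER, deceased TEXT, service_at TEXT)");

function registerMember(PDO $pdo, string $login, string $password, int $accountId): void {
    // Store a salted, deliberately slow hash; never the plaintext and not an unsalted md5.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT INTO members (login, passwd, account_id) VALUES (?, ?, ?)");
    $stmt->execute([$login, $hash, $accountId]);
}

function login(PDO $pdo, string $login, string $password): bool {
    // Bound placeholders: the submitted login can never change the query's structure.
    $stmt = $pdo->prepare("SELECT member_id, passwd, account_id FROM members WHERE login = ?");
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passwd'])) {
        return false;
    }
    // Fresh session id at the privilege change; true discards the old session file,
    // so only one file is left in the session save path.
    session_regenerate_id(true);
    // The account number lives only in the server-side session. The browser holds just
    // the session cookie, so there is no hidden field for a user to edit.
    $_SESSION['SESS_MEMBER_ID'] = (int) $row['member_id'];
    $_SESSION['SESS_ACCOUNT_ID'] = (int) $row['account_id'];
    return true;
}

function listMyFunerals(PDO $pdo): array {
    // The scope comes from the session, never from a form field.
    $stmt = $pdo->prepare("SELECT id, deceased, service_at FROM funerals WHERE account_id = ? ORDER BY id");
    $stmt->execute([$_SESSION['SESS_ACCOUNT_ID']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function updateMyFuneral(PDO $pdo, int $id, string $deceased): int {
    // Both the record id AND the session's account id must match, so a record id that
    // belongs to another funeral home updates zero rows instead of someone else's data.
    $stmt = $pdo->prepare("UPDATE funerals SET deceased = ? WHERE id = ? AND account_id = ?");
    $stmt->execute([$deceased, $id, $_SESSION['SESS_ACCOUNT_ID']]);
    return $stmt->rowCount();
}

// Constructed sample data: two funeral homes, one record each.
registerMember($pdo, 'smithfh', 'correct horse battery staple', 1001);
registerMember($pdo, 'jonesfh', 'another-long-passphrase', 1002);
$pdo->exec("INSERT INTO funerals (account_id, deceased, service_at) VALUES
    (1001, 'A. Example', '2012-11-12 08:00:00'),
    (1002, 'B. Example', '2012-11-13 10:00:00')");

var_dump(login($pdo, 'smithfh', 'wrong password'));
var_dump(login($pdo, 'smithfh', 'correct horse battery staple'));
print_r(listMyFunerals($pdo));
echo updateMyFuneral($pdo, 2, 'Tampered'), PHP_EOL;
echo updateMyFuneral($pdo, 1, 'A. Example (updated)'), PHP_EOL;
```

Run it from the command line with the pdo_sqlite extension enabled. The first login attempt fails on password_verify(), the second succeeds; the listing then returns only account 1001's record, and the update of record 2 (owned by account 1002) reports zero affected rows while the update of record 1 reports one. Matching the company name as well, as post 8 suggests, adds nothing once the account id is taken from the session rather than from the form, because the user has no way to alter that id.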
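Post 3 asks how to store a date typed as 11/12/12 and 8:00am in a MySQL DATETIME column and show it the same way afterwards. This is an added example, not from the original threads: it converts the user's display format to MySQL's 'Y-m-d H:i:s' in PHP and back again, and it rejects malformed or overflowing input (such as 13/45/12) instead of passing it to the database. Function names and the sample values are constructed for this example.

```php
<?php
// Added example (not jdlev's code): convert between a US display format and MySQL DATETIME,
// validating the user's input on the way in.
declare(strict_types=1);

// "11/12/12" + "8:00am" -> "2012-11-12 08:00:00", or null if the input is not a real date/time.
function toMysqlDateTime(string $date, string $time): ?string {
    // '!' zeroes every field the format does not mention; 'y' is the two-digit year,
    // 'g:ia' is a 12-hour time with am/pm.
    $dt = DateTimeImmutable::createFromFormat('!m/d/y g:ia', $date . ' ' . strtolower($time));
    $errors = DateTimeImmutable::getLastErrors();
    // createFromFormat returns false on garbage; out-of-range parts such as month 13
    // are reported as warnings, so those are rejected too.
    if ($dt === false || ($errors !== false && $errors['warning_count'] > 0)) {
        return null;
    }
    return $dt->format('Y-m-d H:i:s');
}

// "2012-11-12 08:00:00" -> ['date' => '11/12/12', 'time' => '8:00am'] for display.
function fromMysqlDateTime(string $mysql): array {
    $dt = new DateTimeImmutable($mysql);
    return ['date' => $dt->format('m/d/y'), 'time' => $dt->format('g:ia')];
}

// Constructed sample inputs.
var_dump(toMysqlDateTime('11/12/12', '8:00am'));
var_dump(toMysqlDateTime('11/12/12', '8:00PM'));
var_dump(toMysqlDateTime('13/45/12', '8:00am'));
print_r(fromMysqlDateTime('2012-11-12 08:00:00'));
```

Keep the column as DATETIME and convert only at the edges: the stored value stays sortable and comparable, and the display format becomes a presentation choice. The same conversion can be done in the query itself with MySQL's DATE_FORMAT() on the way out and STR_TO_DATE() on the way in, but doing it in PHP keeps the validation step in one place before anything reaches the database.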