Showing results for tags 'security'.


  1. Hi, I am trying to set up a PIN-protected area of my website. What I mean by that would be a simple pop-up window similar to the usual PHP authentication pop-up window shown by most browsers, however where only a password is necessary to access the website - no username required. Would any of you know if this will be possible to do in PHP or any other language? Thank you. John
  2. The code I am having a problem with is this:

         ob_start();
         $resultTxt = system($command, $result);
         $errTxt = ob_get_contents();
         ob_clean();
         $resultTxt = nl2br($errTxt) . "$resultTxt";

     I get a PHP Warning that system() has been disabled for security reasons. I don't have access to the php.ini file to change this. Can the code be changed from system to something else that will work?
  3. In my DB class I have a function to do a simple sanitize operation. The function does three things:

     1. checks whether the input variable is an integer; if it is, then it gets the int value of the variable and returns it.
     2. checks whether the input variable is a string; if it is, then it escapes it and returns it.
     3. if it is neither an integer nor a string, then the variable is unset and it returns a "Variable deleted" message.

         function sanitizeData($dbc, $input){
             if(is_int($input)){
                 $input = intval($input);
                 return $input;
             }
             elseif(is_string($input)){
                 $input = mysqli_real_escape_string($dbc, $input);
                 return $input;
             }
             elseif(!is_int($input) OR !is_string($input)){
                 unset($input);
                 return "Variable contents unknown, variable deleted!";
             }
         }

     I wanted other people's ideas, opinions and suggestions on this function and what you think of it. Thanks
  4. Please help: Function copy() is a PHP function to copy files from one directory to another directory. PHP script:

         <?php
         $dira = 'C:\Documents and Settings\admiN\Desktop\aaa\1.txt'; // Path Source (computer A)
         $dirb = '\\\\server\\serversavegame\\1.txt';                 // Path Destination (computer B)
         copy($dira, $dirb);                                          // function copy()
         ?>

     I have shared the folders in the source path and destination path, with the network sharing option allowing changes to my files. But when I run it there is still an error. The error description:

         Warning: copy(\\server\serversavegame\1.txt) [function.copy]: failed to open stream: Permission denied in C:\xampp\htdocs\tesdir\index.php on line 4

     Please help, thanks
  5. I am trying to log in to the website in the below example. This script logs in using a username and password but then is directed to a page with a security question. This is where the problem is: I am unable to POST my answer on this page. The result of my output is just the page with the security question.

         $username = 'XXXX';
         $password = 'XXXX';
         $loginUrl = 'https://www.dandh.ca/v4/dh';

         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $loginUrl);
         curl_setopt($ch, CURLOPT_POST, 1);
         curl_setopt($ch, CURLOPT_POSTFIELDS, 'Login='.urlencode($username).'&PW='.urlencode($password).'&Request=Login&formName=Login&jsEnabled=0&queryString=&Platform=Full&btLogin='.urlencode('Log In'));
         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
         curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookies.txt");
         curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookies.txt");
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_exec($ch); // process main login

         curl_setopt($ch, CURLOPT_POSTFIELDS, 'securityAnswer=XXXX&Request=postForm&formName=loginChallengeValidation&btContinue=Continue');
         echo curl_exec($ch); // process security question
         curl_close($ch);

     Here is the source code of the security question HTML form:

         <form name="securityForm" id="secForm" method="post" action="/v4/dh">
           <input type="hidden" name="Request" value="postForm"><input type="hidden" name="formName" value="loginChallengeValidation">
           <table border="0" align="center" cellpadding="10" cellspacing="0">
             <tr>
               <td><span style="font-weight:bold;">Security Response</span> <br>
                 <p> Please answer the following security question. Once the answer is confirmed you can continue. </p>
                 <p style="margin-left: 20px;"> Question: What is the name of your best friend from childhood?</p>
                 <p style="margin-left: 20px;"> Answer: <input type="text" id="securityAnswer" name="securityAnswer" size="50" maxlength="50"> </p>
                 <p style="margin-left: 20px;"> <input type="submit" name="btContinue" value="Continue"> </p>
                 <p> <i>If you do not know the answer to the security question, please email <a href="mailto:passwords@dandh.com">passwords@dandh.com</a> and they will send you a temporary password. <a href="/v4/dh?Request=postForm&formName=LogOut">Click here</a> to return to login page.</i> </p>
               </td>
             </tr>
           </table>
         </form>
  6. Hi everyone, I'm doing a degree research project and need some participants that know a little about web security. It's very brief and will only take a minute to fill out. I really appreciate the help of anyone that completes it: http://www.surveymonkey.com/s/VQPM2FY Thank you! Have a great day
  7. Hi, I am using PBKDF2 to crypt my passwords, but I am not sure whether or not I am using it correctly. I create a random 32 character string and use it as salt, and use it to crypt the password, then I store both the encrypted password and the salt into the database. Is this the correct way to use the PBKDF2 crypting? Also, for my remember me feature I store the encrypted password and the user ID into a cookie which is used to log the user in. This method doesn't look very secure to me for some reason. Is there a better way to implement the remember me feature?
  8. Continuing my posting of security-related functions in this section, I've decided to post this one up. I've posted a basic version of the RegExp previously, to which Psycho gave me some good feedback. Thus, the current function was born:

         // Define the flags used for validating passwords.
         define ('SF_VALIDATE_PASS_LOWER', 1);
         define ('SF_VALIDATE_PASS_UPPER', 2);
         define ('SF_VALIDATE_PASS_NUMERICAL', 4);
         define ('SF_VALIDATE_PASS_SPECIAL', 8);
         define ('SF_VALIDATE_PASS_ALL', 15);

         /**
          * Validates the password according to the flags and minimum length given.
          *
          * Returns true if the password matches the constraints, or false if it fails.
          *
          * Default minimum length is 8 characters, and all flags activated.
          *
          * @author Christian Fagerheim (Fagerheim Software)
          * @link www.fagsoft.no
          * @license Creative Commons Attribution-ShareAlike 3.0. http://creativecommons.org/licenses/by-sa/3.0/.
          *
          * @param string $password
          * @param int[optional] $minLength
          * @param int[optional] $flags
          *
          * @return bool
          */
         function validatePassword ($password, $minLength = 8, $flags = SF_VALIDATE_PASS_ALL) {
             // Make sure we got a valid minimum length.
             if (!is_int ($minLength) || $minLength < 0) {
                 trigger_error ('Minimum length must be a positive integer', E_USER_ERROR);
             }

             // Create the constraints for the password.
             $passReg = '';
             if ($flags & SF_VALIDATE_PASS_LOWER) {
                 $passReg .= '(?=.*[a-z])';
             }
             if ($flags & SF_VALIDATE_PASS_UPPER) {
                 $passReg .= '(?=.*[A-Z])';
             }
             if ($flags & SF_VALIDATE_PASS_NUMERICAL) {
                 $passReg .= '(?=.*\\d)';
             }
             if ($flags & SF_VALIDATE_PASS_SPECIAL) {
                 $special = preg_quote (',.;:"\'!?*(){}[]/^§|#¤%&_=<>@£$€ +-', '/');
                 $passReg .= "(?=.*[$special])";
             }

             // Add the minimum length requirement.
             $passReg .= '.{'.$minLength.',}';

             // Check that the password matches the constraints, and return a boolean.
             if (!preg_match ("/^$passReg\\z/u", $password)) {
                 return false;
             }

             return true;
         }
  9. This seems like the most appropriate forum on here for posting. I'm curious what people use for LAMP website vulnerability testing. I know of TrustWave and maybe one or two others. I'm not sure I want or need a subscription service where they scan on a recurring basis. Maybe just a one-time thing. I'm looking for the typical scans: cross-site scripting, SQL injection, and then patch suggestions for OS vulnerabilities, etc. Any advice is helpful.
  10. I know how to validate a URL in PHP by using FILTER_VALIDATE_URL or simply using a regular expression. However, I want to know how I can validate a URL to see if it contains a file. For example: www.xxxx.com/abc.exe, www.xxxx.com/abc/abc.jpg, etc... As you see, the links contain a file; one has an executable and the other has an image. I want to know, how can I validate a URL to know if it has a file or not? Because I do not want URLs which contain a file to be in my form! So, is there any regular expression or other way to do that?
  11. When a user browses through my client's merchandise, they should be able to click on a product image at any time to retrieve a description, details, and larger image(s), of the product. Given the way the site is constructed, it will require a query to the database, and I would like for it to open in a new window so that the shopper does not lose their place. I have a general plan for how to accomplish this. Each product will need a dynamically generated link/submit button. It will open in a new window by using the target='_blank' attribute. I can use either post or get to query the product ID which will allow the new script to query the DB and echo the results to the page. My question is, are there any security risks? This website is generally pretty secure as the only customer input is unsigned integers, and all the get/post requests are validated. Since this is my first cart I just wanted to see if there are any recommended best practices or potential vulnerabilities for which I should plan.
  12. Hello people! I want to know some security features for file upload in PHP. I did read many things, but not all have answered my questions. To start, I am more on front-end than back-end, so I am not a professional in PHP, but I do know several things in PHP (Procedural). I did create a file upload system before, which was to upload images, including security and validation. Anyway, I am planning to create a similar system again but I want to know more about the things which I have applied before. Here are my questions:

      1/ When validating file formats, which is better, validating by MIME or regular expression? I used a regular expression before, because I have read MIME can be changed; even so, I am curious. Here is an example of a regular expression which accepts only JPG and GIF files: /\.(gif|jpg)$/i

      2/ Can we upload a file like an EXE without affecting the server? I do not want the EXE file to execute on the server, or simply, if it is infected, it can ruin the server. Is there a solution to tackle this or is it not recommended? Because many file hosts let you upload EXE, RAR, ZIP, script formats etc...

      3/ What other security measures should I take into account on file upload? All uploaded files will be in a folder, and the user will get their links to download.

      4/ This question is not on security but mostly on cron jobs. Normally, an uploaded file will be stored in a folder but not forever on the server. I want each file which has been uploaded to be deleted from the folder after 3 days. I am not saying all files have to be deleted simultaneously, but each file which is more than 3 days old. For example, if I upload one today, on Sunday it will be deleted. If I upload another one tomorrow, on Monday it will be deleted. For this, a person told me to store the timestamps and the name of the file in a database. How do I proceed with the deletion with a cron job?

      Thanks!
  13. Greetings to all, Has anybody used this implementation of pbkdf2? http://crackstation.net/hashing-security.htm#phpsourcecode
  14. I am a young PHP developer who also does pen-testing for websites and companies. I am looking for some people interested in getting their web applications tested for security flaws. I am doing this just for experience (so it is free). All I need is a comment in one of your pages giving me permission to do so. That proves it is your website and that I have permission. I do not mess with any data or functionality; all I do is test your website security and send you a report with what I find. I can also offer to fix the bugs I find. Looking forward to helping some people secure their websites!
  15. I have a question about PHP, and how it stores data in RAM.. As we know, programs on a computer are run in RAM, and so, when I have a PHP script, and I am writing a string to a variable.... or when I am using file_get_contents to read data from a file into PHP... it's going to load it into RAM..... You see.... what I am really asking is a security question.... On Linux, you can run the following command, to get the 1st approx. 1MB of RAM extracted into a file...

          dd if=/dev/mem | hexdump -C > OUTPUTFILEHERE.txt

      And so... if I were to run this command, I would get 1MB of data from the RAM, and I'm thinking... this could contain sensitive data from a PHP script, aka passwords.... Like... if I have the following PHP code....

          <?php $password = "my_password_here"; ?>

      .... then.... "my_password_here" might be stored in RAM, and thus, a hacker could extract the password out of RAM, and use it to compromise my security...? And so..... I have 2 questions....

      (1) how does PHP store variables in RAM?
      (2) if PHP does store it openly, what is the best way of wiping it...? Would over-writing the password variable with some junk.. manage to erase it from RAM..? Or... would I have to use some kind of PHP "flush" command...?

      Thank you for reading