Search the Community

Hi, I'm using the code below to retrieve a file into a microcontroller running micropython. I understand I'm open for easy attacks so, I appreciate some inputs. TIA <?php $file = $_GET['file']; $dir = getcwd(); $file = $dir.'/'.$file; $myfile = fopen($file, "r") or die("FAIL"); echo file_get_contents($file); fclose($myfile); ?>

Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA

Securing my upload folder “upl” The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials. The upl folder has an .htaccess file that locks down all remote access. order deny,allow deny from all When something is needed from this directory we jump that wall with the help of apache after credentials are verified. I think this is straight forward so far. For images something like; <img src=”downloader.php?app=1&id=20&type=thumb”> For files something like; <a href=”downloader.php?app=1&id=20&type=file&fileid=1212”> After we check creds, we use similar to below to get data from that locked down folder. $size = filesize($file); header ( 'Content-Description: File Transfer' ); header("Content-Type: application/force-download"); header ( 'Content-Type: application/octet-stream' ); header ( "Content-Disposition: attachment; filename=\"".basename($file)."\""); header ( 'Expires: 0' ); header ( 'Cache-Control: must-revalidate' ); header ( 'Pragma: public' ); header ( 'Content-Length: ' . filesize ( $file ) ); ob_clean(); flush(); readfile ( $file ); exit(); seems to work pretty swimmingly for the most part. My problem is (or at lease a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited. Is there a way around this?

Hi, Playing with hardening a little, and implemented samesite flag within a cookie, or at least tried to. Code like: session_set_cookie_params(0, "/; SameSite=Strict", "domain.com", true, true); $params = session_get_cookie_params(); session_start(); setcookie("PHPSESSID", session_id(), $params["lifetime"], $params["path"], $params["domain"], $params["secure"], $params["httponly"]); Warning: PHP Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in /homepages/39/d582945504/htdocs/portal-x/inc/cookies.php on line 21 Not sure if it's a huge deal to just leave that out..

Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doubt clearly enough. I hope that the experts can either confirm or allay my fears. Thanks all.

Hi I have a question about generating a unique access token. I have read a lot on the internet about just using the php 'random_bytes' function. However I have found a scenario (although highly unlikely) where a session could potentially be hijacked. User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time but the token expires but doesn't get refreshed yet (as user 1 is idle) (so client still has access token stored on client). In the mean time User 1 decides to use a different device to login to their account which generates a new access token 'zxcvbn'. But then User 2 logs in and they get an access token of 'abcdef' as it is unique (like I say highly unlikely but still possible). Then User 1 goes back to their original device and tries to resume session (client still has 'abcdef' as an access token so it sends that to the server which then it finds it but is actually now against a different user), and then hijacks User 2's session unknowingly. What is the best way around this, what about always adding the internal user ID number to the token to make sure it will always be against the same user (and always truly unique for that user)? So we would end up with 'abcdef1' for user 1 and User 2s access token would be 'abcdef2' if the above scenario was to occur so we would never get a potential hijack of sessions? I know this sounds convoluted but just wanted peoples thoughts?

Hi all ! I am using this tutorial and I am modifying it to include csrf protection. The index.php uses getToken(); to generate an anti-csrf token which is then inserted in the form as a hidden input field as below: <tr> <td> <select id="country_dropdown" > <option value="-1">Select country</option> <?php while($stmt->fetch()) { ?> <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option } <?php // token added as hidden field echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> </select> </td> </tr> <tr> <td> <select id="state_dropdown" > <?php echo $_SESSION['token']; // debug ?> <option value="-1">Select state</option> </select> <?php // The token does not change even when it is changed in loaddata.php. The change values // does not get reflected here. So adding the below code is useless, so commented out. // echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> <span id="state_loader"></span> </td> </tr> This scheme works if the same token is to be used for all drop downs. If I change destroy and change the token in loaddata.php, the ajax response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, i guess, that file is not refreshed to load the new token value. So how can I make this work? Please help. Thanks !

Hi, Below is how I am handling the database data before I display it on a page. . $query = "SQL QUERY to retrieve some data"; . . while ($stmt->fetch()) { $fname = html_escape($fname); $lname = html_escape($lname); $city = html_escape($city); $cell = html_escape($cell); // verify that $xid is numeric. if(($xid = fcheckNumber($xid)) === false) die('Internal error. Conatct Admin'; // verify that $role has a valid value against a set of values. if(($role = html_escape(fcheckRole($role)))=== false) die('Internal error. Conatct Admin'; // verify that $email is correctly formatted as an email should be. if(($email = html_escape(fcheckEmail($email)))=== false) die('Internal error. Conatct Admin'; // verify that $status is numeric. if(($status = fcheckNumber($status))===false) die('Internal error. Conatct Admin'; . . . display the above data in a form. } My questions are: Is this the right way of handling the data before I display it on a form or am i overdoing it with all the checks and die statements? Am I missing out some other security aspect here ? Then there are instances where i use verify a SESSION variable or a POST / GET variable similarly. if(($xid = $_SESSION['xid'])===false) die('Internal Error. Contact Admin'); OR if(($xid = $_POST['id'])===false) die('Internal Error. Contact Admin'); Is this alright or can I skip some of these checks ? I'd like to mention here that I use prepared statements for all queries and the same data verification as above when I add the data to the database. I do not html escape any data that is put into the DB. Thanks all !

I apologize if it's the wrong section, I don't know which other section this question would belong in and it is the most popular section on the forum. Say I have a site where users are can purchase "packages" and to do so, they are sending payments directly to the company using a payment processor. The company tracks all the payments in the back-end. The users are also able to see their earnings, balance and withdrawals. Normally a user can make a withdrawal request and the company will send that user his earning balance. After the user receives his earnings in his bank account, he can go back to the site and purchase a new package. That's all great. But what if I want to give an option to the users where they can use the earnings in their account on the site to purchase a new package, instead of going through a payment processor? For e.g. I have $100 as my earning balance in my site's account. And the package I want to purchase is $50. I can simply purchase that package using the $100 I have in my account, instead of making a withdrawal request and wait for the $100 to show up in my bank account and then I go back to the site and purchase that package using a payment processor, as I did originally. I am wondering, if I give users that option, do I need to worry about anything security wise? Is that a wise option to give or should I just stick to payment processor for all user payments? *note I am not asking how to code it.

Hi all ! In my previous question asked today I said that I am using dropdown lists for selecting country, state, city and pin. The initial lists are blank and use the selection of country to trigger the loading of states and choosing a state triggers the loading of cities and so I am using ajax for this purpose - more specifically the $ajax() function of jquery. In a normal call to a php page, the integrity is maintained via sessions, and csrf is prevented via tokens embedded in the form, but how do I take care of these when data is being passed through the ajax call ? Any other security measures that need to be looked into while using this method or special security mechanisms that I need to apply? I would of-course check the data received this way, by using all the normal data validation methods on the server side. Thanks all !

Hi all, I just changed one of my forms to use drop down lists for storing Country, State, City and Pin values. The values for each of these fields come from individual tables in the database having the same name as these fields. Since the values of pin or picodes are dependent on the city and their value in turn is dependent on the state and so on, so the tables need to check for data integrity. However, the tables not only need to check for data integrity in the sense that a value should exist in the parent table, it also needs to be verified that the data comes from the correct subset of values. For e.g. The values for the fields are as shown in the table below, parenthesis values representing their numeric unique ids. COUNTRY STATE CITY PIN C1 (1) ST1(1) CT1 (1) 11001 (1) CT2 (2) 11002 (2) ST2(2) CT3 (3) 12001 (3) CT4 (4) 12002 (4) Then the valid sets of values are CO ST CT P 1--- 1 --- 1 --- 1 1 ---1-----2----2 1----2-----3----3 1----2-----4----4 and so on. A value of 1 --- 2 --- 1 ---2 will obviously be wrong even though the values are coming from valid tables. The question then is, how to ensure in the simplest possible way, that an entry that i fetch from the database or that I am going to insert into it is correct according to the subset values as well. Thanks all !

I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters? Thoughts?

Hi all, I am sorry if I am posting this in the wrong place. If so, kindly transfer it to the appropriate section. I was using code that used recaptcha and that worked perfectly well. Now it has stopped working. The recaptcha dialog box simply does not display. Does anyone have any clue what could be going on? Has someone else also faced this similar problem recently Thanks all.

Hi all ! I would have liked to continue this question on my previous post but since it became too long I thought I'ld post a new one. I would like to add the following bit of code on my reset page $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; if(isset($_SERVER['HTTP_REFERER'])) $referrer = $_SERVER['HTTP_REFERER']; if ( $referrer === $current ) { }else { } to ensure that the page is being called from where it should be called. Is this OK or is there a better ( read more secure ) way to do it? (I think I read in one of the posts, quite some time ago, that this was not altogether secure). Since the password reset page is publicly accessible what other security concerns can turn up because of that and what care should be taken. Thanks all !

Hi Guys, I've got xampp running on my machine with wordpress, and had 2 security related questions: A) I was constantly running into issues with wordpress and trying to find includes. I'm building a plugin, so on the plugin's main file, I just added a 'set_include_path' function equal to the root directory of my website. Then, the require_once, and include functions that are also on that page seem to have stopped having issues. Are there any security issues with using the set_include_path, and setting it to say 'C:/htdocs/home'? B) I used Xampp to install apache, mysql, and php. Until recently, I had no idea what PEAR was. I'm curious though...is PEAR installed by default with PHP or Xampp? Thanks for any help guys

I'm running across this more and more. Prospective client gives access (w/o NDA) to (relatively) secure solution for the purpose of generating a project specification and project estimate. Usually the SOP is some add-on module or feature enhancement - in other words, not a major overhaul of the current solution. In the due diligence, security holes are discovered, to varying degrees of insecurity. This really becomes an awkward situation when the current solution is provided by a third party OEM and leased by the client. To make matters worse, the prospective client decides NOT to proceed with the project so there is no financial benefit to giving away consulting services. Options are: A: Do not notify the prospective client their solution is insecure and move on. B: Notify the client their solution is insecure even though they are not the code authors and can't fix it without contacting the vendor. C: Notify the vendor they have insecure code even though there is no financial incentive to do so - and likely violates terms and conditions for the client. D: Sell the exploit knowledge on some hacker forum... ( just kidding, this IS NOT really an option - toungue and cheek people... ). There are plenty of recent cases in the news where dudes hacking systems (usually without permission) but without nefarious/malicious intent, have been arrested and charged. For example, last months airline hack... http://thehackernews.com/2015/05/fbi-plane-hacking.html What'd Ya Think?

Hey guys, So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_Get would be the user_id so do I need to add some if statements to make sure its an integer, not empty etc. And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc.

Hey guys, i have created a php file which takes two parameters: a subdirectory path a file extension it then echos the complete path pf (glob()) all the files with that extension in the searching folder. I wanted to know the security issues involved with this and how i might use escape methods to make sure someone can't move up the directory listing and get other filename. Are there any other concerns i should have? No data is coming or going to a database however there are other php files on the server which communicate with mySQL. Thanks alot!

I think the title is very clear but i have a site that has 2 user databases, one for web mail (Round cube) and one for a directory of content that the user has to be authenticated for. I was wondering if i should throw the password in $_SESSION and authenticate web mail if the user is logged in? Obviously i should not send that password back to the client if it be encrypted or not but i would inject the username and password into the web mail authentication handler as if the user had already filled in the form. Due to certain circumstances i am unable to merge the user databases. If there are any other possibilities do recommend them instead.

Hi all. i am trying to use php to include a javascript onto different pages, and then "sort of " pass it a var. The bulk of the code will be in an included footer php file. The var will be set in the main page. i have it working as follows: by just using echo 3 times.. the 1st with the first part of the script, the 2nd is the variable, and the 3rd is the rest of the script. The same endcode.php file needs to also be used for pages that wont have a var set, and wont be using the script - hense the isset. <!-- mainPage.php --> <?php $sion_gallery_id = '450'; ?> <?php include(endcode.php); ?> <!-- endcode.php --> <?php if (isset($sion_gallery_id)) {echo "start of javascript.......album/"; echo $sion_gallery_id; echo"/end of script"; } else { echo "var not on set";} ?> This works great, and i can set $sion_gallery_id do different numbers, and it pulls different albums through for diff pages. Is this secure enough as it is? I have read about whitelists, and tried the following: <!-- Headcode.php --> <?php $whitelist = array('465','6', '7','745','450'); ?> <!-- mainPage.php --> <?php include(Headcode.php);?> <?php $sion_gallery_id = '450'; ?> <?phpinclude(endCode.php); ?> <!-- endCode.php --> <?php if (isset($sion_gallery_id)) {if (in_array($sion_gallery_id, $whitelist)) {echo "java script content goes here.......album/"; echo $sion_gallery_id; echo"/end of script"; } else { echo "var not on white list";}} else { echo "No var set"; }; ?> This works when i try it at a basic level. However, when i set it up properly with the headcode and endcode pages being included, and also with all the actual javascript being echoed in endcode.php -- it worked perfectly for the first page. But when i changed the var to a different number, remembering to add this to the whitelist, it wont load - and echoes "var not on white list". ..... but it is? So, do i need to use a white list for this, or have i got the wrong end of the stick anyway. And if i do, can anyone see what may be happening? Is the first var getting cashed somewhere? Any help is much appreciated. Thanks, Sion.

Hi everybody ! Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on utf-8 and am still lost on certain aspects related to PHP security. Consider the simple script below: <?php //error_reporting(E_ALL & ~E_NOTICE); session_start(); if(isset($_POST['login'], $_POST['password'])) { $login = $_POST['login']; $password = $_POST['password']; if(!empty($login) && !empty($password)) { //echo "Ok"; echo "Welcome ". $login; echo "<br> You password is.$password "; } } ?> <html> <body> <form action="welcome2.php" method="post"> Name: <input type="text" name="login" /> Password: <input type="password" name="password" /> <input type="submit" name="submit"/> </form> </body> </html> It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then : 1. how could it be exploited to pass a string that would effectively break thorugh this login. It would be great if someone can demonstrate the hack using the above script example. 2. Could the same be thwarted by the use of input filters? 3. I also read that the use of a regex to limit the use of special characters in passwords is not good . So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place what should be done? There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked. Thanks all.

(I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.) I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts: SELECT p.*, t.id as blah FROM some_table p left outer join some_other_table t on p.id = t.product_id WHERE p.id = 139\' and benchmark(20000000,sha1(1))-- Should I be worried about something like this? Anything more (or less) that I should be doing?

I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them. The files are Form.HTML Bin/config.php Bin/mail.php Any help is appreciated.

Hi i have a simple script that functions perfect and easy but i am looking for a way to secure it a little is there any way for me to create a simple user checking system ? i have a mysql db with both usernames and passwords is there any way to get the username and password from a get comand in the url and check the db to see if they exist and if they do run the rest of my code and if not throw access denied ? i know this is not 100% secure but i its how i want it to be done could anyone help me with this ?

Hello. I'm working on a website with an editor that allows image uploading. Ideally I want to be able to develop a framework for this and use it in later projects. What I have in mind is this: Database has an images table Entries contain these fields: id, filename, and a short description Images are referred to by their ids in other parts of the application. That part seems simple to me, but now there are two details I need to determine: the file name, and storing the images. Big sites like Facebook - as far as I know - parse uploads and store them all in the same format. I can see the huge security benefit there. What are the best ways of doing that? As for the file name, I know PHP has a function to generate a file with a unique name. Is there any benefit to doing that over using the id? (i.e. 1.jpg, 2.png, 3.jpg, etc)