Jump to content

Search the Community

Showing results for tags 'security'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Welcome to PHP Freaks
    • Announcements
    • Introductions
  • PHP Coding
    • PHP Coding Help
    • Regex Help
    • Third Party Scripts
    • FAQ/Code Snippet Repository
  • SQL / Database
    • MySQL Help
    • PostgreSQL
    • Microsoft SQL - MSSQL
    • Other RDBMS and SQL dialects
  • Client Side
    • HTML Help
    • CSS Help
    • Javascript Help
    • Other
  • Applications and Frameworks
    • Applications
    • Frameworks
    • Other Libraries
  • Web Server Administration
    • PHP Installation and Configuration
    • Linux
    • Apache HTTP Server
    • Microsoft IIS
    • Other Web Server Software
  • Other
    • Application Design
    • Other Programming Languages
    • Editor Help (Dreamweaver, Zend, etc)
    • Website Critique
    • Beta Test Your Stuff!
  • Freelance, Contracts, Employment, etc.
    • Services Offered
    • Job Offerings
  • General Discussion
    • PHPFreaks.com Website Feedback
    • Miscellaneous

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL








Donation Link

Found 13 results

  1. I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters? Thoughts?
  2. Hi, Below is how I am handling the database data before I display it on a page. . $query = "SQL QUERY to retrieve some data"; . . while ($stmt->fetch()) { $fname = html_escape($fname); $lname = html_escape($lname); $city = html_escape($city); $cell = html_escape($cell); // verify that $xid is numeric. if(($xid = fcheckNumber($xid)) === false) die('Internal error. Conatct Admin'; // verify that $role has a valid value against a set of values. if(($role = html_escape(fcheckRole($role)))=== false) die('Internal error. Conatct Admin'; // verify that $email is correctly formatted as an email should be. if(($email = html_escape(fcheckEmail($email)))=== false) die('Internal error. Conatct Admin'; // verify that $status is numeric. if(($status = fcheckNumber($status))===false) die('Internal error. Conatct Admin'; . . . display the above data in a form. } My questions are: Is this the right way of handling the data before I display it on a form or am i overdoing it with all the checks and die statements? Am I missing out some other security aspect here ? Then there are instances where i use verify a SESSION variable or a POST / GET variable similarly. if(($xid = $_SESSION['xid'])===false) die('Internal Error. Contact Admin'); OR if(($xid = $_POST['id'])===false) die('Internal Error. Contact Admin'); Is this alright or can I skip some of these checks ? I'd like to mention here that I use prepared statements for all queries and the same data verification as above when I add the data to the database. I do not html escape any data that is put into the DB. Thanks all !
  3. Hi all, I am sorry if I am posting this in the wrong place. If so, kindly transfer it to the appropriate section. I was using code that used recaptcha and that worked perfectly well. Now it has stopped working. The recaptcha dialog box simply does not display. Does anyone have any clue what could be going on? Has someone else also faced this similar problem recently Thanks all.
  4. Hi all ! I would have liked to continue this question on my previous post but since it became too long I thought I'ld post a new one. I would like to add the following bit of code on my reset page $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; if(isset($_SERVER['HTTP_REFERER'])) $referrer = $_SERVER['HTTP_REFERER']; if ( $referrer === $current ) { }else { } to ensure that the page is being called from where it should be called. Is this OK or is there a better ( read more secure ) way to do it? (I think I read in one of the posts, quite some time ago, that this was not altogether secure). Since the password reset page is publicly accessible what other security concerns can turn up because of that and what care should be taken. Thanks all !
  5. Hi, Playing with hardening a little, and implemented samesite flag within a cookie, or at least tried to. Code like: session_set_cookie_params(0, "/; SameSite=Strict", "domain.com", true, true); $params = session_get_cookie_params(); session_start(); setcookie("PHPSESSID", session_id(), $params["lifetime"], $params["path"], $params["domain"], $params["secure"], $params["httponly"]); Warning: PHP Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in /homepages/39/d582945504/htdocs/portal-x/inc/cookies.php on line 21 Not sure if it's a huge deal to just leave that out..
  6. Securing my upload folder “upl” The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials. The upl folder has an .htaccess file that locks down all remote access. order deny,allow deny from all When something is needed from this directory we jump that wall with the help of apache after credentials are verified. I think this is straight forward so far. For images something like; <img src=”downloader.php?app=1&id=20&type=thumb”> For files something like; <a href=”downloader.php?app=1&id=20&type=file&fileid=1212”> After we check creds, we use similar to below to get data from that locked down folder. $size = filesize($file); header ( 'Content-Description: File Transfer' ); header("Content-Type: application/force-download"); header ( 'Content-Type: application/octet-stream' ); header ( "Content-Disposition: attachment; filename=\"".basename($file)."\""); header ( 'Expires: 0' ); header ( 'Cache-Control: must-revalidate' ); header ( 'Pragma: public' ); header ( 'Content-Length: ' . filesize ( $file ) ); ob_clean(); flush(); readfile ( $file ); exit(); seems to work pretty swimmingly for the most part. My problem is (or at lease a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited. Is there a way around this?
  7. Hi I have a question about generating a unique access token. I have read a lot on the internet about just using the php 'random_bytes' function. However I have found a scenario (although highly unlikely) where a session could potentially be hijacked. User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time but the token expires but doesn't get refreshed yet (as user 1 is idle) (so client still has access token stored on client). In the mean time User 1 decides to use a different device to login to their account which generates a new access token 'zxcvbn'. But then User 2 logs in and they get an access token of 'abcdef' as it is unique (like I say highly unlikely but still possible). Then User 1 goes back to their original device and tries to resume session (client still has 'abcdef' as an access token so it sends that to the server which then it finds it but is actually now against a different user), and then hijacks User 2's session unknowingly. What is the best way around this, what about always adding the internal user ID number to the token to make sure it will always be against the same user (and always truly unique for that user)? So we would end up with 'abcdef1' for user 1 and User 2s access token would be 'abcdef2' if the above scenario was to occur so we would never get a potential hijack of sessions? I know this sounds convoluted but just wanted peoples thoughts?
  8. Hi Guys, I've got xampp running on my machine with wordpress, and had 2 security related questions: A) I was constantly running into issues with wordpress and trying to find includes. I'm building a plugin, so on the plugin's main file, I just added a 'set_include_path' function equal to the root directory of my website. Then, the require_once, and include functions that are also on that page seem to have stopped having issues. Are there any security issues with using the set_include_path, and setting it to say 'C:/htdocs/home'? B) I used Xampp to install apache, mysql, and php. Until recently, I had no idea what PEAR was. I'm curious though...is PEAR installed by default with PHP or Xampp? Thanks for any help guys
  9. Hi all ! In my previous question asked today I said that I am using dropdown lists for selecting country, state, city and pin. The initial lists are blank and use the selection of country to trigger the loading of states and choosing a state triggers the loading of cities and so I am using ajax for this purpose - more specifically the $ajax() function of jquery. In a normal call to a php page, the integrity is maintained via sessions, and csrf is prevented via tokens embedded in the form, but how do I take care of these when data is being passed through the ajax call ? Any other security measures that need to be looked into while using this method or special security mechanisms that I need to apply? I would of-course check the data received this way, by using all the normal data validation methods on the server side. Thanks all !
  10. Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doubt clearly enough. I hope that the experts can either confirm or allay my fears. Thanks all.
  11. Hi all, I just changed one of my forms to use drop down lists for storing Country, State, City and Pin values. The values for each of these fields come from individual tables in the database having the same name as these fields. Since the values of pin or picodes are dependent on the city and their value in turn is dependent on the state and so on, so the tables need to check for data integrity. However, the tables not only need to check for data integrity in the sense that a value should exist in the parent table, it also needs to be verified that the data comes from the correct subset of values. For e.g. The values for the fields are as shown in the table below, parenthesis values representing their numeric unique ids. COUNTRY STATE CITY PIN C1 (1) ST1(1) CT1 (1) 11001 (1) CT2 (2) 11002 (2) ST2(2) CT3 (3) 12001 (3) CT4 (4) 12002 (4) Then the valid sets of values are CO ST CT P 1--- 1 --- 1 --- 1 1 ---1-----2----2 1----2-----3----3 1----2-----4----4 and so on. A value of 1 --- 2 --- 1 ---2 will obviously be wrong even though the values are coming from valid tables. The question then is, how to ensure in the simplest possible way, that an entry that i fetch from the database or that I am going to insert into it is correct according to the subset values as well. Thanks all !
  12. Hi all ! I am using this tutorial and I am modifying it to include csrf protection. The index.php uses getToken(); to generate an anti-csrf token which is then inserted in the form as a hidden input field as below: <tr> <td> <select id="country_dropdown" > <option value="-1">Select country</option> <?php while($stmt->fetch()) { ?> <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option } <?php // token added as hidden field echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> </select> </td> </tr> <tr> <td> <select id="state_dropdown" > <?php echo $_SESSION['token']; // debug ?> <option value="-1">Select state</option> </select> <?php // The token does not change even when it is changed in loaddata.php. The change values // does not get reflected here. So adding the below code is useless, so commented out. // echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> <span id="state_loader"></span> </td> </tr> This scheme works if the same token is to be used for all drop downs. If I change destroy and change the token in loaddata.php, the ajax response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, i guess, that file is not refreshed to load the new token value. So how can I make this work? Please help. Thanks !
  13. I apologize if it's the wrong section, I don't know which other section this question would belong in and it is the most popular section on the forum. Say I have a site where users are can purchase "packages" and to do so, they are sending payments directly to the company using a payment processor. The company tracks all the payments in the back-end. The users are also able to see their earnings, balance and withdrawals. Normally a user can make a withdrawal request and the company will send that user his earning balance. After the user receives his earnings in his bank account, he can go back to the site and purchase a new package. That's all great. But what if I want to give an option to the users where they can use the earnings in their account on the site to purchase a new package, instead of going through a payment processor? For e.g. I have $100 as my earning balance in my site's account. And the package I want to purchase is $50. I can simply purchase that package using the $100 I have in my account, instead of making a withdrawal request and wait for the $100 to show up in my bank account and then I go back to the site and purchase that package using a payment processor, as I did originally. I am wondering, if I give users that option, do I need to worry about anything security wise? Is that a wise option to give or should I just stick to payment processor for all user payments? *note I am not asking how to code it.
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.