Search the Community

Hi, I'm using the code below to retrieve a file into a microcontroller running micropython. I understand I'm open for easy attacks so, I appreciate some inputs. TIA <?php $file = $_GET['file']; $dir = getcwd(); $file = $dir.'/'.$file; $myfile = fopen($file, "r") or die("FAIL"); echo file_get_contents($file); fclose($myfile); ?>

Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA

Securing my upload folder “upl” The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials. The upl folder has an .htaccess file that locks down all remote access. order deny,allow deny from all When something is needed from this directory we jump that wall with the help of apache after credentials are verified. I think this is straight forward so far. For images something like; <img src=”downloader.php?app=1&id=20&type=thumb”> For files something like; <a href=”downloader.php?app=1&id=20&type=file&fileid=1212”> After we check creds, we use similar to below to get data from that locked down folder. $size = filesize($file); header ( 'Content-Description: File Transfer' ); header("Content-Type: application/force-download"); header ( 'Content-Type: application/octet-stream' ); header ( "Content-Disposition: attachment; filename=\"".basename($file)."\""); header ( 'Expires: 0' ); header ( 'Cache-Control: must-revalidate' ); header ( 'Pragma: public' ); header ( 'Content-Length: ' . filesize ( $file ) ); ob_clean(); flush(); readfile ( $file ); exit(); seems to work pretty swimmingly for the most part. My problem is (or at lease a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited. Is there a way around this?

Hi, Playing with hardening a little, and implemented samesite flag within a cookie, or at least tried to. Code like: session_set_cookie_params(0, "/; SameSite=Strict", "domain.com", true, true); $params = session_get_cookie_params(); session_start(); setcookie("PHPSESSID", session_id(), $params["lifetime"], $params["path"], $params["domain"], $params["secure"], $params["httponly"]); Warning: PHP Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in /homepages/39/d582945504/htdocs/portal-x/inc/cookies.php on line 21 Not sure if it's a huge deal to just leave that out..

I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters? Thoughts?

Hi all, I am sorry if I am posting this in the wrong place. If so, kindly transfer it to the appropriate section. I was using code that used recaptcha and that worked perfectly well. Now it has stopped working. The recaptcha dialog box simply does not display. Does anyone have any clue what could be going on? Has someone else also faced this similar problem recently Thanks all.

Hi all ! I would have liked to continue this question on my previous post but since it became too long I thought I'ld post a new one. I would like to add the following bit of code on my reset page $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; if(isset($_SERVER['HTTP_REFERER'])) $referrer = $_SERVER['HTTP_REFERER']; if ( $referrer === $current ) { }else { } to ensure that the page is being called from where it should be called. Is this OK or is there a better ( read more secure ) way to do it? (I think I read in one of the posts, quite some time ago, that this was not altogether secure). Since the password reset page is publicly accessible what other security concerns can turn up because of that and what care should be taken. Thanks all !

Hi Guys, I've got xampp running on my machine with wordpress, and had 2 security related questions: A) I was constantly running into issues with wordpress and trying to find includes. I'm building a plugin, so on the plugin's main file, I just added a 'set_include_path' function equal to the root directory of my website. Then, the require_once, and include functions that are also on that page seem to have stopped having issues. Are there any security issues with using the set_include_path, and setting it to say 'C:/htdocs/home'? B) I used Xampp to install apache, mysql, and php. Until recently, I had no idea what PEAR was. I'm curious though...is PEAR installed by default with PHP or Xampp? Thanks for any help guys

I'm running across this more and more. Prospective client gives access (w/o NDA) to (relatively) secure solution for the purpose of generating a project specification and project estimate. Usually the SOP is some add-on module or feature enhancement - in other words, not a major overhaul of the current solution. In the due diligence, security holes are discovered, to varying degrees of insecurity. This really becomes an awkward situation when the current solution is provided by a third party OEM and leased by the client. To make matters worse, the prospective client decides NOT to proceed with the project so there is no financial benefit to giving away consulting services. Options are: A: Do not notify the prospective client their solution is insecure and move on. B: Notify the client their solution is insecure even though they are not the code authors and can't fix it without contacting the vendor. C: Notify the vendor they have insecure code even though there is no financial incentive to do so - and likely violates terms and conditions for the client. D: Sell the exploit knowledge on some hacker forum... ( just kidding, this IS NOT really an option - toungue and cheek people... ). There are plenty of recent cases in the news where dudes hacking systems (usually without permission) but without nefarious/malicious intent, have been arrested and charged. For example, last months airline hack... http://thehackernews.com/2015/05/fbi-plane-hacking.html What'd Ya Think?

Hey guys, So I wanted to know what security measures I would have to take when retrieving user information from the database with the $_GET method. The $_Get would be the user_id so do I need to add some if statements to make sure its an integer, not empty etc. And what function would I use for in case of the user attempts to break the website by changing the url with commas,malicious code, etc.

Hey guys, i have created a php file which takes two parameters: a subdirectory path a file extension it then echos the complete path pf (glob()) all the files with that extension in the searching folder. I wanted to know the security issues involved with this and how i might use escape methods to make sure someone can't move up the directory listing and get other filename. Are there any other concerns i should have? No data is coming or going to a database however there are other php files on the server which communicate with mySQL. Thanks alot!

I think the title is very clear but i have a site that has 2 user databases, one for web mail (Round cube) and one for a directory of content that the user has to be authenticated for. I was wondering if i should throw the password in $_SESSION and authenticate web mail if the user is logged in? Obviously i should not send that password back to the client if it be encrypted or not but i would inject the username and password into the web mail authentication handler as if the user had already filled in the form. Due to certain circumstances i am unable to merge the user databases. If there are any other possibilities do recommend them instead.

Hi all. i am trying to use php to include a javascript onto different pages, and then "sort of " pass it a var. The bulk of the code will be in an included footer php file. The var will be set in the main page. i have it working as follows: by just using echo 3 times.. the 1st with the first part of the script, the 2nd is the variable, and the 3rd is the rest of the script. The same endcode.php file needs to also be used for pages that wont have a var set, and wont be using the script - hense the isset. <!-- mainPage.php --> <?php $sion_gallery_id = '450'; ?> <?php include(endcode.php); ?> <!-- endcode.php --> <?php if (isset($sion_gallery_id)) {echo "start of javascript.......album/"; echo $sion_gallery_id; echo"/end of script"; } else { echo "var not on set";} ?> This works great, and i can set $sion_gallery_id do different numbers, and it pulls different albums through for diff pages. Is this secure enough as it is? I have read about whitelists, and tried the following: <!-- Headcode.php --> <?php $whitelist = array('465','6', '7','745','450'); ?> <!-- mainPage.php --> <?php include(Headcode.php);?> <?php $sion_gallery_id = '450'; ?> <?phpinclude(endCode.php); ?> <!-- endCode.php --> <?php if (isset($sion_gallery_id)) {if (in_array($sion_gallery_id, $whitelist)) {echo "java script content goes here.......album/"; echo $sion_gallery_id; echo"/end of script"; } else { echo "var not on white list";}} else { echo "No var set"; }; ?> This works when i try it at a basic level. However, when i set it up properly with the headcode and endcode pages being included, and also with all the actual javascript being echoed in endcode.php -- it worked perfectly for the first page. But when i changed the var to a different number, remembering to add this to the whitelist, it wont load - and echoes "var not on white list". ..... but it is? So, do i need to use a white list for this, or have i got the wrong end of the stick anyway. And if i do, can anyone see what may be happening? Is the first var getting cashed somewhere? Any help is much appreciated. Thanks, Sion.

Hi everybody ! Am back with the never ending security issues, just that this time it has to do with the character set related security issues. I read the whole day on utf-8 and am still lost on certain aspects related to PHP security. Consider the simple script below: <?php //error_reporting(E_ALL & ~E_NOTICE); session_start(); if(isset($_POST['login'], $_POST['password'])) { $login = $_POST['login']; $password = $_POST['password']; if(!empty($login) && !empty($password)) { //echo "Ok"; echo "Welcome ". $login; echo "<br> You password is.$password "; } } ?> <html> <body> <form action="welcome2.php" method="post"> Name: <input type="text" name="login" /> Password: <input type="password" name="password" /> <input type="submit" name="submit"/> </form> </body> </html> It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset that was selected for this script, then : 1. how could it be exploited to pass a string that would effectively break thorugh this login. It would be great if someone can demonstrate the hack using the above script example. 2. Could the same be thwarted by the use of input filters? 3. I also read that the use of a regex to limit the use of special characters in passwords is not good . So in case the hack can be thwarted by the use of regex and that is a bad idea in the first place what should be done? There are a few more questions that are on my mind but I would only ask those once I am clear on these that I have just asked. Thanks all.

(I'm putting this in PHP since it's not a question specific to MySQL or other DB stuff.) I have a page that uses the GET id to find a product. GET variables are sanitized, and the SQL string is escaped even though it's expecting a number only. So the code seems safe to me. I'm getting some error_log results that appear to be hack attempts: SELECT p.*, t.id as blah FROM some_table p left outer join some_other_table t on p.id = t.product_id WHERE p.id = 139\' and benchmark(20000000,sha1(1))-- Should I be worried about something like this? Anything more (or less) that I should be doing?

I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them. The files are Form.HTML Bin/config.php Bin/mail.php Any help is appreciated.

Hi i have a simple script that functions perfect and easy but i am looking for a way to secure it a little is there any way for me to create a simple user checking system ? i have a mysql db with both usernames and passwords is there any way to get the username and password from a get comand in the url and check the db to see if they exist and if they do run the rest of my code and if not throw access denied ? i know this is not 100% secure but i its how i want it to be done could anyone help me with this ?

Hello. I'm working on a website with an editor that allows image uploading. Ideally I want to be able to develop a framework for this and use it in later projects. What I have in mind is this: Database has an images table Entries contain these fields: id, filename, and a short description Images are referred to by their ids in other parts of the application. That part seems simple to me, but now there are two details I need to determine: the file name, and storing the images. Big sites like Facebook - as far as I know - parse uploads and store them all in the same format. I can see the huge security benefit there. What are the best ways of doing that? As for the file name, I know PHP has a function to generate a file with a unique name. Is there any benefit to doing that over using the id? (i.e. 1.jpg, 2.png, 3.jpg, etc)

Hello I am looking to create an expiring token for use with our password reset system. We want tokens to be valid for a set period, let's say 24hrs. Currently we md5 the username and userid, and send this as a token to the users registered email... It's OK, but means that token is valid indefinitely. I am not keen on adding more fields to the database to store the time the request was made, so wondered if anyone had a suggestion? Is there a way I can encrypt a token including a timestamp and then decrypt it to separate the elements out to check the timestamp? Thanks

I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc. So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version. I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings? My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help. PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much. -Adam

Hi all ! I am really stuck on creating a secure login and site navigation system. Can someone say how secure sessions be created and how to use sessions / cookies / session - cookies together. for navigating a website, like moving from page to page and any special precautions to take while doing a critical task ( say one which involves accessing a database for reading or writing). Generally either sessions or cookies are used for this but I was wondering if it would be a good idea to use both in case that makes the system more secure. Thanks

I have a site which is far from finished, it doesn't have a user registration system yet and has plenty of security holes that need patching. I wanna upload it onto the web so friends can enter data into it, but of course I don't want random people having access to it, and don't want bots attempting to index it. Will adding a .htaccess file with a username/password rule to the root directory keep all bots and humans (which don't have a username/password) out? Side question: if someone logs into the site with a username/password combo that I added to the passwd file (used by the .htaccess file), will I be able to track the user? For example, if someone goes and deletes half the database, will I be able to tell which user it was without having to look through the apache log files? Sorry thats a bad example, lets say I want to make a welcome screen saying "Welcome user3", can I do that with .htaccess system?

Hi All, I am new here and new to PHP...so please be gentle! I was wondering if there is any kind of tool/framework/plug-in available which will help me find security holes in my bespoke software developed using PHP. For obvious reasons, I cannot make the application public...but any advice/guidance/best practice guide would be really appreciated. Has anyone used or can recommend any free/open source penetration testing tools which would highlight the most common security mistakes? Thank you in advance! Jon Bespoke Software Expert UK

Hi All, I am looking into different methods to prevent users from directly accessing a php file. For example, if you have a form with an action="whatever.php" on it, a user can inspect the element in see in the DOM what the action is as well as the file path to that action. As shown in the form below: <form id="contact" name="contact" method="POST" action="php/process.php"> <input type="text" value="email" name="email" id="email" class="width" > <input type="submit" value="Submit" name="submit" id="submit" class="button"> </form> The action is "process.php." What are some of the different methods that prevents a user from typing that URL into the address bar and going directly to the file? Right now, if a user goes to that file they get an error that says something like "The variable $email does not exist." But someone can just type that parameter into the URL and the file would be exposed. One method that comes to mind is checking if "submit" is set. Then if it is not, redirect the user back to index.php. Does that make sense? Does anyone have any other methods in mind? Thanks in advance,

This may sound like a weird one. I'm in the process of making a HTML5 game where I need to make contact with a MYSQL database. I planned on doing this using PHP scripts that the game sends AJAX requests to with post data. Is there a way of securing these scripts so no one on the outside can access (or just run) them, but the game can. The game will be ran on the same server as the scripts. Does this sound ridiculous or is it possible? Or am I going about this the entirely wrong way, thanks for any answers in advance!!