waynewex Posted June 20, 2008

Okay, I'm in the process of setting up a social network, mainly to develop my php skills further, as I find that taking on big projects is often the best way to learn. Here are some of the things that I need opinions on:

1) What do you think the most secure way of handling sessions is?
2) What type of password encryption do you think is the best?
3) What tips do you have for stopping SQL injection?

All opinions on any topic are welcome. Thanks guys.
jonsjava Posted June 20, 2008

Man, it's just plain funny you asked that. I just wrote some functions to make 2 of the 3 questions you have easier:

2) What type of password encryption do you think is the best?

MD5 is just fine, so long as you salt it. I do it like this:

<?php
// function to auto-salt the password
function password($input){
    $key = "1k4w3G!";
    $password = md5($input.$key);
    return $password;
}
// usage:
$password = password($_POST['password']);
?>

I also just finished 2 functions that work together to stop mysql injections. It will also e-mail you if someone attempts to attack your site.

<?php
session_start();
/*
cleanInput and checkForAttack.
Usage: add your db connection at the top of the page, then run it as such:
Let's assume you have a form, and one of the text areas is named "subject".
Also, let's assume you have a get element named "page".

<?php
include ("functions.inc.php"); // page that has the functions
$subject1 = cleanInput($_POST['subject']);
$page = cleanInput($_GET['page'], true); // set to true if it's a $_GET variable
// now your data has been cleaned up.
?>

Also, you can use it to clean up arrays:

<?php
$post_data = cleanInput($_POST);
?>

Now, instead of using the $_POST array, you use the $post_data array.
*/
$host = "localhost";
$db = "db_name";
$db_user = "DB_USER";
$db_password = "DB_PASS";
$link = mysql_connect($host, $db_user, $db_password);
mysql_select_db($db);

function cleanInput($input, $is_get=false){
    if (is_array($input)){
        // run every element through the attack check, then escape it for MySQL
        $new_array22 = array();
        foreach ($input as $key => $value){
            $value = checkForAttack($value, $is_get);
            $new_array22[$key] = mysql_real_escape_string($value);
        }
        $input = $new_array22;
    } else {
        $input = checkForAttack($input, $is_get);
        $input = mysql_real_escape_string($input);
    }
    return $input;
}

function checkForAttack($input, $is_get=false){
    if ($is_get != false && strstr($input, "http")){
        // a URL in a $_GET value: report it, kill the session and send them on their way
        $subject = "Hacking (GET) attempt on your website!";
        $to = "jonsjava@gmail.com";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y Hi s:u");
        $whois = shell_exec("/usr/bin/whois $their_ip");
        $page = $_SERVER['PHP_SELF'];
        $headers = "From: webmaster@jonsajva.com";
        $message = "IP Address: $their_ip\n date Attempted: $date\n Page attacked: $page\n Data Passed: $input\n Who Is Info:\n\n $whois\n";
        mail($to, $subject, $message, $headers);
        session_unset();
        session_destroy();
        header("location:".$input);
        exit();
    } elseif (strstr($input, "SELECT *") || strstr($input, "INSERT INTO") || strstr($input, "DESCRIBE TABLE") || strstr($input, "OR 1")){
        // SQL keywords in the value: report it, but let the (escaped) value through
        $subject = "Hacking attempt on your website!";
        $to = "jonsjava@gmail.com";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y Hi s:u");
        $whois = shell_exec("/usr/bin/whois $their_ip");
        $page = $_SERVER['PHP_SELF'].$_SERVER['QUERY_STRING'];
        $headers = "From: webmaster@jonsajva.com";
        $message = "IP Address: $their_ip\n date Attempted: $date\n Page attacked: $page\n Data Passed: $input\n Who Is Info:\n\n $whois\n";
        mail($to, $subject, $message, $headers);
    }
    return $input;
}

// you can use it for $_GET:
$page = cleanInput($_GET['page'], true);
// or for $_POST, or anything else:
$page = cleanInput($_POST['some_data']); // don't use ", true" if it isn't a $_GET variable.
// you can then use the $page variable for anything you passed into it.
?>

Don't forget to fill in the db connection data, or include your stuff.
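An added example, not jonsjava's code or anything posted in this thread: since PHP 5.5, password_hash() picks a random per-user salt and a deliberately slow algorithm (bcrypt by default), which a fixed key plus md5() does not give you, and the block also shows how to migrate rows that still hold the md5($input.$key) value from the password() function above. The LEGACY_KEY constant, the 'hunter2' password and the $stored variable are constructed for the demo.

```php
<?php
// Added example (not from the thread). Replaces md5($input.$key) with password_hash(),
// which stores algorithm, cost and a random salt inside the returned string.
const LEGACY_KEY = '1k4w3G!';   // the fixed key used by the thread's password() function

function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verifies $plain against the stored value. If the stored value is a legacy
// md5($plain . LEGACY_KEY) hash, or a password_hash() result with an outdated
// cost, it is rewritten in place so the row can be saved back to the database.
function verifyAndUpgrade(string $plain, string &$stored): bool
{
    $info = password_get_info($stored);
    // password_get_info() reports algo null (PHP 7.4+) or 0 (older) for a non-hash string.
    if ($info['algo'] !== null && $info['algo'] !== 0) {
        if (!password_verify($plain, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $stored = hashPassword($plain);
        }
        return true;
    }
    // Legacy path: accept the old md5 value exactly once, then replace it.
    // hash_equals() avoids a timing difference between matching and non-matching prefixes.
    if (hash_equals($stored, md5($plain . LEGACY_KEY))) {
        $stored = hashPassword($plain);
        return true;
    }
    return false;
}

// Constructed demo: a user row still carrying the legacy hash.
$stored = md5('hunter2' . LEGACY_KEY);
$rejected = verifyAndUpgrade('wrong', $stored);     // wrong password: false, $stored untouched
$accepted = verifyAndUpgrade('hunter2', $stored);   // right password: true, $stored is now bcrypt
$stillOk  = password_verify('hunter2', $stored);    // the migrated row verifies the normal way
var_dump($rejected, $accepted, $stillOk, strlen($stored));
```

Persist the updated $stored back to the user's row whenever verifyAndUpgrade() returns true, since that is the moment the legacy value is replaced.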
waynewex Posted June 20, 2008 Author

Absolutely ace man.
lemmin Posted June 20, 2008

What do you mean by "secure way of handling sessions?" Sessions are server side and cannot be faked, so they are pretty secure. As for SQL injection, the method that I have found to work best for me is to use a lot of "id"s to reference rows and only allow numerical user input (to some degree). Obviously when a user is filling out a form he/she needs to input textual information, but on common site navigating methods, I pass only numerical values through post or get.
jonsjava Posted June 20, 2008

I doctored up my code some, to make things case-insensitive:

<?php
session_start();
/*
cleanInput and checkForAttack.
Usage: add your db connection at the top of the page, then run it as such:
Let's assume you have a form, and one of the text areas is named "subject".
Also, let's assume you have a get element named "page".

<?php
include ("functions.inc.php"); // page that has the functions
$subject1 = cleanInput($_POST['subject']);
$page = cleanInput($_GET['page'], true); // set to true if it's a $_GET variable
// now your data has been cleaned up.
?>

Also, you can use it to clean up arrays:

<?php
$post_data = cleanInput($_POST);
?>

Now, instead of using the $_POST array, you use the $post_data array.
*/
$host = "localhost";
$db = "jonsjava_dating";
$db_user = "jonsjava";
$db_password = "freed0m$";
$day = date("d");
$month = date("M");
$year = date("Y");
$link = mysql_connect($host, $db_user, $db_password);
mysql_select_db($db);

function cleanInput($input, $is_get=false){
    if (is_array($input)){
        // run every element through the attack check, then escape it for MySQL
        $new_array22 = array();
        foreach ($input as $key => $value){
            $value = checkForAttack($value, $is_get);
            $new_array22[$key] = mysql_real_escape_string($value);
        }
        $input = $new_array22;
    } else {
        $input = checkForAttack($input, $is_get);
        $input = mysql_real_escape_string($input);
    }
    return $input;
}

function checkForAttack($input, $is_get=false){
    // stristr() instead of strstr(): the keyword checks are now case-insensitive
    if ($is_get != false && stristr($input, "http")){
        $subject = "Hacking (GET) attempt on your website!";
        $to = "jonsjava@gmail.com";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y Hi s:u");
        $whois = shell_exec("/usr/bin/whois $their_ip");
        $page = $_SERVER['PHP_SELF'];
        $headers = "From: webmaster@jonsajva.com";
        $message = "IP Address: $their_ip\n date Attempted: $date\n Page attacked: $page\n Data Passed: $input\n Who Is Info:\n\n $whois\n";
        mail($to, $subject, $message, $headers);
        session_unset();
        session_destroy();
        header("location:".$input);
        exit();
    } elseif (stristr($input, "SELECT *") || stristr($input, "INSERT INTO") || stristr($input, "DESCRIBE TABLE") || stristr($input, "OR 1")){
        $subject = "Hacking attempt on your website!";
        $to = "jonsjava@gmail.com";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y Hi s:u");
        $whois = shell_exec("/usr/bin/whois $their_ip");
        $page = $_SERVER['PHP_SELF'].$_SERVER['QUERY_STRING'];
        $headers = "From: webmaster@jonsajva.com";
        $message = "IP Address: $their_ip\n date Attempted: $date\n Page attacked: $page\n Data Passed: $input\n Who Is Info:\n\n $whois\n";
        mail($to, $subject, $message, $headers);
    }
    return $input;
}

$page = cleanInput($_GET['page'], true);
print $page;
?>

Oh, and lemmin, you wrote:

"As for SQL injection, the method that I have found to work best for me is to use a lot of "id"s to reference rows and only allow numerical user input (to some degree). Obviously when a user is filling out a form he/she needs to input textual information, but on common site navigating methods, I pass only numerical values through post or get."

That's good advice, so long as you also sanitize all data coming in from users.
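As an added example that is not from this thread, here is what the escaping done by cleanInput() and lemmin's numeric-id rule look like with PDO prepared statements, where each value travels to the database separately from the SQL text instead of being quoted into it. The posts table, its two sample rows and the ['page' => '2'] input are constructed stand-ins for the real form and MySQL database.

```php
<?php
// Added example (not the thread's code). Validate the shape of navigation parameters,
// then bind every value through a prepared statement; nothing is escaped by hand.
// An in-memory SQLite database stands in for MySQL so the script runs on its own.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, subject TEXT)');
$pdo->exec("INSERT INTO posts (id, subject) VALUES (1, 'hello'), (2, 'O''Reilly on MySQL')");

// lemmin's approach: row references are integers, so anything else is refused outright
// before it gets near a query. Returns the validated integer.
function requireId(array $source, string $name): int
{
    $id = filter_var($source[$name] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    return $id;
}

// Looks a post up by id. The id is bound as an integer parameter, so the SQL text
// never contains user input at all.
function findPost(PDO $pdo, int $id): ?array
{
    $st = $pdo->prepare('SELECT id, subject FROM posts WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Free-text fields (the "subject" text area from the thread) work the same way:
// the quote in O'Reilly and any SQL keywords are plain data because the value is bound.
function findBySubject(PDO $pdo, string $subject): ?array
{
    $st = $pdo->prepare('SELECT id, subject FROM posts WHERE subject = :subject');
    $st->execute([':subject' => $subject]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed inputs, as a browser would send them in $_GET / $_POST.
$post = findPost($pdo, requireId(['page' => '2'], 'page'));
$hit  = findBySubject($pdo, "O'Reilly on MySQL");
$none = findBySubject($pdo, "' OR 1=1 --");   // matched literally, returns null
var_dump($post, $hit, $none);
```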
waynewex Posted June 20, 2008 Author

Thanks Jon. I'll keep your email address beside the code since you wrote it. And some people store sessions in the database. Why is that? Is it a good idea to place IP addresses in a session and then match them up each time?
jonsjava Posted June 20, 2008

I tend to store the session in the db, and store their IP in there as well. That way, if by some miracle they modify their session, or spoof one (I don't know of any way they can), you just compare their IP with the IP you have in the DB for them. This method does not work too well for AOL, so be warned. AOL users' IP addresses change at different intervals.
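An added example, not jonsjava's code, of the database-backed session with the client IP stored next to it, written as a SessionHandlerInterface implementation that PHP calls on every session_start(); the sessions table, the in-memory SQLite connection and the user_id value are constructed for the demo. The IP comparison in read() is the strict form, so it carries the caveat above about users whose address changes mid-session.

```php
<?php
// Added example (not from the thread). Session data lives in a table instead of
// the default file store, and each row remembers the IP that created the session.
// Assumed schema: sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, ip VARCHAR(45), last_seen INT)
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->pdo->prepare('SELECT data, ip FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            return '';
        }
        // Strict check: a session id presented from another address is discarded.
        // Relax or drop this for users whose IP changes during a session (the AOL case above).
        if ($row['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }
    public function write(string $id, string $data): bool
    {
        $st = $this->pdo->prepare('REPLACE INTO sessions (id, data, ip, last_seen) VALUES (?, ?, ?, ?)');
        return $st->execute([$id, $data, $_SERVER['REMOTE_ADDR'] ?? '', time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

$pdo = new PDO('sqlite::memory:');   // constructed stand-in for the MySQL connection
$pdo->exec('CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, ip VARCHAR(45), last_seen INT)');
session_set_save_handler(new DbSessionHandler($pdo), true);
// Cookie hardening: not readable by JavaScript, HTTPS only, not sent on cross-site requests.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
// On login, issue a fresh id so an id fixed before login is never promoted to a logged-in one.
session_regenerate_id(true);
$_SESSION['user_id'] = 42;   // constructed value
```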