Thread: https://forums.phpfreaks.com/topic/161736-afraid-to-release-my-site-to-the-public-is-it-secure-enough/

justAnoob Posted June 10, 2009

How secure is secure? Registration, login, user file uploads, etc. Can anyone take a look at a couple scripts and let me know?
RussellReal Posted June 11, 2009

For the data that is supplied by the user, you should NEVER trust it. Always make your expected numbers an actual number, like so:

    $id = (int) $_GET['id'];

Any strings a user can supply, like username and password, you want to first check if magic quotes is on, and then if it is, stripslashes and then mysql_real_escape_string. That way all the 's are quoted out, so you don't have to worry about SQL injection.

Includes managed by GET variables should always have something before them in the include, for example:

Example request: http://yoursite.com/members.php?action=boom

BAD WAY TO HANDLE:

    include($_GET['action'] . '.php');

GOOD WAY TO HANDLE:

    include('member_includes/' . $_GET['action'] . '.php');

This way they can make action = http://whatever.com/blah and hope that you do it the first way, and all your script will do is look for 'member_includes/http://whatever.com/blah.php'. That will of course throw an error, but it's way better than getting hit with a good dose of XSS.
tail Posted June 11, 2009

Make sure to use mysql_real_escape_string on all user inputs while dealing with databases.
justAnoob (Author) Posted June 11, 2009

I heard that was the most important thing to make sure you have. So if my site is pretty much done... I still have a lot more to do, security issues I mean. Right? Here is an example. I also heard that it is good to protect your include files... in the case below, connection.php should somehow be protected.

    <?php
    session_start();
    include "connection.php";

    $item_name   = mysql_real_escape_string($_POST['item_name']);
    $description = mysql_real_escape_string($_POST['description']);
    $in_return   = mysql_real_escape_string($_POST['in_return']);
    $category    = mysql_real_escape_string($_POST['listmenu']);

    define("MAX_SIZE", "1500"); // kilobytes

    // Return the part of the file name after the last dot, or "" if there is none.
    function getExtension($str)
    {
        $i = strrpos($str, ".");
        if ($i === false) {
            return "";
        }
        return substr($str, $i + 1);
    }

    $errors  = 0;
    $newname = ''; // stays empty when no picture was uploaded

    if (isset($_POST['submit'])) {
        $image = $_FILES['image']['name'];
        if ($image) {
            $filename  = stripslashes($_FILES['image']['name']);
            $extension = strtolower(getExtension($filename));

            if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "gif") && ($extension != "png")) {
                $_SESSION['badformat'] = "Your picture must be a .JPG .GIF or .PNG";
                header("location: http://www.------.com/-------.php");
                $errors = 1;
                exit();
            } else {
                $size = filesize($_FILES['image']['tmp_name']);
                if ($size > MAX_SIZE * 1024) {
                    $_SESSION['toobig'] = "Your picture can not exceed 1.5 megabyte.";
                    header("location: http://www.----.com/-----.php");
                    $errors = 1;
                    exit();
                }

                $image_name = time() . '.' . $extension;
                $newname    = "userimages/$category/" . $image_name;
                $copied     = copy($_FILES['image']['tmp_name'], $newname);
                if (!$copied) {
                    $_SESSION['notcopy'] = "There was an error posting your picture. Please try again later.";
                    header("location: http://www.------.com/-----.php");
                    $errors = 1;
                    exit();
                }
            }
        }
    }

    // if everything is good, post new pic for the user
    $mysqlcategory = $category;
    $imgpath       = $newname;
    $findit        = $_SESSION['id'];
    $result  = mysql_query("SELECT id FROM members WHERE username = '$findit'");
    $row     = mysql_fetch_assoc($result);
    $user_id = $row['id'];

    $sql = "INSERT INTO abcxyz(item_name, description, in_return, imgpath, category, user_id)
            VALUES('$item_name','$description','$in_return', '$imgpath', '$mysqlcategory', '$user_id')";
    mysql_query($sql) or die(mysql_error());

    // go to confirmation page if upload is completed.
    if (isset($_POST['submit']) && !$errors) {
        $_SESSION['posted']    = $item_name;
        $_SESSION['picposted'] = $imgpath;
        header("location: http://www.-------.com/------.php");
        exit();
    }
    ?>
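As an added example (not the original poster's script and not a reply from the thread), here is the same picture upload written with the checks the file-handling part of that script is missing: the category is taken from a fixed list so it cannot carry `../` into the path, the image type is decided from the file contents rather than the client-supplied name, only PHP's own temp file is accepted, the stored name is random, and the stored file is never executable. The storage directory, the category list, the session keys and the redirect targets are assumptions for illustration; the database insert is left out here because it belongs with the field validation.

```php
<?php
// Added example, not the original poster's code. Directory names, the category
// list, session keys and redirect targets are assumptions for illustration.
declare(strict_types=1);
session_start();

const MAX_SIZE_BYTES = 1500 * 1024;                    // 1.5 MB, as in the thread
const UPLOAD_ROOT    = __DIR__ . '/userimages';        // assumed storage directory
const CATEGORIES     = ['books', 'tools', 'other'];    // assumed allow-list for $_POST['listmenu']

// Accepted image types mapped to the extension we assign ourselves.
// The extension the browser sent is never used for the stored name.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one uploaded image and store it; returns the relative path.
 * Throws RuntimeException with a user-safe message on any failure.
 */
function storeUploadedImage(array $file, string $category): string
{
    // Category becomes part of the path, so it must be one of our own values.
    if (!in_array($category, CATEGORIES, true)) {
        throw new RuntimeException('Unknown category.');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No picture was uploaded.');
    }
    // Only trust a temp file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    if (filesize($file['tmp_name']) > MAX_SIZE_BYTES) {
        throw new RuntimeException('Your picture can not exceed 1.5 megabytes.');
    }
    // Decide the type from the file contents, not from the name the browser sent.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Your picture must be a .JPG .GIF or .PNG');
    }
    $dir = UPLOAD_ROOT . '/' . $category;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Storage unavailable.');
    }
    // Random name: no collisions from time() and nothing client-chosen in the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('There was an error posting your picture.');
    }
    chmod($dest, 0640);   // stored data, never executable
    return 'userimages/' . $category . '/' . $name;
}

if (isset($_POST['submit'], $_FILES['image'])) {
    try {
        $imgpath = storeUploadedImage($_FILES['image'], (string) ($_POST['listmenu'] ?? ''));
        $_SESSION['picposted'] = $imgpath;
        header('Location: /confirm.php');   // assumed confirmation page
    } catch (RuntimeException $e) {
        $_SESSION['uploaderror'] = $e->getMessage();
        header('Location: /upload.php');    // assumed form page
    }
    exit();
}
```

Two points the code cannot express on its own: the web server should be configured so that nothing under `userimages/` is ever handed to the PHP interpreter (a file that passes `getimagesize` can still contain text), and the redirect-then-`exit()` pattern only works if `exit()` is actually reached on every error path, which the single `try`/`catch` above guarantees.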
.josh Posted June 11, 2009

Quoting RussellReal:

    includes managed by GET variables should always have something before them in the include, for example
    Example request: http://yoursite.com/members.php?action=boom
    BAD WAY TO HANDLE: include($_GET['action'] . '.php');
    GOOD WAY TO HANDLE: include('member_includes/' . $_GET['action'] . '.php');

BETTER WAY TO HANDLE:

    $allowed = array('home', 'about', 'contact'); // add pages allowed
    $page = (isset($_GET['action']) && in_array($_GET['action'], $allowed))
        ? $_GET['action'] . '.php'
        : $allowed[0] . '.php';
    include($page);

Also, read this tutorial: http://www.phpfreaks.com/tutorial/php-security
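The two posts above (RussellReal's integer cast plus path prefix, and .josh's allow-list) combine into one dispatcher. The following is an added example, not code from either poster: the request can only ever choose a key of a table we control, the file name comes from the table rather than from the query string, and numeric parameters are checked before they are cast. The page names, the `member_includes/` directory and the `id` parameter are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Page names, the member_includes/ directory
// and the id parameter are assumptions for illustration.
declare(strict_types=1);

// Map of allowed actions to the file each one loads. Only the keys are compared
// against the request; the file names never come from the client.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Return the file for $action, or for $default when $action is not a known key. */
function resolvePage(array $pages, ?string $action, string $default = 'home'): string
{
    // Exact key match only: "home/../x", "http://...", "" and null all fall through.
    if ($action === null || !array_key_exists($action, $pages)) {
        return $pages[$default];
    }
    return $pages[$action];
}

/** Accept only a string of digits that is a positive integer; everything else is null. */
function resolveId(?string $raw): ?int
{
    if ($raw === null || !ctype_digit($raw)) {
        return null;            // "12abc", "-1", "1e3", "" are all rejected before casting
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

$action = isset($_GET['action']) ? (string) $_GET['action'] : null;
$page   = resolvePage(PAGES, $action);
$id     = resolveId(isset($_GET['id']) ? (string) $_GET['id'] : null);

// __DIR__ anchors the include to this script's directory, and $page came from
// our own table, so nothing in ?action= can point the include elsewhere.
include __DIR__ . '/member_includes/' . $page;
```

Compared with the one-liner in the post, the difference is that an unknown action is never turned into a path at all (not even a path that "will throw an error"), and the integer check happens before the cast so `(int)` is a type guarantee rather than the only defence.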
Ken2k7 Posted June 11, 2009

justAnoob - there is no purpose in using mysql_real_escape_string on the $_POST fields right away. You may want to do something with the original values, not the escaped values.
RussellReal Posted June 11, 2009

Yeah, what Ken says, because quoting out 's would actually throw off comparisons. And what crayon says... that is way better, I've actually used that method before. It's also good for if () { } else { }, because then you could perform the else if the page isn't expected and throw an error.
.josh Posted June 11, 2009

Personally I do not really subscribe to using mysql_real_escape_string unless you expect quotes to be in the value. If you don't, you should just strip them out with str_replace or preg_replace. IMO it is better to validate data by checking to see if they are formatted the way you expect them to be, rather than doing some "catch-all" method like mysql_real_escape_string. Also, you might find this to be an interesting read: when escaping is not enough
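The approach .josh describes, validating each field against the shape it must have instead of escaping everything, applied to the fields of the poster's insert. This is an added example, not code from the thread: each rule states exactly what is acceptable and rejects the rest, and the insert then uses a prepared statement so that quotes in a description are plain data and no escaping is needed at all. The table and column names follow the poster's script; the length limits, the allowed-character set, the category list and the PDO connection are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names follow the poster's
// script; limits, character set, category list and the PDO DSN are assumptions.
declare(strict_types=1);

/**
 * Validate the listing form. Returns [clean values, error messages].
 * Nothing is "escaped"; a value either matches its rule or is rejected.
 */
function validateListing(array $post, array $categories): array
{
    $clean  = [];
    $errors = [];

    $itemName = trim((string) ($post['item_name'] ?? ''));
    // Letters, digits, spaces and a few punctuation marks, 1 to 80 characters.
    if (!preg_match('/^[\p{L}\p{N} .,\'!-]{1,80}$/u', $itemName)) {
        $errors[] = "item_name: 1-80 letters, digits, spaces or . , ' ! -";
    } else {
        $clean['item_name'] = $itemName;
    }

    foreach (['description', 'in_return'] as $field) {
        $text = trim((string) ($post[$field] ?? ''));
        // Free text may legitimately contain quotes; the rule is length and valid UTF-8.
        if ($text === '' || !mb_check_encoding($text, 'UTF-8') || mb_strlen($text, 'UTF-8') > 2000) {
            $errors[] = "$field: required, valid UTF-8, at most 2000 characters";
        } else {
            $clean[$field] = $text;
        }
    }

    // The category is a fixed choice, so compare against our own list, strictly.
    $category = (string) ($post['listmenu'] ?? '');
    if (!in_array($category, $categories, true)) {
        $errors[] = 'listmenu: not a known category';
    } else {
        $clean['category'] = $category;
    }

    return [$clean, $errors];
}

/** Insert validated values; returns the new row id. */
function insertListing(PDO $db, array $clean, string $imgpath, int $userId): int
{
    // Placeholders keep data and SQL apart: a quote inside a value cannot
    // change the statement, so nothing here depends on escaping.
    $stmt = $db->prepare(
        'INSERT INTO abcxyz (item_name, description, in_return, imgpath, category, user_id)
         VALUES (:item_name, :description, :in_return, :imgpath, :category, :user_id)'
    );
    $stmt->execute([
        ':item_name'   => $clean['item_name'],
        ':description' => $clean['description'],
        ':in_return'   => $clean['in_return'],
        ':imgpath'     => $imgpath,
        ':category'    => $clean['category'],
        ':user_id'     => $userId,
    ]);
    return (int) $db->lastInsertId();
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
// [$clean, $errors] = validateListing($_POST, ['books', 'tools', 'other']);
// if ($errors === []) {
//     insertListing($db, $clean, $imgpath, (int) $_SESSION['user_id']);
// }
```

This also answers Ken2k7's point: the original values stay untouched for comparisons and display, and the database layer, not the form handler, is where the separation between data and SQL happens.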
Reaper0167 Posted June 11, 2009

Wow, my hopes of getting a safe website up just shot down the tubes.... I have a countless number of scripts and everyone is bringing all this new stuff to my attention.... I'm kinda bummed.
Reaper0167 Posted June 11, 2009

Sorry about the name change, my bro was on earlier, and I forgot he was signed in.
justAnoob (Author) Posted June 11, 2009

Wow, sounds like I still have tons of work to do.
tail Posted June 11, 2009

You might want to store your include files in a directory below /public_html. Then set the include directory like this:

    set_include_path('/var/includes');

This way, no one will be able to access your include files besides your scripts.
RussellReal Posted June 11, 2009

Includes really aren't the issue if you're including PHP files, but if you're allowing downloads for, like, specially privileged people, then you'd want THOSE files to be under your public directory. That way your members can't be jerks and link around your files to people who aren't paid members.. (although they could just send it to them with like MSN or whatever)
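The two posts above are about keeping files where the web server cannot serve them directly and handing them out only through a script. As an added example (not code from either poster), here is a download gateway: the files live in a directory that is not under the web root, the client names an opaque id rather than a path, the session decides whether the member may have the file, and the resolved path is re-checked against the private root before anything is sent. The private directory, the file table and the session key are assumptions for illustration.

```php
<?php
// Added example, not from the thread. The private directory, file table and
// session key are assumptions for illustration.
declare(strict_types=1);
session_start();

const PRIVATE_ROOT = '/var/site_private/downloads';   // assumed; not under public_html

// Which files exist and who may fetch them, keyed by an opaque id so the
// client never names a path.
const FILES = [
    'guide'  => ['name' => 'members-guide.pdf', 'type' => 'application/pdf', 'paid' => true],
    'sample' => ['name' => 'sample.pdf',        'type' => 'application/pdf', 'paid' => false],
];

/** Return the table entry for $id if it exists and this member may have it, else null. */
function lookupDownload(array $files, ?string $id, bool $isPaidMember): ?array
{
    if ($id === null || !isset($files[$id])) {
        return null;                     // unknown id: nothing to serve
    }
    $entry = $files[$id];
    if ($entry['paid'] && !$isPaidMember) {
        return null;                     // paid content, unpaid session
    }
    return $entry;
}

/** Stream one table entry from the private root, or answer 404 if it is not there. */
function sendFile(string $root, array $entry): void
{
    $rootReal = realpath($root);
    $real     = realpath($root . '/' . $entry['name']);
    // Defence in depth: even though the name came from our table, the resolved
    // path must still sit inside the private root and be a regular file.
    if ($rootReal === false || $real === false || !is_file($real)
        || strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit();
    }
    header('Content-Type: ' . $entry['type']);
    header('Content-Length: ' . (string) filesize($real));
    header('Content-Disposition: attachment; filename="' . basename($real) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($real);
    exit();
}

$isPaid = !empty($_SESSION['paid_member']);   // assumed to be set at login
$entry  = lookupDownload(FILES, isset($_GET['f']) ? (string) $_GET['f'] : null, $isPaid);
if ($entry === null) {
    http_response_code(403);
    exit('Not available.');
}
sendFile(PRIVATE_ROOT, $entry);
```

Because the URL a member sees is `download.php?f=guide` rather than a path to the PDF, passing the link to a non-member gets them a 403 from this script; as RussellReal notes, nothing stops a member from sending the file itself once they have it, which is a policy problem rather than one this code can solve.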
justAnoob (Author) Posted June 11, 2009

All I really have is registration, login, messaging, and picture/text upload.... So shouldn't I be worried about the places where users submit forms and text box data? The scripts that run to help display some of my pages, are those really a big risk? Couldn't I also back up my server files and my MySQL database every day to ensure that I always have something to go back to?