Afraid to release my site to the public. Is it secure enough?

[justAnoob]

How secure is secure?  Registration, login, user file uploads, etc. Can anyone take a look at a couple scripts and let me know?

[RussellReal]

for the data that is supplied by the user, you should NEVER trust, always make your expected numbers, an actual number

 

like so:

 

$id = (int) $_GET['id'];

 

any strings a user can supply, like.. username and password, you want to first check of magic quotes is on, and then if it is, stripslashes and then mysql_real_escape_string that way all the 's are quoted out so you don't have to worry about SQL injection..

 

includes managed by GET variables should always have something before them in the include, for example

 

Example Request: http://yoursite.com/members.php?action=boom

 

BAD WAY TO HANDLE:

include($_GET['action'].'php');

 

GOOD WAY TO HANDLE:

include('member_includes/'.$_GET['action'].'php');

 

this way they can make action = http://whatever.com/blah

and hope that you do the first way, and all your script will do is look for 'members_include/http://whatever.com/blah.php'.. that will ofcourse throw an error, but way better then getting hit with a good dose of XSS

 

[tail]

Make sure to use mysql_real_escape_string on all user inputs while dealing with databases.

[justAnoob]

i heard that was the most important to make sure you have. so if my site is pretty much done... I still have a lot more to do,, security issues i mean. right? Here is an example. I also heard that it is good to protect your include files... in the case below,, connection.php should somehow be protected.

<?php
session_start();
include "connection.php";

$item_name = mysql_real_escape_string($_POST['item_name']);
$description = mysql_real_escape_string($_POST['description']);
$in_return = mysql_real_escape_string($_POST['in_return']);
$category = mysql_real_escape_string($_POST['listmenu']);

define ("MAX_SIZE","1500");
function getExtension($str)
{
$i = strrpos($str,".");
if (!$i)
{
	return "";
}
$l = strlen($str) - $i;
$ext = substr($str,$i+1,$l);
return $ext;
}

$errors=0;
if(isset($_POST['submit']))
{
$image=$_FILES['image']['name'];
if($image) 
{

	$filename = stripslashes($_FILES['image']['name']);

	$extension = getExtension($filename);
	$extension = strtolower($extension);
	if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "gif") && ($extension != "png"))
	{
		$_SESSION['badformat'] = "Your picture must be a .JPG .GIF or .PNG";
		header("location: http://www.------.com/-------.php");
		$errors=1;
		exit();

	}
	else
	{
		$size=filesize($_FILES['image']['tmp_name']);
		if ($size > MAX_SIZE*1024)
		{
			$_SESSION['toobig'] = "Your picture can not exceed 1.5 megabyte.";
			header("location: http://www.----.com/-----.php");
			$errors=1;
			exit();
		}

		$image_name=time().'.'.$extension;
            $newname="userimages/$category/".$image_name;

		$copied = copy($_FILES['image']['tmp_name'], $newname);
		if (!$copied)
		{
			$_SESSION['notcopy'] = "There was an error posting your picture. Please try again later.";
			header("location: http://www.------.com/-----.php");
			$errors=1;
			exit();

		}

	}
}
}

// if everything is good, post new pic for the user
$mysqlcategory = $category;
$imgpath = $newname;
$findit = $_SESSION['id'];
$result=mysql_query("SELECT id FROM members WHERE username = '$findit'");
$row=mysql_fetch_assoc($result);
$user_id = $row['id'];
$sql = "INSERT INTO abcxyz(item_name, description, in_return, imgpath, category, user_id)VALUES('$item_name','$description','$in_return', '$imgpath', '$mysqlcategory', '$user_id')";
mysql_query($sql) or die(mysql_error());
// go to confirmation page if upload is completed.
if(isset($_POST['submit']) && !$errors)
{
$_SESSION['posted'] = $item_name;
$_SESSION['picposted'] = $imgpath;
header("location: http://www.-------.com/------.php");
exit();
} 

?>

[.josh]

includes managed by GET variables should always have something before them in the include, for example

 

Example Request: http://yoursite.com/members.php?action=boom

 

BAD WAY TO HANDLE:

include($_GET['action'].'php');

 

GOOD WAY TO HANDLE:

include('member_includes/'.$_GET['action'].'php');

 

BETTER WAY TO HANDLE:

$allowed= array('home','about','contact'); // add pages allowed
$page = (in_array($_GET['action'],$allowed))? $_GET['action'] . '.php' : $allowed[0] . '.php';
include($page);

 

also, read this tutorial:

 

http://www.phpfreaks.com/tutorial/php-security

[Ken2k7]

justAnoob - there is no purpose in using mysql_real_escape_string on the $_POST fields right away. You may want to do something with the original values, not the escaped values.

[RussellReal]

yeah, what ken says, coz quoting out 's would actually throw off comparissons, and what crayon says.. that is way better, I've actually used that method b4, its also good for if () { } else { } coz then you could perform the else if the page isn't expected and throw an error

[.josh]

personally I do not really subscribe to using mysql_real_escape_string unless you expect quotes to be in the value.  If you don't, you should just strip them out with str_replace or preg_replace.  IMO it is better to validate data by checking to see if they are formatted the way you expect them to be, rather than doing some "catch-all" method like mysql_real_escape_string.  Also, you might find this to be an interesting read:

 

when escaping is not enough

[Reaper0167]

Wow,, my hopes of getting a safe website up just shot down the tubes.... I have countless number of scripts and everyone is bringing all this new stuff to my attention.... I'm kinda bummed.

[Reaper0167]

sorry about the name change,, my bro was on earlier, and I forgot he was signed in.

[justAnoob]

Wow,, sounds like I still have tons of work to do.

[tail]

You might want to store your include files in a directory below /public_html. Then set the include directory like this: set_include_path('/var/includes');

 

This way, no one will be able to access your include files besides your scripts.

[RussellReal]

includes really arn't the issue if you're including php files, but if you're allowing downloads for like special priveledged people, then you'd want THOSE files to be under your public directory, that way your members can't be jerks and link around your files to ppl who arn't paid members.. (although they could just send it to them with like MSN or w.e)

[justAnoob]

All I really have have is registration, login, messaging, and picture/text upload.... So shouldn't I be worried about the places where users submit forms and text box data? The scripts that run to help display some of my pages,, are those really a big risk? Couldn't I also back up my server files and my mysql database everyday to ensure that I always have something to go back to?