
For the data that is supplied by the user, you should NEVER trust it; always make your expected numbers an actual number,

like so:

$id = (int) $_GET['id'];

Any strings a user can supply, like username and password, you want to first check if magic quotes is on, and then if it is, stripslashes and then mysql_real_escape_string; that way all the 's are quoted out so you don't have to worry about SQL injection.

 

Includes managed by GET variables should always have something before them in the include, for example

Example Request: http://yoursite.com/members.php?action=boom

BAD WAY TO HANDLE:

include($_GET['action'].'.php');

GOOD WAY TO HANDLE:

include('member_includes/'.$_GET['action'].'.php');

This way they can make action = http://whatever.com/blah

and hope that you do the first way, and all your script will do is look for 'member_includes/http://whatever.com/blah.php'. That will of course throw an error, but way better than getting hit with a good dose of XSS.

 

I heard that was the most important thing to make sure you have. So if my site is pretty much done... I still have a lot more to do, security issues I mean. Right? Here is an example. I also heard that it is good to protect your include files... in the case below, connection.php should somehow be protected.

<?php
session_start();
include "connection.php";

$item_name = mysql_real_escape_string($_POST['item_name']);
$description = mysql_real_escape_string($_POST['description']);
$in_return = mysql_real_escape_string($_POST['in_return']);
$category = mysql_real_escape_string($_POST['listmenu']);

define("MAX_SIZE", "1500"); // maximum picture size, in kilobytes

// Returns the part of $str after the last dot, or "" when there is no dot.
function getExtension($str)
{
    $i = strrpos($str, ".");
    if ($i === false) // strrpos() returns false, not 0, when the dot is missing
    {
        return "";
    }
    return substr($str, $i + 1);
}

$errors = 0;
$newname = ""; // only set when a picture was actually uploaded
if (isset($_POST['submit']))
{
    $image = $_FILES['image']['name'];
    if ($image)
    {
        $filename = stripslashes($_FILES['image']['name']);

        $extension = strtolower(getExtension($filename));
        if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "gif") && ($extension != "png"))
        {
            $_SESSION['badformat'] = "Your picture must be a .JPG .GIF or .PNG";
            header("location: http://www.------.com/-------.php");
            $errors = 1;
            exit();
        }
        else
        {
            $size = filesize($_FILES['image']['tmp_name']);
            if ($size > MAX_SIZE * 1024)
            {
                $_SESSION['toobig'] = "Your picture can not exceed 1.5 megabyte.";
                header("location: http://www.----.com/-----.php");
                $errors = 1;
                exit();
            }

            $image_name = time() . '.' . $extension;
            // $category comes straight from the form and is used here as a directory name;
            // mysql_real_escape_string() only quotes it for SQL, it does not restrict it to a known folder
            $newname = "userimages/$category/" . $image_name;

            // move_uploaded_file() also checks that the source really is this request's upload
            $copied = move_uploaded_file($_FILES['image']['tmp_name'], $newname);
            if (!$copied)
            {
                $_SESSION['notcopy'] = "There was an error posting your picture. Please try again later.";
                header("location: http://www.------.com/-----.php");
                $errors = 1;
                exit();
            }
        }
    }
}

// if everything is good, post new pic for the user
$mysqlcategory = $category;
$imgpath = $newname;
$findit = $_SESSION['id']; // set at login, so it is not user-supplied at this point
$result = mysql_query("SELECT id FROM members WHERE username = '$findit'");
$row = mysql_fetch_assoc($result);
$user_id = $row['id'];
$sql = "INSERT INTO abcxyz(item_name, description, in_return, imgpath, category, user_id) VALUES('$item_name','$description','$in_return', '$imgpath', '$mysqlcategory', '$user_id')";
mysql_query($sql) or die(mysql_error());
// go to confirmation page if upload is completed.
if (isset($_POST['submit']) && !$errors)
{
    $_SESSION['posted'] = $item_name;
    $_SESSION['picposted'] = $imgpath;
    header("location: http://www.-------.com/------.php");
    exit();
}

?>
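A hardened version of the upload branch in the script above, added here as an example (not the poster's code). It assumes the same form fields and userimages/<category>/ layout, a session value $_SESSION['user_id'] set at login, and a mysqli connection in $db; the category allow-list and the redirect page are constructed placeholders.

```php
<?php
// Added example, not the poster's code: the upload branch of the script above,
// hardened. Assumes the same form fields and userimages/<category>/ layout, a
// session-stored $_SESSION['user_id'] and a mysqli connection in $db (hypothetical).
session_start();
define('MAX_SIZE', 1500 * 1024);                        // 1.5 MB, in bytes
$allowed_categories = array('books', 'games', 'tools'); // constructed allow-list
$allowed_types = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png');

function fail($key, $msg) {
    $_SESSION[$key] = $msg;
    header('Location: /upload_form.php'); // placeholder for the redirect pages in the script
    exit();
}

// The category becomes a directory name, so compare it against a fixed list
// instead of escaping it: mysql_real_escape_string protects SQL, not paths.
$category = isset($_POST['listmenu']) ? $_POST['listmenu'] : '';
if (!in_array($category, $allowed_categories, true)) {
    fail('badcategory', 'Unknown category.');
}

if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['image']['tmp_name'])) { // must be this request's own upload
    fail('notcopy', 'There was an error posting your picture. Please try again later.');
}
$tmp = $_FILES['image']['tmp_name'];
if (filesize($tmp) > MAX_SIZE) {
    fail('toobig', 'Your picture can not exceed 1.5 megabyte.');
}

// Decide the image type from the file contents, not from the user-supplied name.
$info = @getimagesize($tmp);
if ($info === false || !isset($allowed_types[$info[2]])) {
    fail('badformat', 'Your picture must be a .JPG .GIF or .PNG');
}
$extension = $allowed_types[$info[2]];

// Server-generated file name: nothing the user typed reaches the final path.
$image_name = time() . '_' . bin2hex(random_bytes(4)) . '.' . $extension;
$newname = 'userimages/' . $category . '/' . $image_name;
if (!move_uploaded_file($tmp, $newname)) {
    fail('notcopy', 'There was an error posting your picture. Please try again later.');
}

// Record the path with a prepared statement instead of string concatenation.
$stmt = $db->prepare('INSERT INTO abcxyz (imgpath, category, user_id) VALUES (?, ?, ?)');
$stmt->bind_param('ssi', $newname, $category, $_SESSION['user_id']);
$stmt->execute();
```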

includes managed by GET variables should always have something before them in the include, for example

Example Request: http://yoursite.com/members.php?action=boom

BAD WAY TO HANDLE:

include($_GET['action'].'.php');

GOOD WAY TO HANDLE:

include('member_includes/'.$_GET['action'].'.php');

BETTER WAY TO HANDLE:

$allowed = array('home', 'about', 'contact'); // add pages allowed
$action = isset($_GET['action']) ? $_GET['action'] : $allowed[0]; // avoid an undefined-index notice
$page = in_array($action, $allowed, true) ? $action . '.php' : $allowed[0] . '.php'; // strict comparison
include($page);

also, read this tutorial:

http://www.phpfreaks.com/tutorial/php-security

Yeah, what Ken says, coz quoting out 's would actually throw off comparisons, and what Crayon says... that is way better. I've actually used that method before; it's also good for if () { } else { } coz then you could perform the else if the page isn't expected and throw an error :)

Personally I do not really subscribe to using mysql_real_escape_string unless you expect quotes to be in the value. If you don't, you should just strip them out with str_replace or preg_replace. IMO it is better to validate data by checking to see if they are formatted the way you expect them to be, rather than doing some "catch-all" method like mysql_real_escape_string. Also, you might find this to be an interesting read:

when escaping is not enough
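Validation by expected format, as this post and Crayon's allow-list suggest, worked through as an added example (not code from the thread) for the three inputs the thread discusses: an integer id, a username, and the ?action= page selector. The include directory, the PDO DSN and the sample inputs are constructed placeholders.

```php
<?php
// Added example, not code from the thread: validation by expected format, as the
// posts above suggest, for the inputs this thread discusses (an integer id, a
// username, and the ?action= page selector). Each function returns null on
// anything unexpected so the caller can refuse the request instead of repairing it.
function validated_id($raw) {
    // (int) casting quietly turns "12abc" into 12; require the whole string to be digits.
    return (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}$/', $raw)) ? (int) $raw : null;
}

function validated_username($raw) {
    // Letters, digits and underscore, 3 to 20 chars: quotes never get in, so nothing to escape.
    return (is_string($raw) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw)) ? $raw : null;
}

function validated_page($raw, array $allowed, $include_dir) {
    // Allow-list with strict comparison (an array or a numeric string must not match),
    // then confirm the resolved file really lives inside the include directory.
    if (!is_string($raw) || !in_array($raw, $allowed, true)) {
        return null;
    }
    $base = realpath($include_dir);
    $path = realpath($include_dir . '/' . $raw . '.php');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs stand in for $_GET / $_POST on a real request.
$allowed = array('home', 'about', 'contact');
$page = validated_page('about', $allowed, __DIR__ . '/member_includes');
if ($page === null) {
    header('HTTP/1.1 400 Bad Request'); // refuse rather than fall back silently
    exit('Unknown page.');
}
include $page;

$id   = validated_id('42');           // all digits: accepted as an integer
$bad  = validated_id('12abc');        // trailing letters: refused, not truncated
$user = validated_username('bob_99'); // matches the username format

// Whatever still has to reach the database goes through a prepared statement
// (PDO assumed, placeholder DSN), so escaping is not the only line of defence.
$pdo  = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass');
$stmt = $pdo->prepare('SELECT id FROM members WHERE username = ?');
$stmt->execute(array($user));
$user_id = $stmt->fetchColumn();
```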

You might want to store your include files in a directory below /public_html. Then set the include directory like this: set_include_path('/var/includes');

This way, no one will be able to access your include files besides your scripts.

Includes really aren't the issue if you're including PHP files, but if you're allowing downloads for, like, special privileged people, then you'd want THOSE files to be under your public directory, that way your members can't be jerks and link around your files to people who aren't paid members.. (although they could just send it to them with, like, MSN or whatever)

All I really have is registration, login, messaging, and picture/text upload... So shouldn't I be worried about the places where users submit forms and text box data? The scripts that run to help display some of my pages, are those really a big risk? Couldn't I also back up my server files and my MySQL database every day to ensure that I always have something to go back to?
