Incredinot Posted December 16, 2009

Hi.. Can anyone help me figure out whether this code is secure?

Page 1.

```php
<?php $uid = $_GET['uid']; // Receiving a user id ?>
<form action="mysqlpage.php" method="post">
  <input type="hidden" name="uid" value="<?php print $uid; ?>"/>
  <input type="hidden" name="date" value="<?php print time(); ?>" />
  <input type="text" name="name" value="" />
  <label>
    <select name="selectbox" id="selectbox">
      <option value="value">value</option>
      <option value="value">value</option>
    </select>
  </label>
  <input type="submit" value="Confirm" />
</form>
```

Page 2.

```php
<?php
mysql_connect("host", "user", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$uid       = mysql_real_escape_string($_POST['uid']);
$name      = mysql_real_escape_string($_POST['name']);
$selectbox = mysql_real_escape_string($_POST['selectbox']);
$date      = mysql_real_escape_string($_POST['date']);

if (($name == "") || ($selectbox == "")) {
    // Send user back with a message that fields were not filled..
    return;
}

$success = mysql_query("INSERT INTO somewhere (uid, name, selectbox, date)
                        VALUES('$uid', '$name', '$selectbox', '$date')") or die(mysql_error());

// redirect to success page
if ($success) {
    // Send user to an "ok" page..
} else {
    // Send to "something happened"...
}
?>
```

I've used "mysql_real_escape_string", but is that enough? Can anyone do something evil to my site? And is it okay to have my MySQL login information in a file like that?

Link to comment: https://forums.phpfreaks.com/topic/185378-security-help/
Deoctor Posted December 16, 2009

I think you should use an enctype="" for the form, so that no one can pass the autologins to the site, and also validate it using a JS file...
Incredinot (Author) Posted December 16, 2009

Is there more I can do with security in mind?
Daniel0 Posted December 16, 2009

> I've used the "mysql_real_escape_string", but is that enough?

Don't show raw error messages with potentially sensitive information to your users (mysql_error()). Implement some proper error handling that allows you to turn off error messages like that in a production environment (but still logs them), while still showing them during development.

> And is it okay to have my mysql login information in a file like that?

Well, it would be a good idea to store them in a configuration file that isn't kept in a publicly accessible folder. If the PHP module somehow fails on your web server, your login information will be in plain sight for everybody. It's also a good idea for organizing your files properly.
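The two points Daniel0 makes above, as an added example that is not code from the thread: errors are logged but never displayed in production, and the database credentials are loaded from a file outside the document root. It uses PDO instead of the mysql_* functions from the original post (those were removed in PHP 7). The paths /var/www/config/db.php and /var/log/php/app.log and the APP_ENV environment variable are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: /var/www/config/db.php lives
// outside the document root, /var/log/php/app.log is writable by the web server,
// and APP_ENV=production is set in the production environment.
declare(strict_types=1);

$isProduction = getenv('APP_ENV') === 'production';

// Development: errors on screen. Production: never on screen, always in the log.
error_reporting(E_ALL);
ini_set('display_errors', $isProduction ? '0' : '1');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

// Anything uncaught ends up here instead of as a raw message in the browser.
set_exception_handler(function (Throwable $e) use ($isProduction): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo $isProduction
        ? 'Something went wrong. Please try again later.'
        : htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8');
});

// Credentials live in a file the web server cannot serve directly. That file
// just returns an array, for example:
//   return ['dsn' => 'mysql:host=localhost;dbname=database', 'user' => 'user', 'pass' => 'password'];
$config = require '/var/www/config/db.php';

try {
    $db = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // The exception text can include the host and user name: log it, never echo it.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(503);
    exit('Service temporarily unavailable.');
}
```

With `display_errors` off, a failed connection or query no longer prints the MySQL error text (which can contain the host, user name or parts of the query) to the visitor; the same detail still lands in the log file where the developer can read it.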
roopurt18 Posted December 17, 2009

As long as you always use mysql_real_escape_string() (or whatever is appropriate for your database), nobody should be able to inject SQL into your code. In other words, nobody should be able to turn a statement such as:

```sql
select * from users where username='foo' and password='password'
```

into

```sql
select * from users where username='foo'; update users set password='asdf' where 1=1; select * from users where password='password';
```

However, that's not the only type of vulnerability your application could fall prey to. There are all sorts of inherent dangers in scripts that upload files, delete files, or use any sort of user input for anything. You should always, always use strict pattern checking on anything that comes from the user.

Also, if you want to be even more secure, invest in some sort of PHP encoding program, such as Zend Guard or nu-coder. What you use depends on what you can get installed on your server, but these types of protection will prevent someone from walking off with your source and easily discovering passwords or other important information. Plain-text passwords scare the crap out of me. You back up your PHP code, your host backs up your PHP code, your client backs up your PHP code. The backups get backed up and before long who knows where they are and who has access to them, and your most sensitive information is in them. :/
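The strict pattern checking roopurt18 recommends, applied to the fields from the original post, as an added example that is not code from the thread. Each field is checked against a pattern or a whitelist before it gets near the database, the INSERT uses a bound parameter instead of a hand-built quoted string, and the demo runs an injection attempt through both layers. It uses PDO with an in-memory SQLite database so it runs offline (the original uses the mysql_* functions, removed in PHP 7); the whitelist contents, the name pattern and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread. Whitelist values, the name pattern and
// the sample inputs are constructed for the demo.
declare(strict_types=1);

const ALLOWED_SELECTBOX = ['value', 'other'];   // the real <option> values go here

/**
 * Strict pattern checks on the POSTed fields. Returns cleaned values or throws
 * on anything that does not match; nothing else gets through.
 */
function validateInput(array $post): array
{
    $uid = $post['uid'] ?? '';
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $uid)) {
        throw new InvalidArgumentException('uid must be a positive integer');
    }

    $name = trim($post['name'] ?? '');
    if (!preg_match('/^[\p{L} \'\-]{1,64}$/u', $name)) {   // letters, spaces, apostrophes, hyphens
        throw new InvalidArgumentException('name contains disallowed characters');
    }

    $select = $post['selectbox'] ?? '';
    if (!in_array($select, ALLOWED_SELECTBOX, true)) {
        throw new InvalidArgumentException('selectbox value is not in the whitelist');
    }

    // The hidden "date" field is client-controlled; set the timestamp server-side instead.
    return ['uid' => (int) $uid, 'name' => $name, 'selectbox' => $select, 'date' => time()];
}

/** Parameterised INSERT: the values are sent separately from the SQL text. */
function insertRow(PDO $db, array $row): void
{
    $stmt = $db->prepare(
        'INSERT INTO somewhere (uid, name, selectbox, date) VALUES (:uid, :name, :selectbox, :date)'
    );
    $stmt->execute($row);
}

// --- demo on an in-memory database with the same table as the post ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE somewhere (uid INTEGER, name TEXT, selectbox TEXT, date INTEGER)');

// Legitimate submission, including an apostrophe that escaping would have to handle.
insertRow($db, validateInput(['uid' => '42', 'name' => "O'Brien", 'selectbox' => 'value']));

// Constructed injection attempt: the pattern checks reject it before any SQL runs.
$evil = ['uid' => "1' OR 1=1 --", 'name' => "x'); DROP TABLE somewhere; --", 'selectbox' => 'value'];
try {
    insertRow($db, validateInput($evil));
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Skip validation on purpose to show the second layer: as a bound parameter the
// payload is stored as plain text and the table is still there afterwards.
insertRow($db, ['uid' => 1, 'name' => $evil['name'], 'selectbox' => 'value', 'date' => time()]);
foreach ($db->query('SELECT name FROM somewhere') as $r) {
    echo $r['name'], "\n";
}
echo 'rows: ', $db->query('SELECT COUNT(*) FROM somewhere')->fetchColumn(), "\n";
```

Two things differ from the original page 2. The checks are positive (what a uid or a name may look like) rather than negative (escape whatever arrives), so a value such as `1' OR 1=1 --` never reaches the query at all; and the timestamp is taken from the server, because a hidden form field is just another piece of user input.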