database security


The Little Guy

How are you allowing uploads?

Via a script? FTP accounts? You're not making any sense.

If you're using FTP you can restrict where FTP users can go in your site's folder structure; this has nothing to do with PHP though, it's purely how you run FTP on your site.

PHP scripts for uploading don't allow any kind of view of your entire folder/file structure; they simply create a copy of the uploaded file and move it from the temp directory to the destination directory set out in the script.

Firstly, It's a bad idea to allow people to upload files into the same folder as your connect page.

Secondly, even if they have the name of your connect.php page, they can't view any of the details by running it as it's enclosed in PHP's tags, meaning it gets executed server side.

Regards
Huggie

[quote author=HuggieBear link=topic=121909.msg502360#msg502360 date=1168533124]
Firstly, It's a bad idea to allow people to upload files into the same folder as your connect page.
[/quote]
It's not in the same folder.


[quote author=Cep link=topic=121909.msg502355#msg502355 date=1168532818]
Via a script? FTP accounts? Your not making any sense.
[/quote]
I'm using a script.

Basically what I'm saying is, if someone found the name of the file with all the database connection information, all they would need to do is this (example):

[code]
include "/connect.php";
mysql_query("drop table table_name");
[/code]

Well no, you couldn't use:

[code]
include "/connect.php";
mysql_query("drop table table_name");
[/code]

Your connection script must have some sort of variable or function that stores the connection call, so without that function name or variable the above script would turn around and say "What table?", "What database?", and as they cannot physically view the information contained within connect.php, how are they ever going to know?

Not necessarily true... Some connect scripts actually carry out the connect itself by just including it, rather than needing to call a function within it from another script, for those that do that, a simple [i]mysql_list_tables()[/i] will get you started.

Regards
Huggie

The database info:
[code]
<?php
$dbHost = "localhost";    //Location Of Database usually its localhost
$dbUser = "xxxxx";        //Database User Name
$dbPass = "xxxxx";        //Database Password
$dbDatabase = "file_host";      //Database Name

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");
?>
[/code]

One way I use it:
[code]
<?php
include"db.php";
$sql = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['id']}'")or die(mysql_error());
$row = mysql_fetch_array($sql);
?>
[/code]
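The worry in this thread is that an uploaded script could include db.php and run "drop table". As an added example (not code from the thread or from any poster), here is the same db.php pattern hardened on the two points a practitioner would check: where the credentials live and what the account is allowed to do. It assumes a config file at /etc/myapp/db.ini (outside the document root, readable only by the web server user) with the keys host, user, pass and name, and a database account the DBA created with only the privileges the application needs; both the path and the account name are assumptions, not the thread's setup.

```php
<?php
// Added example, not from the thread. Assumptions: credentials in
// /etc/myapp/db.ini outside the web root; the account 'file_host_web' was
// created by the DBA with only the privileges the application needs, e.g.:
//   CREATE USER 'file_host_web'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON file_host.* TO 'file_host_web'@'localhost';
// No DROP, ALTER or CREATE, so code that manages to include this file can
// do no more than the application itself can do.

function db(): PDO
{
    static $pdo = null;          // one connection per request, reused on later calls
    if ($pdo !== null) {
        return $pdo;
    }
    $cfg = parse_ini_file('/etc/myapp/db.ini');   // assumption: keys host, user, pass, name
    if ($cfg === false) {
        throw new RuntimeException('Database configuration missing');
    }
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    $pdo = new PDO($dsn, $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw, nothing echoes mysql_error()
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    return $pdo;
}

// The thread's "SELECT * FROM users WHERE id='...'" as a prepared statement:
// the session id is bound as a parameter and cannot alter the query's structure.
// Assumes session_start() has already been called by the page.
function current_user(): ?array
{
    if (empty($_SESSION['id'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['id']]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}
```

Moving the credentials out of the document root does not hide them from code that runs on the same server (a file that can be included can also be read), so the protection that actually answers the "drop table" fear is the restricted account. Catch the PDOException at the page level and log it; with display_errors off the visitor never sees the driver's error text, unlike the die(mysql_error()) in the thread's snippet.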

You could do like uhhh:

[code=php:0]
<?php
$dbHost = "localhost";    //Location Of Database usually its localhost
$dbUser = "xxxxx";        //Database User Name
$dbPass = "xxxxx";        //Database Password
$dbDatabase = "file_host";      //Database Name

function dbconn($str) {
    // The settings above are file-scope variables; the function has to pull
    // them in with global before it can use them.
    global $dbHost, $dbUser, $dbPass, $dbDatabase;
    if($str == "corbin345") {
        $db = mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
        mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");
        return $db;
    }
    return false;
}
?>
[/code]

And then on a page you use it:

[code=php:0]
<?php
include"db.php";
dbconn('corbin345');
$sql = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['id']}'")or die(mysql_error());
$row = mysql_fetch_array($sql);
?>
[/code]

That way, if you called the function and the string was incorrect, it would not execute... The only problem with this is, if they can include the file they can also fopen() it, which would output the raw file and they would see the 'password'.

Another way you could do it would be:
[code=php:0]
<?php
$dbHost = "localhost";    //Location Of Database usually its localhost
$dbUser = "xxxxx";        //Database User Name
$dbPass = "xxxxx";        //Database Password
$dbDatabase = "file_host";      //Database Name

function dbconn() {
    global $dbHost, $dbUser, $dbPass, $dbDatabase;
    // Refuse to connect when the running script lives in the uploads folder.
    if(!preg_match("/uploads_folder/", $_SERVER['SCRIPT_NAME'])) {
        $db = mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
        mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");
        return $db;
    }
    return false;
}
?>
[/code]

The only problem with that is... All of a sudden someone uploads a file that has:

[code=php:0]
<?php
// Written from inside the uploads folder, so the new file lands one level up,
// outside the directory the SCRIPT_NAME check looks for.
$content = '<?php include("db.php"); mysql_query("DO SOMETHING BAD"); ?>';
$han = fopen("../badfile.php", "w+");
fwrite($han, $content);
fclose($han);
?>
[/code]
Then they simply go to the file they created in their browser and you're badword'd

Basically, if you allow users to upload PHP files, be VERY VERY VERY careful... If you do not wish for users to be able to execute them, I suggest you do as someone already said and replace all <'s and >'s with &lt; and &gt; or something...

In my not so humble opinion, if you allow users to upload and execute PHP files, you're asking to be screwed over.
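As an added example (not code from the thread or from any poster) of the approach corbin is arguing for, keeping uploaded files from ever being executed: the handler below stores uploads in a directory outside the web root, gives them server-chosen random names, decides the type from the file contents rather than from the client's filename, and hands them back through a script that sets an explicit Content-Type. The directory path, the allowlist and the form field name `upload` are assumptions.

```php
<?php
// Added example, not from the thread. An upload handler that never lets an
// uploaded file run as PHP. Paths, the allowlist and the field name are assumptions.

// Storage directory OUTSIDE the document root, so nothing in it has a URL.
define('UPLOAD_DIR', '/var/www/uploads_private');   // assumption: not under DocumentRoot
define('MAX_BYTES', 2 * 1024 * 1024);

// Allowlist: extension we store under => MIME type we serve it back with.
$allowed = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];

function store_upload(array $file, array $allowed): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type comes from the content, not from $file['name'] or $file['type'],
    // both of which the client chooses. A file starting with <?php is text/x-php
    // and is rejected here whatever it was called.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = array_search($mime, $allowed, true);
    if ($ext === false) {
        throw new RuntimeException("Rejected content type $mime");
    }
    // Random server-chosen name: the user's filename never touches the
    // filesystem, so "shell.php", "../x" or "image.php.jpg" have nothing to act on.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    chmod($dest, 0640);   // not executable, not world-readable
    return $name;
}

// The only route from a URL to the stored bytes is this function, which
// re-validates the name and streams the file; nothing is ever executed.
function serve_upload(string $name, array $allowed): void
{
    if (!preg_match('/^[a-f0-9]{32}\.([a-z0-9]+)$/', $name, $m) || !isset($allowed[$m[1]])) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $allowed[$m[1]]);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

if (isset($_FILES['upload'])) {
    echo htmlspecialchars(store_upload($_FILES['upload'], $allowed));
} elseif (isset($_GET['f'])) {
    serve_upload($_GET['f'], $allowed);
}
```

If the files must stay under the document root, also switch the PHP handler off for that directory in the web server configuration (for Apache, `php_flag engine off` or `RemoveHandler .php` in that directory's config) so that a stray .php file is served as bytes rather than run; the content check above is the first line, the server rule is the backstop.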

I was given this:


[code]
<?php

// Refuse direct requests for this file; it is only meant to be included.
if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404(); 

$dbHost = "localhost";        //Location Of Database usually its localhost
$dbUser = "xxxxx";                        //Database User Name
$dbPass = "xxxxx";                        //Database Password
$dbDatabase = "file_host";              //Database Name

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

function send_404()
{
    header('HTTP/1.1 404 Not Found');
    // Strip the query string and HTML-escape the path before echoing it back,
    // otherwise the 404 page reflects whatever the requester put in the URL.
    $path = htmlspecialchars(strtok($_SERVER['REQUEST_URI'], '?'), ENT_QUOTES, 'UTF-8');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
    '<html><head>'."\n".
    '<title>404 Not Found</title>'."\n".
    '</head><body>'."\n".
    '<h1>Not Found</h1>'."\n".
    '<p>The requested URL '.$path.' was not found on this server.</p>'."\n".
    '</body></html>'."\n";
    exit;
}

?>
[/code]
