
complete php noobie looking for some assistance


Bethrezen


Hi all,

Due to my inexperience with PHP, my last attempt to get help with securing my site was somewhat less than fruitful, as I just didn't understand.

I have read up on this in an effort to try and understand, but I'm getting nowhere; it's all so complicated and confusing, and I was wondering if anyone could explain this in a way I might actually understand.

Anyway, starting really simple:

I have my main index page, index.php, and inside this are 2 includes, content.php and navigation.php, and it looks like this:

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<div id="sidebar">
    <?php include("navigation.php"); ?>
</div>
<div class="contents">
    <?php include("content.php"); ?>
</div>
</body>
</html>

 

Anyway, at present this is susceptible to attack as there is no input checking.

So my first step is to create a file that is going to filter out user input, so that any attempt to input anything other than a valid URL into the address bar will result in them getting a bad input error.

So my first question is: what is the easiest noob-friendly way to go about doing this?


Hi,

I was thinking along the lines of XSS (cross-site scripting attacks).

Because there is no input checking, if someone were to type some evil input into the address bar, say something like this:

 

http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Switch/page-switcher.php/%3Cmarquee%3E%3Ch1%3ESOME_EVIL_INPUT_OR_SOME_EVIL_SCRIPT%3Chr%3E

 

they could potentially cause havoc, possibly causing problems for visitors or for me.

I know the above example was overly simple; that was deliberate on my part, as I really don't understand PHP very well, so I need to keep things as simple as possible or I'll just get lost.

Here is my site:

 

http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Index.php


As long as you don't have MySQL running on your site, and no fwrite and fclose in your website, then there really isn't much a hacker can do! Your site is attacker-safe if you don't have those things running... Sometimes no knowledge in PHP can make your website actually safer! lolz... Also don't give out your FTP info and choose a good username and pass no one will think of. Otherwise, ya.. It's safe!


It's only XSS if it affects the page permanently. I could go to any PHP page and type a load of junk into the URL:

www.somesite.com/index.php?stuffhere

But unless that script is actually using $_GET, then there's not really anything they can do... as far as I know.


XSS is very useful when you can store it in something like SQL, so whenever a page loads which gets data from SQL... it will show the XSS... Since you don't have SQL, whatever the hacker does, he's gonna see it alone and nobody else lol


Unless that script is actually using $_GET, then there's not really anything they can do... as far as I know.

I see; well then I could have a problem, as I do make use of the $_GET command in my switch scripts.

Here is an example. This one controls the next/previous links for the footer, but I have at least another 3 scripts similar to this that handle the switching of other elements within the site:

 

<?php
// Builds the footer Next/Previous links for the current page
function setprevnext ($previous, $next)
{
    $prevnext = "";

    if ($next == "Preparation")
    {
        $prevnext = $prevnext . "<li><a href='Index.php?page=$next'>Next</a></li>\n";
    }
    else if ($next == "")
    {
        $prevnext = $prevnext;  // last page: no Next link
    }
    else
    {
        $prevnext = $prevnext . "<li class='leftbar'><a href='Index.php?page=$next'>Next</a></li>\n";
    }

    if ($previous != "")
    {
        $prevnext = $prevnext . "<li><a href='Index.php?page=$previous'>Previous</a></li>\n";
    }

    echo $prevnext;
}

// Read the page name once; an absent ?page= would otherwise raise an
// "undefined index" notice when $_GET["page"] is used directly
$page = isset($_GET["page"]) ? $_GET["page"] : "";

switch ($page)
{
    default:
        setprevnext("", "Preparation");
        break;

    /* Section 1 */

    case "Section-1-Introduction":
        setprevnext("", "Preparation");
        break;

    case "Preparation":
        setprevnext("Section-1-Introduction", "Basic-Cleaning");
        break;

    case "Basic-Cleaning":
        setprevnext("Preparation", "Advanced-Cleaning");
        break;

    case "Advanced-Cleaning":
        setprevnext("Basic-Cleaning", "Last-Resort");
        break;

    case "Last-Resort":
        setprevnext("Advanced-Cleaning", "Troubleshooting");
        break;

    case "Troubleshooting":
        setprevnext("Last-Resort", "Support");
        break;

    case "Support":
        setprevnext("Troubleshooting", "Section-2-Introduction");
        break;
}
?>

 

So, ya, still reckon I'm ok??

My main concern here is that some unsavoury type could end up deleting and/or defacing my hard work. I have a backup on my HD, but I'd rather prevent the possibility to begin with.
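An added example (not the poster's script) showing the two things the thread is circling around: the page switcher above is safe as long as the ?page= value only ever selects between fixed names, and the same whitelist idea is how you keep includes and echoed links safe too. The page names are the ones from the switch in the thread; the ordered array, the h() helper and the pages/ directory are my assumptions.

```php
<?php
// Added example (not the original poster's code): a whitelist-based page
// switcher. The page names mirror the thread's switch cases; the pages/
// directory and the helper function names are my own assumptions.
// Ordered list of valid pages: the order gives Previous/Next for free.
$pages = array(
    "Section-1-Introduction",
    "Preparation",
    "Basic-Cleaning",
    "Advanced-Cleaning",
    "Last-Resort",
    "Troubleshooting",
    "Support",
    "Section-2-Introduction",
);

// 1. Read the parameter defensively: a missing or unknown value falls
//    back to the first page instead of being trusted.
$requested = isset($_GET["page"]) ? (string) $_GET["page"] : "";
$index = array_search($requested, $pages, true);   // strict comparison
if ($index === false) {
    $index = 0;                                     // not in the whitelist
}
$page = $pages[$index];                             // always a known name

// 2. Only ever build an include path from the whitelisted name, never from
//    the raw query string, so "../" style values never reach include().
//    index.php would do: include $contentFile;  (assumed layout)
$contentFile = "pages/" . $page . ".php";

// 3. Escape anything echoed into HTML, even though it is whitelisted.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, "ISO-8859-1");
}

function setprevnext($previous, $next)
{
    $out = "";
    if ($next !== null) {
        $out .= "<li><a href='Index.php?page=" . h($next) . "'>Next</a></li>\n";
    }
    if ($previous !== null) {
        $out .= "<li><a href='Index.php?page=" . h($previous) . "'>Previous</a></li>\n";
    }
    return $out;
}

$previous = ($index > 0) ? $pages[$index - 1] : null;
$next     = ($index < count($pages) - 1) ? $pages[$index + 1] : null;
echo setprevnext($previous, $next);
```

With this shape there is no case where a value typed into the address bar is echoed back or used as a file name, which is what makes the "is my switch ok?" question moot.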
