php-general Digest 8 Feb 2006 06:26:31 -0000 Issue 3951

Topics (messages 230049 through 230065):

PHP Application Vuln. Testing
        230049 by: Jason Gerfen
        230050 by: Richard Davey
        230051 by: Jason Gerfen
        230053 by: John Nichel
        230059 by: Matt Stone
        230061 by: Ligaya Turmelle

Re: Window close.
        230052 by: Jason Petersen

str_replace ? \r
        230054 by: Sam Smith
        230055 by: Jay Paulson
        230060 by: Curt Zirzow
        230064 by: Matty Sarro

echo date("l");
        230056 by: Khristian Hamilton-Bailey
        230057 by: John Nichel
        230058 by: Stut

image location hiding techniques
        230062 by: hbeaumont hbeaumont

Re: How to user curl_setopt?
        230063 by: Hybau Leu

which version fixes bug 29922
        230065 by: Daniel Bondurant

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        php-general@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
I have a question which as of yet I am unable to find any information about from googling. Let's say you have just written a fairly robust PHP/MySQL application and would like to put it on your production server.

For reasons of clarification, let's say this application handles sensitive customer data including credit information, so it is imperative that the data remain secure, and during the development process at every turn you went to great lengths to filter data on forms, URLs, file uploads etc.

Is there any product available, commercial or free, which performs source code auditing which *specifically* searches PHP code for SQL, XSS type of attacks or vulnerabilities? TIA.

--
Jason Gerfen

"the life you live ignoring who, ignoring who you're giving money to.
and you, you support the corrupt industries and companies who dont think to 
care.
guilty...guilty...guilty by ignorance.
no feeling... no substance... killing... you're killing through your ignorance."
~ Snapcase

--- End Message ---
--- Begin Message ---
On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free, which performs source code auditing which *specifically* searches PHP code for SQL, XSS type of attacks or vulnerabilities? TIA.

No. But there are people who can perform the service for you (Brainbulb, Hardened PHP, etc.).

Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services

--- End Message ---
--- Begin Message ---
Richard Davey wrote:

On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free, which performs source code auditing which *specifically* searches PHP code for SQL, XSS type of attacks or vulnerabilities? TIA.


No. But there are people who can perform the service for you (Brainbulb, Hardened PHP, etc.).

Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services

Hmm, I found one but it seems it is still in beta. http://www.codescan.com/product.html

I have done some of my own auditing, but the application I have been working on is nothing but form after form. At each point the form is submitted I do sanity checks on the data to ensure that 1) it is being submitted from a page on the server, 2) it doesn't contain <script>|<object>|<embed> type of code or SQL syntax, and 3) the submitted data is of the specified length.

Can anyone on this list perhaps engage this conversation? I am bringing up this topic, not just for the application I am working on but for the information to be spread to other developers. Any code examples, tips, resources etc., is appreciated.

--
Jason Gerfen

"the life you live ignoring who, ignoring who you're giving money to.
and you, you support the corrupt industries and companies who dont think to 
care.
guilty...guilty...guilty by ignorance.
no feeling... no substance... killing... you're killing through your ignorance."
~ Snapcase

--- End Message ---
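As an added example for the three checks listed in the message above (this is not code from the thread or from Jason's application): an allow-list validator that describes the shape each field must have, rather than a list of tags to reject, and a per-session token compared with hash_equals() in place of a Referer-based origin check, since the Referer header is supplied by the client. The deny-list function is included only to show that a payload containing none of the listed tags passes it unchanged, which is why free-text fields still have to be HTML-escaped when rendered. Assumes PHP 7.4 or later; the field names and sample values are constructed.

```php
<?php
// Added example, not from the thread: allow-list validation per form field,
// plus a per-session synchronizer token instead of a Referer check.
declare(strict_types=1);

/** Each rule returns true only for input in the permitted shape (allow-list). */
function validateField(string $name, string $value): bool
{
    $rules = [
        // Letters from any script, space, apostrophe, period, hyphen; 1-100 chars.
        'customer_name' => fn($v) => preg_match('/^[\p{L} \'.-]{1,100}$/u', $v) === 1,
        'zip'           => fn($v) => preg_match('/^\d{5}(-\d{4})?$/', $v) === 1,
        'email'         => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false && strlen($v) <= 254,
        'card_expiry'   => fn($v) => preg_match('/^(0[1-9]|1[0-2])\/\d{2}$/', $v) === 1,
        // Free text: bound the length and refuse control characters other than TAB/CR/LF.
        'comment'       => fn($v) => strlen($v) <= 2000
                                     && preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F]*$/', $v) === 1,
    ];
    return isset($rules[$name]) && $rules[$name]($value);
}

/** A deny-list of the kind described in the thread; kept only to show what it misses. */
function denyListClean(string $value): bool
{
    return preg_match('/<script|<object|<embed/i', $value) === 0;
}

/** Issue (or reuse) the session's CSRF token; call when rendering the form. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Check the submitted token in constant time; call on every POST. */
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// --- demo on constructed inputs ---
$session = [];                       // stands in for $_SESSION
$token   = csrfToken($session);

$post = [                            // constructed POST data
    'csrf'          => $token,
    'customer_name' => "O'Brien",
    'zip'           => '14203',
    'email'         => 'jane@example.com',
    'card_expiry'   => '12/09',
    'comment'       => '<img src=x onerror=alert(1)>',
];

var_dump(csrfValid($session, $post['csrf']));   // bool(true)
var_dump(csrfValid($session, 'forged-token'));  // bool(false)

foreach ($post as $field => $value) {
    if ($field === 'csrf') {
        continue;
    }
    printf("%-14s valid=%-3s deny-list-clean=%s\n", $field,
        validateField($field, $value) ? 'yes' : 'no',
        denyListClean($value) ? 'yes' : 'no');
}
// The comment passes both checks: it is legal free text, and the <img onerror>
// payload contains none of the listed tags. Shape validation cannot reject it;
// htmlspecialchars() at render time is what keeps it inert in the page.
```

The validator is the testable piece: each rule is a pure function, so a unit test can feed it the accepted shapes and a handful of rejects without a web server. The token check replaces "is it being submitted from a page on the server" with something the client cannot forge without already holding the session.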
--- Begin Message ---
Jason Gerfen wrote:
I have a question which as of yet I am unable to find any information about from googling. Lets say you have just written a fairly robust PHP/MySQL application and would like to put it on your production server.

For reasons of clarification lets say this application handles sensitive customer data including credit infromation, so it is imperitive that the data remain secure and during the development process at every turn you went through great lengths to filter data on forms, URL's file uploads etc.

Is there any product available, commercial or free, which performs source code auditing which *specifically* searches PHP code for SQL, XSS type of attacks or vulnerabilities? TIA.


Product, I don't know. But talk to Chris Shiflett on this list. I *think* his company performs this service.

http://shiflett.org/

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
----- Original Message ----- 
From: "Jason Gerfen" <[EMAIL PROTECTED]>
To: "PHP General (E-mail)" <php-general@lists.php.net>
Sent: Tuesday, February 07, 2006 4:54 PM
Subject: [PHP] PHP Application Vuln. Testing


>
> Is there any product available, commercial or free, which performs source
> code auditing which *specifically* searches PHP code for SQL, XSS type of
> attacks or vulnerabilities?  TIA.
>
 http://www.parosproxy.org/index.shtml doesn't audit source code but if you
can dump your code on a test box you can test it from another machine.

Cheers
Matt

--- End Message ---
--- Begin Message ---
Have you looked over the phpsec.org site? Read over the security guide and the various articles?

Jason Gerfen wrote:
Richard Davey wrote:

On 7 Feb 2006, at 16:54, Jason Gerfen wrote:

Is there any product available, commercial or free, which performs source code auditing which *specifically* searches PHP code for SQL, XSS type of attacks or vulnerabilities? TIA.



No. But there are people who can perform the service for you (Brainbulb, Hardened PHP, etc.).

Cheers,

Rich
--
http://www.corephp.co.uk
Zend Certified Engineer
PHP Development Services

Hmm, I found one but it seems it is still in beta. http://www.codescan.com/product.html

I have done some of my own auditing, but the application I have been working on is nothing but form after form. At each point the form is submitted I do sanity checks on the data to ensure that 1) it is being submitted from a page on the server, 2) it doesn't contain <script>|<object>|<embed> type of code or SQL syntax, and 3) the submitted data is of the specified length.

Can anyone on this list perhaps engage this conversation? I am bringing up this topic, not just for the application I am working on but for the information to be spread to other developers. Any code examples, tips, resources etc., is appreciated.


--

life is a game... so have fun.

--- End Message ---
--- Begin Message ---
On 2/7/06, Miles Thompson <[EMAIL PROTECTED]> wrote:
>
>
> Actually, expand it a little bit, and you avoid the JS Alert.
>
> function close_opener(){
>          parentwin = window.self;           // Make handle for current
> window named "parentwin"
>          parentwin.opener = window.self;    // Tell current window that it
> opened itself
>          parentwin.close();                 // Close window's parent (e.g.
> the current window)
> }



Interesting, but this code seems to be exploiting a flaw in certain browsers
(Internet Explorer).  I believe the window.opener property is read-only in
Firefox and probably other browsers.  At the very least, I wouldn't rely on
this method.

Jason

--- End Message ---
--- Begin Message ---
From a <textarea> on a web form I'm attempting to convert all returns (\r),
from the user's input, to "<br />", for db INSERT, and then back again for
display in the <textarea>. (They remain as <br />s for normal HTML web page
display.)

code:
// From textarea to db UPDATE
function addBR($tv) {
    $tv = addslashes($tv);
    $tv = str_replace("\r", "<br />", $tv);
//  $tv = preg_replace("/(\r\n|\n|\r)/", "<br />", $tv);
//  $tv = preg_replace("/(\r\n|\n|\r)/", "", $tv);
    return $tv;
}

// For display in <textarea>
function remBR($tv) {
    $tv = str_replace("<br />","\r",$tv);
    $tv = stripslashes($tv);
    return $tv;
}

It all works fine except if a return is entered in the form's <textarea> at
the very beginning:

mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
*************************** 1. row ***************************
jbs_jobDesA: <br />[the return is still here]
Lesequam coreet la feum nulla feu facil iriure faccummolut ulput num augait
1 row in set (0.00 sec)

the return is converted to <br />\r (leaving the return). AND then when
converted back for the <textarea> both are stripped out, that is, there
is nothing in front of the first character. When resubmitted for UPDATE:

 mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
*************************** 1. row ***************************
jbs_jobDesA: Lesequam coreet la feum nulla feu facil iriure faccummolut
ulput num augait 
1 row in set (0.00 sec)

Q. Why is that first return treated differently? All other returns are
treated as expected.

Thanks,
sam

--- End Message ---
--- Begin Message ---
http://us3.php.net/manual/en/function.nl2br.php

Instead of using <br /> I would use <p></p> tags.  That's just me though. :)


On 2/7/06 12:38 PM, "Sam Smith" <[EMAIL PROTECTED]> wrote:

> 
> From a <textarea> on a web form I'm attempting to convert all returns (\r),
> from the user's input, to "<br />", for db INSERT, and then back again for
> display in the <textarea>. (They remain as <br />s for normal HTML web page
> display.)
> 
> code:
> // From textarea to db UPDATE
> function addBR($tv) {
>     $tv = addslashes($tv);
>     $tv = str_replace("\r","<br />",$tv);
> //  $tv = preg_replace("/(\r\n|\n|\r)/", "<br />", $tv);
> //  $tv = preg_replace("/(\r\n|\n|\r)/", "", $tv);
>     return $tv;}
> 
> // For display in <textarea>
> function remBR($tv) {
>     $tv = str_replace("<br />","\r",$tv);
>     $tv = stripslashes($tv);
>     return $tv;
> }
> 
> It all works fine except if a return is entered in the form's <textarea> at
> the very beginning:
> 
> mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
> *************************** 1. row ***************************
> jbs_jobDesA: <br />[the return is still here]
> Lesequam coreet la feum nulla feu facil iriure faccummolut ulput num augait
> 1 row in set (0.00 sec)
> 
> the return is converted to <br />\r (leaving the return). AND then when
> converted back for the <textarea> both are stripped out, that is, there
> is nothing in front of the first character. When resubmitted for UPDATE:
> 
>  mysql> SELECT jbs_jobDesA FROM jobs WHERE jbs_ID=77 \G
> *************************** 1. row ***************************
> jbs_jobDesA: Lesequam coreet la feum nulla feu facil iriure faccummolut
> ulput num augait 
> 1 row in set (0.00 sec)
> 
> Q. Why is that first return treated differently? All other returns are
> treated as expected.
> 
> Thanks,
> sam

--- End Message ---
--- Begin Message ---
On Tue, Feb 07, 2006 at 10:38:37AM -0800, Sam Smith wrote:
> 
> From a <textarea> on a web form I'm attempting to convert all returns(\r),
> from the users input, to "<br />", for db INSERT, and then back again for
> display in the <textarea>. (They remain as <br />s for normal HTML web page
> display.)

You really shouldn't convert the data to br's into the database,
just do it at the time of displaying it in html, and keep the raw
data in the database.

// add to database (prepare avoiding sql injection)
$field = mysql_real_escape_string($_POST['textarea']);
$sql = "update jobs  set jbs_jobDesA = '$field'  WHERE jbs_ID=77";

// output to html, removing XSS ability and add html br's
$field_from_db = $row['jbs_jobDesA'];
echo "<div>" . nl2br(htmlentities($field_from_db)) . "</div>";

// output to a textarea, removing XSS ability
$field_from_db = $row['jbs_jobDesA'];
echo "<textarea>" . htmlentities($field_from_db) . "</textarea>";

This would work much nicer. No need to do any two-way conversion of
your data.

Curt.
-- 
cat .signature: No such file or directory

--- End Message ---
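The one-way filter Curt describes, as an added example that is not code from the thread: the raw text goes into the database through a PDO prepared statement (no addslashes() and no escaped-string interpolation), and each output context gets its own escaping at render time. The table and column names are Sam's; the in-memory SQLite database and the pdo_sqlite extension are assumptions made so the block runs stand-alone, and the submitted text is constructed. It also carries the caveat behind the disappearing first return: HTML parsers discard one newline immediately following the <textarea> start tag, so the edit form emits its own newline first and a value that begins with a line break survives the round trip.

```php
<?php
// Added example, not from the thread: keep raw text in the database and
// escape only at output time, with one routine per output context.
declare(strict_types=1);

/** Store the textarea content exactly as submitted, via a prepared statement. */
function saveDescription(PDO $db, int $jobId, string $text): void
{
    // The driver binds $text as data; it is never parsed as SQL, so no escaping here.
    $stmt = $db->prepare('UPDATE jobs SET jbs_jobDesA = :text WHERE jbs_ID = :id');
    $stmt->execute([':text' => $text, ':id' => $jobId]);
}

function loadDescription(PDO $db, int $jobId): string
{
    $stmt = $db->prepare('SELECT jbs_jobDesA FROM jobs WHERE jbs_ID = :id');
    $stmt->execute([':id' => $jobId]);
    return (string) $stmt->fetchColumn();
}

/** Escape for HTML text; ENT_QUOTES makes the same routine safe inside attributes. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read-only page: line breaks become <br /> only here, in the rendered HTML. */
function renderParagraph(string $raw): string
{
    return '<div>' . nl2br(esc($raw)) . '</div>';
}

/**
 * Edit form. The HTML parser drops a single newline that immediately follows
 * the <textarea> start tag, so a value starting with a line break would lose
 * it. Emitting our own newline first is what the parser swallows instead.
 */
function renderTextarea(string $raw): string
{
    return "<textarea name=\"desc\">\n" . esc($raw) . '</textarea>';
}

// --- demo against an in-memory SQLite table (constructed data) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE jobs (jbs_ID INTEGER PRIMARY KEY, jbs_jobDesA TEXT)');
$db->exec("INSERT INTO jobs (jbs_ID, jbs_jobDesA) VALUES (77, '')");

// Leading CRLF as a browser sends it, an apostrophe, a tag, and SQL-looking text.
$submitted = "\r\nLine one's text\r\n<b>not bold</b>; DROP TABLE jobs; --";
saveDescription($db, 77, $submitted);

$stored = loadDescription($db, 77);
var_dump($stored === $submitted);   // bool(true): nothing altered on the way in

echo renderParagraph($stored), "\n";
// <div><br />
// Line one&#039;s text<br />
// &lt;b&gt;not bold&lt;/b&gt;; DROP TABLE jobs; --</div>

echo renderTextarea($stored), "\n";
// <textarea name="desc">
//
// Line one&#039;s text
// &lt;b&gt;not bold&lt;/b&gt;; DROP TABLE jobs; --</textarea>
```

Because the database always holds what the user typed, there is no remBR() to get wrong: the same stored string feeds the read-only page, the edit form, and anything else (a plain-text e-mail, a JSON API) with whichever escaping that context needs.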
--- Begin Message ---
Agreed - try to think of it as a filter and less of something that needs to
be computed both ways... much easier in the long run, and more efficient :)

On 2/7/06, Curt Zirzow <[EMAIL PROTECTED]> wrote:
>
> On Tue, Feb 07, 2006 at 10:38:37AM -0800, Sam Smith wrote:
> >
> > From a <textarea> on a web form I'm attempting to convert all
> returns(\r),
> > from the users input, to "<br />", for db INSERT, and then back again
> for
> > display in the <textarea>. (They remain as <br />s for normal HTML web
> page
> > display.)
>
> You really shouldn't convert the data to br's into the database,
> just do it at the time of displaying it in html, and keep the raw
> data in the database.
>
> // add to database (prepare avoiding sql injection)
> $field = mysql_real_escape_string($_POST['textarea']);
> $sql = "update jobs  set jbs_jobDesA = '$field'  WHERE jbs_ID=77";
>
> // output to html, removing XSS ability and add html br's
> $field_from_db = $row['jbs_jobDesA'];
> echo "<div>" . nl2br(htmlentities($field_from_db)) . "</div>";
>
> // output to a textarea, removing XSS ability
> $field_from_db = $row['jbs_jobDesA'];
> echo "<textarea>" . htmlentities($field_from_db) . "</textarea>";
>
> This would work much nicer. No need to do any two-way conversion of
> your data.
>
> Curt.
> --
> cat .signature: No such file or directory
>

--- End Message ---
--- Begin Message ---
Hi,
 
I currently use the date function as follows:
<?php
$day= date("l");
?>
 
so I can then use this to call records from a database where today's day
matches that of a record. However, I would also like to call records for
tomorrow. Is there a way in which I could use the date function to add one
day so that as well as the above I could also use something like $tomorrow=
xxxxxxxxxxxxxxxxx
 
Many thanks for any help.
Khristian

--- End Message ---
--- Begin Message ---
Khristian Hamilton-Bailey wrote:
Hi,
I currently use the date function as follows:
<?php
$day= date("l");
?>
so I can then use this to call records from a database where today's day
matches that of a record. However, I would also like to call records for
tomorrow. Is there a way in which I could use the date function to add one
day so that as well as the above I could also use something like $tomorrow=
xxxxxxxxxxxxxxxxx
Many thanks for any help.
Khristian


http://us3.php.net/date

Look at example 3

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]

--- End Message ---
--- Begin Message ---
John Nichel wrote:
Khristian Hamilton-Bailey wrote:
Hi,
I currently use the date function as follows:
<?php
$day= date("l");
?>
so I can then use this to call records from a database where today's day
matches that of a record. However, I would also like to call records for
tomorrow. Is there a way in which I could use the date function to add one day so that as well as the above I could also use something like $tomorrow=
xxxxxxxxxxxxxxxxx
Many thanks for any help.
Khristian


http://us3.php.net/date

Look at example 3

While that would work, surely it's more efficient to call date('l', strtotime('+1 day')), one date() call and one strtotime() call, than to call date() three times? It would need a test script to find out, but even if they're almost the same I find the strtotime() solution easier to read.

-Stut

--- End Message ---
--- Begin Message ---
Hi,

I have a site with images that I want people to download but not have
the direct path to. ie. I do not want them to be able to just view the
source, find the dir and then download everything or direct link to
them.

However I can see no way to do this other than keeping the images on
disk, having a php script read them and then spit them out. example:

view.php?92348924  where 92348924  is a code that translates to the
image on disk.

Can anyone think of a better method? If not, what is the most
efficient way to do this (i.e. avoid the most I/O)?

Thanks!


P.S. I also realize I could use .htaccess to stop direct linking and
turn off directory indexes. Still I think there might be some other
problems with .htaccess

--- End Message ---
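One way to build the view.php?id=... approach described above, as an added example that is not code from the thread. The request carries only an opaque numeric ID; the script looks it up in a server-side catalog, confirms the resolved path stays under a directory outside the document root, derives the Content-Type from the file rather than from anything the client sent, and streams it with readfile(). IMAGE_ROOT, the catalog entries and the stored file names are constructed; a real deployment would read the catalog from a database and, if the goal is also to stop hotlinking, put an authorization check (session login, or an expiring signed ID) in front of sendImage().

```php
<?php
// Added example, not from the thread: serve images through a script by opaque
// ID. The client never supplies a path; the ID is looked up server-side.
declare(strict_types=1);

// Files live outside the document root, so no URL maps onto them directly.
const IMAGE_ROOT = '/srv/app/private_images';   // hypothetical location

/** Opaque ID -> stored file name. In production this is a database table. */
function lookupImage(string $id): ?string
{
    static $catalog = [                          // constructed sample data
        '92348924' => 'a1b2c3d4.jpg',
        '10442817' => 'beach-2006.png',
    ];
    return $catalog[$id] ?? null;
}

/**
 * Resolve an ID to an absolute path, or null if the request must be refused.
 * The realpath() containment check is defence in depth: even if a bad name
 * ever landed in the catalog, nothing outside IMAGE_ROOT can be read.
 */
function resolveImagePath(string $id): ?string
{
    if (preg_match('/^\d{1,12}$/', $id) !== 1) {   // IDs are numeric only
        return null;
    }
    $name = lookupImage($id);
    if ($name === null) {
        return null;
    }
    $root = realpath(IMAGE_ROOT);
    $path = realpath(IMAGE_ROOT . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Stream the file with headers derived from the file itself, not the request. */
function sendImage(string $path): void
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        http_response_code(404);                 // stored file is not an image type we serve
        return;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, max-age=3600');
    readfile($path);   // copies the file to the output without building it as a PHP string
}

// view.php?id=92348924  (the bare view.php?92348924 form would need $_SERVER['QUERY_STRING'])
$id   = (string) ($_GET['id'] ?? '');
$path = resolveImagePath($id);

if ($path === null) {
    http_response_code(404);   // same answer for malformed, unknown and out-of-root IDs
    exit;
}
sendImage($path);
```

If the I/O cost of proxying every byte through PHP matters, the same script can emit an X-Sendfile header (Apache mod_xsendfile) or X-Accel-Redirect (nginx) in place of readfile() and let the web server stream the file; the lookup and containment check stay exactly as written, which is the part that matters for security.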
--- Begin Message ---
Thanks for your input.
However, I still can't get it work.

Do you have success examples?
I really don't know how to set the curl options.
I am confused by the options CURLOPT_CAINFO, CURLOPT_SSLCERT, 
CURLOPT_SSLKEY, etc.

lhb
"James Benson" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> should it not be:-
>  G:\\test\ssl\mes1.cer'
>
> notice how I changed the path to reflect a proper windows drive path!
>
>
> James
>
>
>
>
>
> lhb wrote:
>> Hello,
>>
>> Now I need to use curl to connect to a secure website,
>> I have three certificates files, two .cer files and one .pfx file.
>> After I import the certificates into IE browser, the visit is OK.
>> However, when I use curl_setopt to configure the certificates, it failed.
>> Can anybody help me?
>> Thanks.
>>
>> The code is below:
>> <?
>> $ch = curl_init();
>>
>> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
>> curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
>> curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes1.cer');
>> curl_setopt($ch, CURLOPT_SSLCERT,'G:\test\ssl\mes2.cer');
>> curl_setopt($ch, CURLOPT_SSLKEY, 'G:\test\ssl\xxxx.pfx');
>> curl_setopt($ch, CURLOPT_SSLKEYPASSWD,'password');
>> curl_setopt($ch, CURLOPT_URL, $host.$uri);
>>
>> curl_setopt($ch, CURLOPT_POST, 1);
>> curl_setopt($ch,CURLOPT_HEADER,1);
>> curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
>>
>> $returned = curl_exec($ch);
>>
>> echo $returned;
>> ?>
>>
>> lhb 

--- End Message ---
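An added example, not code from the thread, of what a working client-certificate call looks like with PHP's curl extension. It keeps a single CURLOPT_SSLCERT pointing at the client certificate, a CURLOPT_SSLKEY pointing at the matching private key (libcurl built on OpenSSL expects PEM for both, so the .pfx is split with openssl pkcs12 first), CURLOPT_CAINFO pointing at the CA chain that signed the server's certificate, and peer and host verification switched on. The host name and file paths are hypothetical, and the openssl commands in the comments assume the .cer files are DER-encoded.

```php
<?php
// Added example, not from the thread: mutual TLS with PHP curl, verification ON.
declare(strict_types=1);

/**
 * Build a curl handle for a client-certificate (mutual TLS) connection.
 *  $caBundle   PEM file holding the server's issuing CA chain
 *  $clientCert PEM client certificate (extracted from the .pfx)
 *  $clientKey  PEM private key (extracted from the .pfx); $keyPass its passphrase, if any
 */
function mtlsHandle(string $url, string $caBundle, string $clientCert,
                    string $clientKey, ?string $keyPass = null)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        // Server verification. Setting these to 0 makes any server "trusted".
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,          // 2 = certificate name must match the URL host
        CURLOPT_CAINFO         => $caBundle,  // the CA(s) allowed to have signed the server cert
        // Client identity: one certificate, one key, both PEM.
        CURLOPT_SSLCERT        => $clientCert,
        CURLOPT_SSLCERTTYPE    => 'PEM',
        CURLOPT_SSLKEY         => $clientKey,
        CURLOPT_SSLKEYTYPE     => 'PEM',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_TIMEOUT        => 30,
    ]);
    if ($keyPass !== null) {
        curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $keyPass);
    }
    return $ch;
}

/** POST form fields; returns [status, body] or throws with libcurl's error text. */
function mtlsPost($ch, array $fields): array
{
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body = curl_exec($ch);
    if ($body === false) {
        // Common codes: 60 = server cert not trusted by CAINFO, 58 = problem with the client cert/key
        throw new RuntimeException(sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return [$status, $body];
}

// Usage (hypothetical host and file locations; forward slashes are fine on Windows):
$ch = mtlsHandle(
    'https://secure.example.com/mes/submit',
    'G:/test/ssl/ca-chain.pem',     // openssl x509 -inform DER -in mes1.cer -out ca-chain.pem  (append mes2 the same way)
    'G:/test/ssl/client-cert.pem',  // openssl pkcs12 -in xxxx.pfx -clcerts -nokeys -out client-cert.pem
    'G:/test/ssl/client-key.pem',   // openssl pkcs12 -in xxxx.pfx -nocerts -out client-key.pem
    'password'                      // passphrase chosen when exporting client-key.pem
);
[$status, $body] = mtlsPost($ch, ['action' => 'ping']);
curl_close($ch);
printf("HTTP %d, %d bytes\n", $status, strlen($body));
```

The check worth keeping in mind when this fails: a curl error 60 means CURLOPT_CAINFO does not contain the chain that signed the server's certificate, while a 58 points at the client certificate or key file. Turning CURLOPT_SSL_VERIFYPEER off makes the 60 go away but also means the script will hand the client certificate and the POST body to whoever answers at that host name.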
--- Begin Message ---
I am trying to track down which version of PHP 4 has the fix for bug 29922. I am running 4.3.11, which came out after the bug was fixed in CVS, but I seem to be having the problem listed in the bug.
For various reasons, I can't upgrade to a later version very easily.

thanks
- daniel

--- End Message ---
