Well, off the top of my head, some good pointers are:

*NEVER* use any unchecked/unquoted vars in system()
or database calls.  ever.  i mean it :-)

never assume that you'll get correct data from a form.  
validate everything.

never be careless with user passwords or sensitive data.
never put them in GET strings, or store them in HIDDEN
fields on the form or in cookies.

and make sure you check the error status of every function
that bothers to return one.  time and time again, simple
errors that go unchecked can balloon into huge errors that
completely baffle you and drag the script into bug hell.

---
Scott Hurring
Systems Programmer
EAC Corporation
[EMAIL PROTECTED]
Voice: 201-462-2149
Fax: 201-288-1515

> -----Original Message-----
> From: Jas [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 3:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: Anyone?
> 
> 
> Ok, I think you have gotten my point... I simply want to make sure that the
> code I am writing is "up to par" on security issues such as you listed.
> Maybe there are some examples of what to do vs. what not to do when writing
> code that would be near impossible to exploit.  I simply do not need some
> script kiddie messing with the time and research I have put into making this
> application.  Any resources would be appreciated!
> Jas
> 
> "Scott Hurring" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > No language is "secure".... because there's no such thing.
> > even supposedly secure Java VM sandboxes have well-known
> > security exploits.
> >
> > PHP code is as secure as you write it.
> > Bad programmer = bad code
> >
> > Name any language or program and there are
> > well-documented ways to subvert it.  Buffer
> > overflows in "C", and flawed Double-byte char
> > support in "IIS", to name a few recent and
> > better-known exploits.
> >
> > ---
> > Scott Hurring
> > Systems Programmer
> > EAC Corporation
> > [EMAIL PROTECTED]
> > Voice: 201-462-2149
> > Fax: 201-288-1515
> >
> > > -----Original Message-----
> > > From: Adam Voigt [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, June 06, 2002 1:22 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [PHP] Re: Anyone?
> > >
> > >
> > > Yes, PHP is a secure programming language.
> > >
> > > On Thu, 2002-06-06 at 13:18, Jas wrote:
> > > > > I cannot believe that no one with a lot of PHP and MySQL experience has
> > > > > replied to this post yet.  Is PHP not a secure scripting language?  I would
> > > > > really like a little insight into this question, anyone?
> > > > >
> > > > > "Jas" <[EMAIL PROTECTED]> wrote in message
> > > > > news:[EMAIL PROTECTED]...
> > > > > > I posted this yesterday and did not get any response at all?  Just wondering
> > > > > > if someone can give me some insight into some security measures for a
> > > > > > content management application...
> > > > > >
> > > > > > Posted 06/05/2002
> > > > > > Ok, I am not a security expert so I would like to know if the security
> > > > > > measures I have implemented are adequate enough to keep people out.  Any
> > > > > > pointers on this would be very helpful as I am trying to implement a secure
> > > > > > way for people to update a website through the use of a content management
> > > > > > application.  Example of code is as follows
> > > > > >
> > > > > > // Login form - index.php
> > > > > > <form name="authenticate" method="post" action="auth_done.php">
> > > > > >   <input type="text" name="user" size="20" maxlength="20"><br>
> > > > > >   <input type="password" name="pw" size="20" maxlength="20"><br>
> > > > > > Select an image to identify yourself as an administrator.<br>
> > > > > >    <select name="image">
> > > > > >      <option value="image01.jpg">image01</option>
> > > > > >      <option value="image02.jpg">image02</option>
> > > > > >      <option value="image03.jpg">image03</option>
> > > > > >      <option value="image04.jpg">image04</option>
> > > > > >      <option value="image05.jpg">image05</option>
> > > > > >    </select><br><br>
> > > > > >   <input type="submit" name="Login" value="Login">
> > > > > >   <input type="reset" name="Reset" value="Reset">
> > > > > > </form>
> > > > > >
> > > > > > // Authentication checker - auth_done.php
> > > > > >   #############check fields for valid entries in form############
> > > > > > if ((!$user) || (!$pw) || (!$image)){
> > > > > >  header("Location: index.php");
> > > > > >  exit;
> > > > > > }
> > > > > >   ############connects to database############
> > > > > > require '/path/to/database/connection/script/dbcon.php';
> > > > > >   #############selects database table containing users that are allowed to use application############
> > > > > > $db_table = 'users';
> > > > > > $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = password(\"$pw\")";
> > > > > > $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
> > > > > >   #############loops through all records to find a match############
> > > > > > $num = mysql_num_rows($result);
> > > > > >  if ($num !=0) {
> > > > > >   #############creates variables for sessions############
> > > > > >   $p_hash = "$pw";
> > > > > >   $to_hash = "$image";
> > > > > >   #############creates md5 hash of image user selected############
> > > > > >   $pstring = md5($to_hash);
> > > > > >   #############creates md5 hash of password user entered############
> > > > > >   $image_sel = md5(uniqid(microtime($pw),1));
> > > > > >   #############starts session for user############
> > > > > >    session_start();
> > > > > >   #############registers variables created (md5 of password, username, & image) in session############
> > > > > >    session_register('user');
> > > > > >    session_register('pstring');
> > > > > >    session_register('image_sel');
> > > > > >   #############captures users ip address (logging stuff, not listed in this code for security reasons)############
> > > > > >   $ipaddy = $REMOTE_ADDR;
> > > > > >   #############echoes success message to authenticated user############
> > > > > >   $msg_success = "<b>You have been authorized to make changes to the website! Your IP address has been recorded and sent to the administrator: $ipaddy</b>";
> > > > > >   } else {
> > > > > >   #############this prints if user name and password combination is not found in database############
> > > > > >   print "<p>You are not authorized to use this application!</p>";
> > > > > >   exit;
> > > > > >   }
> > > > > >
> > > > > > Now on each page in the content management app I have these lines of code:
> > > > > > #############Start the session#############
> > > > > > session_start();
> > > > > > #############check session variables#############
> > > > > > if (isset($HTTP_SESSION_VARS['user']) ||
> > > > > > isset($HTTP_SESSION_VARS['image_sel']) ||
> > > > > > isset($HTTP_SESSION_VARS['pstring'])) {
> > > > > >  $main = "Some kinda message for page in question";
> > > > > > #############connects to database#############
> > > > > > require '/path/to/database/connection/script/dbcon.php';
> > > > > >  #############if session variables not registered kick the user back to login form#############
> > > > > >  } else {
> > > > > >  header ("Location: index.php");
> > > > > >  }
> > > > >
> > > > > > Now just so you know I have changed all the variables to something other
> > > > > > than what I am currently using, however I have made sure that this is a
> > > > > > working example so everything should work as is.  Also I have tested this a
> > > > > > few different ways, including:  creating a page that tries to include one of
> > > > > > the pages I have my security checks on from another website, linking
> > > > > > directly to a script within the application etc.  In any event, I also have
> > > > > > logging setup on each and every script which I have not included here
> > > > > > (different topic), just in case someone does get in I can at least "try" to
> > > > > > find them.  Any help, pointers, tutorials, examples, etc. would be
> > > > > > appreciated!!!
> > > > > > TIA
> > > > > > Jas
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
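Scott's four rules at the top of this thread, applied to the auth_done.php that Jas posted. This is an added example written for this page, not code from Jas, Scott or the PHP project. It assumes PHP 7.1 or later with PDO, and a `users` table whose columns are `un` and `pw_hash` (a `password_hash()` value rather than the MySQL `password()` output Jas's table holds); the `pw_hash` column, the `admin.php` landing page, the DSN and the credentials are all assumptions, not from the thread. `require_login()` is meant to replace the `isset()` block Jas puts at the top of each protected page.

```php
<?php
// Hardened auth_done.php: an added example for this thread, not Jas's or
// Scott's code. Assumes PHP >= 7.1, PDO, and a `users` table with columns
// `un` and `pw_hash`; DSN, credentials and admin.php are placeholders.
declare(strict_types=1);

// Rule: never assume correct data from a form. Read each field explicitly
// from $_POST (no register_globals) and refuse anything outside the shape
// the form promises; maxlength="20" is only a hint the browser may ignore.
function read_field(array $post, string $name, int $max): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $v = $post[$name];
    return ($v === '' || strlen($v) > $max) ? null : $v;
}

// Usernames are a closed alphabet, so a quote or space is rejected, not "escaped".
function valid_username(?string $u): bool
{
    return $u !== null && preg_match('/^[A-Za-z0-9_.]{1,20}$/', $u) === 1;
}

// The admin image is a fixed menu (the five options from Jas's form):
// compare with the list, never let the browser name a file.
const ALLOWED_IMAGES = ['image01.jpg', 'image02.jpg', 'image03.jpg', 'image04.jpg', 'image05.jpg'];

function valid_image(?string $img): bool
{
    return $img !== null && in_array($img, ALLOWED_IMAGES, true);
}

// Rule: never put unchecked/unquoted vars in a database call. The original
// interpolated $user and $pw into the SQL text; a prepared statement ships
// the value separately, so it is compared with the column and never parsed.
function find_user(PDO $dbh, string $user): ?array
{
    $stmt = $dbh->prepare('SELECT un, pw_hash FROM users WHERE un = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rule: never be careless with passwords. The password is checked against a
// salted hash and then dropped; only the username goes into the session, and
// the session id is rotated so an id issued before login cannot be reused.
function login(PDO $dbh, array $post): bool
{
    $user = read_field($post, 'user', 20);
    $pw   = read_field($post, 'pw', 20);
    $img  = read_field($post, 'image', 20);
    if (!valid_username($user) || $pw === null || !valid_image($img)) {
        return false;
    }
    $row = find_user($dbh, $user);
    if ($row === null || !password_verify($pw, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $row['un'];
    return true;
}

// For every protected page, after session_start(): the original's check
// redirected but did not exit, so the rest of the page still ran.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: index.php');
        exit;
    }
}

// Rule: check the error status of every call. PDO in exception mode makes a
// failed query throw instead of returning false behind an "@", which is what
// the original's "@mysql_query(...) or die()" hid.
session_start();
try {
    $dbh = new PDO('mysql:host=localhost;dbname=cms', 'cms_user', 'cms_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    if (login($dbh, $_POST)) {
        header('Location: admin.php');
    } else {
        // One message for bad user, bad password or bad form: no hints.
        http_response_code(403);
        echo '<p>You are not authorized to use this application!</p>';
    }
} catch (PDOException $e) {
    error_log('login: database error: ' . $e->getMessage()); // detail to the log, not the browser
    http_response_code(500);
    echo '<p>Login is temporarily unavailable.</p>';
}
exit;
```

The hash comparison moves out of the query on purpose: with `password()` inside the SQL the plaintext has to travel into the statement string, which is exactly the unquoted-variable case Scott warns about, whereas `password_verify()` receives it as an ordinary argument and the database only ever sees the username.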
