Are there any security holes in this script?
Posted: Tue May 11, 2004 6:12 am
<html>
<head>
<title>My Photo Album (also known as the "Swiss Cheese")</title>
</head>
<body>
<h1>My Photo Album</h1>
<?php
$adminPassword = "thebigboss"; // change the password anyway!
// try to authenticate
if ($_POST["password"] == $adminPassword) {
$isAdmin = true;
}
$dbServer = "localhost";
$database = "photoalbum";
$dbUser = "ulrich";
$dbPassword = "hotshots";
$connection = mysql_connect($dbServer, $dbUser, $dbPassword);
mysql_select_db($database,$connection);
if (($isAdmin) && ($_POST["photoNumber"] != "")) {
if ($_POST["photoNumber"] == "new") {
// insert a new photo into the database
if (is_uploaded_file($_FILES["photoFile"]["tmp_name"])) {
// new photo uploaded, get file name and save photo
$photoCaption = $_POST["photoCaption"];
$photoName = basename($_FILES["photoFile"]["name"]);
copy($_FILES["photoFile"]["tmp_name"],"images/$photoName");
$query = "insert into photos (caption, filename)
values (\"".$photoCaption."\",
\"".$photoName."\")";
mysql_query($query,$connection);
}
}
else
{
// update data for an existing photo
$photoNumber = $_POST["photoNumber"];
$photoCaption = $_POST["photoCaption"];
if (is_uploaded_file($_FILES["photoFile"]["tmp_name"])) {
// different photo uploaded, get file name and save photo
$photoName = basename($_FILES["photoFile"]["name"]);
copy($_FILES["photoFile"]["tmp_name"],"images/$photoName");
$query = "update photos
set caption = \"".$photoCaption."\",
filename = \"".$photoName."\"
where id = ".$photoNumber;
mysql_query($query,$connection);
}
else
{
$query = "update photos
set caption = \"".$photoCaption."\"
where id = ".$photoNumber;
mysql_query($query,$connection);
}
}
}
$query = "select * from photos";
$result = mysql_query($query,$connection);
while ($record = mysql_fetch_array($result)) {
echo "<tr><td>";
echo "<img src=\"images/".$record["filename"]."\">";
echo "</td><td>";
if ($isAdmin) {
// display form
echo "<form action=\"photoalbum.php\" method=\"post\" enctype=\"multipart/form-data\">";
echo "<input type=\"hidden\" name=\"photoNumber\" ";
echo "value=\"".$record["id"]."\">";
echo "<input type=\"hidden\" name=\"password\" ";
echo "value=\"".$_POST["password"]."\">";
echo "Caption:<br>";
echo "<input type=\"text\" name=\"photoCaption\" size=\"60\"";
echo "value=\"".$record["caption"]."\"><br>";
echo "File:<br>";
echo "<input type=\"file\" name=\"photoFile\">";
echo "<input type=\"submit\" value=\"Update photo\">";
echo "</form>";
}
else
{
// display caption only
echo $record["caption"];
}
echo "</td></tr>";
}
// Now there's only one thing left to do:
// - if the user is logged in as admin, display a form to add another photo
// - in all other cases display the login form (in which the admin can enter the password)
//
echo "<tr><td colspan=\"2\">";
if ($isAdmin) {
// display "Add photo" form
echo "<h3>Add a new photo</h3>";
echo "<form action=\"photoalbum.php\" method=\"post\" enctype=\"multipart/form-data\">";
echo "<input type=\"hidden\" name=\"photoNumber\" ";
echo "value=\"new\">";
echo "<input type=\"hidden\" name=\"password\" ";
echo "value=\"".$_POST["password"]."\">";
echo "Caption:<br>";
echo "<input type=\"text\" name=\"photoCaption\" size=\"60\"><br>";
echo "File:<br>";
echo "<input type=\"file\" name=\"photoFile\"><br>";
echo "<input type=\"submit\" value=\"Add photo\">";
echo "</form>";
}
else
{
// display login form
echo "<h3>Enter the admin password to add a photo</h3>";
echo "<form action=\"photoalbum.php\" method=\"post\">";
echo "Password:";
echo "<input type=\"password\" name=\"password\">";
echo "<input type=\"submit\" value=\"login\">";
echo "</form>";
}
echo "</td></tr>";
?>
</table>
</body>
</html>
PLEASE HELP ME ...... WHAT R THE MOST OBVIOUS HOLES ? AND HOW MANY ARE THERE ROUGHLY, I AM A NOVICE IN php plzzzzzzz help or suggest some readings plzzzzzzzzz .... i n dire need
<head>
<title>My Photo Album (also known as the "Swiss Cheese")</title>
</head>
<body>
<h1>My Photo Album</h1>
<?php
$adminPassword = "thebigboss"; // change the password anyway!
// try to authenticate
if ($_POST["password"] == $adminPassword) {
$isAdmin = true;
}
$dbServer = "localhost";
$database = "photoalbum";
$dbUser = "ulrich";
$dbPassword = "hotshots";
$connection = mysql_connect($dbServer, $dbUser, $dbPassword);
mysql_select_db($database,$connection);
if (($isAdmin) && ($_POST["photoNumber"] != "")) {
if ($_POST["photoNumber"] == "new") {
// insert a new photo into the database
if (is_uploaded_file($_FILES["photoFile"]["tmp_name"])) {
// new photo uploaded, get file name and save photo
$photoCaption = $_POST["photoCaption"];
$photoName = basename($_FILES["photoFile"]["name"]);
copy($_FILES["photoFile"]["tmp_name"],"images/$photoName");
$query = "insert into photos (caption, filename)
values (\"".$photoCaption."\",
\"".$photoName."\")";
mysql_query($query,$connection);
}
}
else
{
// update data for an existing photo
$photoNumber = $_POST["photoNumber"];
$photoCaption = $_POST["photoCaption"];
if (is_uploaded_file($_FILES["photoFile"]["tmp_name"])) {
// different photo uploaded, get file name and save photo
$photoName = basename($_FILES["photoFile"]["name"]);
copy($_FILES["photoFile"]["tmp_name"],"images/$photoName");
$query = "update photos
set caption = \"".$photoCaption."\",
filename = \"".$photoName."\"
where id = ".$photoNumber;
mysql_query($query,$connection);
}
else
{
$query = "update photos
set caption = \"".$photoCaption."\"
where id = ".$photoNumber;
mysql_query($query,$connection);
}
}
}
$query = "select * from photos";
$result = mysql_query($query,$connection);
while ($record = mysql_fetch_array($result)) {
echo "<tr><td>";
echo "<img src=\"images/".$record["filename"]."\">";
echo "</td><td>";
if ($isAdmin) {
// display form
echo "<form action=\"photoalbum.php\" method=\"post\" enctype=\"multipart/form-data\">";
echo "<input type=\"hidden\" name=\"photoNumber\" ";
echo "value=\"".$record["id"]."\">";
echo "<input type=\"hidden\" name=\"password\" ";
echo "value=\"".$_POST["password"]."\">";
echo "Caption:<br>";
echo "<input type=\"text\" name=\"photoCaption\" size=\"60\"";
echo "value=\"".$record["caption"]."\"><br>";
echo "File:<br>";
echo "<input type=\"file\" name=\"photoFile\">";
echo "<input type=\"submit\" value=\"Update photo\">";
echo "</form>";
}
else
{
// display caption only
echo $record["caption"];
}
echo "</td></tr>";
}
// Now there's only one thing left to do:
// - if the user is logged in as admin, display a form to add another photo
// - in all other cases display the login form (in which the admin can enter the password)
//
echo "<tr><td colspan=\"2\">";
if ($isAdmin) {
// display "Add photo" form
echo "<h3>Add a new photo</h3>";
echo "<form action=\"photoalbum.php\" method=\"post\" enctype=\"multipart/form-data\">";
echo "<input type=\"hidden\" name=\"photoNumber\" ";
echo "value=\"new\">";
echo "<input type=\"hidden\" name=\"password\" ";
echo "value=\"".$_POST["password"]."\">";
echo "Caption:<br>";
echo "<input type=\"text\" name=\"photoCaption\" size=\"60\"><br>";
echo "File:<br>";
echo "<input type=\"file\" name=\"photoFile\"><br>";
echo "<input type=\"submit\" value=\"Add photo\">";
echo "</form>";
}
else
{
// display login form
echo "<h3>Enter the admin password to add a photo</h3>";
echo "<form action=\"photoalbum.php\" method=\"post\">";
echo "Password:";
echo "<input type=\"password\" name=\"password\">";
echo "<input type=\"submit\" value=\"login\">";
echo "</form>";
}
echo "</td></tr>";
?>
</table>
</body>
</html>
PLEASE HELP ME ...... WHAT R THE MOST OBVIOUS HOLES ? AND HOW MANY ARE THERE ROUGHLY, I AM A NOVICE IN php plzzzzzzz help or suggest some readings plzzzzzzzzz .... i n dire need