How secure is this site?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

condoravenue1
Forum Commoner
Posts: 30
Joined: Fri Dec 03, 2010 10:24 pm

How secure is this site?

Post by condoravenue1 »

bible-help.com

It's like a simple forum.

I'm new and don't know lots of php and script language.

Let me know how easy/difficult it would be for someone to hack in and screw things up.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How secure is this site?

Post by Mordred »

You have some sort of intrusion detection that somewhat helps, but I wouldn't bet my ass on it.
You have multiple problems with your SQL queries, go read about SQL injection.
condoravenue1
Forum Commoner
Posts: 30
Joined: Fri Dec 03, 2010 10:24 pm

Re: How secure is this site?

Post by condoravenue1 »

What problems with my sql queries? What is one page that needs this? If you tell me I will post the code to that page so you can tell me what needs to be different.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How secure is this site?

Post by Mordred »

In view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string.

Example: http://bible-help.com/view_question.php ... r%20id='55

Read any introductory article on SQL injection, and then read the one in my sig (or go for it directly, see if you can follow it as it is)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How secure is this site?

Post by social_experiment »

This error is displayed on a page: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/brecke5/public_html/bible-help.com/view_question.php on line 86. It reveals information about your file system.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
condoravenue1
Forum Commoner
Posts: 30
Joined: Fri Dec 03, 2010 10:24 pm

Re: How secure is this site?

Post by condoravenue1 »

Thanks for your help, I am learning some things.
Mordred wrote:in view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string
Ok, I understand my problem. I tried to solve it a different way. I created a table (questions) that lists all the question ids. I figured if $_GET['question'] includes things it shouldn't (like you guys put in there), the following would fix any problems:

$question_id = $_GET['question_id'];
$real = 0; // not matched yet
$result5 = mysql_query("SELECT * FROM questions");
while ($row = mysql_fetch_array($result5))
{
    if($row['id'] == $question_id) {$real = 1;} // id exists in the table
}

if($real != 1) {header('Location: http://www.google.com/'); exit;} // stop after the redirect
Does that sufficiently fix this one problem?

social_experiment wrote: it reveals information about your file system.

I am going to read about mysql_real_escape_string more and put it in where I think it needs to be.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How secure is this site?

Post by social_experiment »

Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()) any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:

<?php
 // '@' suppresses the warning; die() stops the script with a generic message
 $foo = @mysql_query($bar) or die('Users will see a custom error');
?>
Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: How secure is this site?

Post by flying_circus »

social_experiment wrote: Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()) any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:

<?php
 // '@' suppresses the warning; die() stops the script with a generic message
 $foo = @mysql_query($bar) or die('Users will see a custom error');
?>
Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.
Wouldn't this be better accomplished by setting display_errors to false?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How secure is this site?

Post by social_experiment »

It probably could, but personally I stick with @; I don't normally set anything during runtime (php.ini related, that is). The @ isn't a better / worse approach, just a different one.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: How secure is this site?

Post by flying_circus »

Doesn't it make debugging a bear? In the dev environment I want to see any errors that crop up, so that I can handle them, rather than just shush them. Also, you'd have to be pretty vigilant; it seems it would be easy to forget to suppress an error-generating function in a large project.

The approach I take is to add the following code at the top of my bootstrap:

<?php
  // report every error class; display_errors decides whether they reach the browser
  error_reporting(E_ALL);
  ini_set('display_errors', 1);
?>

When I migrate from a development environment to a production environment, I only have to toggle display_errors to 0 in one place, and it's done application wide. This also makes it easy to toggle back to showing errors when changing the code at a later date.

You're right though, it is just different. I like to set everything at runtime, so I am certain of the environment I am working in and for portability.
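Combining flying_circus's one-place toggle with social_experiment's point that a failure should be hidden from visitors without going unnoticed, here is an added bootstrap (not code from either poster) that sends errors to a log in production and to the browser only in development. It assumes an APP_ENV environment variable and a writable logs/ directory next to the web root; both are placeholders.

```php
<?php
// Added example, not code from either poster. A single bootstrap included
// first by every page. The environment name is read from an APP_ENV variable
// (an assumed convention); anything other than "development" is production.
$isDevelopment = getenv('APP_ENV') === 'development';

// Report everything everywhere; only the destination changes with environment.
error_reporting(E_ALL);
ini_set('display_errors', $isDevelopment ? '1' : '0');   // browser: dev only
ini_set('log_errors', '1');                               // log file: always
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // placeholder path

// A warning such as "mysql_fetch_array(): supplied argument is not a valid
// MySQL result resource in /home/.../view_question.php on line 86" would
// otherwise reach the browser; in production it now stops in the log.

// Anything fatal ends with a generic page for the visitor and full detail in
// the log, so the failure is neither shown to the user nor lost.
set_exception_handler(function (Throwable $e) use ($isDevelopment): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo $isDevelopment
        ? '<pre>' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>'
        : 'Something went wrong. The problem has been logged.';
    exit;
});

// Make database failures exceptions rather than "false plus a warning", so a
// bad query cannot be quietly ignored and always reaches the handler above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```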
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How secure is this site?

Post by social_experiment »

flying_circus wrote:Doesn't it make debugging a bear?
It could do that, but I limit my use of it to mysql functions and things like file_get_contents, things where potential information about a script / database / etc could be revealed. I also let the error message / report happen gracefully so it's not completely unnoticed.

Honestly, I've tried the approach of error reporting you mentioned and it doesn't work as well for me. I use exceptions where things can go seriously wrong and that's how I normally debug.

Good point about the ease of it, I can definitely see why you prefer it :)
condoravenue1
Forum Commoner
Posts: 30
Joined: Fri Dec 03, 2010 10:24 pm

Re: How secure is this site?

Post by condoravenue1 »

I've been told I should deny access to http://bible-help.com/operations/. How do I do that?
Do I need to create a index file in that folder?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: How secure is this site?

Post by social_experiment »

You could create an index file or use .htaccess, with at least this line IndexIgnore *
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How secure is this site?

Post by Mordred »

condoravenue1 wrote:

$question_id = $_GET['question_id'];
$real = 0; // not matched yet
$result5 = mysql_query("SELECT * FROM questions");
while ($row = mysql_fetch_array($result5))
{
    if($row['id'] == $question_id) {$real = 1;} // id exists in the table
}

if($real != 1) {header('Location: http://www.google.com/'); exit;} // stop after the redirect
No. You're getting the entire table in memory, then searching through it in PHP. Just No.

$question_id = isset($_GET['question_id']) ? (int)$_GET['question_id'] : 0; //make a shortcut function for this if you want
$result5 = mysql_query("SELECT * FROM questions WHERE id='$question_id'");
Did you check the article about SQL injection in my sig? Download the examples and play with them.
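The same idea carried one step further, as an added example that is not Mordred's code nor the site's: validate question_id as a positive integer up front, then bind it as a parameter so the value never becomes part of the SQL text at all. It assumes a questions table with an integer id plus title and body columns, and the placeholder database credentials shown.

```php
<?php
// Added example, not code from the thread or from bible-help.com. Assumes a
// `questions` table with integer primary key `id` and columns `title`, `body`,
// and the placeholder database credentials below.
const DB_HOST = 'localhost';   // placeholder
const DB_USER = 'dbuser';      // placeholder
const DB_PASS = 'dbpass';      // placeholder
const DB_NAME = 'bible_help';  // placeholder

// Validate rather than escape: a question id is a positive integer or it is
// not a question id at all. FILTER_VALIDATE_INT rejects "55' or id='55",
// "55abc", "" and "0"; the function returns null for anything rejected or absent.
function requestedQuestionId(): ?int
{
    $id = filter_input(INPUT_GET, 'question_id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($id === false || $id === null) ? null : $id;
}

// Even with a validated integer, keep data out of the SQL text: a prepared
// statement sends the id separately from the query, so no quoting or escaping
// is involved. Returns the row, or null when no such question exists.
function loadQuestion(mysqli $db, int $questionId): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM questions WHERE id = ?');
    $stmt->bind_param('i', $questionId);       // 'i': bind as integer
    $stmt->execute();
    $stmt->bind_result($id, $title, $body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'title' => $title, 'body' => $body] : null;
}

// Let mysqli throw on failure instead of returning false with a warning that
// would print the script path to the browser (see social_experiment's post).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');

$questionId = requestedQuestionId();
$question   = $questionId === null ? null : loadQuestion($db, $questionId);
if ($question === null) {
    http_response_code(404);                   // a 404, not a redirect to google.com
    exit('Question not found');
}
echo htmlspecialchars($question['title'], ENT_QUOTES, 'UTF-8');
```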