How secure is this site?
- condoravenue1
- Forum Commoner
- Posts: 30
- Joined: Fri Dec 03, 2010 10:24 pm
How secure is this site?
bible-help.com
It's like a simple forum.
I'm new and don't know lots of php and script language.
Let me know how easy/difficult it would be for someone to hack in and screw things up.
Re: How secure is this site?
You have some sort of intrusion detection that somewhat helps, but I wouldn't bet my ass on it.
You have multiple problems with your SQL queries, go read about SQL injection.
- condoravenue1
- Forum Commoner
- Posts: 30
- Joined: Fri Dec 03, 2010 10:24 pm
Re: How secure is this site?
What problems with my sql queries? What is one page that needs this? If you tell me I will post the code to that page so you can tell me what needs to be different.
Re: How secure is this site?
in view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string
Example: http://bible-help.com/view_question.php ... r%20id='55
Read any introductory article on SQL injection, and then read the one in my sig (or go for it directly, see if you can follow it as it is)
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: How secure is this site?
This error is displayed on a page: "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/brecke5/public_html/bible-help.com/view_question.php on line 86". It reveals information about your file system.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- condoravenue1
- Forum Commoner
- Posts: 30
- Joined: Fri Dec 03, 2010 10:24 pm
Re: How secure is this site?
Thanks for your help, I am learning some things.

Mordred wrote:
> in view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string

Ok, I understand my problem. I tried to solve it a different way. I created a table (questions) that lists all the question id's. I figured if $_GET['question'] includes things it shouldn't (like you guys put in there), the following would fix any problems:

Code:
$question_id = $_GET['question_id'];
$real = 0;                                  // initialised so the check below never reads an undefined variable
$result5 = mysql_query("SELECT * FROM questions");
// walk every row of the table looking for a matching id
while ($row = mysql_fetch_array($result5)) {
    if ($row['id'] == $question_id) { $real = 1; }
}
if ($real != 1) {
    header('Location: http://www.google.com/');
    exit;                                   // header() alone does not stop the script from running on
}

Does that sufficiently fix this one problem?

social_experiment wrote:
> it reveals information about your file system.

I am going to read about mysql_real_escape_string more and put it in where I think it needs to be.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: How secure is this site?
Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()) any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:

Code:
<?php
// the @ suppresses the warning a failing query would otherwise print to the browser
$foo = @mysql_query($bar) or die('Users will see a custom error');
?>

Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: How secure is this site?
social_experiment wrote:
> Look at the error control operator or '@'. If you place it in front of a function (like mysql_fetch_array()) any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:
> Code:
> <?php $foo = @mysql_query($bar) or die('Users will see a custom error'); ?>
> Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.

Wouldn't this be better accomplished by setting display_errors to false?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: How secure is this site?
It probably could, but personally I stick with @; I don't normally set anything during runtime (php.ini related, that is). The @ isn't a better / worse approach, just a different one.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: How secure is this site?
Doesn't it make debugging a bear? In the dev environment I want to see any errors that crop up, so that I can handle them, rather than just shush them. Also, you'd have to be pretty vigilant; it seems it would be easy to forget to suppress an error-generating function in a large project?

The approach I take is to add the following code at the top of my bootstrap:

Code:
<?php
error_reporting(E_ALL);          // report every error class
ini_set('display_errors', 1);    // development: show them; set to 0 for production
?>

When I migrate from a development environment to a production environment, I only have to toggle display_errors to 0 in one place, and it's done application wide. It also makes it easy to toggle back to showing errors when changing the code at a later date.

You're right though, it is just different. I like to set everything at runtime, so I am certain of the environment I am working in and for portability.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: How secure is this site?
flying_circus wrote:
> Doesn't it make debugging a bear?

It could do that, but I limit my use of it to mysql functions and things like file_get_contents, things where potential information about a script / database / etc. could be revealed. I also let the error message / report happen gracefully so it's not completely unnoticed.

Honestly, I've tried the approach of error reporting you mentioned and it doesn't work as well for me. I use exceptions where things can go seriously wrong and that's how I normally debug.

Good point about the ease of it, I can definitely see why you prefer it.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
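The thread above argues over '@' versus display_errors as the way to keep messages like the mysql_fetch_array() warning (with its /home/... path) off the page. The following is an added example, not code from the thread or from bible-help.com: a single bootstrap file that turns errors off for visitors, logs them in full for the developer, and converts warnings and failed queries into exceptions so they cannot be forgotten the way a missing '@' can. APP_ENV is an assumed environment variable and the log path is a placeholder.

```php
<?php
// Added example (not from the thread). Require this file first in every page.
// APP_ENV is an assumed environment variable; the log path is a placeholder.

$is_production = (getenv('APP_ENV') === 'production');

error_reporting(E_ALL);
// Production: never render errors, they leak file-system paths and query details.
// Development: show everything, as flying_circus does.
ini_set('display_errors', $is_production ? '0' : '1');
ini_set('log_errors', '1');
ini_set('error_log', '/path/outside/webroot/php-errors.log'); // placeholder path

// Make mysqli raise exceptions on failed queries instead of returning false
// and emitting a warning that would later surface as "not a valid result resource".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Turn any remaining warning/notice into an exception so it cannot be silently ignored.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // honours '@' if it is still used somewhere
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Last line of defence: anything uncaught is logged in full and the visitor
// gets a generic message, so the script "dies quietly" but the developer still sees it.
set_exception_handler(function (Throwable $e) use ($is_production): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo $is_production ? 'Something went wrong. Please try again later.' : $e;
});
```

With this in place the per-call '@' becomes unnecessary: a failing query throws, the handler logs the real message, and only the generic text reaches the browser. Setting APP_ENV=production on the live server is the one switch flying_circus wanted, while the log file keeps the detail social_experiment did not want to lose.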
- condoravenue1
- Forum Commoner
- Posts: 30
- Joined: Fri Dec 03, 2010 10:24 pm
Re: How secure is this site?
I've been told I should deny access to http://bible-help.com/operations/. How do I do that?
Do I need to create a index file in that folder?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: How secure is this site?
You could create an index file or use .htaccess, with at least this line: IndexIgnore *
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
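IndexIgnore * only blanks the directory listing; it does not stop anyone who already knows a file name from fetching it. Here is an added example .htaccess for the /operations/ directory asked about above (it is not a file from the thread or from the site): it switches directory indexing off outright and refuses every request into that directory, with both the Apache 2.4 and the 2.2 syntax so whichever the host runs applies.

```apacheconf
# Added example, placed at /operations/.htaccess (not from the thread).
# Disable automatic directory listings entirely rather than just hiding entries.
Options -Indexes

# Refuse all web requests for anything in this directory; PHP scripts here
# can still be included from code outside it, they just cannot be browsed to.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
</IfModule>
```

This only takes effect if the host's AllowOverride setting permits Options and Limit (or All) for the directory; if a request for /operations/ still returns a listing after adding the file, that setting is the first thing to check with the hosting provider.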
Re: How secure is this site?
condoravenue1 wrote:
> Code:
> $question_id = $_GET['question_id'];
> $result5 = mysql_query("SELECT * FROM questions");
> while ($row = mysql_fetch_array($result5))
> {
> if($row['id'] == $question_id) {$real = 1;}
> }
> if($real != 1) {header('Location: http://www.google.com/');}

No. You're getting the entire table in memory, then searching through it in PHP. Just no.

Code:
// the (int) cast guarantees that only a number ever reaches the query text
$question_id = isset($_GET['question_id']) ? (int)$_GET['question_id'] : 0; //make a shortcut function for this if you want
$result5 = mysql_query("SELECT * FROM questions WHERE id='$question_id'");
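Mordred's point in both of his posts (quoting the id is not enough; cast it to an integer or escape it, and let the database do the lookup) generalises to the pattern below. This is an added example and not code from the thread or from bible-help.com: it rejects any question_id that is not a positive integer before touching the database, and then passes the value as a bound parameter of a prepared statement, so input like 55' or id='1 can never change the shape of the query. It uses mysqli, since the mysql_* functions discussed in the thread no longer exist in current PHP; the table and column name (questions, id) follow the thread, while the title and body columns and the connection details are assumptions.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+, mysqli with mysqlnd,
// a table `questions` with `id` (from the thread) plus `title`/`body` (assumed).

// Return the id as an int, or null when the parameter is missing or not a positive integer.
function question_id_from_request(array $get): ?int
{
    if (!isset($get['question_id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "55' or id='1" outright, whereas (int) would
    // silently truncate it to 55 and hide the fact that someone is probing.
    $id = filter_var($get['question_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one row by id; the id travels as a bound parameter, never inside the SQL text.
function load_question(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM questions WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = question_id_from_request($_GET);
if ($id === null) {
    http_response_code(404);
    exit('No such question.');
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholder credentials
if ($db->connect_errno) {
    error_log('DB connect failed: ' . $db->connect_error); // details go to the log, not the page
    http_response_code(500);
    exit('Temporary error, please try again later.');
}

$question = load_question($db, $id);
if ($question === null) {
    http_response_code(404);
    exit('No such question.');
}

// Escape on output as well, so a stored question cannot inject HTML into the page.
echo '<h1>' . htmlspecialchars($question['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars($question['body'], ENT_QUOTES, 'UTF-8') . '</p>';
```

The validation step and the prepared statement are independent defences: the first gives a clean 404 for junk input and keeps probing attempts visible in the web server log, the second makes the query safe even if the validation is later loosened to accept other types. The same two-step shape applies to every other $_GET or $_POST value the site feeds into SQL.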