PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 Post subject: How secure is this site?
PostPosted: Tue Aug 16, 2011 12:36 pm 
Forum Commoner

Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30
bible-help.com

It's like a simple forum.

I'm new and don't know lots of php and script language.

Let me know how easy/difficult it would be for someone to hack in and screw things up.

PostPosted: Wed Aug 17, 2011 6:15 am 
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
You have some sort of intrusion detection that somewhat helps, but I wouldn't bet my ass on it.
You have multiple problems with your SQL queries, go read about SQL injection.

PostPosted: Thu Aug 18, 2011 3:30 am 
Forum Commoner

Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30
What problems with my SQL queries? What is one page that needs this? If you tell me, I will post the code to that page so you can tell me what needs to be different.

PostPosted: Thu Aug 18, 2011 4:32 am 
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
In view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string().

Example: http://bible-help.com/view_question.php ... r%20id='55

Read any introductory article on SQL injection, and then read the one in my sig (or go for it directly, see if you can follow it as it is)

 
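The id handling the reply above describes, as an added example that is not the site's own code: the quoted-but-unescaped pattern beside two fixes, an integer cast and a prepared statement. The table `questions` and its columns are assumptions.

```php
<?php
// Added example, not code from bible-help.com. Assumes a table `questions`
// with an integer `id` column; the table and column names are assumptions.

// The pattern the thread describes: the id is quoted in the SQL but never
// cast or escaped, so input containing a quote rewrites the WHERE clause.
function vulnerable_query(string $id): string
{
    return "SELECT * FROM questions WHERE id = '$id'";
}

// Fix 1: force the value to an integer before it reaches SQL, as the reply suggests.
function safe_query_int(string $id): string
{
    $id = (int) $id;   // "55' or '1'='1" becomes 55; "abc" becomes 0
    return "SELECT * FROM questions WHERE id = $id";
}

// Fix 2: a prepared statement keeps data and SQL separate entirely.
// mysqli replaces the mysql_* functions used in 2011, which PHP 7 removed.
function fetch_question(mysqli $db, string $id): ?array
{
    $id = (int) $id;   // cast first so the bound value is always an integer
    $stmt = $db->prepare('SELECT id, title, body FROM questions WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' binds the placeholder as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;   // null when no row matches
}

// Show the difference without a database connection (constructed input).
$hostile = "55' or '1'='1";
echo vulnerable_query($hostile), "\n";   // WHERE id = '55' or '1'='1'  -> matches every row
echo safe_query_int($hostile), "\n";     // WHERE id = 55
```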
PostPosted: Thu Aug 18, 2011 4:25 pm 
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
This error is displayed on a page: "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/brecke5/public_html/bible-help.com/view_question.php on line 86". It reveals information about your file system.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

PostPosted: Fri Aug 19, 2011 7:05 am 
Forum Commoner

Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30

PostPosted: Fri Aug 19, 2011 10:18 am 
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()), any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:
<?php
 // @ suppresses the warning mysql_query() would print; "or die" stops the script with a generic message
 $foo = @mysql_query($bar) or die('Users will see a custom error');
?>

Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.


PostPosted: Fri Aug 19, 2011 10:56 am 
Forum Regular
Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR

PostPosted: Fri Aug 19, 2011 11:09 am 
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
It probably could, but personally I stick with @; I don't normally set anything during runtime (php.ini related, that is). The @ isn't a better / worse approach, just a different one.


PostPosted: Fri Aug 19, 2011 12:45 pm 
Forum Regular
Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR
Doesn't it make debugging a bear? In the dev environment I want to see any errors that crop up, so that I can handle them, rather than just shush them. Also, you'd have to be pretty vigilant, it seems it would be easy to forget to suppress an error generation function in a large project?


The approach I take is to add the following code at the top of my bootstrap:
<?php
  error_reporting(E_ALL);
  ini_set('display_errors', 1);
?>


When I migrate from a development environment to a production environment, I only have to toggle display_errors to 0 in one place, and it's done application wide. It also makes it easy to toggle back to showing errors when changing the code at a later date.

You're right though, it is just different. I like to set everything at runtime, so I am certain of the environment I am working in and for portability.

 
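The two approaches discussed above (suppressing each call with @ versus toggling display_errors once in the bootstrap) combined in an added example that is not code from this thread: errors are always reported and logged, but only displayed when the environment is development, so the file path from the earlier warning reaches the log and never the browser. APP_ENV and the log path are assumptions.

```php
<?php
// Added example, not code from the thread. One switch in the bootstrap
// decides display_errors; APP_ENV and the log path are assumed values.

$isDev = getenv('APP_ENV') === 'development';

error_reporting(E_ALL);                               // always report everything
ini_set('display_errors', $isDev ? '1' : '0');        // show it only in development
ini_set('log_errors', '1');                           // keep the detail in the log
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed log location

// Uncaught exceptions get the same treatment: full detail in the log,
// a generic message in the response. Path and line never reach the browser.
set_exception_handler(function (Throwable $e) use ($isDev): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo $isDev
        ? htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8')
        : 'Sorry, something went wrong.';
});

// With mysqli raising exceptions, a failed query needs neither @ nor "or die":
// the handler above logs it and shows the generic message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```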
PostPosted: Fri Aug 19, 2011 2:32 pm 
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za


PostPosted: Sat Aug 20, 2011 10:42 am 
Forum Commoner

Joined: Fri Dec 03, 2010 11:24 pm
Posts: 30
I've been told I should deny access to http://bible-help.com/operations/. How do I do that?
Do I need to create an index file in that folder?

PostPosted: Sat Aug 20, 2011 12:10 pm 
DevNet Master
Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
You could create an index file or use .htaccess, with at least this line: IndexIgnore *


PostPosted: Mon Aug 22, 2011 4:36 pm 
DevNet Resident
Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria