How secure is this site?

Posted: Tue Aug 16, 2011 12:36 pm
by condoravenue1
bible-help.com

It's like a simple forum.

I'm new and don't know lots of php and script language.

Let me know how easy/difficult it would be for someone to hack in and screw things up.

Re: How secure is this site?

Posted: Wed Aug 17, 2011 6:15 am
by Mordred
You have some sort of intrusion detection that somewhat helps, but I wouldn't bet my ass on it.
You have multiple problems with your SQL queries, go read about SQL injection.

Re: How secure is this site?

Posted: Thu Aug 18, 2011 3:30 am
by condoravenue1
What problems with my sql queries? What is one page that needs this? If you tell me I will post the code to that page so you can tell me what needs to be different.

Re: How secure is this site?

Posted: Thu Aug 18, 2011 4:32 am
by Mordred
In view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string.

Example: http://bible-help.com/view_question.php ... r%20id='55

Read any introductory article on SQL injection, and then read the one in my sig (or go for it directly, see if you can follow it as it is)

Re: How secure is this site?

Posted: Thu Aug 18, 2011 4:25 pm
by social_experiment
This error is displayed on a page: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/brecke5/public_html/bible-help.com/view_question.php on line 86. It reveals information about your file system.

Re: How secure is this site?

Posted: Fri Aug 19, 2011 7:05 am
by condoravenue1
Thanks for your help, I am learning some things.
Mordred wrote: in view_question.php, I see you've added quotes to the id in the query, but you still haven't run it through intval()/(int) or mysql_real_escape_string
Ok, I understand my problem. I tried to solve it a different way. I created a table (questions) that lists all the question ids. I figured if $_GET['question'] includes things it shouldn't (like you guys put in there), the following would fix any problems:

$question_id = $_GET['question_id'];
$real = 0;                                  // flag: was the id found in the table?
$result5 = mysql_query("SELECT * FROM questions");
while ($row = mysql_fetch_array($result5))
{
    if ($row['id'] == $question_id) { $real = 1; }
}

// stop the script after the redirect so the rest of the page does not run with a bad id
if ($real != 1) { header('Location: http://www.google.com/'); exit; }

Does that sufficiently fix this one problem?
social_experiment wrote: it reveals information about your file system.
I am going to read about mysql_real_escape_string more and put it in where I think it needs to be.

Re: How secure is this site?

Posted: Fri Aug 19, 2011 10:18 am
by social_experiment
Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()), any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:

<?php
 // $bar holds the SQL string; '@' suppresses the warning, 'or die' stops with a generic message
 $foo = @mysql_query($bar) or die('Users will see a custom error');
?>
Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.

Re: How secure is this site?

Posted: Fri Aug 19, 2011 10:56 am
by flying_circus
social_experiment wrote: Look at the error control operator, '@'. If you place it in front of a function (like mysql_fetch_array()), any errors resulting from the function will not be displayed to the browser. Here is an example of it in practice:

<?php
 // $bar holds the SQL string; '@' suppresses the warning, 'or die' stops with a generic message
 $foo = @mysql_query($bar) or die('Users will see a custom error');
?>
Should the query go awry for some reason, instead of the sort of error displayed on the page, anyone accessing the page will see 'Users will see a custom error'. The error still exists, but now the script dies quietly and no-one is the wiser.
Wouldn't this be better accomplished by setting display_errors to false?

Re: How secure is this site?

Posted: Fri Aug 19, 2011 11:09 am
by social_experiment
It probably could, but personally I stick with @; I don't normally set anything during runtime (php.ini related, that is). The @ isn't a better / worse approach, just a different one.

Re: How secure is this site?

Posted: Fri Aug 19, 2011 12:45 pm
by flying_circus
Doesn't it make debugging a bear? In the dev environment I want to see any errors that crop up, so that I can handle them, rather than just shush them. Also, you'd have to be pretty vigilant; it seems it would be easy to forget to suppress an error-generating function in a large project?

The approach I take is to add the following code at the top of my bootstrap:

<?php
  error_reporting(E_ALL);
  ini_set('display_errors', 1);
?>
When I migrate from a development environment to a production environment, I only have to toggle display_errors to 0 in one place, and it's done application wide. It also makes it easy to toggle back to showing errors when changing the code at a later date.

You're right though, it is just different. I like to set everything at runtime, so I am certain of the environment I am working in and for portability.
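A bootstrap that combines the two approaches discussed above (one display_errors switch, and a generic message in place of the raw warning), as an added example that is not flying_circus's or social_experiment's own code. It assumes an APP_ENV environment variable set by the web server and a log path outside public_html.

```php
<?php
// Added example, not code from the thread. Assumes APP_ENV is set by the web
// server; anything other than 'development' is treated as production.
$is_dev = (getenv('APP_ENV') === 'development');

error_reporting(E_ALL);
ini_set('display_errors', $is_dev ? '1' : '0');   // the one switch to toggle per environment
ini_set('log_errors', '1');                       // keep the full detail, but server-side only
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed path, outside the web root

// Turn every PHP warning/notice (such as the mysql_fetch_array() warning quoted
// earlier in the thread) into an exception so it cannot reach the browser.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;   // honours the '@' operator where it is still used
    }
    throw new ErrorException($str, 0, $no, $file, $line);
});

// One place decides what the visitor sees: message and path go to the log,
// the browser gets a generic page and a 500 status.
set_exception_handler(function (Throwable $e) use ($is_dev): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    if ($is_dev) {
        echo '<pre>', htmlspecialchars((string) $e), '</pre>';
    } else {
        echo 'Users will see a custom error';   // same idea as the die() above
    }
});
```

Because the handlers are installed once in the bootstrap, no individual mysql_query() call needs an '@' to keep file paths out of the browser.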

Re: How secure is this site?

Posted: Fri Aug 19, 2011 2:32 pm
by social_experiment
flying_circus wrote:Doesn't it make debugging a bear?
It could do that, but I limit my use of it to mysql functions and things like file_get_contents, things where potential information about a script / database / etc could be revealed. I also let the error message / report happen gracefully so it's not completely unnoticed.

Honestly, I've tried the approach of error reporting you mentioned and it doesn't work as well for me. I use exceptions where things can go seriously wrong and that's how I normally debug.

Good point about the ease of it, I can definitely see why you prefer it :)

Re: How secure is this site?

Posted: Sat Aug 20, 2011 10:42 am
by condoravenue1
I've been told I should deny access to http://bible-help.com/operations/. How do I do that?
Do I need to create a index file in that folder?

Re: How secure is this site?

Posted: Sat Aug 20, 2011 12:10 pm
by social_experiment
You could create an index file or use .htaccess, with at least this line: IndexIgnore *
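An .htaccess for the /operations/ directory, as an added example that is not from the thread. IndexIgnore * only hides entries from a directory listing and does not stop a direct request for a file in that directory, so the example also disables listings and denies HTTP access outright; scripts included from PHP with include() are unaffected.

```apache
# Added example for /operations/.htaccess (not from the thread).
# Hide everything from a directory listing (the line suggested above) ...
IndexIgnore *
# ... and disable directory listings altogether.
Options -Indexes

# Deny direct HTTP requests to anything in this directory (Apache 2.4 syntax).
# On Apache 2.2 the equivalent is:
#   Order deny,allow
#   Deny from all
Require all denied
```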

Re: How secure is this site?

Posted: Mon Aug 22, 2011 4:36 pm
by Mordred
condoravenue1 wrote:

$question_id = $_GET['question_id'];
$real = 0;                                  // flag: was the id found in the table?
$result5 = mysql_query("SELECT * FROM questions");
while ($row = mysql_fetch_array($result5))
{
    if ($row['id'] == $question_id) { $real = 1; }
}

// stop the script after the redirect so the rest of the page does not run with a bad id
if ($real != 1) { header('Location: http://www.google.com/'); exit; }
No. You're getting the entire table in memory, then searching through it in PHP. Just No.

// cast to int: anything that is not a number becomes 0, so only digits reach the query
$question_id = isset($_GET['question_id']) ? (int)$_GET['question_id'] : 0; //make a shortcut function for this if you want
$result5 = mysql_query("SELECT * FROM questions WHERE id='$question_id'");
Did you check the article about SQL injection in my sig? Download the examples and play with them.
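Mordred's two points in this thread (cast the id in view_question.php, and the (int) shortcut just above), written out as an added example that is not code from the thread or from bible-help.com. It uses the `questions` table and `id` column the thread mentions, and assumes a mysqli connection built with mysqlnd, since the mysql_* extension used in the thread was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $db
// and the `questions` table with an integer `id` column discussed above.

// Mordred's fix as a reusable shortcut: coerce the request value to int.
// Non-numeric input becomes 0, so the only thing that reaches SQL is digits.
function question_id_from_request(array $get): int
{
    return isset($get['question_id']) ? (int) $get['question_id'] : 0;
}

// Variant 1: the cast alone makes interpolation safe, because an int cannot
// carry quotes or SQL keywords into the query text.
function lookup_cast(mysqli $db, array $get): ?array
{
    $question_id = question_id_from_request($get);
    $result = $db->query("SELECT id, title FROM questions WHERE id = $question_id");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Variant 2: a prepared statement. The id is bound as a parameter and never
// becomes part of the SQL text, so no escaping decision is needed at all.
function lookup_prepared(mysqli $db, array $get): ?array
{
    $stmt = $db->prepare("SELECT id, title FROM questions WHERE id = ?");
    $question_id = question_id_from_request($get);
    $stmt->bind_param('i', $question_id);   // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;                     // null => caller redirects or sends 404
}

// The cast on its own, no database needed (constructed inputs):
var_dump(question_id_from_request(['question_id' => '55']));     // int(55)
var_dump(question_id_from_request(['question_id' => '55abc']));  // int(55)
var_dump(question_id_from_request(['question_id' => 'abc']));    // int(0)
var_dump(question_id_from_request([]));                          // int(0)
```

A null return replaces the "load the whole table and loop" check from the earlier post: a single indexed lookup tells you whether the id exists.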