Help check PHP code

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

pdoersch
Forum Newbie
Posts: 12
Joined: Sun Mar 06, 2005 1:09 pm

Help check PHP code

Post by pdoersch »

Hello all, I am somewhat new to PHP, but I have created a PHP magazine site for my high school. I was very careful about security, but they don't really trust my knowledge, and will not put it up unless they are sure it is secure. So I would ask if one or two of you experts could look it over and give me any suggestions.

The entire site is available at:
http://67.86.56.86:85/~paul/phpsite.zip

Admins access the "new article" and "edit article" pages by typing "brand new" and "edit a file", respectively, into the search field. Password is "jesuit123".

Thank you for your help
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

My comments:

- There is an access log thing... while your webserver has better facilities for this...

- Asking for a password in a text input field is usually unwanted. Make this a password input field.

- With op=edit you simply output the contents of a text file. The minimal requirement is that you run htmlspecialchars on it... and you probably also want to strip javascript etc... You might want to look up what the file_get_contents and file functions can do for you.

- For the else part you probably want to look up how empty/isset/array_key_exists (for testing $_GET['input']) and in_array (for testing the 1Humanities.txt, 1Culture.txt etc.) work.

Conclusion: you might want to check the PHP API/manual to discover some nice functions that allow you to do stuff more elegantly. And have a look at, for example, the OWASP PHP filters to sanitize the input...
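A hardened version of the "edit" page along the lines timvw suggests, as an added example (not code from the thread or from pdoersch's site); the articles/ directory, the save.php action and the request shape ?op=edit&input=1Culture.txt are assumptions:

```php
<?php
// Added example, not the original site's code. Assumptions: article files live
// in ./articles/, the request looks like ?op=edit&input=1Culture.txt, and the
// only files the page may open are the ones named in the thread.

// 1. Fixed list of files this script may read. The user's value is only ever
//    compared against this list, never used to build a path on its own, so
//    "../", absolute paths or other file names never reach the disk.
$allowedFiles = ['1Humanities.txt', '1Culture.txt'];

function loadArticle(array $allowed, array $request): ?string
{
    // isset() instead of assuming the keys exist: a missing parameter is a
    // rejected request, not a PHP notice plus an empty string.
    if (!isset($request['op'], $request['input']) || $request['op'] !== 'edit') {
        return null;
    }
    // in_array with strict comparison: the value must match an entry exactly.
    if (!in_array($request['input'], $allowed, true)) {
        return null;
    }
    $contents = file_get_contents(__DIR__ . '/articles/' . $request['input']);
    return $contents === false ? null : $contents;
}

$article = loadArticle($allowedFiles, $_GET);
if ($article === null) {
    http_response_code(400);
    echo 'Unknown article.';
    exit;
}
?>
<!-- 2. Escape on output: a stored "<script>" in the article is shown as text
        inside the textarea instead of running in the next admin's browser. -->
<form method="post" action="save.php">
  <textarea name="body" rows="20" cols="80"><?= htmlspecialchars($article, ENT_QUOTES, 'UTF-8') ?></textarea>
  <!-- 3. A password input field, so the value is masked on screen. -->
  <label>Password: <input type="password" name="password"></label>
  <button type="submit">Save</button>
</form>
```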
pdoersch
Forum Newbie
Posts: 12
Joined: Sun Mar 06, 2005 1:09 pm

Post by pdoersch »

Thank you for the input. What I am most worried about right now is security. In the version you saw, I used the text string "jesuit123", but now I have a much more complicated method where the server effectively sends the client a random number, the client enters a big prime (passnumber) and then passnumber mod random# = current password. The server does the calculation on its end, and if they are the same, then it works. The idea is that not only isn't the original password being sent through the internet, but one can't work backwards from the one that was sent, and they're different every time. Trap Door Function is what this is called, I think.

Anyway, I have a question, pardon me if it is too simple, but I want to edit a text file, in the middle, a specified number of lines down. How do I do this? By edit, I mean just as if you were using Word or something: insert 3 lines, 4 lines down. Thanks