making a web app - is my core file secure?
Posted: Sat Jun 30, 2007 4:02 pm
feyd | Please use
anyhow, i just wanted to get some feedback on the code, and hopefully uncover any problems that might exist.
feyd | Please use
Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
im working on a web app, and i wanted to get some feedback on a script that is run whenever any page is parsed ( ie its just required at the beginning of any php script)...
if the below code were saved as 'core.php' in a folder outside the html doc root along with all required pages within this script, then every page can start as...Code: Select all
<?php
require "../../core/core.php"
- page contents
?>Code: Select all
<?php
// process time start; get page process begin time, assign to variable $process_start
$mtime = microtime();
$mtime = explode (" ", $mtime);
$mtime = $mtime[1] + $mtime[0];
$process_start = $mtime;
// root directory
$root_dir = 'http://localhost/html/';
// database connection file
require "mysql_connect.php";
// session handling
session_start();
if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
$logged_in = 0;
} else {
if(!get_magic_quotes_gpc()) {
$_SESSION['username'] = addslashes($_SESSION['username']);
}
$pass = mysql_query("SELECT `password` FROM `users` WHERE `username` = '".$_SESSION['username']."'");
if(mysql_num_rows($pass) != 1) {
$logged_in = 0;
unset($_SESSION['username']);
unset($_SESSION['password']);
}
$db_pass = mysql_fetch_assoc($pass);
$db_pass['password'] = stripslashes($db_pass['password']);
$_SESSION['password'] = stripslashes($_SESSION['password']);
if($_SESSION['password'] == $db_pass['password']) {
$logged_in = 1;
$user_info = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_SESSION['username']."'");
$db_user_info = mysql_fetch_assoc($user_info); // load user info into array $db_user_info
unset($db_pass['password']);
} else {
$logged_in = 0;
unset($_SESSION['username']);
unset($_SESSION['password']);
}
}
$_SESSION['username'] = stripslashes($_SESSION['username']);
// date and time variables
// - use these variables on any page to get date/time information
// - '$the_date' - day of the week, month number of day, year; ex - Friday, April 20th, 2007
// - '$epoch_stamp' - epoch timestamp (seconds since the unix epoch)
// - '$epoch_string' - general string of time and date information; ex - 12:00 on 12/03/1982
$the_date = date('l, F jS, Y');
$epoch_stamp = date("U");
$epoch_string = strftime('%I:%M on %m/%d/%y ', $epoch_stamp);
// - make_safe($variable);
// - trims and encodes html characters for safe handling
function make_safe($variable) {
if (get_magic_quotes_gpc) {
$variable = stripslashes($variable);
$variable = trim($variable);
$variable = htmlentities($variable, ENT_QUOTES);
} else {
$variable = trim($variable);
$variable = htmlentities($variable, ENT_QUOTES);
$variable = addslashes($variable);
}
return $variable;
}
// perform security functions on POST and GET data
// - perform functions and save as shortnames: $p for POST and $g for GET
if ($_POST) {
if (is_array($_POST)) {
$_POST = array_map("make_safe", $_POST);
} else {
$_POST = make_safe($_POST);
}
$p = $_POST; // rename the superglobal $_POST to $p
}
if ($_GET) {
if (is_array($_GET)) {
$_GET = array_map("make_safe", $_GET);
} else {
$_GET = make_safe($_GET);
}
$g = $_GET; // rename the superglobal $_GET to $g
}
?>feyd | Please use
Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]