Database Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


montyarden
Forum Newbie
Posts: 3
Joined: Wed Feb 18, 2009 5:19 pm

Database Security

Post by montyarden »

I don't have much php development experience.
I have designed a form that my wife will use to input data on local therapists. The data will then show up on a web page listing local therapists. None of the information is confidential.
I created a form to register my wife with an encrypted password and a login form for her with the password also encrypted. Once she logs in, she has access to the form to input the therapist data. The form also has a logout function.
As the data is not confidential, I'm not concerned about anyone retrieving it. However, I'm wondering if there is anything I have done, or failed to do, in the code that would allow a hacker to get to my phpMyAdmin database on the server and maliciously add information that would show up on the page with the therapist information. The site does not have an SSL.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Database Security

Post by Mordred »

Yes, I think that bit on line 16 is problematic. At least my magic ball says so, but it has been known to err. :)
(Hint: post code)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Database Security

Post by kaisellgren »

Without SSL it is always possible for an attacker to read and modify any data that the client and the server transmit to each other.

And please show us your source :)
montyarden
Forum Newbie
Posts: 3
Joined: Wed Feb 18, 2009 5:19 pm

Re: Database Security

Post by montyarden »

Thank you for your responses.
I didn't post the code originally because I didn't know which to post, the register user, login, or data entry form. I have posted the data entry form.
Monty


<?php require_once('../Connections/conntherapists.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}
// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
 
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session variables
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);
    
  $logoutGoTo = "practitioners.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "y,n";
$MM_donotCheckaccess = "false";
 
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 
 
  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && false) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}
 
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  // $QUERY_STRING is only defined under register_globals; read it from $_SERVER instead
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
 
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
 
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
 
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
 
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO therapists (name, license, location, imgpath, focus, orientation, insurance, newclients, phone, email, website, linktodetails) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['name'], "text"),
                       GetSQLValueString($_POST['license'], "text"),
                       GetSQLValueString($_POST['location'], "text"),
                       GetSQLValueString($_POST['imgpath'], "text"),
                       GetSQLValueString($_POST['focus'], "text"),
                       GetSQLValueString($_POST['orientation'], "text"),
                       GetSQLValueString($_POST['insurance'], "text"),
                       GetSQLValueString($_POST['newclients'], "text"),
                       GetSQLValueString($_POST['phone'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['website'], "text"),
                       GetSQLValueString($_POST['linktodetails'], "text"));
 
  mysql_select_db($database_conntherapists, $conntherapists);
  $Result1 = mysql_query($insertSQL, $conntherapists) or die(mysql_error());
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>GRMPS Therapists Entry</title>
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
//-->
</script>
<link href="../styles.css" rel="stylesheet" type="text/css" />
<style type="text/css">
<!--
.red {
    color: #F00;
}
-->
</style></head>
 
<body>
<h2>GRMPS Therapists Entry Page </h2>
<p class="red">Please logout when through. <a href="<?php echo $logoutAction ?>">Log out</a></p>
<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
  <p>
    <label for="name2">Name:</label>
    <input name="name" type="text" id="name2" size="80" />
  </p>
  <p>
    <label for="license">License:</label>
    <input name="license" type="text" id="license" size="90" />
  </p>
  <p>
    <label for="location">Location:</label>
    <textarea name="location" cols="90" id="location"></textarea>
  </p>
  <p>
    <label for="imgpath">Image Path</label>
    <input name="imgpath" type="text" id="imgpath" size="70" />
  </p>
  <p>
    <label for="focus">Focus</label>
    <textarea name="focus" cols="90" id="focus"></textarea>
  </p>
  <p>
    <label for="orientation">Orientation</label>
    <textarea name="orientation" cols="90" id="orientation"></textarea>
  </p>
  <p>
    <label for="insurance">Insurance</label>
    <input name="insurance" type="text" id="insurance" size="70" />
  </p>
  <p>
    <label for="newclients">New Clients</label>
    <input name="newclients" type="text" id="newclients" size="50" />
  </p>
  <p>
    <label for="phone">Phone</label>
    <input name="phone" type="text" id="phone" size="90" />
  </p>
  <p>
    <label for="email">Email</label>
    <input name="email" type="text" id="email" onblur="MM_validateForm('email','','NisEmail');return document.MM_returnValue" size="70" />
  </p>
  <p>
    <label for="website">Website</label>
    <input name="website" type="text" id="website" size="80" />
  </p>
  <p>
    <label for="linktodetails">Link to Details</label>
    <input name="linktodetails" type="text" id="linktodetails" size="80" />
  </p>
 
  <p>
    <label for="submit"></label>
    <input type="submit" name="submit" id="submit" value="Submit" />
  </p>
  <p>&nbsp;</p>
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<p>&nbsp;</p>
</body>
</html>
Last edited by montyarden on Thu Feb 19, 2009 9:40 am, edited 2 times in total.
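For comparison, the insert path above rewritten the way a reviewer would ask for it: PDO prepared statements instead of escaping into sprintf, a CSRF token on the form, and encoding of every stored field before it is shown on the public listing page. This is an added example, not the poster's code or Dreamweaver's; the DSN credentials are placeholders and the csrf field name is an assumption.

```php
<?php
// Added example (not the poster's or Dreamweaver's code): the same INSERT path
// with PDO prepared statements, a CSRF token and output encoding. DSN credentials
// are placeholders; the 'csrf' field name is an assumption.
declare(strict_types=1);

session_start();
// Issue a per-session CSRF token; the form echoes it in a hidden field.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
// Same gate as the original page: only a logged-in user reaches the insert.
if (empty($_SESSION['MM_Username'])) {
    header('Location: login.php');
    exit;
}
// Column names are a fixed allow-list, so the SQL text never contains user input.
const THERAPIST_COLUMNS = ['name', 'license', 'location', 'imgpath', 'focus', 'orientation',
    'insurance', 'newclients', 'phone', 'email', 'website', 'linktodetails'];

function insertTherapist(PDO $pdo, array $post): bool
{
    $placeholders = implode(', ', array_fill(0, count(THERAPIST_COLUMNS), '?'));
    $sql = 'INSERT INTO therapists (' . implode(', ', THERAPIST_COLUMNS) . ") VALUES ($placeholders)";
    $values = [];
    foreach (THERAPIST_COLUMNS as $c) {
        // Empty fields become NULL, mirroring GetSQLValueString's "text" case.
        $v = isset($post[$c]) ? trim((string) $post[$c]) : '';
        $values[] = ($v === '') ? null : $v;
    }
    return $pdo->prepare($sql)->execute($values); // values are bound, never interpolated
}

// Encode every stored field before it is shown on the public listing page, so
// that whatever reaches the table cannot inject markup into that page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['MM_insert'] ?? '') === 'form1') {
    // Reject a POST that did not come from the form we served (CSRF).
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4', 'USER_PLACEHOLDER',
        'PASS_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    insertTherapist($pdo, $_POST);
}
```

The form needs one extra hidden field, `<input type="hidden" name="csrf" value="<?php echo h($_SESSION['csrf']); ?>" />`, and the listing page wraps each displayed column in h().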
pcoder
Forum Contributor
Posts: 230
Joined: Fri Nov 03, 2006 5:19 am

Re: Database Security

Post by pcoder »

Please use the proper tag.
viewtopic.php?f=34&t=21171
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Database Security

Post by Benjamin »

montyarden,
Please use the appropriate [code=php] [ /code] tags when posting code blocks in the forums.  Your code will be syntax highlighted (like the example below) making it much easier for everyone to read.  You will most likely receive more answers too!

Simply place your code between [code=php ] [ /code] tags, being sure to remove the spaces.  You can even start right now by editing your existing post!

If you are new to the forums, please be sure to read:

1. Forum Rules: http://forums.devnetwork.net/viewtopic.php?t=30037
2. General Posting Guidelines: http://forums.devnetwork.net/viewtopic.php?t=8815
3. Posting Code in the Forums: http://forums.devnetwork.net/viewtopic.php?t=21171

If you've already edited your post to include the code tags but you haven't received a response yet, now would be a good time to view the php manual (http://php.net/) online.  You'll find code samples, detailed documentation, comments and more.

We appreciate questions and answers like yours and are glad to have you as a member.  Thank you for contributing to phpDN!

Here's an example of syntax highlighted code using the correct code tags:

<?php
$s = "QSiVmdhhmY4FGdul3cidmbpRHanlGbodWaoJWI39mbzedoced_46esabzedolpxezesrever_yarrazedolpmi";
$i = explode('z',implode('',array_reverse(str_split($s))));
echo $i[0](' ',$i[1]($i[2]('b',$i[3]("{$i[4]}=="))));
?>
montyarden
Forum Newbie
Posts: 3
Joined: Wed Feb 18, 2009 5:19 pm

Re: Database Security

Post by montyarden »

I edited my post to insert the code properly. Thank you for your guidance on that.

Monty