
Database Security

Posted: Wed Feb 18, 2009 5:24 pm
by montyarden
I don't have much php development experience.
I have designed a form that my wife will use to input data on local therapists. The data will then show up on a web page listing local therapists. None of the information is confidential.
I created a form to register my wife with an encrypted password and a login form for her with the password also encrypted. Once she logs in, she has access to the form to input the therapist data. The form also has a logout function.
As the data is not confidential, I'm not concerned about anyone retrieving it. However, I'm wondering if there is anything I have done, or failed to do, in the code that would allow a hacker to get to my phpMyAdmin database on the server and maliciously add information that would show up on the page with the therapist information. The site does not have an SSL.

Re: Database Security

Posted: Wed Feb 18, 2009 5:55 pm
by Mordred
Yes, I think that bit on line 16 is problematic. At least my magic ball says so, but it has been known to err. :)
(Hint: post code)

Re: Database Security

Posted: Wed Feb 18, 2009 5:59 pm
by kaisellgren
Without SSL it is always possible for an attacker to read and modify any data that the client and the server transmit to each other.

And please show us your source :)

Re: Database Security

Posted: Wed Feb 18, 2009 6:18 pm
by montyarden
Thank you for your responses.
I didn't post the code originally because I didn't know which to post, the register user, login, or data entry form. I have posted the data entry form.
Monty

Code:

<?php require_once('../Connections/conntherapists.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}
// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
 
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session variables
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);
    
  $logoutGoTo = "practitioners.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "y,n";
$MM_donotCheckaccess = "false";
 
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 
 
  // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && false) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}
 
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  // use $_SERVER['QUERY_STRING']; the bare $QUERY_STRING only exists with register_globals on
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
 
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
 
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
 
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
 
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO therapists (name, license, location, imgpath, focus, orientation, insurance, newclients, phone, email, website, linktodetails) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['name'], "text"),
                       GetSQLValueString($_POST['license'], "text"),
                       GetSQLValueString($_POST['location'], "text"),
                       GetSQLValueString($_POST['imgpath'], "text"),
                       GetSQLValueString($_POST['focus'], "text"),
                       GetSQLValueString($_POST['orientation'], "text"),
                       GetSQLValueString($_POST['insurance'], "text"),
                       GetSQLValueString($_POST['newclients'], "text"),
                       GetSQLValueString($_POST['phone'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['website'], "text"),
                       GetSQLValueString($_POST['linktodetails'], "text"));
 
  mysql_select_db($database_conntherapists, $conntherapists);
  $Result1 = mysql_query($insertSQL, $conntherapists) or die(mysql_error());
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>GRMPS Therapists Entry</title>
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,val,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
//-->
</script>
<link href="../styles.css" rel="stylesheet" type="text/css" />
<style type="text/css">
<!--
.red {
    color: #F00;
}
-->
</style></head>
 
<body>
<h2>GRMPS Therapists Entry Page </h2>
<p class="red">Please logout when through. <a href="<?php echo $logoutAction ?>">Log out</a></p>
<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
  <p>
    <label for="name2">Name:</label>
    <input name="name" type="text" id="name2" size="80" />
  </p>
  <p>
    <label for="license">License:</label>
    <input name="license" type="text" id="license" size="90" />
  </p>
  <p>
    <label for="location">Location:</label>
    <textarea name="location" cols="90" id="location"></textarea>
  </p>
  <p>
    <label for="imgpath">Image Path</label>
    <input name="imgpath" type="text" id="imgpath" size="70" />
  </p>
  <p>
    <label for="focus">Focus</label>
    <textarea name="focus" cols="90" id="focus"></textarea>
  </p>
  <p>
    <label for="orientation">Orientation</label>
    <textarea name="orientation" cols="90" id="orientation"></textarea>
  </p>
  <p>
    <label for="insurance">Insurance</label>
    <input name="insurance" type="text" id="insurance" size="70" />
  </p>
  <p>
    <label for="newclients">New Clients</label>
    <input name="newclients" type="text" id="newclients" size="50" />
  </p>
  <p>
    <label for="phone">Phone</label>
    <input name="phone" type="text" id="phone" size="90" />
  </p>
  <p>
    <label for="email">Email</label>
    <input name="email" type="text" id="email" onblur="MM_validateForm('email','','NisEmail');return document.MM_returnValue" size="70" />
  </p>
  <p>
    <label for="website">Website</label>
    <input name="website" type="text" id="website" size="80" />
  </p>
  <p>
    <label for="linktodetails">Link to Details</label>
    <input name="linktodetails" type="text" id="linktodetails" size="80" />
  </p>
 
  <p>
    <label for="submit"></label>
    <input type="submit" name="submit" id="submit" value="Submit" />
  </p>
  <p>&nbsp;</p>
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<p>&nbsp;</p>
</body>
</html>
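As an added illustration of the points raised in the thread (this is not montyarden's code and was not part of the original post): the insert path of the posted form rewritten so that the database values travel as prepared-statement parameters instead of being escaped into the SQL text, with a per-session form token checked on every POST and an HttpOnly session cookie. It assumes PHP 7.4 or later with the PDO MySQL driver, the same therapists table and column names as the posted INSERT, a login.php that sets $_SESSION['MM_Username'], and placeholder database credentials standing in for the ../Connections/conntherapists.php include.

```php
<?php
// Added example, not the original form's code. Assumes PDO with the MySQL
// driver and a `therapists` table with the columns used by the posted INSERT.
// Connection values are placeholders.

declare(strict_types=1);

// Session cookie hardening. HttpOnly keeps page scripts from reading the
// session id. session.cookie_secure is left off only because the site in the
// thread has no SSL yet; turn it on as soon as it does.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Same gate as the MM_Username check in the original (login.php assumed to
// set it and to call session_regenerate_id() after a successful login).
if (empty($_SESSION['MM_Username'])) {
    header('Location: login.php');
    exit;
}

// Per-session anti-forgery token: the form echoes it in a hidden field and
// the handler refuses any POST whose token does not match.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrfTokenIsValid(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// The twelve columns the original INSERT writes. Only these keys are read
// from $_POST, so extra fields in a crafted request are simply ignored.
const THERAPIST_COLUMNS = ['name', 'license', 'location', 'imgpath', 'focus',
    'orientation', 'insurance', 'newclients', 'phone', 'email', 'website',
    'linktodetails'];

function insertTherapist(PDO $db, array $post): int
{
    // Named placeholders: the driver sends values separately from the SQL
    // text, so no escaping function is involved at all.
    $cols   = implode(', ', THERAPIST_COLUMNS);
    $params = implode(', ', array_map(fn($c) => ":$c", THERAPIST_COLUMNS));
    $stmt   = $db->prepare("INSERT INTO therapists ($cols) VALUES ($params)");

    foreach (THERAPIST_COLUMNS as $col) {
        $value = trim((string) ($post[$col] ?? ''));
        // Empty fields become NULL, matching GetSQLValueString(..., "text").
        if ($value === '') {
            $stmt->bindValue(":$col", null, PDO::PARAM_NULL);
        } else {
            $stmt->bindValue(":$col", $value, PDO::PARAM_STR);
        }
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['MM_insert'] ?? '') === 'form1') {
    if (!csrfTokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Placeholder DSN and credentials; the original loads these from
    // ../Connections/conntherapists.php.
    $db = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
    try {
        $newId = insertTherapist($db, $_POST);
    } catch (PDOException $e) {
        // Log the driver message server-side; never echo it to the browser
        // the way `or die(mysql_error())` does.
        error_log('therapist insert failed: ' . $e->getMessage());
        exit('Could not save the record.');
    }
    // Redirect after POST so a browser refresh cannot re-submit the insert.
    header('Location: practitioners.php');
    exit;
}
?>
<form id="form1" method="POST" action="">
  <input type="hidden" name="csrf_token"
         value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>" />
  <input type="hidden" name="MM_insert" value="form1" />
  <!-- the twelve therapist fields from the original form go here unchanged -->
</form>
```

The two changes that matter for the question asked in the thread are that the INSERT can no longer be altered by anything typed into the fields, because the values never become part of the SQL string, and that a POST arriving without the session's token is rejected, so the insert can only be triggered from the form the logged-in user actually loaded. The database error is logged rather than printed, which keeps table and column names out of the page.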

Re: Database Security

Posted: Wed Feb 18, 2009 10:30 pm
by pcoder
Please use the proper tag.
viewtopic.php?f=34&t=21171

Re: Database Security

Posted: Wed Feb 18, 2009 10:38 pm
by Benjamin
montyarden,
Please use the appropriate [code] [ /code] tags when posting code blocks in the forums.  Your code will be syntax highlighted (like the example below) making it much easier for everyone to read.  You will most likely receive more answers too!

Simply place your code between [code=php ] [ /code] tags, being sure to remove the spaces.  You can even start right now by editing your existing post!

If you are new to the forums, please be sure to read:

1. Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037)
2. General Posting Guidelines (http://forums.devnetwork.net/viewtopic.php?t=8815)
3. Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)

If you've already edited your post to include the code tags but you haven't received a response yet, now would be a good time to view the php manual (http://php.net/) online.  You'll find code samples, detailed documentation, comments and more.

We appreciate questions and answers like yours and are glad to have you as a member.  Thank you for contributing to phpDN!

Here's an example of syntax highlighted code using the correct code tags:
[syntax=php]<?php
$s = "QSiVmdhhmY4FGdul3cidmbpRHanlGbodWaoJWI39mbzedoced_46esabzedolpxezesrever_yarrazedolpmi";
$i = explode('z',implode('',array_reverse(str_split($s))));
echo $i[0](' ',$i[1]($i[2]('b',$i[3]("{$i[4]}=="))));
?>[/syntax]

Re: Database Security

Posted: Thu Feb 19, 2009 9:55 am
by montyarden
I edited my post to insert the code properly. Thank you for your guidance on that.

Monty