Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Moderator: General Moderators
Christopher
Site Administrator
Posts: 13596 Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US
Post
by Christopher » Wed Apr 19, 2006 3:03 pm
I edited the PHP to add closing ']' to the $_POST vars.
Code:
<?php
// Accept the form only when the hidden 'submitted' field says 'yes'.
// Every field is reduced to a safe character class before use, and a
// missing field becomes '' (preg_replace() on null is deprecated since PHP 8.1).
$submitted = preg_replace('/[^a-zA-Z]/', '', (isset($_POST['submitted']) ? $_POST['submitted'] : ''));
$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['username']) ? $_POST['username'] : ''));
    $password = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['password']) ? $_POST['password'] : ''));
    if ($username == 'John' && $password == 'password') {
        $valid = true;
    } else {
        $errmsg = 'You must login to view logfile.txt';
    }
}
if ($valid) {
?>
The text.
<?php
} else {
?>
<html>
<!-- $errmsg is a fixed string set above, so it needs no escaping here -->
<span style="color:red"><?php echo $errmsg; ?></span>
<form action="loginhandler.php" method="post">
<input type="hidden" name="submitted" value="yes">
<p><input type="text" name="username" size="24"></p>
<p><input type="password" name="password" size="24"></p>
<p><input type="submit"></p>
</form>
</html>
<?php
}
m0u53m4t
Forum Contributor
Posts: 101 Joined: Wed Apr 19, 2006 7:47 am
Location: Wales
Post
by m0u53m4t » Wed Apr 19, 2006 4:05 pm
I've been talking to my friend and he made me a script and it works. Here it is:
Code:
<?php
$username = $_GET["username"];
$password = $_GET["password"];
if ($username == 'John' && $password == 'password') {
    //display text file
} else {
    echo 'You must login to view logfile.txt';
}
?>
With the HTML:
Code:
<html>
<form action="loginhandler.php" method="get">
<p><input type="text" name="username"></p>
<p><input type="password" name="password"></p>
<p><input type="submit"></p>
</form>
</html>
Now, this is my first idea on how to stop people accessing my file:
I make a file like this:
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com.*$ [NC]
RewriteRule \.(txt)$ - [F]
and saved it as .htaccess.txt, based on this script:
http://lissaexplains.com/html6.shtml#direct, but it still doesn't seem to be working.
andym01480
Forum Contributor
Posts: 390 Joined: Wed Apr 19, 2006 5:01 pm
Post
by andym01480 » Wed Apr 19, 2006 5:43 pm
You are using Apache as a server, aren't you? .htaccess doesn't work with Windows servers!
.htaccess, not .htaccess.txt
Also add
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
which stops people looking at your .htaccess file to see what you are stopping them doing!
Never used the Rewrite code, so I couldn't tell you if that would work once .htaccess is named right. Sorry!
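Both of the .htaccess fragments above are reaching for the same outcome: no direct request for logfile.txt, or for .htaccess itself, should succeed. The following is an added example, not the configuration from either post. It drops the Referer test entirely, because Referer is a header the client chooses to send: a request with no Referer, or one made with `curl -e http://www.google.com/ http://host/logfile.txt`, walks straight through the RewriteCond lines above, so a Referer check is not an access control. Both the Apache 2.2 directives (Order/Deny) and the 2.4 form (Require) are included, selected with IfModule on mod_authz_core, which exists only in 2.4.

```apache
# Added example, not the .htaccess from the posts above.
# Effect: every request for a *.txt file, or for .htaccess/.htpasswd
# themselves, gets 403 whatever Referer the client sends. The only route
# to the log is then through loginhandler.php.

# Apache 2.4: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
    <FilesMatch "\.txt$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use Order/Deny.
<IfModule !mod_authz_core.c>
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "\.txt$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

To check it, `curl -sI http://host/logfile.txt` and `curl -sI http://host/.htaccess` should both answer 403, with or without a Referer. If the file has no effect at all, the directory's AllowOverride (a server-side setting, which on shared hosting belongs to the host) must include at least Limit for these directives to be honoured. The stronger option, which needs no .htaccess, is to keep the log outside the document root and have the PHP script read it.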
Maugrim_The_Reaper
DevNet Master
Posts: 2704 Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland
Post
by Maugrim_The_Reaper » Thu Apr 20, 2006 3:05 am
Forms should use the POST method unless there's a specific reason not to. Also bear in mind you must validate the username and password (or for simplicity amend it such as in aborint's example). Failing to do so, while not immediately a security threat, is bad practice; it's not a habit you should fall into. aborint's example is far more robust IMO.
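Putting Christopher's handler and the two points just made (POST only, validate the fields) together, and adding the one thing neither post addresses, which is that logfile.txt stays fetchable at its own URL as long as it sits under the web root: the following is an added example, not code from the original thread or from any poster. It assumes the log and a password hash are stored in /var/www/private/, a directory outside the document root, and that the hash was generated once with password_hash(). The path, the file names and the user 'John' are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. Assumptions: the
// protected file and the password hash live OUTSIDE the document root,
//   /var/www/private/logfile.txt
//   /var/www/private/john.hash   <- created once with
//     php -r "echo password_hash('password', PASSWORD_DEFAULT);" > john.hash
// so no URL reaches either file; the only way in is this script.
declare(strict_types=1);

const PROTECTED_FILE = '/var/www/private/logfile.txt'; // assumed path
const HASH_FILE      = '/var/www/private/john.hash';   // assumed path
const ALLOWED_USER   = 'John';

/** Return a POST field reduced to [a-zA-Z0-9], or '' if absent or not a string. */
function post_alnum(string $key): string
{
    $raw = $_POST[$key] ?? '';
    // A field sent as username[]=... arrives as an array; treat it as empty.
    return is_string($raw) ? (string) preg_replace('/[^a-zA-Z0-9]/', '', $raw) : '';
}

/** Check the submitted credentials; both comparisons are constant-time. */
function credentials_valid(string $user, string $pass): bool
{
    $hash = @file_get_contents(HASH_FILE);
    if ($hash === false) {
        return false;                       // misconfigured: fail closed
    }
    // Compute both results before combining them so a wrong username does not
    // return early and reveal itself by timing.
    $userOk = hash_equals(ALLOWED_USER, $user);
    $passOk = password_verify($pass, trim($hash));
    return $userOk && $passOk;
}

$errmsg = '';
$valid  = false;

// Credentials travel only in a POST body, never in a query string, where
// they would land in browser history, Referer headers and access logs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && post_alnum('submitted') === 'yes') {
    $valid = credentials_valid(post_alnum('username'), post_alnum('password'));
    if (!$valid) {
        $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
    // Serve the file through PHP; it is not reachable at any URL.
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    readfile(PROTECTED_FILE);
    exit;
}
?>
<html>
<body>
<span style="color:red"><?php echo htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8'); ?></span>
<form action="loginhandler.php" method="post">
<input type="hidden" name="submitted" value="yes">
<p><input type="text" name="username" size="24"></p>
<p><input type="password" name="password" size="24"></p>
<p><input type="submit"></p>
</form>
</body>
</html>
```

As in the original form, every request re-sends the credentials; a real site would start a session after a successful check and rate-limit failures. Two quick checks: with the log out of the web root, `curl -sI http://host/logfile.txt` should return 404 rather than the file, and a POST with the wrong password should return the form with the error line and nothing else.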
m0u53m4t
Forum Contributor
Posts: 101 Joined: Wed Apr 19, 2006 7:47 am
Location: Wales
Post
by m0u53m4t » Thu Apr 20, 2006 8:35 am
Whenever I call something .htaccess or .logfile.txt, they just disappear.
d3ad1ysp0rk
Forum Donator
Posts: 1661 Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA
Post
by d3ad1ysp0rk » Thu Apr 20, 2006 9:17 am
They don't really disappear. They are hidden, like any file that begins with a period.
m0u53m4t
Forum Contributor
Posts: 101 Joined: Wed Apr 19, 2006 7:47 am
Location: Wales
Post
by m0u53m4t » Thu Apr 20, 2006 3:36 pm
I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098 Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia
Post
by Chris Corbyn » Fri Apr 21, 2006 6:32 am
m0u53m4t wrote: I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?
In Unix/Linux, files that begin with a dot are hidden files. You should still be able to access them over FTP if you check your FTP client's settings to show dot files or show hidden files.
Maugrim_The_Reaper
DevNet Master
Posts: 2704 Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland
Post
by Maugrim_The_Reaper » Fri Apr 21, 2006 6:32 am
If you have ssh you can run the command:
ls -la
A fair number of FTP clients should have View settings to enable the viewing of hidden files. A Google search for your FTP client and "view hidden files" should turn up the relevant tips.
m0u53m4t
Forum Contributor
Posts: 101 Joined: Wed Apr 19, 2006 7:47 am
Location: Wales
Post
by m0u53m4t » Sat Apr 22, 2006 10:52 am
I did that, but I still can't see it. How else can I block the viewing of the file? The only solution so far is with CHMOD.