Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
rebelt
Worker
Worker


Joined: May 07, 2006
Posts: 172

PostPosted: Sat Nov 01, 2008 11:46 am Reply with quote

I must admit I am rubbish at writing scripts so look for programs to do it for me Embarassed

For example, I need to collect results so turned to PHP-Form Wizard for help.

It produced this as a result.
Code:
<?php

# ----------------------------------------------------
# -----
# ----- This script was generated by PHP-Form Wizard 1.2.5
# -----
# ----- http://www.tools4php.com
# -----
# ----------------------------------------------------


// Receiving variables
@$DateOfMatch = addslashes($_POST['DateOfMatch']);
@$Division = addslashes($_POST['Division']);
@$Home_Team = addslashes($_POST['Home_Team']);
@$Home_Score = addslashes($_POST['Home_Score']);
@$Away_Team = addslashes($_POST['Away_Team']);
@$Away_Score = addslashes($_POST['Away_Score']);
@$Submitted_By = addslashes($_POST['Submitted_By']);
@$Email = addslashes($_POST['Email']);
@$Comments = addslashes($_POST['Comments']);

// Validation
//Sending Email to form owner
$pfw_header = "From: $Email\n"
  . "Reply-To: $Email\n";
$pfw_subject = "League Result";
$pfw_email_to = "results@*********.org.uk";
$pfw_message = "DateOfMatch: $DateOfMatch\n"
. "Division: $Division\n"
. "Home_Team: $Home_Team\n"
. "Home_Score: $Home_Score\n"
. "Away_Team: $Away_Team\n"
. "Away_Score: $Away_Score\n"
. "Submitted_By: $Submitted_By\n"
. "Email: $Email\n"
. "Comments: $Comments\n";
@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;

//Sending auto respond Email to visitor
$pfw_header = "From: results@*********.org.uk\n"
  . "Reply-To: results@**********.org.uk\n";
$pfw_subject = "League Result";
$pfw_email_to = "$Email";
$pfw_message = "Just to confirm your result as\n"
. "Division $Division\n"
. "Home_Team $Home_Team\n"
. "Home_Score $Home_Score\n"
. "Away_Team$Away_Team\n"
. "Away_Score $Away_Score\n"
. "\n"
. "Please check the live results link to check your result is there.\n"
. "\n"
. "Regards\n"
. "P";
@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;

//saving record to MySQL database
//changing date formats


@$pfw_strQuery = "INSERT INTO `*****`(`DateOfMatch`,`Division`,`Home_Team`,`Home_Score`,`Away_Team`,`Away_Score`,`Submitted_By`,`Email`,`Comments`)VALUES (\"$DateOfMatch\",\"$Division\",\"$Home_Team\",\"$Home_Score\",\"$Away_Team\",\"$Away_Score\",\"$Submitted_By\",\"$Email\",\"$Comments\")" ;
@$pfw_host = "host";
@$pfw_user = "user";
@$pfw_pw = "password.";
@$pfw_db = "database";
$pfw_link = mysql_connect($pfw_host, $pfw_user, $pfw_pw);
if (!$pfw_link) {
 die('Could not connect: ' . mysql_error());
}
$pfw_db_selected = mysql_select_db($pfw_db, $pfw_link);
if (!$pfw_db_selected) {
die ('Can not use $pfw_db : ' . mysql_error());
}

//insert new record
$pfw_result = mysql_query($pfw_strQuery);
if (!$pfw_result) {
 die('Invalid query: ' . mysql_error());
}
mysql_close($pfw_link);

 echo("<p align='center'><font face='Arial' size='3' color='#FF0000'>Thank You<br>Please click the back button on your browser</font></p>");
?>


Does anyone know of a programme which will check scripts for security as I obviously don't want to leave a way in for someone to hack away.

Hope that makes sense. Very Happy
 
View user's profile Send private message Visit poster's website
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sat Nov 01, 2008 12:50 pm Reply with quote

The only way you are going to do that is by reading something Smile
Sorry but there are just so many things to consider that it would be impractical to give you any decent advice without writing a book on it.
As a breif example, the database connection variables should be single quoted not double quoted, in fact the whole script should be single quoted, I definitely wouldn't use it as it is now.
Your recieving variables are prepended by ampersands which is good as it should prevent an error being generated and possibly giving away useful information to a would be script kiddie.
The problem though, there is next to no validation of the data being processed;
How do you know the email field contains an email address?
How do you know that only plain text is being passed in the fields that only require plain text?
.....
 
View user's profile Send private message Send e-mail
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Nov 01, 2008 2:16 pm Reply with quote

Quote:
the database connection variables should be single quoted not double quoted, in fact the whole script should be single quoted

I don't understand why that would be a security issue. A string is a string, unless you want to parse $variables inside the string then double quotes will work.

Guardian is correct about the validation.
I see nothing obvious for SQL injections, as everything is escaped with addslashes. Doesn't mean there couldn't be other vulnerabilities, esp using the mail function.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
rebelt
PostPosted: Sat Nov 01, 2008 2:56 pm Reply with quote

Thanks for the quick replies guys.

I understand what you say about reading Guardian, but find that after learning something, I don't use it for months, by which time I've forgotten Rolling Eyes So I have to try and re-learn. (must be my age Very Happy )

I tried using validation within the program but received an error
Quote:
Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\html\forms\index.php on line 25

with this
Code:
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $Email))

{
die('<p align='center'><font face='Arial' size='3' color='#FF0000'>Please enter a valid email</font></p>');
}


Quote:
other vulnerabilities, esp using the mail function.


Again I wouldn't know the problem with the mail function.

I can't expect you guys to sort out the many problems which may exist.

If there is no program to examin code, do you know of an idiots guide?
 
evaders99
PostPosted: Sun Nov 02, 2008 12:47 am Reply with quote

No idiot's guide exists. But there are many PHP security books and online references
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Tue Nov 04, 2008 6:07 pm Reply with quote

And a good one is called PHP Pro Security I believe.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
rebelt
PostPosted: Fri Nov 07, 2008 11:16 am Reply with quote

Thanks Guys Very Happy
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©