Author Topic: My first steps in the marvellous world of PHP/MYSQL :D  (Read 14166 times)


Offline Hezad

  • Sponsor
  • Pentium
  • *******
  • Posts: 613
  • Karma: 44
  • I believe .. in Patrick.
    • View Profile
    • Hezad.com Web hosting
Hey everybody! I spent my Sunday afternoon learning some stuff about PHP, MySQL and setting up my own webserver :)

For now, I coded some kind of whiteboard/chat system with user management and some kind of minimal statistics. It would be very cool if you could try it out :P You only need to register an account (no activation by mail or anything, just a pseudo and a pass, and you'll be ready to post :) ).

Of course, if there are some PHP gurus here, don't hesitate to tell me if you see any kind of dangerous security flaw, since the page is hosted on my computer :P

Here is the link :
http://hezadserver.no-ip.org/PhpProject1/index.php

 :cheers:

Offline Shockwave

  • good/evil
  • Founder Member
  • DBF Aficionado
  • ********
  • Posts: 17414
  • Karma: 498
  • evil/good
    • View Profile
    • My Homepage
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #1 on: September 27, 2009 »
Hi Hezad, it's easy when you get into it eh?

Seems like I can't post, perhaps I have to wait for you to activate my account :)
Shockwave ^ Codigos
Challenge Trophies Won:

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #2 on: September 27, 2009 »
yeah it's easier than I thought in fact :)

For the activation, it's done :) Normally it's done automatically; there was a little bug in the query sent to the DB, but it's resolved :D You can post now ;D

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #3 on: September 28, 2009 »
uhuh thanks everyone for your tests :D

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #4 on: September 28, 2009 »
Added links saving :)

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #5 on: September 28, 2009 »
A little question! In my code, I'm dynamically adding some suppressing submit icons next to each added link. The names of those "buttons" are also generated dynamically ("supprlinkXX"), where XX is the ID of the link.

How can I get all those names to effectively suppress the link? Here is some code for a better understanding of the problem:

Code for adding the links and the suppress buttons dynamically:
Code:
$sqltxt = 'SELECT * FROM links_collection WHERE link_poster= "'.$_SESSION['login'].'"';
$result = mysql_query($sqltxt) or die("erreur...");
while (($row = mysql_fetch_array($result)))
{
    // $row[0] is link_ID, $row[1] is the stored URL
    echo '<a href="'.$row[1].'">'.$row[1].'</a>';
    echo '<a href="#" onclick="document.linksform.submit();"><img src="img/icons/delete.png" alt="Supprimer"/></a>';
    echo '<input type="hidden" name="supprlink'.$row[0].'" value="Supprimer lien" />';
    echo '<br />';
}
(linksform is the form containing all the dynamically added links and suppress buttons)

the function to suppress a link:
Code:
function supprimer_lien($id_lien)
{
    $base = mysql_connect('localhost', 'rootlogin', 'rootpassword');
    mysql_select_db('mybase', $base);

    if (empty($id_lien)) {
        return false;
    } else {
        // $id_lien goes straight into the query string
        return mysql_query("DELETE FROM links_collection WHERE link_ID = ".$id_lien) or die(mysql_error());
    }
}

In fact I'd like to use something like:
Code:
if (isset($_POST['suppr_linkID'])) { supprimer_lien($_POST['suppr_linkID']); }
but I don't know how to get the right $_POST['suppr_linkID']!!

I hope what I'm saying is understandable :S
« Last Edit: September 28, 2009 by Hezad »

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #6 on: September 28, 2009 »
I don't understand what you mean by suppress, do you mean delete?

Anyway, there are a few things I'd recommend that perhaps can help you here.

Firstly you don't have to use forms to pass variables between pages, you can do something like this;

(just as an example);

Code:
http://www.dbfinteractive.com/downloadshow.php?dl_id=8

This is just a straight forward url, after the ? you have a variable called;
dl_id
I put a value of 8 into it in this case.
So the url points to a script called downloadshow.php, you can grab the contents with;
$_GET

For example;

Code:
$somevariable = $_GET['dl_id'];

And execute a query to delete that record from your database.

A few other things that are quite important.
It is good practice to never trust any data submitted to your scripts so always use mysqli_real_escape_string to clean your queries before you execute them.
Put your database connection script outside the area where it can be directly accessed by a browser (below the level of public_html directory if possible).

Use the @ operator to suppress errors to avoid revealing too much information about your database to hackers.

I hope that that answered your query, if not, please post more about what you mean by suppress.
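One way to answer the question in Reply #5 with the advice from Reply #6 applied, as an added example that is not code from the thread: each link gets its own small form, the submit button carries the link ID as its value under one fixed name (supprlink), and the handler validates that ID as an integer, checks a per-session form token, and deletes with a prepared statement that also checks ownership, so a user can only delete their own links. The table and column names follow the thread (links_collection, link_ID, link_poster); link_url, the session layout, the csrf field and the SQLite in-memory database that lets the file run stand-alone are assumptions. For the thread's setup the DSN would be mysql:host=localhost;dbname=mybase;charset=utf8mb4.

```php
<?php
// Added example for this thread, not Hezad's code: one delete form per link,
// the link ID in the submit button's value, and a prepared DELETE that also
// checks ownership. Table/column names follow the thread (links_collection,
// link_ID, link_poster); link_url, the csrf field and the SQLite in-memory
// database are assumptions made so the file runs stand-alone. For the thread's
// setup the DSN would be 'mysql:host=localhost;dbname=mybase;charset=utf8mb4'.
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$_SESSION['login'] = $_SESSION['login'] ?? 'hezad';      // constructed: normally set at login
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));       // one token per session
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Constructed sample rows so the example has something to list and delete.
$pdo->exec('CREATE TABLE links_collection (link_ID INTEGER PRIMARY KEY, link_poster TEXT, link_url TEXT)');
$pdo->exec("INSERT INTO links_collection VALUES (1, 'hezad', 'https://example.com/a'),
                                                (2, 'shockwave', 'https://example.com/b')");

/** HTML-encode untrusted text for output (attribute-safe, UTF-8). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Delete one link, but only if it belongs to $login. Returns rows deleted (0 or 1). */
function supprimer_lien(PDO $pdo, string $login, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM links_collection WHERE link_ID = ? AND link_poster = ?');
    $stmt->execute([$id, $login]);          // values travel separately from the SQL text
    return $stmt->rowCount();
}

// 1. Handle a submitted delete. The button name is fixed and the ID is its
//    value, so there is nothing dynamic to discover in $_POST.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['supprlink'])) {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid form token');         // a form hosted elsewhere cannot know the session token
    }
    $id = filter_var($_POST['supprlink'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Bad link id');                // "3 OR 1=1", "", "abc" all end here
    }
    supprimer_lien($pdo, $_SESSION['login'], $id);
}

// 2. List the current user's links, each with its own delete button.
$stmt = $pdo->prepare('SELECT link_ID, link_url FROM links_collection WHERE link_poster = ?');
$stmt->execute([$_SESSION['login']]);
foreach ($stmt as $row) {
    echo '<form method="post" action="index.php">';
    echo '<a href="', h($row['link_url']), '">', h($row['link_url']), '</a> ';
    echo '<input type="hidden" name="csrf" value="', h($_SESSION['csrf']), '">';
    echo '<button type="submit" name="supprlink" value="', (int) $row['link_ID'], '">Supprimer</button>';
    echo "</form>\n";
}
```

Save it as index.php, load it in a browser and click Supprimer. A request whose supprlink value is not a positive integer, or whose csrf value does not match the session, is refused before any SQL runs; because the ID is bound as a parameter, the DELETE statement sent to the server is the same string no matter what the client submits, which is what escaping by hand with mysqli_real_escape_string only approximates.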

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #7 on: September 28, 2009 »
You need to close the vulnerability of people injecting executable code into your site too..

Try logging in as shockwave with a password of shockwave and you'll see that I managed to inject javascript into your site.

Use strip_tags() or htmlentities() to stop this problem :) This is important, as I could use JavaScript to redirect your page and much, much worse. Remember, JavaScript is executable code.

Offline Jim

  • Founder Member
  • DBF Aficionado
  • ********
  • Posts: 5301
  • Karma: 402
    • View Profile

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #9 on: September 28, 2009 »
Thanks! Yeah, I really should take a deep look into security... I just don't understand all those concepts yet. I have a problem with htmlentities: it also transforms the accents (widely used in French) into chr() codes... I guess the problem comes from some character set used in the DB, but I tried some changes and it didn't resolve the problem.

Also, what do you mean by
Quote
Put your database connection script outside the area where it can be directly accessed by a browser (below the level of public_html directory if possible).
?

Maybe it's a shame but I don't have a public_html folder. All my php projects are stored in the root of the server : the www folder.

Just a question: except for the database/server files, is there a real risk with SQL injection on my computer? (For now, I don't care about losing www/ files or database data, but if the risk extends to my computer, well... :S)

I logged with your account and well ... Yeah it's worrying.

Anyway, I also coded something interesting, but I guess it's way more dangerous for my computer... I'll PM you the link, Shockie, maybe you'll find it useful :D

Offline Jim
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #10 on: September 28, 2009 »
The risk with SQL injection is that someone could delete your entire database contents in one web call. With the type of injection Shockwave did, they could rewrite your website. Are they able to view your PHP code in the browser with the right URL?

There's a smaller, but still real, risk that they can get out of the IIS/Apache sandbox and attack the rest of your PC.

For the extended character set, you need to set the database to utf8 or unicode.

Jim
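The accent problem from Reply #9 and the JavaScript injection from Reply #7 have the same fix, shown here as an added example that is not code from the thread: encode untrusted text at the moment it is written into HTML, with the charset stated explicitly. htmlspecialchars() rewrites only the five HTML metacharacters, so "é" survives; htmlentities() additionally rewrites every character that has a named entity, which is the behaviour Hezad describes. Before PHP 5.4 both functions defaulted to ISO-8859-1, so UTF-8 text passed without the charset argument came back as two entities per accented letter. The render_message() function, its field names and the MySQL calls in the trailing comment are assumptions.

```php
<?php
// Added example, not code from the thread: encode untrusted text at the
// moment it is written into HTML, with the charset stated explicitly.
// htmlspecialchars() rewrites only & < > " ' so "é" stays "é";
// htmlentities() also rewrites every character that has a named entity.
declare(strict_types=1);

/** Encode for an HTML text node or attribute value. */
function h(string $s): string
{
    // ENT_QUOTES: also escape ' and " (attribute context);
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Same input through htmlentities(), for comparison only. */
function h_entities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** One whiteboard line (assumed layout): encode the data first, then add markup you control. */
function render_message(string $author, string $text): string
{
    return '<p><b>' . h($author) . '</b>: ' . nl2br(h($text)) . "</p>\n";
}

// Constructed inputs: a French name, then two of the values a registration
// form will receive once someone tries what Shockwave did.
$samples = [
    'Hélène',
    '<script>alert(document.cookie)</script>',
    '" onmouseover="alert(1)',
];
foreach ($samples as $s) {
    echo h($s), "\n", h_entities($s), "\n\n";
}
// h('Hélène')          -> Hélène
// h_entities('Hélène') -> H&eacute;l&egrave;ne
// h('<script>...')     -> &lt;script&gt;...   (shown as text, not executed)

echo render_message('Hélène <3', "Salut !\nÇa va ?");

// The charset has to be consistent end to end, or the bytes are already broken
// before the encoder sees them. Assumed calls matching the thread's MySQL setup:
//   $mysqli = new mysqli('localhost', 'user', 'pass', 'mybase');
//   $mysqli->set_charset('utf8mb4');   // and the columns in utf8mb4, as Jim suggests
//   header('Content-Type: text/html; charset=UTF-8');
```

Encoding happens on output, not on the way into the database: the stored value stays exactly what the user typed, and the same h() call protects a text node, an attribute value and a username whether it came from a form, a cookie or a query string.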

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #11 on: September 29, 2009 »
Quote
Are they able to view your php code in the browser with the right url?

I tried and I don't think it's possible, users only see generated html code. Anyway, I deleted the thing since it was totally insecure and ugly-written :P I'm working on something else right now, I'll try to make it way more secure ;D

thanks

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #12 on: September 29, 2009 »

Quote
Also, what do you mean by
Quote
Put your database connection script outside the area where it can be directly accessed by a browser (below the level of public_html directory if possible).
?

Maybe it's a shame but I don't have a public_html folder. All my php projects are stored in the root of the server : the www folder.


On a web server the documents are stored in the www folder. Typically, on a live installation of a site, you would never normally store a connection script in that folder; instead you should store it outside that directory and access it like;

Code:
require_once ('../somedir/mysql_live_connect.php');

Because regardless of what you think, there are some means where scripts can be viewed in a browser, storing it outside the www or public_html directory makes it inaccessible to people who would try and access it in your browser.

Other things about mysql injection, if I was to try and hack a website that used a mysql database then the way I would first try and do this would be by trying to supply it with an invalid query to cause an error and thereby try to reveal something about the database.

Typically this could be done by cross site scripting: I would write a script on my own server which would call one of your PHP scripts. If you have a form in your page, it is easy to see which script it actions when you click submit, so my form would just call the same script. Furthermore, I would know the variable names in your form from the HTML, so I could pass my own values into these variables and try to escape your SQL query string (I am not going to post this in public) and add my own commands to the SQL query.

SQL injection is something you should take very seriously. Preferably you should use prepared statements; at the very least use mysqli_real_escape_string. htmlentities() converts any HTML tags, eg. < to &lt; etc., to prevent the kind of JavaScript thing I did; strip_tags() is another good function to remove potentially harmful code.

Finally I am kind of sad that you took the site down, it was looking good.
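The layout described in the reply above, as an added example that is neither Hezad's nor Shockwave's code: the credentials live in a file outside the document root and are pulled in with require, the connection throws on failure instead of being silenced with @, failures are logged server-side while the visitor gets a generic message (the original supprimer_lien() printed mysql_error() to the page, which is exactly the error an attacker provokes on purpose), and the thread's "links for this poster" query is a prepared statement. The directory layout, the links_app account, the config array and the SQLite fallback that lets the file run without MySQL are assumptions.

```php
<?php
// Added example, not Hezad's or Shockwave's code. Assumed layout:
//   /var/www/app/config/db.php   credentials, outside the document root
//   /var/www/app/www/links.php   this file, inside the document root
// config/db.php holds only a returned array:
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=mybase;charset=utf8mb4',
//                 'user' => 'links_app', 'pass' => 'change-me'];
// with links_app a MySQL account limited to SELECT/INSERT/DELETE on
// links_collection, instead of the root login used in the thread's supprimer_lien().
declare(strict_types=1);

function db_connect(string $configFile): PDO
{
    if (is_file($configFile)) {
        $cfg = require $configFile;     // a path the web server never serves
    } else {
        // Constructed fallback so the example runs stand-alone without MySQL.
        $cfg = ['dsn' => 'sqlite::memory:', 'user' => null, 'pass' => null];
    }
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,  // failures throw, nothing is silenced
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/** The thread's "links for this poster" query as a prepared statement. */
function links_for(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT link_ID, link_url FROM links_collection WHERE link_poster = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll();
}

try {
    $pdo = db_connect(__DIR__ . '/../config/db.php');
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'sqlite') {
        // Constructed sample data for the stand-alone run.
        $pdo->exec('CREATE TABLE links_collection (link_ID INTEGER PRIMARY KEY, link_poster TEXT, link_url TEXT)');
        $pdo->exec("INSERT INTO links_collection VALUES (1, 'hezad', 'https://example.com/a')");
    }
    // With the original string-built query, the second login would have ended
    // the quoted literal early, MySQL would have raised a syntax error, and
    // die(mysql_error()) would have printed it to the visitor. Bound as a
    // parameter, it is just a login that matches nothing.
    foreach (['hezad', 'o"reilly'] as $login) {
        printf("%-10s %d link(s)\n", $login, count(links_for($pdo, $login)));
    }
} catch (PDOException $e) {
    error_log('database error: ' . $e->getMessage());   // full detail to the server log only
    http_response_code(500);
    exit('Service temporarily unavailable');            // nothing about the schema to the client
}
```

Keeping the config outside www also means a misconfigured server that starts serving .php files as plain text (or a backup copy such as db.php~ left in the tree) does not hand out the password, and the dedicated MySQL account limits what a query that does slip through can do.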

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #13 on: September 30, 2009 »
Thanks a lot for all those explanations !

Quote
Finally I am kind of sad that you took the site down, it was looking good.

Well, I'm working on something new :) The site was a test place, but a friend asked me to try to code something for him. It'll be a very good exercise, and I'll have to secure it immediately. I'll post a link here once there is something you can use.
Also, since security will be pretty important, I guess I'll ask you guys to try to hack it to see if it IS secure  ;D

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #14 on: September 30, 2009 »
please do post it and I'll see if I can H4XX0R it for you :)

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #15 on: September 30, 2009 »
hehe thanks, I'll do it ! But before, I must build it ! And I already have a problem ...

here it is :
If I write this, it works perfectly :
Code:
if (isset($_POST['creerfacture']))
{
    header('Location: creer_facture.php');
}

but if I want to put some security, I write this, but it gives me an error oO :
Code:
if (isset(htmlspecialchars($_POST['creerfacture'])))   // isset() only accepts variables, hence the fatal error below
{
    header('Location: creer_facture.php');
}

error :
Quote
Fatal error: Can't use function return value in write context in C:\wamp\www\autoFacture\index.php on line 4
(line 4 is the first line in the posted codes)

The point is I tried htmlspecialchars() and htmlentities() and both give me exactly the same error ... Is there something I forgot to do ?

(here is the form used if necessary :)
Code:
<form action="index.php" method="post">
    <input type="submit" name="creerfacture" value="Créer facture" />
</form>

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #16 on: September 30, 2009 »
I don't tend to use isset a lot myself as its behaviour seems kind of unpredictable; I prefer to use empty().

This should do what you want;

Code:
<?php
// the form above uses method="post", so the value arrives in $_POST
$grab = htmlspecialchars($_POST['creerfacture']);
if (!empty($grab)) {
    header('Location: creer_facture.php');
} else {
    echo 'Not Set';
}
?>

Offline combatking0

  • JavaScript lives!
  • Senior Member
  • DBF Aficionado
  • ********
  • Posts: 4569
  • Karma: 235
  • Retroman!
    • View Profile
    • Combat King's Barcode Battler Home
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #17 on: September 30, 2009 »
Try setting the form method to "POST" instead of "post". Not the greatest of differences, but it may have an effect, as some PHP builds are picky.

The isset function is used for checking if variables are set - regardless of its content, $_POST['creerfacture'] will be either set or not.

htmlspecialchars is not a variable, which is why it is not compatible with isset.

try:

Code:
if (isset($_POST['creerfacture']))
{
    // only proceed if the value contains no HTML special characters
    if ($_POST['creerfacture'] == htmlspecialchars($_POST['creerfacture']))
    {
        header('Location: creer_facture.php');
    }
}

I'm assuming you want to write the header if no html special characters are found. If you want to change this behaviour, change the first "=" in the second "if" statement to a "!".

Please let us know if this works.

(edit) If Shockwave's suggestion works, don't bother with mine - he knows PHP better than I do.
You are our 9001st visitor.

Offline Hezad
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #18 on: September 30, 2009 »
thanks for your answers guys :)

Shockie >
I tried to copy and paste your snippet and I have this return :
Quote
Notice: Undefined index: creerfacture in C:\wamp\www\autoFacture\index.php on line 4
Not Set
(I tried with $_POST and $_GET, I get the same error)

combatking >
it worked perfectly ! Okay, so I must NOT use isset() or empty/!empty with htmlspecialchars function, got it !


A last question though: since 'creerfacture' is "posted" when a user clicks on a button ('creerfacture' is the name of the button), is it also important to prevent special chars in this case? Or should I just use htmlspecialchars when the user can introduce stuff (like textareas/textboxes/...)?


Thanks again !

Offline Shockwave
Re: My first steps in the marvellous world of PHP/MYSQL :D
« Reply #19 on: September 30, 2009 »
Quote
A last question though : Since 'creerfacture' is "posted" when a user clicks on a button ('creerfacture' is the name of the button), is it also important to prevent specialchars in this case ? Of should I just use htmlspecialchars when the user can introduce stuff (like textareas/textbox/...)  ?

It's important to never trust the variables passed from your forms or pages because who's to say that it's your form that is calling the script?

It would be easy for someone to have a script on some other site that can call your page with its own values for your variables, so you need to check that each variable is what you expect, eg. a string or a number, and also check it for illegal tags and characters. As well as that, any queries you do on your database should first be either sent as prepared statements (preferable) or at least cleaned with mysqli_real_escape_string, to prevent people escaping the query and running their own queries on your database.
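The "check that the variable is what you expect" advice in Reply #19, and the isset/htmlspecialchars confusion of Replies #15 to #18, worked through as an added example that is not code from the thread. htmlspecialchars() belongs where a value is written into HTML; on input the useful check is whether the value has the type, length and shape the script expects, and a submit button's value that is never echoed needs no encoding but still gets that check. Note also that empty('0') is true, so a numeric ID of 0 or the string "0" would read as "not submitted"; the helpers below test type and range instead. The field names (login, url), the pseudo format and the URL length limit are assumptions; the link validation matters for this thread because links_collection stores user-supplied URLs that are later placed in an href.

```php
<?php
// Added example, not code from the thread. Validation for the forms the
// thread describes (pseudo/password registration, link saving, per-link
// delete buttons). Field names are assumed. Each helper decides what a value
// is allowed to be and returns null for anything else; HTML encoding is a
// separate step done when the value is written into a page.
declare(strict_types=1);

const LOGIN_RE = '/^[A-Za-z0-9_]{3,32}$/';   // assumed pseudo format

/** A pseudo: short, ASCII word characters only. */
function valid_login(mixed $v): ?string
{
    return is_string($v) && preg_match(LOGIN_RE, $v) === 1 ? $v : null;
}

/**
 * A URL for links_collection. FILTER_VALIDATE_URL accepts any scheme as long
 * as a host is present, so 'javascript://example.com/%0Aalert(1)' passes it
 * and would execute when placed in <a href="...">; the scheme is therefore
 * restricted to http/https explicitly.
 */
function valid_link(mixed $v): ?string
{
    if (!is_string($v) || strlen($v) > 2048) {
        return null;
    }
    $url = filter_var($v, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/** A link ID: integer >= 1. "7 OR 1=1", "7.5", "" and "0" all return null. */
function valid_id(mixed $v): ?int
{
    $id = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Validate a whole POST array for the link form; returns [clean, errors]. */
function validate_link_form(array $post): array
{
    $clean  = ['login' => valid_login($post['login'] ?? null), 'url' => valid_link($post['url'] ?? null)];
    $errors = array_keys(array_filter($clean, 'is_null'));
    return [$clean, $errors];
}

// Constructed inputs: a normal submission, then the kind of values a form
// hosted elsewhere can post to the same script.
$submissions = [
    ['login' => 'hezad',              'url' => 'https://dbfinteractive.com/'],
    ['login' => '<script>',           'url' => 'javascript://example.com/%0Aalert(1)'],
    ['login' => str_repeat('a', 40),  'url' => 'ftp://example.org/x'],
];
foreach ($submissions as $post) {
    [$clean, $errors] = validate_link_form($post);
    echo $errors ? 'rejected: ' . implode(', ', $errors) : 'ok: ' . json_encode($clean), "\n";
}
var_dump(valid_id('7'), valid_id('7 OR 1=1'), valid_id('0'));   // int(7) NULL NULL
```

The first submission is accepted; the second and third are rejected on both fields. Whether the request came from your own form or from one on another site makes no difference to these checks, which is the point of Reply #19: the script cannot know who built the form, so it only ever trusts values it has verified itself.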