Author Topic: [SOLVED] Securing script??  (Read 645 times)


Offline widget (Topic starter)

  • Enthusiast
  • Posts: 142
[SOLVED] Securing script??
« on: September 15, 2007, 12:22:13 AM »
Hi, I need some help with making my site secure.

Using PHP and MySQL.

I'm totally new to PHP and MySQL but have been doing OK with it all so far.

Apparently my site's scripts aren't secure and I have no idea where to start to fix this.

Is there anyone out there who would be willing to take a look for me and help me fix this problem?


Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #1 on: September 15, 2007, 12:25:21 AM »
Read up on mysql_real_escape_string, trim and strip_tags.

Offline marksimpson884

  • Irregular
  • Posts: 43
Re: Securing script??
« Reply #2 on: September 15, 2007, 12:35:37 AM »
Rule of thumb: assume any input is a dangerous input. That means using those above so someone can't delete all your information. Beyond that it's (usually) just a matter of checking to make sure people can't change POST or GET variables to access different parts of the site. Beyond that you should be fine unless you want to make sure they can't inject information into cookies, like ones that check session IDs for example (if you have a login system). That's all I can think about at the moment.

Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #3 on: September 15, 2007, 12:44:38 AM »
Secure Session Example:

Code: [Select]
<?php
session_start();

if (!isset($_SESSION['initiated'])) {
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
?>

Offline widget (Topic starter)

  • Enthusiast
  • Posts: 142
Re: Securing script??
« Reply #4 on: September 15, 2007, 12:58:06 AM »
All I can tell you is that this is what someone wrote on a forum about my site.

Quote
I don't like their art, and their scripts are still buggy. I even gained temporary access to view all users in the database. Check your scripts. They can be hacked easily.

and I do use strip_tags on any input areas.



« Last Edit: September 15, 2007, 12:59:23 AM by widget »

Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #5 on: September 15, 2007, 12:59:55 AM »
Try changing the sessions like I have them? They are easily grabbing the sessions and gaining entry.

Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #6 on: September 15, 2007, 01:01:36 AM »
Try putting

Code: [Select]
<?php
$variable = $_POST['variable'];
$variable = mysql_real_escape_string($variable); // plugs SQL injection attack leaks
?>
« Last Edit: September 15, 2007, 01:06:19 AM by darkfreaks »

Offline widget (Topic starter)

  • Enthusiast
  • Posts: 142
Re: Securing script??
« Reply #7 on: September 15, 2007, 01:16:11 AM »
darkfreaks, that all sounds good, but I have no idea what it is or where I should put it.

Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #8 on: September 15, 2007, 01:17:41 AM »
Copy the example code for all your POST variables that you want to post into the database. It will escape code and characters used in SQL injection attacks; this way they cannot grab anything from the database.
« Last Edit: September 15, 2007, 01:19:13 AM by darkfreaks »

Offline widget (Topic starter)

  • Enthusiast
  • Posts: 142
Re: Securing script??
« Reply #9 on: September 15, 2007, 01:35:28 AM »
OK, for example I have the page where a user can update their profile.

This page has the basic form elements then passes them to another page that has all the code for placing the information into the database.

I'll paste the second page's code below.

Code: [Select]
<?php

/*

Process Update Profile (update_profile.pro.php)

*/
ob_start();
include "global.inc.php";

$check_username = strtolower(ereg_replace(" ", "", $update_display_name));
if ($check_username == $username)
{
    mysql_query("UPDATE members2 SET display_name = '$update_display_name' WHERE username = '$username' AND game = '$game'") or die ("Database error: ".mysql_error());
}

if (($update_mybirthmonth >= 1) AND ($update_mybirthmonth <= 12) AND ($update_mybirthday >= 1) AND ($update_mybirthday <= 31) AND ($update_mybirthyear >= 0) AND ($update_mybirthyear <= $this_year))
{
    $birthday = "$update_mybirthmonth-$update_mybirthday-$update_mybirthyear";
    mysql_query("UPDATE members_profiles2 SET birthday = '$birthday' WHERE username = '$username' AND game = '$game'") or die ("Database error: ".mysql_error());
}

if (($update_my_gender >= 1) OR ($update_my_gender <= 2))
{
    mysql_query("UPDATE members_profiles2 SET gender = '$update_my_gender' WHERE username = '$username' AND game = '$game'") or die ("Database error: ".mysql_error());
}

if (($update_mailsettings >= 0) OR ($update_mailsettings <= 2))
{
    mysql_query("UPDATE members_profiles2 SET mail_settings = '$update_mailsettings' WHERE username = '$username'") or die ("Database error: ".mysql_error());
}

if ((!$update_location) OR (!$update_myemail) OR (!$update_myname))
{
    die(header(error("update_profile.php?game=$game","BOLD RED fields must not be blank!")));
}

$profile = smilies(badwords(strip_tags($update_myprofile,"<embed><b><u><a><font><img><p><br><body><table><tr><td><background><style><bg><center><bgsound><div><span>")));
$signature = badwords(strip_tags($update_signature,"<b><u><a><font>"));
$update_myemail = badwords(strip_tags($update_myemail,""));
$update_myname = badwords(strip_tags($update_myname,"<b><u>"));
$update_location = badwords(strip_tags($update_location,""));

mysql_query("UPDATE members_profiles2 SET location = '$update_location' WHERE username = '$username' AND game = '$game'");
mysql_query("UPDATE members_profiles2 SET profile = '$profile' WHERE username = '$username' AND game = '$game'");
mysql_query("UPDATE members_profiles2 SET signature = '$signature' WHERE username = '$username' AND game = '$game'");
mysql_query("UPDATE members_profiles2 SET real_name = '$update_myname' WHERE username = '$username' AND game = '$game'");
mysql_query("UPDATE members_profiles2 SET email = '$update_myemail' WHERE username = '$username' AND game = '$game'");
mysql_query("UPDATE members_profiles2 SET avatar = '$avatar_name' WHERE username = '$username'");

die(header(error("update_profile.php?game=$game","Your information has been updated successfully!")));

?>

So where on here does it go?

Offline php_novice2007

  • Enthusiast
  • Posts: 124
Re: Securing script??
« Reply #10 on: September 15, 2007, 01:38:30 AM »
Hi guys,

I'm just looking at the same topic...

at the moment I've got session_register('userid') in my loginCheck page, and then every other page I've got

Code: [Select]
session_start();
if(session_is_registered('userid')){
  session_regenerate_id();
  ...
} else {
  echo "You are not logged in";
}

Is that doing the same as what darkfreaks' code is doing?

I seem to remember being told elsewhere that "session_is_registered" is not good to use, is that true?
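An added example, not darkfreaks' or php_novice2007's code, of session handling for current PHP (7.3 or later). It regenerates the session id once at login, where the session gains privileges, instead of on every page, and it tests isset($_SESSION['userid']) in place of session_is_registered(), which together with session_register() was deprecated in PHP 5.3 and removed in 5.4. The cookie and ini settings are real PHP options; check_credentials() in the trailing usage comment is a hypothetical stand-in for the site's own password check.

```php
<?php
// Added example (not code from the thread). Three helpers:
//   secure_session_start()  - call on every page before touching $_SESSION
//   login_user()            - call on the login page after the password check
//   require_login()         - replaces session_is_registered('userid')

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                  // already started on this request
    }
    // Refuse session ids the server never issued, so a browser that arrives
    // with an attacker-chosen id gets a fresh one instead (fixation defence).
    ini_set('session.use_strict_mode', '1');
    // The id travels only in the cookie, never in the query string.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,                      // not readable by page scripts
        'secure'   => !empty($_SERVER['HTTPS']), // only over TLS when the site has it
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $userid): void
{
    // The session's privilege level changes here, so issue a new id and
    // delete the old session data: any id the browser held before login is dead.
    session_regenerate_id(true);
    $_SESSION['userid']     = $userid;
    $_SESSION['login_time'] = time();
}

function require_login(): string
{
    // Same check php_novice2007's page makes, without the removed function.
    if (!isset($_SESSION['userid']) || !is_string($_SESSION['userid'])) {
        echo "You are not logged in";
        exit;
    }
    return $_SESSION['userid'];
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage (sketch; check_credentials() is hypothetical, it is the site's own
// password verification):
//
//   // login.php
//   secure_session_start();
//   if (check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       login_user($_POST['user']);
//       header('Location: index.php');
//       exit;
//   }
//
//   // every other page
//   secure_session_start();
//   $userid = require_login();
```

Regenerating on every request, as in the page above, also works but can log a user out when two requests overlap and the second one still carries the old id; regenerating at login (and at logout) is what closes the fixation window.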


Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #11 on: September 15, 2007, 01:41:31 AM »
Example query with mysql_real_escape_string:
Code: [Select]
<?php
// Escape each value first, then build the query from the escaped copies.
$update_location = mysql_real_escape_string($update_location);
$username        = mysql_real_escape_string($username);
$game            = mysql_real_escape_string($game);

mysql_query("UPDATE members_profiles2 SET location = '$update_location' WHERE username = '$username' AND game = '$game'");
?>
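A hardened version of widget's update script, as an added example that is neither the original update_profile.pro.php nor darkfreaks' snippet. It is written for current PHP with mysqli prepared statements, because the mysql_* functions used in this thread were removed in PHP 7. Escaping with mysql_real_escape_string only protects a query when it is applied to every value before that value is interpolated inside a quoted literal; a prepared statement sends the values separately from the SQL text, so there is no escaping step to forget. Assumed names: global.inc.php opening a mysqli connection in $db, the login page storing the user's name in $_SESSION['username'], and a plain redirect standing in for the thread's unshown error() helper. Taking the username from the session rather than the request is the "can't change POST or GET variables to reach other parts of the site" point from Reply #2.

```php
<?php
// Added example (hypothetical names): $db is a mysqli connection from
// global.inc.php; $_SESSION['username'] was set by the login page.
session_start();
require 'global.inc.php';

if (empty($_SESSION['username'])) {
    header('Location: login.php');           // not logged in: nothing to update
    exit;
}
$username = $_SESSION['username'];           // from the session, never from the form

// "game" chooses the profile row; accept only a short token so it can be
// echoed into the redirect URL without smuggling extra parameters.
$game = $_GET['game'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $game)) {
    exit('Bad game parameter');
}

function redirect_with_message(string $game, string $message): void
{
    // Stand-in for the thread's error() helper, which is not shown.
    header('Location: update_profile.php?game=' . urlencode($game)
         . '&msg=' . urlencode($message));
    exit;
}

function post_field(string $name, string $allowedTags = ''): string
{
    // Only scalar strings are accepted; arrays (?field[]=) become empty.
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim(strip_tags($value, $allowedTags)) : '';
}

// Numeric fields are validated as integers in range, not merely escaped.
$month  = filter_input(INPUT_POST, 'update_mybirthmonth', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 12]]);
$day    = filter_input(INPUT_POST, 'update_mybirthday', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 31]]);
$year   = filter_input(INPUT_POST, 'update_mybirthyear', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => (int) date('Y')]]);
$gender = filter_input(INPUT_POST, 'update_my_gender', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 2]]);

// Free-text fields. strip_tags keeps attributes on allowed tags, so the
// allowlist is kept tiny and values are still escaped with htmlspecialchars
// wherever they are displayed; this step is not an XSS defence by itself.
$location = post_field('update_location');
$email    = post_field('update_myemail');
$name     = post_field('update_myname');
$profile  = post_field('update_myprofile', '<b><u><p><br>');

if ($location === '' || $email === '' || $name === '') {
    redirect_with_message($game, 'BOLD RED fields must not be blank!');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    redirect_with_message($game, 'Invalid e-mail address');
}

// One prepared statement for the text columns: values travel apart from the
// SQL, so quotes or comment sequences in them cannot change the query.
$stmt = $db->prepare(
    'UPDATE members_profiles2
        SET location = ?, email = ?, real_name = ?, profile = ?
      WHERE username = ? AND game = ?'
);
$stmt->bind_param('ssssss', $location, $email, $name, $profile, $username, $game);
$stmt->execute();

// Optional fields are written only when every part validated.
if (is_int($month) && is_int($day) && is_int($year)) {
    $birthday = sprintf('%d-%d-%d', $month, $day, $year);   // same m-d-y text as before
    $stmt = $db->prepare('UPDATE members_profiles2 SET birthday = ? WHERE username = ? AND game = ?');
    $stmt->bind_param('sss', $birthday, $username, $game);
    $stmt->execute();
}
if (is_int($gender)) {
    $stmt = $db->prepare('UPDATE members_profiles2 SET gender = ? WHERE username = ? AND game = ?');
    $stmt->bind_param('iss', $gender, $username, $game);
    $stmt->execute();
}

redirect_with_message($game, 'Your information has been updated successfully!');
```

The original's gender and mail_settings checks use OR between the two bounds, so they are always true; the filter_input range options above express the same intended bounds and yield an int only when the value is inside them.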




Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: Securing script??
« Reply #12 on: September 15, 2007, 01:45:55 AM »
Do the rest of them like that and you're set ;D

Offline widget (Topic starter)

  • Enthusiast
  • Posts: 142
Re: Securing script??
« Reply #13 on: September 15, 2007, 02:01:05 AM »
Thank you darkfreaks, you're a godsend!!

Hopefully this will fix up the security issues somewhat.

Online darkfreaks

  • Fanatic
  • Posts: 4,306
  • Gender: Male
Re: [SOLVED] Securing script??
« Reply #14 on: September 15, 2007, 02:02:18 AM »
Feel free to hit Topic Solved; you can always go back and hit Topic Unsolved or create a new topic again ;D