[PHP-DB] Security Issues
Does anybody know if the security issues outlined in http://www.securereality.com.au/archives/studyinscarlet.txt are still salient or not?

My boss wants a technical document outlining the security risks of using PHP in an attempt to get it approved for general use by Security. I just bought Mohammed Kabir's Secure PHP Development (Wiley 2003) but would like some background white papers before delving into it. To that end, I'm using Google, but would appreciate references to any recent documents covering the subject.

tia,
Mark

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Security Issues
From: Galbreath, Mark A [EMAIL PROTECTED]
> Does anybody know if the security issues outlined in
> http://www.securereality.com.au/archives/studyinscarlet.txt are still salient
> or not? My boss wants a technical document outlining the security risks of
> using PHP in an attempt to get it approved for general use by Security. I
> just bought Mohammed Kabir's Secure PHP Development (Wiley 2003) but would
> like some background white papers before delving into it. To that end, I'm
> using Google, but would appreciate references to any recent documents
> covering the subject.

Yes, they are still relevant for the most part. There have been actions taken to reduce some of them, though, like having register_globals OFF by default, the move_uploaded_file() function, etc.

I would contend that these security issues are the fault of bad programming, though, not the language. Some could argue that the language should do more to get rid of these issues by default, though. I can't say that I'd disagree with that, but I'd still hold the programmers responsible instead of the language.

Bottom line, if you've actually read that page and implement what it says, then you'll be fine. You can write completely safe programs without taking any of the protective measures outlined on the site, though. You just have to know what you're doing.

---John Holmes...
[PHP-DB] RE :I thought 4 didn't equal 456456456%20%20OR%2012
It doesn't. What you're seeing is an SQL injection attack. If you *trust* the SQL code you allow from POST or GET requests, your SQL server will be own3d in due course.

That URL actually translates to

    456456456  OR 12

Which is always true. So if you use this verbatim, you'll get a true result (if you were using it as part of a login process, the user would be in without providing a login and password :-p )

I always, *always* apply

    $result = (integer) $_GET['uid'];

to these strings: That way you are guaranteed it's a number, not a string.

Cheers - Neil

> Message-ID: [EMAIL PROTECTED]
> From: Dan Bowkley [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Sun, 9 May 2004 15:17:19 -0700
> Subject: Re: [PHP-DB] supernoob strikes again
>
> I thought 4 didn't equal 456456456%20%20OR%2012

CaptionKit http://www.captionkit.com : Production tools for accessible subtitled internet media, transcripts and searchable video. Supports Real Player, Quicktime and Windows Media Player.

VideoChat with friends online, get Freshly Toasted every day at http://www.fresh-toast.net : NetMeeting solutions for a connected world.
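The injection Neil describes and the integer cast he recommends, run side by side against a throwaway in-memory SQLite table. This is an added example, not code from the thread; it assumes PHP 7 or later with the pdo_sqlite extension, and the table, rows and `$sample_get` value are constructed here.

```php
<?php
// Added example, not from the thread: the "456456456  OR 12" value from the
// subject line run against a constructed in-memory table, once pasted into the
// SQL text and once through the (integer) cast Neil describes.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (4, 'dan'), (7, 'neil'), (456456456, 'nobody')");

// Constructed: what $_GET holds after the browser decodes the %20s in the URL.
$sample_get = ['uid' => '456456456  OR 12'];

// Unsafe: the raw string becomes part of the SQL text, so "OR 12" is parsed
// as an operator and the predicate is true for every row in the table.
function count_matches_raw(PDO $db, array $get): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE uid = " . $get['uid'];
    return (int) $db->query($sql)->fetchColumn();
}

// Neil's fix: (integer) keeps the leading digits and discards the rest, so
// the query compares against one number and nothing else.
function count_matches_cast(PDO $db, array $get): int
{
    $uid = (integer) $get['uid'];
    return (int) $db->query("SELECT COUNT(*) FROM users WHERE uid = $uid")->fetchColumn();
}

// Stricter variant: refuse input that is not purely digits instead of
// silently truncating it, so "12abc" is rejected rather than treated as 12,
// and bind the value instead of building SQL text at all.
function count_matches_strict(PDO $db, array $get): ?int
{
    $raw = isset($get['uid']) ? (string) $get['uid'] : '';
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return null;   // caller answers with an error; no query is built
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE uid = :uid");
    $stmt->bindValue(':uid', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

printf("raw:    %d rows\n", count_matches_raw($db, $sample_get));
printf("cast:   %d rows\n", count_matches_cast($db, $sample_get));
printf("strict: %s\n", var_export(count_matches_strict($db, $sample_get), true));
printf("strict, well-formed uid: %d rows\n", count_matches_strict($db, ['uid' => '7']));
```

The raw query matches all three rows, the cast version matches only uid 456456456, and the strict version refuses the string before any SQL is built.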
[PHP-DB] Re: Subject: Edit with notepad
Send before any content, an MS-Word header:

    header("Content-type: application/vnd-ms.word");

Then output your HTML.

Cheers - Neil.

At 07:41 10/05/2004, you wrote:
> Message-ID: [EMAIL PROTECTED]
> From: Ng Hwee Hwee [EMAIL PROTECTED]
> To: DBList [EMAIL PROTECTED]
> Date: Mon, 10 May 2004 15:40:27 +0800
> Subject: Edit with notepad
>
> Hi
>
> My customers would like to save my php outputs in a word document file and
> so I have added a meta tag
>
>     <META NAME="ProgID" CONTENT="word.document">
>
> in my php files. However, my File-Edit button in IE6 is greyed out. why? i
> see that other php files on other websites allow Edit, why is it that my
> programs don't allow it??
>
> thanx for any insights!!
>
> regards,
> Hwee Hwee
[PHP-DB] Need some HELP
Hi,

I am new to php. I am using php ver 4.0.3 and MySQL. I have written two files and I'd like to pass some variables from the first file to use them in the second file, but the values did not display in the second file (nothing printed out). And also I want to pass them to another file ... here is what I've written:

file1.php
**************
<?php
.
$username = "A";
$user_num = 123;
$user_addres = "User Address";
print "<FORM action='file2.php' method=post>";
print "<input type=submit value='send'>";
print "<INPUT TYPE='hidden' NAME='UserName' VALUE='$username'>\n";
print "<input type=hidden name='UserNum' value='$user_num'>";
print "<input type=hidden name='Address' value='$user_addres'>";
print "</td>";
print "</FORM></tr>";
?>
**************

second file file2.php
<?php ?>
<FORM action='anothrfile.php' method=post>
<table>
<?php
print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$UserName'>";
print "<input type=hidden name='User_Num' value='$UserNum'>";
print "<input type=hidden name='User_Addres' value='$Address'>";
?>
<tr><th align=left>Name:</th><td><?php print $User_name; ?></td></tr>
<tr><th align=left>User Number:</th><td><?php print $User_Num; ?></td></tr>
<tr><th align=left>Address:</th><td><?php print $User_Addres; ?></td></tr>
...
<input type=submit value='submit'>
</table>
</FORM>
..

Kind Regards
Adam

I hope someone can help me.
Thanks

Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger
RE: [PHP-DB] Need some HELP
It looks like register_globals is off. You'll have to access the variables in the post array on your second page:

    print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$_POST['UserName']'>";

and so on... Try that first.

Ryan

-----Original Message-----
From: Adam Farid [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Need some HELP

> Hi,
>
> I am new to php. I am using php ver 4.0.3 and MySQL. I have written two
> files and I'd like to pass some variables from the first file to use them
> in the second file, but the values did not display in the second file
> (nothing printed out). And also I want to pass them to another file ...
> here is what I've written:
> [...]
[PHP-DB] Re: RE :I thought 4 didn't equal 456456456%20%20OR%2012
DING! That's the sound of a little lightbulb turning on... Thanks so much for that tidbit... I could certainly see myself getting screwed by not using such a thing.

Dan

----- Original Message -----
From: Neil Smith [MVP, Digital media] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, May 10, 2004 11:21 AM
Subject: RE :I thought 4 didn't equal 456456456%20%20OR%2012

> It doesn't. What you're seeing is an SQL injection attack. If you *trust*
> the SQL code you allow from POST or GET requests, your SQL server will be
> own3d in due course.
>
> That URL actually translates to
>
>     456456456  OR 12
>
> Which is always true. So if you use this verbatim, you'll get a true result
> (if you were using it as part of a login process, the user would be in
> without providing a login and password :-p )
>
> I always, *always* apply
>
>     $result = (integer) $_GET['uid'];
>
> to these strings: That way you are guaranteed it's a number, not a string.
>
> Cheers - Neil
> [...]
Re: [PHP-DB] Need some HELP
Unless you have globals turned on, I think you need $_POST['variable_name_here'] in the second page.

    print "<INPUT TYPE='hidden' NAME='UserName' VALUE='$_POST['username']'>\n";

> Hi,
>
> I am new to php. I am using php ver 4.0.3 and MySQL. I have written two
> files and I'd like to pass some variables from the first file to use them
> in the second file, but the values did not display in the second file
> (nothing printed out). And also I want to pass them to another file ...
> here is what I've written:
> [...]
[PHP-DB] Need some HELP (not works)
Thanks people. I've tried but it still does not work. When I put the variable names between ' ' I got this error:

    Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'.

I typed it this way:

    print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$_POST[UserName]'>";

but nothing new. I have checked: register_globals is on. In my first page I used session_start(); and global $HTTP_SESSION_VARS; I don't know if this causes the problem that I had.

Thanks again and more help please.
Adam

Use MSN Messenger to send music and pics to your friends http://www.msn.co.uk/messenger
Re: [PHP-DB] Need some HELP (not works)
Is it User_name or UserName? Also try this string with 'UserName' in single quotes:

    print "<INPUT TYPE=\"hidden\" NAME=\"User_name\" VALUE=\"$_POST['UserName']\">";

> I've tried but it still does not work. When I put the variable names
> between ' ' I got this error:
>
>     Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'.
>
> I typed it this way:
>
>     print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$_POST[UserName]'>";
>
> but nothing new. I have checked: register_globals is on. In my first page I
> used session_start(); and global $HTTP_SESSION_VARS; I don't know if this
> causes the problem that I had.
>
> Thanks again and more help please.
> Adam
Re: [PHP-DB] Need some HELP (not works)
> Thanks people. I've tried but it still does not work. When I put the
> variable names between ' ' I got this error:
>
>     Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'.
>
> I typed it this way:
>
>     print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$_POST[UserName]'>";

This is pre register_global concerns... try..

    print "<INPUT TYPE='hidden' NAME='User_name' VALUE='{$_POST['UserName']}'>";

or

    print "<INPUT TYPE=\"hidden\" NAME=\"User_name\" VALUE=\"{$_POST['UserName']}\">";

for a little better HTML.

HTH
Jeff
[PHP-DB] Need some HELP (not works)
Thanks. I tried your suggestion, but the values still did not display in the second page. Nothing printed out. I put my files in db-list (Need some HELP).

regards
Adam

Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger
Re: [PHP-DB] Need some HELP (not works)
----- Original message -----
From: Adam Farid [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Mon, 10 May 2004 19:54:51
Subject: [PHP-DB] Need some HELP (not works)

> Thanks people. I've tried but it still does not work. When I put the
> variable names between ' ' I got this error:
>
>     Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'.
>
> I typed it this way:
>
>     print "<INPUT TYPE='hidden' NAME='User_name' VALUE='$_POST[UserName]'>";
>
> but nothing new. I have checked: register_globals is on. In my first page I
> used session_start(); and global $HTTP_SESSION_VARS; I don't know if this
> causes the problem that I had.
>
> Thanks again and more help please.
> Adam

Try using

    print "<INPUT TYPE='hidden' NAME='User_name' VALUE='" . $_POST['UserName'] . "'>";

Actually, if you're using 4.0.x, you can't use $_POST['UserName']. It was implemented in 4.1.0. Read about it here:
http://ca.php.net/manual/en/reserved.variables.php#reserved.variables.post

-- Marcjon
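Putting the thread's advice together, here is file2.php written to read its values from `$_POST` rather than register_globals, and to escape each value before echoing it back into the hidden fields and the table. This is an added example, not code from the thread; it assumes PHP 7 or later (on 4.0.x, as Marcjon notes, the array is `$HTTP_POST_VARS`), and the `$sample_post` request is constructed here.

```php
<?php
// Added example, not from the thread: file2.php rewritten to take the values
// from $_POST instead of relying on register_globals, using the {$var}
// interpolation form from Jeff's reply. Assumes PHP 7 or later.

// Read one field, defaulting to '' when the form did not send it, so a
// missing field gives an empty value instead of an undefined-index notice.
function field(array $post, string $name): string
{
    return isset($post[$name]) ? (string) $post[$name] : '';
}

// Every value came from the previous request's client, so it is escaped
// before being written back inside an HTML attribute or text node; a stray
// quote in the input then cannot terminate the value='...' attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Builds the second page: the hidden fields carry the values on to
// anotherfile.php and the table shows them to the user.
function render_file2(array $post): string
{
    $name = h(field($post, 'UserName'));
    $num  = h(field($post, 'UserNum'));
    $addr = h(field($post, 'Address'));

    $out  = "<form action='anotherfile.php' method='post'>\n<table>\n";
    $out .= "<input type='hidden' name='User_name' value='{$name}'>\n";
    $out .= "<input type='hidden' name='User_Num' value='{$num}'>\n";
    $out .= "<input type='hidden' name='User_Addres' value='{$addr}'>\n";
    $out .= "<tr><th align='left'>Name:</th><td>{$name}</td></tr>\n";
    $out .= "<tr><th align='left'>User Number:</th><td>{$num}</td></tr>\n";
    $out .= "<tr><th align='left'>Address:</th><td>{$addr}</td></tr>\n";
    $out .= "</table>\n<input type='submit' value='submit'>\n</form>\n";
    return $out;
}

// Constructed sample request matching file1.php's field names; the
// apostrophe in the address is there to show the escaping at work.
$sample_post = [
    'UserName' => 'A',
    'UserNum'  => '123',
    'Address'  => "12 O'Brien Street",
];

// Use the real request when the form was submitted, the sample otherwise.
echo render_file2(isset($_POST['UserName']) ? $_POST : $sample_post);
```

Run from the command line it renders the sample; served behind file1.php it renders the posted values, with the apostrophe in the address emitted as `&#039;` so the attribute stays intact.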
[PHP-DB] Serious Problem: Eval'ing conditioned blocks!
Hi there,

I (still :-) ) have the code of my php pages stored in a database. A main page parses this code using the eval_html function posted at php.net. This used to work fine, but then I tried to employ conditioned blocks, e.g.

    <? while (foo) { ?>
    <p>Hello World</p>
    <? } ?>

The function I use separates this code into three parts (1st: <? while (foo) { ?>) and tries to eval every single one. This of course causes an error because neither while (foo) { nor } is a valid statement.

Anybody knows a workaround (that doesn't mean putting all HTML output in PHP echo commands)??

Thanks
[PHP-DB] No user table access to phpMyAdmin - How?
Hi all,

Installed software/os:
Win NT 4.0
IIS 4.0
PHP 4.3.1
MySQL 4.1.1
phpMyAdmin 2.5.6

I'm wondering how I can hide phpMyAdmin access via a webpage to the mysql.mysql table, specifically the user table. I don't want anyone using phpMyAdmin to have access to the user table. I only want to control that db table through the command line on the server itself.

How/What do I need to configure??

Thanks,
Gary
Re: [PHP-DB] Serious Problem: Eval'ing conditioned blocks!
I had something like this too. I used something other for the start and ending blocks. # # Then had a replace() section.

> Hi there,
>
> I (still :-) ) have the code of my php pages stored in a database. A main
> page parses this code using the eval_html function posted at php.net. This
> used to work fine, but then I tried to employ conditioned blocks, e.g.
>
>     <? while (foo) { ?>
>     <p>Hello World</p>
>     <? } ?>
>
> The function I use separates this code into three parts (1st: <? while (foo) { ?>)
> and tries to eval every single one. This of course causes an error because
> neither while (foo) { nor } is a valid statement.
>
> Anybody knows a workaround (that doesn't mean putting all HTML output in
> PHP echo commands)??
>
> Thanks
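A different workaround from the delimiter-swapping Jeff describes: evaluate the stored page in a single pass so a looping block is never split across three eval() calls. eval() starts in PHP mode, so prefixing the template with `?>` switches it to HTML mode and the markup between the PHP blocks is output verbatim. This is an added example, not the eval_html function from php.net or Jeff's code; it assumes PHP 7 or later, that the template uses `<?php` tags, and that the variables the template needs are passed in explicitly. The `$stored` row is constructed here.

```php
<?php
// Added example, not from the thread: render a database-stored page with one
// eval() call instead of one per "<?php ... ?>" fragment, so that a
// while/foreach block and its closing brace are compiled together.

function render_stored_page(string $template, array $vars): string
{
    // Run the template inside a closure so it sees only the variables
    // handed to it, not whatever else is in the caller's scope.
    $run = function () use ($template, $vars) {
        extract($vars, EXTR_SKIP);
        // The leading "?>" drops eval() into HTML mode: literal markup is
        // echoed, and the template's own "<?php" tags switch back to code.
        eval('?>' . $template);
    };

    ob_start();
    try {
        $run();
    } finally {
        $output = ob_get_clean();   // close the buffer even if the template throws
    }
    return $output;
}

// Constructed sample of what the database row holds: the looping block from
// the question, written with <?php tags so it does not rely on short_open_tag.
$stored = <<<'TPL'
<?php foreach ($names as $name) { ?>
<p>Hello <?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?></p>
<?php } ?>
TPL;

echo render_stored_page($stored, ['names' => ['World', 'PHP-DB list']]);
```

The block compiles as one unit, so the opening `foreach (...) {` and the closing `}` are no longer seen as separate, invalid statements.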
Re: [PHP-DB] Edit with notepad
hi,

    header("Content-type: application/vnd-ms.word");

is not what my customers want. They may or may not want to save it in their harddisk.. but having the header at the beginning of my page will force them to save it in their harddisk. Some of the customers just want to view it on the web while others want to view it in Word and possibly edit it and then save it.. how can i achieve such flexibility for them?

thank you!!

regards,
hwee

----- Original Message -----
From: Neil Smith [MVP, Digital media] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 2:25 AM
Subject: [PHP-DB] Re: Subject: Edit with notepad

> Send before any content, an MS-Word header:
>
>     header("Content-type: application/vnd-ms.word");
>
> Then output your HTML.
>
> Cheers - Neil.
> [...]
Re: [PHP-DB] Edit with notepad
> hi,
>
>     header("Content-type: application/vnd-ms.word");
>
> is not what my customers want. They may or may not want to save it in
> their harddisk.. but having the header at the beginning of my page will
> force them to save it in their harddisk. Some of the customers just want to
> view it on the web while others want to view it in Word and possibly edit
> it and then save it.. how can i achieve such flexibility for them?

This box is hardly ever a single option only. There is usually both Open and Save. If you wish to give them the choice, create two links, one which goes to a page with header() and one without. Other ways I'm sure could be built... JS popup that reloads the parent window with the appropriate action...

HTH
Jeff

> thank you!!
>
> regards,
> hwee
>
> ----- Original Message -----
> From: Neil Smith [MVP, Digital media] [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Tuesday, May 11, 2004 2:25 AM
> Subject: [PHP-DB] Re: Subject: Edit with notepad
>
> > Send before any content, an MS-Word header:
> >
> >     header("Content-type: application/vnd-ms.word");
> >
> > Then output your HTML.
> >
> > Cheers - Neil.
> > [...]
[PHP-DB] Edit with notepad
Hi

My customers would like to save my php outputs in a word document file and so I have added a meta tag

    <META NAME="ProgID" CONTENT="word.document">

in my php files. However, my File-Edit button in IE6 is greyed out. why? i see that other php files on other websites allow Edit, why is it that my programs don't allow it??

thanx for any insights!!

regards,
Hwee Hwee
[PHP-DB] Re: Edit with notepad
Try to set session.cache_limiter to private

Ng Hwee Hwee [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi
>
> My customers would like to save my php outputs in a word document file and
> so I have added a meta tag
>
>     <META NAME="ProgID" CONTENT="word.document">
>
> in my php files. However, my File-Edit button in IE6 is greyed out. why? i
> see that other php files on other websites allow Edit, why is it that my
> programs don't allow it??
>
> thanx for any insights!!
>
> regards,
> Hwee Hwee
Re: [PHP-DB] Re: Edit with notepad
thanx for the suggestion... it did work for a while! that's very interesting... but, what happened now is that my file is a form that posts to itself... i can do an edit when it is the form, but after the user submits the form and the information is displayed again without any form fields, the Edit button is greyed out again.. why?? since it goes to $PHP_SELF, why does it behave differently although it's the same file?? i have added

    session_cache_limiter("private");

at the very beginning of my file, before session_start()..

thanx thanx again!!

----- Original Message -----
From: Uzi Klein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 10, 2004 4:45 PM
Subject: [PHP-DB] Re: Edit with notepad

> Try to set session.cache_limiter to private
>
> Ng Hwee Hwee [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Hi
> >
> > My customers would like to save my php outputs in a word document file
> > and so I have added a meta tag
> >
> >     <META NAME="ProgID" CONTENT="word.document">
> >
> > in my php files. However, my File-Edit button in IE6 is greyed out. why?
> > i see that other php files on other websites allow Edit, why is it that
> > my programs don't allow it??
> >
> > thanx for any insights!!
> >
> > regards,
> > Hwee Hwee