Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread Marcus Bointon

On 14 Oct 2005, at 04:48, David Robley wrote:

> That is incorrect. mysql_real_escape_string is a php function, not
> mysql.

Mostly true: mysql_real_escape_string is a php function, but it's
provided by the mysql extension as part of the mysql client libraries
(which explains the name). It doesn't do anything significantly
different to addslashes(), which is purely a PHP internal function.
If you are writing database-independent code, you should probably
prefer addslashes (or things like adodb::qstr).


Marcus
--
Marcus Bointon
Synchromedia Limited: Putting you in the picture
[EMAIL PROTECTED] | http://www.synchromedia.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread John Nichel

David Robley wrote:

> Ben wrote:
> [snip]
>> My understanding is that mysql_real_escape_string will only work while
>> you are connected to mysql.  Not sure if that is the case in your
>> situation.
>
> That is incorrect. mysql_real_escape_string is a php function, not mysql.

Actually, it's both.  And yes, you *do* have to be connected to the
mysql server.


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread John Nichel

Marcus Bointon wrote:

> On 14 Oct 2005, at 04:48, David Robley wrote:
>
>> That is incorrect. mysql_real_escape_string is a php function, not
>> mysql.
>
> Mostly true: mysql_real_escape_string is a php function, but it's
> provided by the mysql extension as part of the mysql client libraries
> (which explains the name). It doesn't do anything significantly
> different to addslashes(), which is purely a PHP internal function.  If
> you are writing database-independent code, you should probably prefer
> addslashes (or things like adodb::qstr).

mysql_real_escape_string() takes into account the current character set
of the database.  addslashes() does not.


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread David Robley
John Nichel wrote:

> David Robley wrote:
>> Ben wrote:
>> [snip]
>>> My understanding is that mysql_real_escape_string will only work while
>>> you are connected to mysql.  Not sure if that is the case in your
>>> situation.
>>
>> That is incorrect. mysql_real_escape_string is a php function, not mysql.
>
> Actually, it's both.  And yes, you *do* have to be connected to the
> mysql server.

*blush* Note to self - engage brain before typing.



Cheers
-- 
David Robley

Hummingbirds never remember the words to songs.




Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread Norbert Wenzel

Ben wrote:

> My understanding is that mysql_real_escape_string will only work while
> you are connected to mysql.  Not sure if that is the case in your
> situation.

At least it requires a connection to mysql. I had an error, when using
it without any connection opened before, that mysql_real_escape_string
wanted to connect to the DB as [EMAIL PROTECTED] without any password.





Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-14 Thread Richard Lynch
On Fri, October 14, 2005 8:20 am, John Nichel wrote:

> David Robley wrote:
>> Ben wrote:
>> [snip]
>>> My understanding is that mysql_real_escape_string will only work
>>> while you are connected to mysql.  Not sure if that is the case in
>>> your situation.
>>
>> That is incorrect. mysql_real_escape_string is a php function, not
>> mysql.
>
> Actually, it's both.  And yes, you *do* have to be connected to the
> mysql server.

There is, however, mysql_escape_string() which does not require a
connection -- but which also can't take into account the
language/locale settings *OF* the connection, which is why it's not a
real escape.  It might, however, be useful in some circumstances.

I missed the beginning of this thread, so apologies if that's a repeat.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-13 Thread Graham Anderson

Is this a bit better ?
As directed, I 'sanitized' all user input variables with trim and
mysql_real_escape_string.

thanks for everyone's patience as I am starting at ground zero
concerning security.

if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{
    // decrypt and sanitize variables
    $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : null;
    $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : null;

.
.
.

the cleanser script:
function cleanser( $value )
{
    return mysql_real_escape_string( trim( $value ) ) ;
}

the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored  
outside the web folder.


many thanks :)
g


On Oct 13, 2005, at 2:36 PM, Graham Anderson wrote:

> Ok, I just heard back from him and feel like an idiot
>
> my htaccess file for the folder containing the php script was not
> set properly
> guess at this point, I'll take all of the advice you guys gave and
> implement it :)
>
> g
>
> On Oct 13, 2005, at 2:21 PM, Robert Cummings wrote:
>
>> On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:
>>
>>> How does a hacker get access to your scripts located outside the web
>>> folder?
>>> I asked a friend to hack my php script within the web folder...
>>
>> Ummm, the obvious thing to do is ask your friend how he did it, then
>> we'll tell you how to prevent it in the future. Otherwise we're
>> all just shooting in the dark.
>>
>> Cheers,
>> Rob.
>>
>>> all of my crucial functions were called by:
>>> require_once("/home/siren/includes/fonovisa.inc");
>>> the 'encrypt' functions are MCRYPT_RIJNDAEL_256
>>>
>>> He was able to get access to the 'fonovisa.inc' php script [outside
>>> the web folder] and all the stuff inside
>>> Based on my current knowledge, my security breaches are probably big
>>> enough to drive a truck through :(
>>>
>>> how can I prevent this ?
>>> I am VERY new at the whole 'security' thing so any help is
>>> appreciated
>>>
>>> this is the script within the web folder:
>>> <?php
>>> require_once("/home/siren/includes/fonovisa.inc");
>>> $thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
>>> qtversiondetect($_SERVER['HTTP_USER_AGENT']);
>>>
>>> //
>>> //   This PHP script is performing three tasks
>>> //   1)  Creates a SMIL playlist of Quicktime movies from a database call
>>> //   2)  Reads each requested movie file from outside the web folder
>>> //       Movies are downloaded by passing the GET variable, 'path',
>>> //       to the 'freadMovie()' function
>>> //       This function is located in the script, 'fonovisa.inc',
>>> //       located outside the web folder
>>> //       The movie files are fread chunk by chunk in binary format
>>> //       and loaded into the Quicktime Player
>>> //   3)  Build the Actual Quicktime Media Link with all the EMBED
>>> //       attributes like KIOSKMODE and QUITWHENDONE
>>> //
>>> //
>>>
>>> //   Flow of the Code:
>>> //   If the GET variable, 'cmd', equals 'makesmil'
>>> //       Build the SMIL playlist
>>> //   ElseIf the GET variable, 'cmd', equals 'getmovie'
>>> //       Send the requested url [with the encrypted movie file path]
>>> //       to the freadmovie() function
>>> //       which freads the requested movie file data to the Quicktime Player
>>> //   Else
>>> //       Build the Quicktime Media Link that generated the Headers
>>> //       and Embed tags
>>> //       where the 'src' attribute points to the SMIL Playlist
>>> //       Movie function in THIS script
>>> //   Endif
>>> //
>>>
>>> // any variable there ?
>>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
>>> {
>>>     // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
>>>
>>>     // make the SMIL playlist of movie
>>>     if(trim(decrypt($_REQUEST['cmd'])) == "makesmil")
>>>         makesmil($thisScriptURL);
>>>
>>>     // fread a movie file in the playlist and send to QuickTime
>>>     elseif(trim(decrypt($_REQUEST['cmd'])) == "getmovie")
>>>         freadMovie($_REQUEST['path']);
>>>
>>> }else{
>>>     ////////////////////////////////////////////////////////////////
>>>     //  No commands were given
>>>     //  So make the Quicktime Media Link with all the EMBED attributes
>>>     //  The 'src' attribute is going to call the 'makesmil'
>>>     //  function to generate the SMIL playlist movie
>>>     //
>>>     buildQTMediaLinkForSMILPlaylist( $autoplay=true,
>>>                                      $cache=false,
>>>                                      $kioskmode=true,
>>>                                      $quitwhendone=true,
>>>                                      $movieid=md5(time()),
>>>                                      $moviename="Commercial Reel 2005",
>>>                                      $src="$thisScriptURL?cmd=".encrypt('makesmil')
>>>                                    );
>>>
>>>     ////////////////////////////////////////////////////////////////
>>>     // Output the Correct QuickTime Headers and the Embed Tags
>>>     // and send the movie to QuickTime
>>>     ////////////////////////////////////////////////////////////////
>>>     OutputHeaders($_SERVER['HTTP_USER_AGENT']);
>>>     echo $finalQTMovie;
>>> }
>>>
>>> ////////////////////////////////////////////////////////////////
>>> // Local Functions
>>> ////////////////////////////////////////////////////////////////
>>>
>>> function makesmil($thisScriptURL)
>>> {
>>>     buildSMILArray($thisScriptURL, $d='siren', $playlist="Show Reel");
>>>
>>>     // format the SMIL playlist
>>>     buildSMILPlaylist(   $timeslider=true,
 
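The script above hands a request-supplied path to freadMovie() after running it through trim() and mysql_real_escape_string(); whatever the connection charset, SQL escaping says nothing about which files a path may reach, which is the thread's actual subject. The escaping debate earlier in the thread (addslashes versus mysql_real_escape_string, and whether a connection is needed) also disappears when values reach the database as bound parameters. The PHP below is an added example, not Graham's script and not code posted to the list: resolveMoviePath() confines a requested file to one directory, and findMovieByName() shows the parameter-binding side. The function names, the temporary movie directory, the request strings and the SQLite table are all constructed for this demonstration.

```php
<?php
// Added example: two separate checks for two separate contexts.
//   1. a request-supplied file path is confined to one directory with realpath()
//   2. a request-supplied value reaches SQL only as a bound parameter, so no
//      escaping function (and no connection-charset question) is involved.
declare(strict_types=1);

/**
 * Resolve $requested relative to $baseDir and return the absolute path, or
 * null if it is missing, not a regular file, has a disallowed extension, or
 * resolves outside $baseDir (through "..", symlinks, or an absolute path).
 */
function resolveMoviePath(string $baseDir, string $requested, array $allowedExt = ['mov', 'mp4']): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                              // base directory itself is missing
    }
    if (strpos($requested, "\0") !== false) {
        return null;                              // realpath()/is_file() reject NUL bytes anyway
    }
    // Resolve symlinks and ".." segments before comparing against the base.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with the trailing separator included, so a sibling directory
    // such as "<base>2" does not pass the prefix test.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $full : null;
}

/**
 * Look up a movie row by a request-supplied name. The value is bound as a
 * parameter, so neither addslashes() nor mysql_real_escape_string() is used.
 * Against MySQL you would open PDO with a DSN like
 * "mysql:host=...;dbname=...;charset=utf8mb4" and set
 * PDO::ATTR_EMULATE_PREPARES => false so the server receives the value
 * separately from the query text. SQLite is used here only to run offline.
 */
function findMovieByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, file FROM movies WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Constructed demo data: a temporary movie directory with one file -----
$movieDir = sys_get_temp_dir() . '/movies_' . bin2hex(random_bytes(4));
mkdir($movieDir);
file_put_contents($movieDir . '/reel2005.mov', 'not really a movie');

$requests = [
    'reel2005.mov',                 // legitimate request: resolved
    '../includes/fonovisa.inc',     // leaves the directory: rejected
    '/etc/hostname',                // absolute path: resolved under base, absent, rejected
    "reel2005.mov\0.txt",           // NUL byte: rejected before touching the filesystem
    'reel2005.txt',                 // wrong extension (and absent): rejected
];
foreach ($requests as $req) {
    $resolved = resolveMoviePath($movieDir, $req);
    printf("%-28s -> %s\n", addcslashes($req, "\0"), $resolved ?? 'REJECTED');
}

// --- Constructed demo table for the parameter-binding side ---------------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE movies (id INTEGER PRIMARY KEY, name TEXT, file TEXT)');
$db->exec("INSERT INTO movies (name, file) VALUES ('Commercial Reel 2005', 'reel2005.mov')");
$db->exec("INSERT INTO movies (name, file) VALUES ('O''Reilly''s Reel', 'oreilly.mov')");

// A name containing a quote is just a value; the query text never changes.
var_dump(findMovieByName($db, 'Commercial Reel 2005'));
var_dump(findMovieByName($db, "O'Reilly's Reel"));
var_dump(findMovieByName($db, 'no such reel'));   // NULL

unlink($movieDir . '/reel2005.mov');
rmdir($movieDir);
```

The order of checks in resolveMoviePath() matters: realpath() is what collapses ".." and symlinks, so the prefix comparison is only meaningful on its output, and the extension allow-list is applied to the resolved name rather than to whatever the client sent. If the movies live outside the web root, as in the script above, this is the check that keeps a request from naming anything else that lives there too.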

Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-13 Thread Ben

Graham Anderson said the following on 10/13/05 15:31:

> Is this a bit better ?
> As directed, I 'sanitized' all user input variables with trim and
> mysql_real_escape_string.
>
> thanks for everyone's patience as I am starting at ground zero
> concerning security.
>
> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
> {
>     // decrypt and sanitize variables
>     $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : null;
>     $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : null;
>
> .
> .
> .
>
> the cleanser script:
> function cleanser( $value )
> {
>     return mysql_real_escape_string( trim( $value ) ) ;
> }
>
> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
> outside the web folder.
>
> many thanks :)

My understanding is that mysql_real_escape_string will only work while
you are connected to mysql.  Not sure if that is the case in your situation.


- Ben




Re: [PHP] prevent user from getting scripts outside the web folder [this better?]

2005-10-13 Thread David Robley
Ben wrote:

> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better ?
>> As directed, I 'sanitized' all user input variables with trim and
>> mysql_real_escape_string.
>>
>> thanks for everyone's patience as I am starting at ground zero
>> concerning security.
>>
>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
>> {
>>     // decrypt and sanitize variables
>>     $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : null;
>>     $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : null;
>> .
>> .
>> .
>>
>> the cleanser script:
>> function cleanser( $value )
>> {
>>     return mysql_real_escape_string( trim( $value ) ) ;
>> }
>>
>> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
>> outside the web folder.
>>
>> many thanks :)
>
> My understanding is that mysql_real_escape_string will only work while
> you are connected to mysql.  Not sure if that is the case in your
> situation.

That is incorrect. mysql_real_escape_string is a php function, not mysql.




Cheers
-- 
David Robley

Computer programmers do it byte by byte.
