Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
On 14 Oct 2005, at 04:48, David Robley wrote:

> That is incorrect. mysql_real_escape_string is a php function, not mysql.

Mostly true: mysql_real_escape_string is a PHP function, but it's provided by the mysql extension as part of the mysql client libraries (which explains the name). It doesn't do anything significantly different to addslashes(), which is purely a PHP internal function. If you are writing database independent code, you should probably prefer addslashes (or things like adodb::qstr).

Marcus
-- 
Marcus Bointon
Synchromedia Limited: Putting you in the picture
[EMAIL PROTECTED] | http://www.synchromedia.co.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
David Robley wrote:
> Ben wrote:
> <snip>
>> My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.
>
> That is incorrect. mysql_real_escape_string is a php function, not mysql.

Actually, it's both. And yes, you *do* have to be connected to the mysql server.

-- 
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
Marcus Bointon wrote:
> On 14 Oct 2005, at 04:48, David Robley wrote:
>> That is incorrect. mysql_real_escape_string is a php function, not mysql.
>
> Mostly true: mysql_real_escape_string is a PHP function, but it's provided by the mysql extension as part of the mysql client libraries (which explains the name). It doesn't do anything significantly different to addslashes(), which is purely a PHP internal function. If you are writing database independent code, you should probably prefer addslashes (or things like adodb::qstr).

mysql_real_escape_string() takes into account the current character set of the database. addslashes() does not.

-- 
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
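The character-set point in the post above is easiest to see on actual bytes. What follows is an added example in Python, not code from this thread, from PHP or from MySQL: it reimplements addslashes() as a byte-level routine, puts a charset-aware escape beside it, and feeds both a constructed two-byte input that a GBK connection decodes as one multibyte character followed by a quote. The GBK/latin1 comparison, the helper names and the sample bytes are the example's own choices.

```python
"""Added example (not from the thread): a byte-oriented escape such as PHP's
addslashes() versus an escape that knows the connection character set.
Pure Python, no database involved; addslashes() is reimplemented here."""

QUOTE_CHARS = ("'", '"', "\\", "\x00")


def addslashes(data: bytes) -> bytes:
    """Byte-level escape, like PHP addslashes(): backslash before ' " \\ NUL.
    It has no idea which bytes belong to the same multibyte character."""
    out = bytearray()
    for b in data:
        if chr(b) in QUOTE_CHARS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_for_charset(data: bytes, charset: str):
    """Charset-aware escape: decode first so a multibyte character is one
    unit, escape at character level, then re-encode. Returns None when the
    bytes are not valid in the charset instead of passing them through."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join(("\\" + ch) if ch in QUOTE_CHARS else ch for ch in text)
    return escaped.encode(charset)


def quote_unescaped(escaped: bytes, charset: str) -> bool:
    """How a server on a `charset` connection sees the escaped bytes: report
    whether any single quote is NOT preceded by a backslash character."""
    text = escaped.decode(charset, errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


# Constructed inputs. 0xBF is a valid GBK lead byte; 0x27 is the quote.
ATTACK = b"\xbf\x27"
BENIGN = "中'".encode("gbk")      # a real GBK character followed by a quote


def compare(data: bytes, charset: str) -> dict:
    """Escape `data` both ways and say whether a quote survives unescaped
    for a server reading the result in `charset`."""
    byte_level = addslashes(data)
    aware = escape_for_charset(data, charset)
    return {
        "addslashes": byte_level,
        "addslashes_leaks_quote": quote_unescaped(byte_level, charset),
        "charset_aware": aware,
        "charset_aware_leaks_quote": aware is not None and quote_unescaped(aware, charset),
    }


if __name__ == "__main__":
    for cs in ("latin1", "gbk"):
        print(cs, compare(ATTACK, cs))
    print("gbk benign", compare(BENIGN, "gbk"))
```

On a single-byte connection (latin1) the byte-level escape is fine: 0xBF 0x5C 0x27 reads as "¿\'" and the quote stays escaped. On a GBK connection the same three bytes read as one two-byte character (0xBF 0x5C) followed by a bare quote, because the inserted backslash was swallowed as the trail byte. The charset-aware version never produces that output: it either escapes at the character level or rejects the invalid sequence, which is why the escape routine has to know the connection's character set.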
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
John Nichel wrote:
> David Robley wrote:
>> Ben wrote:
>> <snip>
>>> My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.
>>
>> That is incorrect. mysql_real_escape_string is a php function, not mysql.
>
> Actually, it's both. And yes, you *do* have to be connected to the mysql server.

Blush

Note to self - engage brain before typing.

Cheers
-- 
David Robley

Hummingbirds never remember the words to songs.
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
Ben wrote:
> My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.

At least it requires a connection to mysql. I had an error when using it without any connection opened beforehand: mysql_real_escape_string wanted to connect to the DB as [EMAIL PROTECTED] without any password.
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
On Fri, October 14, 2005 8:20 am, John Nichel wrote:
> David Robley wrote:
>> Ben wrote:
>> <snip>
>>> My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.
>>
>> That is incorrect. mysql_real_escape_string is a php function, not mysql.
>
> Actually, it's both. And yes, you *do* have to be connected to the mysql server.

There is, however, mysql_escape_string() which does not require a connection -- but which also can't take into account the language/locale settings *OF* the connection, which is why it's not a real escape. It might, however, be useful in some circumstances.

I missed the beginning of this thread, so apologies if that's a repeat.

-- 
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
Is this a bit better ?

As directed, I 'sanitized' all user input variables with trim and mysql_real_escape_string.
Thanks for everyone's patience as I am starting at ground zero concerning security.

if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] )) {
    // decrypt and sanitize variables
    $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : $cmd=null;
    $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : $path=null;
    .
    .
    .

the cleanser script:

function cleanser( $value ) {
    return mysql_real_escape_string( trim( $value ) ) ;
}

the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored outside the web folder.

many thanks :)
g

On Oct 13, 2005, at 2:36 PM, Graham Anderson wrote:

> Ok, I just heard back from him and feel like an idiot.
> My htaccess file for the folder containing the php script was not set properly.
> Guess at this point, I'll take all of the advice you guys gave and implement it :)
> g
>
> On Oct 13, 2005, at 2:21 PM, Robert Cummings wrote:
>
>> On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:
>>> How does a hacker get access to your scripts located outside the web folder?
>>> I asked a friend to hack my php script within the web folder...
>>
>> Ummm, the obvious thing to do is ask your friend how he did it, then we'll tell you how to prevent it in the future. Otherwise we're all just shooting in the dark.
>>
>> Cheers,
>> Rob.
>>
>>> All of my crucial functions were called by:
>>> require_once('/home/siren/includes/fonovisa.inc');
>>> the 'encrypt' functions are MCRYPT_RIJNDAEL_256
>>>
>>> He was able to get access to the 'fonovisa.inc' php script [outside the web folder] and all the stuff inside.
>>> Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(
>>> How can I prevent this ?
>>> I am VERY new at the whole 'security' thing so any help is appreciated.
>>>
>>> This is the script within the web folder:
>>>
>>> <?php
>>> require_once('/home/siren/includes/fonovisa.inc');
>>>
>>> $thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
>>> qtversiondetect($_SERVER['HTTP_USER_AGENT']);
>>>
>>> ////////////////////////////////////////////////////////////////////////
>>> // This PHP script is performing three tasks
>>> // 1) Creates a SMIL playlist of Quicktime movies from a database call
>>> // 2) Reads each requested movie file from outside the web folder
>>> //    Movies are downloaded by passing the GET variable, 'path', to the 'freadMovie()' function
>>> //    This function is located in the script, 'fonovisa.inc', located outside the web folder
>>> //    The movie files are fread chunk by chunk in binary format and loaded into the Quicktime Player
>>> // 3) Build the Actual Quicktime Media Link with all the EMBED attributes like KIOSKMODE and QUITWHENDONE
>>> //
>>> // Flow of the Code:
>>> // If the GET variable, 'cmd', equals 'makesmil'
>>> //     Build the SMIL playlist
>>> // ElseIf the GET variable, 'cmd', equals 'getmovie'
>>> //     Send the requested url [with the encrypted movie file path] to the freadmovie() function
>>> //     which freads the requested movie file data to the Quicktime Player
>>> // Else
>>> //     Build the Quicktime Media Link that generates the Headers and Embed tags
>>> //     where the 'src' attribute points to the SMIL Playlist Movie function in THIS script
>>> // Endif
>>> ////////////////////////////////////////////////////////////////////////
>>>
>>> // any variable there ?
>>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] )) {
>>>     // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
>>>
>>>     // make the SMIL playlist of movie
>>>     if(trim(decrypt($_REQUEST['cmd'])) == 'makesmil')
>>>         makesmil($thisScriptURL);
>>>     // fread a movie file in the playlist and send to QuickTime
>>>     elseif(trim(decrypt($_REQUEST['cmd'])) == 'getmovie')
>>>         freadMovie($_REQUEST['path']);
>>>
>>> }else{
>>>     ////////////////////////////////////////////////////////////////////
>>>     // No commands were given
>>>     // So make the Quicktime Media Link with all the EMBED attributes
>>>     // The 'src' attribute is going to call the 'makesmil' function to generate the SMIL playlist movie
>>>     ////////////////////////////////////////////////////////////////////
>>>     buildQTMediaLinkForSMILPlaylist(
>>>         $autoplay=true,
>>>         $cache=false,
>>>         $kioskmode=true,
>>>         $quitwhendone=true,
>>>         $movieid=md5(time()),
>>>         $moviename='Commercial Reel 2005',
>>>         $src=$thisScriptURL.'?cmd='.encrypt('makesmil')
>>>     );
>>>
>>>     ////////////////////////////////////////////////////////////////////
>>>     // Output the Correct QuickTime Headers and the Embed Tags and send the movie to QuickTime
>>>     ////////////////////////////////////////////////////////////////////
>>>     OutputHeaders($_SERVER['HTTP_USER_AGENT']);
>>>     echo $finalQTMovie;
>>> }
>>>
>>> ////////////////////////////////////////////////////////////////////////
>>> // Local Functions
>>> ////////////////////////////////////////////////////////////////////////
>>> function makesmil($thisScriptURL) {
>>>     buildSMILArray($thisScriptURL, $d='siren', $playlist='Show Reel');
>>>
>>>     // format the SMIL playlist
>>>     buildSMILPlaylist(
>>>         $timeslider=true,
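Escaping aside, the quoted script hands whatever decrypts out of 'path' straight to freadMovie(), and mysql_real_escape_string() only prepares a string for use inside a SQL literal; it says nothing about where a file path points. The following is an added example in Python, not the poster's code and not PHP, of the two checks a handler like this one needs: a fixed allow-list for 'cmd' and a realpath-based confinement of 'path' to a single movie directory. It goes a little beyond the thread by also covering a symlink planted inside that directory. The directory layout, file names, symlink and suffix list are constructed for the example; in PHP the same shape of check is built from realpath() and a prefix comparison.

```python
"""Added example (not from the thread): confining a user-supplied file path
to one directory and accepting only known command names."""
import os
import tempfile

# Commands the script understands. Anything else is rejected outright.
ALLOWED_COMMANDS = frozenset({"makesmil", "getmovie"})

# File types the movie reader is allowed to serve (assumption for the example).
ALLOWED_SUFFIXES = (".mov", ".mp4")


def check_command(cmd):
    """Return the command if it is one we know, else None."""
    cmd = (cmd or "").strip()
    return cmd if cmd in ALLOWED_COMMANDS else None


def resolve_movie(base_dir, requested):
    """Map a requested relative path to a regular file under base_dir.

    Returns the absolute path on success, or None when the request escapes
    base_dir (via '..', an absolute path or a symlink), names something that
    is not a regular file, or has a suffix we do not serve.
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # Join, then canonicalise: realpath follows symlinks and collapses '..'.
    candidate = os.path.realpath(os.path.join(base, requested))
    # The resolved path must lie strictly inside base (not be base itself).
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree():
    """Constructed layout: movies under <tmp>/movies, a 'secret' include
    beside that directory, and a symlink inside movies/ pointing at it."""
    root = tempfile.mkdtemp(prefix="siren-")
    movies = os.path.join(root, "movies")
    os.makedirs(os.path.join(movies, "reel"))
    with open(os.path.join(movies, "reel", "intro.mov"), "wb") as f:
        f.write(b"moov")                      # placeholder movie bytes
    with open(os.path.join(root, "fonovisa.inc"), "w") as f:
        f.write("<?php $key = 'secret'; ?>")  # stands in for the include
    os.symlink(os.path.join(root, "fonovisa.inc"),
               os.path.join(movies, "leak.mov"))
    return movies


if __name__ == "__main__":
    movies = build_demo_tree()
    for req in ("reel/intro.mov", "../fonovisa.inc", "leak.mov", "/etc/passwd", "reel"):
        print(f"{req!r:>20} -> {resolve_movie(movies, req)}")
    for cmd in ("getmovie", " makesmil ", "; cat /etc/passwd"):
        print(f"{cmd!r:>20} -> {check_command(cmd)}")
```

Only "reel/intro.mov" resolves; the '..' request, the absolute path, the bare directory and the symlink that points outside the movie folder all come back as None, and a command that is not on the list is dropped before it reaches any dispatch. Encrypting the parameter (as the script does) hides the path from a casual user but does not replace this check, because anything the decrypt routine accepts is still handed to the file reader.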
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
Graham Anderson said the following on 10/13/05 15:31:
> Is this a bit better ?
>
> As directed, I 'sanitized' all user input variables with trim and mysql_real_escape_string.
> Thanks for everyone's patience as I am starting at ground zero concerning security.
>
> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] )) {
>     // decrypt and sanitize variables
>     $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : $cmd=null;
>     $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : $path=null;
>     .
>     .
>     .
>
> the cleanser script:
>
> function cleanser( $value ) {
>     return mysql_real_escape_string( trim( $value ) ) ;
> }
>
> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored outside the web folder.
>
> many thanks :)

My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.

- Ben
Re: [PHP] prevent user from getting scripts outside the web folder [this better?]
Ben wrote:
> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better ?
>>
>> As directed, I 'sanitized' all user input variables with trim and mysql_real_escape_string.
>> Thanks for everyone's patience as I am starting at ground zero concerning security.
>>
>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] )) {
>>     // decrypt and sanitize variables
>>     $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : $cmd=null;
>>     $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : $path=null;
>>     .
>>     .
>>     .
>>
>> the cleanser script:
>>
>> function cleanser( $value ) {
>>     return mysql_real_escape_string( trim( $value ) ) ;
>> }
>>
>> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored outside the web folder.
>>
>> many thanks :)
>
> My understanding is that mysql_real_escape_string will only work while you are connected to mysql. Not sure if that is the case in your situation.

That is incorrect. mysql_real_escape_string is a php function, not mysql.

Cheers
-- 
David Robley

Computer programmers do it byte by byte.