...
PDA

Securing PHP+Mysql

Garrey
03-13-2010, 10:59 AM
Hi, i have a code - but I have no idea is this secure or not. So I'm asking help for professionals that means You!

<?php
include 'mysql.php';

$access = 'bcdefiju';
$flags = 'a';
$show = '1';
$serverid = '1';
$sec = '2592000';
if(!in_array($_SERVER['REMOTE_ADDR'],
array('81.20.151.38', '81.20.148.122'))) {
die("Error: Unknown IP");
}
$secret = '';
if(!empty($secret) && !check_signature($_GET, $secret)) {
die("Error: Invalid signature");
}
$sender = $_GET['sender'];
$message = $_GET['message'];

function createRandomPassword() {
$chars = "abcdefghijkmnopqrstuvwxyz023456789";
srand((double)microtime()*1000000);
$i = 0;
$pass = '' ;
while ($i <= 7) {
$num = rand() % 33;
$tmp = substr($chars, $num, 1);
$pass = $pass . $tmp;
$i++;
}
return $pass;
}
$password = createRandomPassword();

$username = $message;
//get timestamp for past/future date I want
$pf_time = strtotime("+30 days");
//format the date using the timestamp generated
$kehtib = date("Y-m-d", $pf_time);
$password = createRandomPassword();
$oigused = Admin;
mysql_connect("$dbhost", "$dbuser", "$dbpass") or die(mysql_error()); mysql_select_db("$dbname") or die(mysql_error());

$query5 = mysql_query("SELECT * FROM amx_amxadmins WHERE username LIKE '%$username%'") or die(mysql_error());
if(mysql_num_rows($query5)) {
echo " Error! {$username} exists";exit;
}

$reply = "Username: $username Password: $password.";

echo($reply);
function check_signature($params_array, $secret) {
ksort($params_array);
$str = '';
foreach ($params_array as $k=>$v) {
if($k != 'sig') {
$str .= "$k=$v";
}
}
$str .= $secret;
$signature = md5($str);
return ($params_array['sig'] == $signature);
}

if(!$username){echo 'Username not inserted!!';exit;}
if(!$username){echo 'Password not inserted!';exit;}

$v = time();

mysql_query("INSERT INTO amx_amxadmins (username,password,access,flags,steamid,nickname,date,ashow,oigused,kehtib) VALUES('$username','$password','$access','$flags','','$username', {$v}, '$show','$oigused','$kehtib')");

mysql_query("INSERT INTO amx_admins_servers (server_id) VALUES ('$serverid')");

?>

Is this secure or how can i make this more secure? I mean like if someone posts to this code like " ' DROP ALL " or smth(mysql command) then it wont delete anything from database, just inserting data to database.

8-)
Dormilich
03-13-2010, 12:21 PM
the code is not secure at all. at the very least use mysql_real_escape_string() or (better) Prepared (or Parameterized) Statements.
Garrey
03-13-2010, 02:56 PM
U mean like this:
$sender = $_GET['sender'] = mysql_real_escape_string( $sender )

Or I found this code too:
<?php
function safe($value){
return mysql_real_escape_string($value);
}
?>

Then, when I am using my code, I simply use:

<?php
$sender = safe($_GET["sender"]);
?>

Or how you mean?
bdl
03-13-2010, 05:15 PM
I read the title as "how to secure the PHP / MySQL server platform". Might want to change that.

As per the comment Dormilich made, try Google (http://tinyurl.com/ykzyxbx).

What is this script supposed to do?

$message = $_GET['message'];

$password = createRandomPassword();

$username = $message;


huh? You pass a username as the GET string?

General comments on your original post / code

Your 'mysql.php' script, which must contain the server authentication information, is in the same directory as your called script, i.e. in a publicly web-accessible directory. It's A Good Idea to always push that up to a directory outside of the web root, and include it using a hardcoded value. For that matter, the script should perform the connection and push a database handler into any script that calls it. In other words, don't reinvent the wheel (connection code) in every script you write.
Never use GET for anything other than pulling data from the server. Use POST when sending login information or otherwise.
You seem to be creating pseudo-random password values and storing them as plaintext.
Never rely on IP addresses for authentication.


Try this random password generation function:

<?php
function createRandomPassword($length=null) {
// password length
if ( is_null($length) ) $length = 20;

// lower / upper / numbers / symbols
$chars = "abcdefghijkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-+={}[];':?";

// seed random generator
srand((double)microtime()*1000000);

// for loop, iterate through $length times
for ($i=0; $i<=$length; $i++) {
// use the $chars length, not a set value
$num = rand() % strlen($chars);
// pull a random value from the string of allowed characters
$tmp = substr($chars, $num, 1);
// no repeated chars
if ( strpos($pass, $tmp) !== FALSE ) continue;
// add the current random character to the password string
$pass.= $tmp;

// debug
//echo "{$i} : rand {$num} : tmp {$tmp} : pass {$pass} <br>";
}

return $pass;
}

echo '<br><p style="font-weight:bold;">' . createRandomPassword() .'</p>';
?>


Of course, if you do choose to use this function, be sure to either a) change the `password` field length to accomodate the longer value, or (preferred) b) hash the password using SHA256 or another hashing algo, or use bcrypt. Of course this changes your script logic altogether, but it would be better to store a hashed value.
Garrey
03-13-2010, 05:42 PM
Okei, the script must be like.

It's dynamic sms service. I send like SMS with: TXT ADDME Username then it will sends automically generated password to user and then add to database. If in database there are this username then will show error example "Username exsist". But i thought on securing that, if I send like TXT ADDME ' where="numberoranything" SET id=1" then it would'nt crack my database. Just adds then this line AS username.
Garrey
03-21-2010, 10:55 PM
Please delete this topic! :)

EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum