
Can someone please check this script to make sure it's alright?



Acid
06-22-2005, 05:13 PM
Hey,

I've written a script so staff in the Training department at work can upload, edit and delete their own course flyers and are required to login, users just see the list of these flyers. Could someone just have a quick look through this script and let me know if it's alright? I'd just like to make sure there aren't any problems in there that could cause it to go haywire later on.

Cheers.

Scripts attached.

mattyod
06-22-2005, 07:53 PM
I haven't read through all your code (I'm assuming it works in your initial testing) but one thing does leap right out and smack me between the eyes.

You are including your database username & password etc in the body of your main file! eek.

These should be set as variables in an included file that is either above the root i.e. cgi-bin or "chmod"ed to prevent user access.

Probably a bad idea to be posting this information on public forums as well to be honest :)

Acid
06-23-2005, 12:58 AM
I'd agree with you except that the user name and password I entered in that text file is not actually the user name and password of my MySQL database, it's just a placeholder. In addition this is on a closed intranet within a secure network so unless people trying to hack it have Kevin Mitnick type skills and are a whizz at cracking 128-bit encryption I don't really need to worry about it. ;)

Also yes this does all work during my testing, just wanted to make sure there isn't anything I've used that is likely to fall over and cause problems later on etc.

Also there's no CHMOD functionality on the server, it's a Windows 2003 box with IIS 6.0.

mattyod
06-23-2005, 01:28 AM
Yes, I saw it was an intranet site but lets be honest it's the people inside that you need to worry about more than the ones outside.

Why on earth would I want to adjust the figures in your database?

Why would one of the users?

Acid
06-23-2005, 09:05 AM
ROFLMFAO!!!! Sorry, that first line of your post had me in hysterics. I REALLY don't need to worry about the users within the intranet, most of them can't figure out a pencil sharpener between them; the only ones capable of doing anything at all are the guys in the IT department, but they have access to the MySQL database anyway.

mattyod
06-23-2005, 03:25 PM
That's a very interesting attitude to security you have.

Perhaps you should know that until a few months ago I also worked for the NHS.

You work for an organisation that needs to treat its data with particular care and you have given us:

your email address.
your telephone number.
your name.
your root server IP.
2 sets of username and password (not that it would take long to guess "admin").

I really would suggest you take your security a little bit more seriously and take down this information from the forums - it's exactly the sort of thing crackers trawl the internet looking for.

Acid
06-23-2005, 04:23 PM
I actually do take security seriously but, as I said, the user name and password provided for the MySQL isn't the user name and password, it is placeholder text.

Also I haven't provided the root server IP, the only reference to any server is for the MySQL connection which is down as localhost.

As for my name, email and telephone number, not exactly sensitive information, it's actually published on the public site for my Trust as part of the freedom of information act.

delinear
06-23-2005, 05:10 PM
I REALLY don't need to worry about the users within the intranet


I actually do take security seriously

:rolleyes:

JamieR
06-23-2005, 05:20 PM
In addition this is on a closed intranet within a secure network so unless people trying to hack it have Kevin Mitnick type skills and are a wizz at cracking 128bit encryption I don't really need to worry about it. ;)


Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it :D

Like a little saying I heard of a while back - "Nothing's uncrackable" :p

Acid
06-23-2005, 05:57 PM
:rolleyes:
Yes I'm aware that seems contradictory, however the users within the Trust can barely login to their own account without needing to call IT for assistance.


Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it :D

Like a little saying I heard of a while back - "Nothing's uncrackable" :p
Don't get me wrong, I tend to agree with that, I've been saying for years that if it was created by a human it can be cracked by a human, however it's a common fact that even 64-bit has something like 37 trillion possible combinations, so for a guy to sit at his computer and try and crack it, it could take somewhere like 100 years.

Yes there is an on-going project to crack 128-bit but it won't be happening any time soon, however this would be the exact same security risk regardless of whether I supplied the passwords or not, which I haven't anyway.

Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?

JamieR
06-23-2005, 06:23 PM
Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?

I can't see anything really wrong with it after a quick glance....

I think the topic of security has been discussed well enough now and we should just stick to the topic :)

Jamie.
