  1. #1
    Registered User

    Securing PHP+Mysql

    Hi, I have some code, but I have no idea whether it is secure or not. So I'm asking for help from professionals, which means you!

    PHP Code:
    <?php
    include 'mysql.php';   // provides $dbhost, $dbuser, $dbpass, $dbname

    $access   = 'bcdefiju';
    $flags    = 'a';
    $show     = '1';
    $serverid = '1';
    $sec      = '2592000';

    // only these two client addresses are allowed to call the script
    if(!in_array($_SERVER['REMOTE_ADDR'], array('81.20.151.38', '81.20.148.122'))) {
        die("Error: Unknown IP");
    }

    // optional request signature; skipped while $secret is empty
    $secret = '';
    if(!empty($secret) && !check_signature($_GET, $secret)) {
        die("Error: Invalid signature");
    }

    $sender  = $_GET['sender'];
    $message = $_GET['message'];

    function createRandomPassword() {
        $chars = "abcdefghijkmnopqrstuvwxyz023456789";
        srand((double)microtime()*1000000);
        $i = 0;
        $pass = '';
        while ($i <= 7) {
            $num = rand() % 33;
            $tmp = substr($chars, $num, 1);
            $pass = $pass . $tmp;
            $i++;
        }
        return $pass;
    }
    $password = createRandomPassword();

    $username = $message;
    //get timestamp for past/future date I want
    $pf_time = strtotime("+30 days");
    //format the date using the timestamp generated
    $kehtib = date("Y-m-d", $pf_time);
    $password = createRandomPassword();
    $oigused = 'Admin';
    mysql_connect("$dbhost", "$dbuser", "$dbpass") or die(mysql_error());
    mysql_select_db("$dbname") or die(mysql_error());

    // $username goes straight into the SQL string
    $query5 = mysql_query("SELECT * FROM amx_amxadmins WHERE username LIKE '%$username%'") or die(mysql_error());
    if(mysql_num_rows($query5)) {
        echo " Error! {$username} exists"; exit;
    }

    $reply = "Username: $username Password: $password.";

    echo($reply);

    function check_signature($params_array, $secret) {
        ksort($params_array);
        $str = '';
        foreach ($params_array as $k => $v) {
            if($k != 'sig') {
                $str .= "$k=$v";
            }
        }
        $str .= $secret;
        $signature = md5($str);
        return ($params_array['sig'] == $signature);
    }

    if(!$username){echo 'Username not inserted!!';exit;}
    if(!$password){echo 'Password not inserted!';exit;}

    $v = time();

    // both values are interpolated into the INSERT as well
    mysql_query("INSERT INTO amx_amxadmins (username,password,access,flags,steamid,nickname,date,ashow,oigused,kehtib) VALUES('$username','$password','$access','$flags','','$username', {$v}, '$show','$oigused','$kehtib')");

    mysql_query("INSERT INTO amx_admins_servers (server_id) VALUES ('$serverid')");

    ?>
    Is this secure, or how can I make it more secure? I mean, if someone posts something like " ' DROP ALL " or similar (a MySQL command) to this code, then it won't delete anything from the database, just insert the data into the database.

    8-)

  • #2
    Senior Coder Dormilich's Avatar
    The code is not secure at all. At the very least use mysql_real_escape_string() or (better) prepared (or parameterized) statements.

  • #3
    Registered User
    You mean like this:
    PHP Code:
    $sender = mysql_real_escape_string($_GET['sender']);
    Or I found this code too:
    PHP Code:
    <?php
    function safe($value){
       return mysql_real_escape_string($value);
    }
    ?>

    Then, when I am using my code, I simply use:

    <?php
    $sender = safe($_GET["sender"]);
    ?>
    Or how do you mean?
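    Dormilich's advice in #2 and the escaping attempt in #3, as a worked example added here (not code from the thread): the username check and INSERT from the first post rewritten with PDO prepared statements, so the value can only ever be data. It assumes the connection variables from the thread's mysql.php, the thread's createRandomPassword(), and the amx_amxadmins columns listed in the first post; an exact-match lookup replaces the original LIKE '%...%'.

```php
<?php
// Added example (not the poster's or Dormilich's code): the thread's username
// lookup and INSERT done with PDO prepared statements. The user-supplied value
// is sent to MySQL as a bound parameter, separate from the SQL text, so input
// such as "' where=... SET id=1" is stored literally as a username.
// Assumes $dbhost/$dbname/$dbuser/$dbpass from the thread's mysql.php and the
// thread's createRandomPassword(); exact match replaces LIKE '%..%'.
include 'mysql.php';

$pdo = new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8", $dbuser, $dbpass, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,  // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                   // let the MySQL server do the binding
));

function adminExists(PDO $pdo, $username) {
    $stmt = $pdo->prepare('SELECT 1 FROM amx_amxadmins WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));   // '?' receives the value; it is never spliced into the SQL
    return $stmt->fetchColumn() !== false;
}

function addAdmin(PDO $pdo, $username, $password, $access, $flags, $show, $oigused, $kehtib) {
    $stmt = $pdo->prepare(
        'INSERT INTO amx_amxadmins
           (username, password, access, flags, steamid, nickname, date, ashow, oigused, kehtib)
         VALUES (:u, :p, :a, :f, :steamid, :n, :d, :s, :o, :k)'
    );
    // Named placeholders, each bound exactly once (native MySQL prepares reject a reused name).
    return $stmt->execute(array(
        ':u' => $username, ':p' => $password, ':a' => $access, ':f' => $flags,
        ':steamid' => '',  ':n' => $username, ':d' => time(), ':s' => $show,
        ':o' => $oigused,  ':k' => $kehtib,
    ));
}

// Same flow as the original script; the request value only ever travels as a parameter.
$username = isset($_GET['message']) ? trim($_GET['message']) : '';
if ($username === '') {
    die('Username not inserted!');
}
if (adminExists($pdo, $username)) {
    // htmlspecialchars() stops the echoed value from being interpreted as HTML.
    die('Error! ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' exists');
}
$password = createRandomPassword();   // the thread's generator, assumed to be defined
addAdmin($pdo, $username, $password, 'bcdefiju', 'a', '1', 'Admin', date('Y-m-d', strtotime('+30 days')));
```

    mysql_real_escape_string() only works if the connection is open and the value is placed inside quotes in the SQL; a bound parameter has neither requirement.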

  • #4
    bdl
    Regular Coder
    I read the title as "how to secure the PHP / MySQL server platform". Might want to change that.

    As per the comment Dormilich made, try Google.

    What is this script supposed to do?
    PHP Code:
    $message = $_GET['message'];

    $password = createRandomPassword();

    $username = $message;
    huh? You pass a username as the GET string?

    General comments on your original post / code
    • Your 'mysql.php' script, which must contain the server authentication information, is in the same directory as your called script, i.e. in a publicly web-accessible directory. It's A Good Idea to always push that up to a directory outside of the web root, and include it using a hardcoded value. For that matter, the script should perform the connection and push a database handler into any script that calls it. In other words, don't reinvent the wheel (connection code) in every script you write.
    • Never use GET for anything other than pulling data from the server. Use POST when sending login information or otherwise.
    • You seem to be creating pseudo-random password values and storing them as plaintext.
    • Never rely on IP addresses for authentication.


    Try this random password generation function:
    PHP Code:
    <?php
    function createRandomPassword($length=null) {
        // password length
        if ( is_null($length) ) $length = 20;

        // lower / upper / numbers / symbols
        $chars = "abcdefghijkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-+={}[];':?";

        // seed random generator
        srand((double)microtime()*1000000);

        // start with an empty password string
        $pass = '';

        // for loop, iterate through $length times
        for ($i=0; $i<$length; $i++) {
            // use the $chars length, not a set value
            $num = rand() % strlen($chars);
            // pull a random value from the string of allowed characters
            $tmp = substr($chars, $num, 1);
            // no repeated chars (a skipped iteration makes the result shorter than $length)
            if ( strpos($pass, $tmp) !== FALSE ) continue;
            // add the current random character to the password string
            $pass .= $tmp;

            // debug
            //echo "{$i} : rand {$num} : tmp {$tmp} : pass {$pass} <br>";
        }

        return $pass;
    }

    echo '<br><p style="font-weight:bold;">' . createRandomPassword() . '</p>';
    ?>
    Of course, if you do choose to use this function, be sure to either a) change the `password` field length to accommodate the longer value, or (preferred) b) hash the password using SHA256 or another hashing algo, or use bcrypt. Of course this changes your script logic altogether, but it would be better to store a hashed value.
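    A companion to bdl's hashing advice, added here and not bdl's code: the password is generated with random_int() instead of the predictable srand()/rand() pair, only a password_hash() digest is stored, and a later check uses password_verify(). It assumes PHP 7 or newer, the thread's amx_amxadmins table, and a hypothetical $pdo handle connected to it.

```php
<?php
// Added example, not bdl's code: CSPRNG-backed password generation (random_int(),
// PHP 7+), storage of a password_hash() digest instead of the plaintext, and
// verification with password_verify(). Table and column names are the thread's;
// $pdo is an assumed PDO handle to that database.

function createRandomPassword($length = 20) {
    $chars = "abcdefghijkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#\$%^&*()-+={}[];':?";
    $max   = strlen($chars) - 1;
    $pass  = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform and unpredictable; rand() seeded from microtime() is neither.
        $pass .= $chars[random_int(0, $max)];
    }
    return $pass;
}

// Store the digest, never the plaintext. PASSWORD_DEFAULT is bcrypt today (60 characters)
// and may change, so the password column should be VARCHAR(255).
function hashForStorage($plainPassword) {
    return password_hash($plainPassword, PASSWORD_DEFAULT);
}

// Fetch the stored digest by username (bound parameter) and compare against the submitted value.
function verifyAdmin(PDO $pdo, $username, $plainPassword) {
    $stmt = $pdo->prepare('SELECT password FROM amx_amxadmins WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    // password_verify() reads the algorithm and cost from the hash and compares in constant time.
    return $hash !== false && password_verify($plainPassword, $hash);
}

// Offline self-check of the two primitives; no database is needed for this part.
$plain = createRandomPassword();          // this is the one-time value the SMS reply would carry
$hash  = hashForStorage($plain);          // this is what goes into the password column
var_dump(strlen($plain) === 20);
var_dump(password_verify($plain, $hash));
var_dump(password_verify('not-it', $hash));
```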

  • #5
    Registered User
    Okay, the script must work like this.

    It's a dynamic SMS service. I send an SMS with: TXT ADDME Username, then it sends an automatically generated password to the user and adds them to the database. If this username is already in the database, it will show an error, for example "Username exists". But I was thinking about securing that: if I send something like TXT ADDME ' where="numberoranything" SET id=1", it wouldn't crack my database, just add this line AS the username.

  • #6
    Registered User
    Please delete this topic!