Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    New Coder
    Join Date
    Aug 2012
    Location
    Kalamazoo, MI
    Posts
    39
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Is this script secure?

    Hi everyone,

    For the past few days I have programming a VERY simple shopping cart onto my website. I am not an expert with PHP (though I am learning very quickly) so I was just wondering if someone could tell me if the following PHP is secure?

    Please tell me what I need to fix if it is not secure, but please don't bash on me for anything, as I said, I am fairly new to PHP.

    PHP Code:
    // check if a template was submitted
    if(!isset($_FILES['template']))
    {
        echo 
    '';
    }
    else
    {
        try {
        
    $msgupload(); 
        echo 
    $msg;  //Message showing success or failure.
        
    }
        catch(
    Exception $e) {
        echo 
    $e->getMessage();
        echo 
    'Sorry, could not upload template';
        }
    }

    // the upload function

    function upload() {
        include(
    'includes/template.config.php'); 
     
    $allowedExts = array("jpg""jpeg""png");
    $extension end(explode("."$_FILES["template"]["name"]));
    if (((
    $_FILES["template"]["type"] == "image/jpeg")
    || (
    $_FILES["template"]["type"] == "image/jpg")
    || (
    $_FILES["template"]["type"] == "image/gif")
    || (
    $_FILES["template"]["type"] == "image/png"))
    && (
    $_FILES["template"]["size"] < 12582912)
    && 
    in_array($extension$allowedExts))
    {
      if (
    $_FILES["template"]["error"] > 0)
        {
        echo 
    "Return Code: " $_FILES["template"]["error"] . "<br />";
        }
      else
        {
        if (
    FILE_exists("templateshop/uploads/templates/" $_FILES["template"]["name"]))
          {
          echo 
    $_FILES["template"]["name"] . " already exists. ";
          }
        else
          {
          
    move_uploaded_file($_FILES["template"]["tmp_name"],
          
    "templateshop/uploads/templates/" $_FILES["template"]["name"]);
          echo 
    "Stored in: " "templateshop/uploads/templates/" $_FILES["template"]["name"];
          
          
    $path $_FILES["template"]["name"];
          
    $temp $_POST["temp"];
          
    $price $_POST["price"];
          
    $short_description $_POST["short_description"];
          
    $description $_POST["description"];
        
          
    //db connection                
          
    mysqli_connect($db_host$db_user$db_pass) OR DIE (mysqli_error());
          
    mysqli_select_db ($link$db_name) OR DIE ("Unable to select db".mysqli_error($db_name));

          
    // our sql query
          
    $sql "INSERT INTO templates(path, temp_name, price, short_description, description)
                  VALUES('"
    .$path."', '".$temp."', '".$price."', '".$short_description."', '".$description."');";

          
    // insert the id
          
    $insert_id mysqli_insert_id($link);
           
    mysqli_query($link$sql) or die("Error in Query: " mysqli_error($link));
          
    $msg='<p>Image successfully saved in database at path ='$path.' </p>';
           }

        function 
    template_upload_error_message($error_code) {
            switch (
    $error_code) {
                case 
    UPLOAD_ERR_INI_SIZE:
                    return 
    'The uploaded template exceeds the upload_max_FILESize directive in php.ini';
                case 
    UPLOAD_ERR_FORM_SIZE:
                    return 
    'The uploaded template exceeds the MAX_FILE_SIZE directive that was specified in the HTML form';
                case 
    UPLOAD_ERR_PARTIAL:
                    return 
    'The uploaded template was only partially uploaded';
                case 
    UPLOAD_ERR_NO_template:
                    return 
    'No template was uploaded';
                case 
    UPLOAD_ERR_NO_TMP_DIR:
                    return 
    'Missing a temporary folder';
                case 
    UPLOAD_ERR_CANT_WRITE:
                    return 
    'Failed to write template to disk';
                case 
    UPLOAD_ERR_EXTENSION:
                    return 
    'template upload stopped by extension';
                default:
                    return 
    'Unknown upload error';
            }
        }

         }
        }

    else
      {
      echo 
    "Invalid template";
      }
     } 
    PHP Code:
    if(isset($_GET['id']))
    {
        
    $id=$_GET['id'];
        
    $sql "SELECT * FROM templates WHERE id=$id";
        
    $result $link->query($sql);
        
    $row mysqli_fetch_assoc($result);

        
    $image $link->real_escape_string($row['path']);
        
    $name $link->real_escape_string($row['temp_name']);
        
    $description $link->real_escape_string($row['description']);
        
    $price $link->real_escape_string($row['price']);


    PHP Code:
    // check if a template was submitted
    if(!isset($_FILES['template']))
    {
        echo 
    'Oops! You forgot to upload yourt emplate! Please click <a href="template-purchase.php">here</a> to return.';
    }
    else
    {
        try {
        
    $msgupload();  
        echo 
    $msg;  // Message showing success or failure.
        
    }
        catch(
    Exception $e) {
        echo 
    $e->getMessage();
        echo 
    'Sorry, could not upload template';
        }
    }

    // make sure form fields are filled out and sanitize them from special characters to eliminate XSS hacks
    function check_input($data$problem='')
    {
        
    $data trim($data);
        
    $data stripslashes($data);
        
    $data htmlspecialchars($data);
        if (
    $problem && strlen($data) == 0)
        {
            die(
    $problem);
        }
            return 
    $data;
        }

    // the upload function
    function upload() {
        include(
    'includes/template.config.php'); 
        
    $allowedExts = array("pdf""doc""docx");
        
    $extension end(explode("."$_FILES["template"]["name"]));
        if (((
    $_FILES["template"]["type"] == "application/pdf")
            || (
    $_FILES["template"]["type"] == "application/msword")
            || (
    $_FILES["template"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"))
            && (
    $_FILES["template"]["size"] < 12582912)
            && 
    in_array($extension$allowedExts))
        {
            if (
    $_FILES["template"]["error"] > 0)
        {
            echo 
    "Return Code: " $_FILES["template"]["error"] . "<br />";
        }
        else
        {
            
    move_uploaded_file($_FILES["template"]["tmp_name"],
            
    "templateshop/uploads/user_template/" $_FILES["template"]["name"]);
          
              
    $path $_FILES["template"]["name"];
              
    $photoPath $_FILES["photo"]["name"];
              
    $id $_GET['id'];
              
    $cname check_input($_POST['cname'], "Oops! You forgot to enter your name!");
              
    $email check_input($_POST['email'], "Oops! You forgot to enter your email!");
              
    $phone check_input($_POST['phone'], "Oops! You forgot to enter your phone number!");
              
    $template check_input($_POST['template'], "Oops! You forgot to upload your template!");
            
              
    // sanitize email address -- check to make sure it is in valid format.
              
    if(filter_var($email,FILTER_VALIDATE_EMAIL) === false)
                {
                    echo 
    'Email is not valid';
                }
                else
                {
            
            
    // db connection
            
    mysqli_connect($db_host$db_user$db_pass) OR DIE (mysqli_error());
            
    mysqli_select_db ($link$db_name) OR DIE ("Unable to select db".mysqli_error($db_name));

            
    // sql query
            
    $sql "INSERT INTO customers(name, email, phone, template_path, photo_path, template_purchased)
                  VALUES('"
    .$cname."', '".$email."', '".$phone."', '".$path."', '".$photoPath."', '".$template."');";

            
    // insert the ID
            
    $insert_id mysqli_insert_id($link);
            
    mysqli_query($link$sql) or die("Error in Query: " mysqli_error($link));
           
            
    header("Location: purchase-thankyou.php");
           }
        }
    }

    I know it's kind of a lot to go through, but just a quick run down of the sanitizing/stripping tags would be sufficient enough. I just want to make sure I am doing everything I can to eliminate the possibility of XSS or SQL injections.

  • #2
    Regular Coder
    Join Date
    Jun 2010
    Location
    Earth
    Posts
    305
    Thanks
    27
    Thanked 2 Times in 2 Posts
    No its not very secure, you need to do more then sanitize and strip.

    Here is what felgall told me when I asked about security

    The order of processing a given field should be:

    read from the form
    validate
    database escape call (if not using prepare/bind and if the data can contain values that could affect the database command)
    write to database

    read from database
    sanitize
    format
    HTML escape (if the data can contain text that might be mistaken for HTML)
    output as HTML


    The validate and sanitize steps are what provides the security. The validate step also ensures that what you are processing isn't meaningless grabage.
    Hope it helps

  • #3
    New Coder
    Join Date
    Aug 2012
    Location
    Kalamazoo, MI
    Posts
    39
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Awesome, thanks for the tip!


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •