  1. #1
    Regular Coder
    Join Date
    Jun 2004
    Posts
    194
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Can someone please check this script to make sure it's alright?

    Hey,

    I've written a script so staff in the Training department at work can upload, edit and delete their own course flyers and are required to login, users just see the list of these flyers. Could someone just have a quick look through this script and let me know if it's alright? I'd just like to make sure there aren't any problems in there that could cause it to go haywire later on.

    Cheers.

    Scripts attached.
    Last edited by Acid; 06-24-2005 at 09:40 AM.

  • #2
    New Coder
    Join Date
    Feb 2005
    Posts
    97
    Thanks
    7
    Thanked 7 Times in 7 Posts
    I haven't read through all your code (I'm assuming it works in your initial testing) but one thing does leap right out and smack me between the eyes.

    You are including your database username & password etc in the body of your main file! eek.

    These should be set as variables in an included file that is either above the root i.e. cgi-bin or "chmod"ed to prevent user access.

    Probably a bad idea to be posting this information on public forums as well to be honest
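The advice above (keep the database credentials out of the script body, in a file the web server cannot serve and that other accounts cannot read) can be checked mechanically at load time. The following is an added illustration, not code from the thread or from the poster's attached scripts; the file layout (a `private/db.ini` beside a `wwwroot`), the `[database]` section keys and the `flyers_app` account are constructed for the demo. The permission check uses POSIX mode bits; on the Windows/IIS box mentioned later in the thread the equivalent control is an NTFS ACL, which this snippet does not inspect.

```python
import os
import stat
import tempfile
from configparser import ConfigParser


def outside_web_root(cred_path, web_root):
    """True when the credentials file does not live under the web root.

    A file under the web root can be fetched as a URL; one above it cannot.
    Both paths are resolved so symlinks and '..' segments cannot hide the
    real location.
    """
    cred_real = os.path.realpath(cred_path)
    root_real = os.path.realpath(web_root)
    return os.path.commonpath([cred_real, root_real]) != root_real


def readable_only_by_owner(cred_path):
    """On POSIX, True when neither group nor others have any access bits.

    Windows does not expose chmod-style bits; the check is skipped there and
    the caller is expected to rely on NTFS ACLs instead (assumption).
    """
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(os.stat(cred_path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_db_credentials(cred_path, web_root):
    """Read [database] host/user/password/name from an INI file, refusing
    files that are web-reachable or readable by other local accounts."""
    if not outside_web_root(cred_path, web_root):
        raise PermissionError("credentials file is inside the web root")
    if not readable_only_by_owner(cred_path):
        raise PermissionError("credentials file is readable by other users")
    parser = ConfigParser()
    with open(cred_path, encoding="utf-8") as fh:
        parser.read_file(fh)
    section = parser["database"]
    return {key: section[key] for key in ("host", "user", "password", "name")}


def demo():
    """Constructed fixture: a good file outside the web root, a copy inside
    it, and a world-readable copy. Returns what each attempt produced."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    private = os.path.join(base, "private")
    os.makedirs(web_root)
    os.makedirs(private)
    # Placeholder credentials, as in the thread; never commit real ones.
    ini_text = (
        "[database]\n"
        "host = localhost\n"
        "user = flyers_app\n"
        "password = PLACEHOLDER\n"
        "name = flyers\n"
    )
    good = os.path.join(private, "db.ini")
    with open(good, "w", encoding="utf-8") as fh:
        fh.write(ini_text)
    os.chmod(good, 0o600)

    in_root = os.path.join(web_root, "db.ini")
    with open(in_root, "w", encoding="utf-8") as fh:
        fh.write(ini_text)
    os.chmod(in_root, 0o600)

    loose = os.path.join(private, "db_loose.ini")
    with open(loose, "w", encoding="utf-8") as fh:
        fh.write(ini_text)
    os.chmod(loose, 0o644)  # group/others can read: must be refused on POSIX

    result = {"creds": load_db_credentials(good, web_root)}
    for label, path in (("in_root", in_root), ("loose", loose)):
        try:
            load_db_credentials(path, web_root)
            result[label] = "accepted"
        except PermissionError:
            result[label] = "rejected"
    # The loose-permissions file is only detectable where mode bits exist.
    result["loose_expected"] = "rejected" if os.name == "posix" else "accepted"
    return result


if __name__ == "__main__":
    print(demo())
```

The same idea applies to any include-based setup: the script that serves pages holds only a path, the secrets live in a file the web server process can read but nobody else can, and the loader refuses to proceed when that arrangement is broken rather than silently connecting.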

  • #3
    Regular Coder
    Join Date
    Jun 2004
    Posts
    194
    Thanks
    5
    Thanked 0 Times in 0 Posts
    I'd agree with you except that the user name and password I entered in that text file is not actually the user name and password of my MySQL database, it's just a placeholder. In addition this is on a closed intranet within a secure network so unless people trying to hack it have Kevin Mitnick type skills and are a whizz at cracking 128bit encryption I don't really need to worry about it.

    Also yes this does all work during my testing, just wanted to make sure there isn't anything I've used that is likely to fall over and cause problems later on etc.

    Also there's no CHMOD functionality on the server, it's a Windows 2003 box with IIS 6.0.

  • #4
    New Coder
    Join Date
    Feb 2005
    Posts
    97
    Thanks
    7
    Thanked 7 Times in 7 Posts
    Yes, I saw it was an intranet site but let's be honest, it's the people inside that you need to worry about more than the ones outside.

    Why on earth would I want to adjust the figures in your database?

    Why would one of the users?

  • #5
    Regular Coder
    Join Date
    Jun 2004
    Posts
    194
    Thanks
    5
    Thanked 0 Times in 0 Posts
    ROFLMFAO!!!! Sorry that first line of your post had me in hysterics. I REALLY don't need to worry about the users within the intranet, most of them can't figure out a pencil sharpener between them, the only ones capable of doing anything at all are the guys in the IT department, but they have access to the MySQL database anyway.

  • #6
    New Coder
    Join Date
    Feb 2005
    Posts
    97
    Thanks
    7
    Thanked 7 Times in 7 Posts
    That's a very interesting attitude to security you have.

    Perhaps you should know that until a few months ago I also worked for the NHS.

    You work for an organisation that needs to treat its data with particular care and you have given us:

    your email address.
    your telephone number.
    your name.
    your root server IP.
    2 sets of username and password (not that it would take long to guess "admin").

    I really would suggest you take your security a little bit more seriously and take down this information from the forums - it's exactly the sort of thing crackers trawl the internet looking for.

  • #7
    Regular Coder
    Join Date
    Jun 2004
    Posts
    194
    Thanks
    5
    Thanked 0 Times in 0 Posts
    I actually do take security seriously but as I said, the user name and password provided for the MySQL isn't the user name and password, it is placeholder text.

    Also I haven't provided the root server IP, the only reference to any server is for the MySQL connection which is down as localhost.

    As for my name, email and telephone number, not exactly sensitive information, it's actually published on the public site for my Trust as part of the freedom of information act.

  • #8
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Acid
    I REALLY don't need to worry about the users within the intranet
    Quote Originally Posted by Acid
    I actually do take security seriously

  • #9
    Senior Coder JamieR's Avatar
    Join Date
    Oct 2004
    Location
    United Kingdom
    Posts
    3,161
    Thanks
    0
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Acid
    In addition this is on a closed intranet within a secure network so unless people trying to hack it have Kevin Mitnick type skills and are a wizz at cracking 128bit encryption I don't really need to worry about it.
    Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it

    Like a little saying I heard of a while back - "Nothing's uncrackable"

  • #10
    Regular Coder
    Join Date
    Jun 2004
    Posts
    194
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by delinear
    Yes I'm aware that seems contradictory, however the users within the Trust can barely login to their own account without needing to call IT for assistance.

    Quote Originally Posted by weazel
    Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it

    Like a little saying I heard of a while back - "Nothing's uncrackable"
    Don't get me wrong I tend to agree with that, I've been saying for years that if it was created by a human it can be cracked by a human, however it's a common fact that even 64 bit has something like 37 trillion possible combinations so for a guy to sit at his computer and try to crack it, it could take somewhere like 100 years.

    Yes there is an on-going project to crack 128 bit but it won't be happening any time soon, however this would be the exact same security risk regardless as to whether I supplied the passwords or not, which I haven't anyway.

    Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?

  • #11
    Senior Coder JamieR's Avatar
    Join Date
    Oct 2004
    Location
    United Kingdom
    Posts
    3,161
    Thanks
    0
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Acid
    Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?
    I can't see anything really wrong with it after a quick glance....

    I think the topic of security has been discussed well enough now and we should just stick to the topic.

    Jamie.
