Is this script secure?

[TylerB]

Hi everyone,

For the past few days I have programming a VERY simple shopping cart onto my website. I am not an expert with PHP (though I am learning very quickly) so I was just wondering if someone could tell me if the following PHP is secure?

Please tell me what I need to fix if it is not secure, but please don't bash on me for anything, as I said, I am fairly new to PHP.

PHP Code:

// check if a template was submitted
if(!isset($_FILES['template']))
{
    echo '';
}
else
{
    try {
    $msg= upload(); 
    echo $msg;  //Message showing success or failure.
    }
    catch(Exception $e) {
    echo $e->getMessage();
    echo 'Sorry, could not upload template';
    }
}

// the upload function

function upload() {
    include('includes/template.config.php'); 
 $allowedExts = array("jpg", "jpeg", "png");
$extension = end(explode(".", $_FILES["template"]["name"]));
if ((($_FILES["template"]["type"] == "image/jpeg")
|| ($_FILES["template"]["type"] == "image/jpg")
|| ($_FILES["template"]["type"] == "image/gif")
|| ($_FILES["template"]["type"] == "image/png"))
&& ($_FILES["template"]["size"] < 12582912)
&& in_array($extension, $allowedExts))
{
  if ($_FILES["template"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["template"]["error"] . "<br />";
    }
  else
    {
    if (FILE_exists("templateshop/uploads/templates/" . $_FILES["template"]["name"]))
      {
      echo $_FILES["template"]["name"] . " already exists. ";
      }
    else
      {
      move_uploaded_file($_FILES["template"]["tmp_name"],
      "templateshop/uploads/templates/" . $_FILES["template"]["name"]);
      echo "Stored in: " . "templateshop/uploads/templates/" . $_FILES["template"]["name"];
      
      $path = $_FILES["template"]["name"];
      $temp = $_POST["temp"];
      $price = $_POST["price"];
      $short_description = $_POST["short_description"];
      $description = $_POST["description"];
    
      //db connection                
      mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error());
      mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name));

      // our sql query
      $sql = "INSERT INTO templates(path, temp_name, price, short_description, description)
              VALUES('".$path."', '".$temp."', '".$price."', '".$short_description."', '".$description."');";

      // insert the id
      $insert_id = mysqli_insert_id($link);
       mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
      $msg='<p>Image successfully saved in database at path ='. $path.' </p>';
       }

    function template_upload_error_message($error_code) {
        switch ($error_code) {
            case UPLOAD_ERR_INI_SIZE:
                return 'The uploaded template exceeds the upload_max_FILESize directive in php.ini';
            case UPLOAD_ERR_FORM_SIZE:
                return 'The uploaded template exceeds the MAX_FILE_SIZE directive that was specified in the HTML form';
            case UPLOAD_ERR_PARTIAL:
                return 'The uploaded template was only partially uploaded';
            case UPLOAD_ERR_NO_template:
                return 'No template was uploaded';
            case UPLOAD_ERR_NO_TMP_DIR:
                return 'Missing a temporary folder';
            case UPLOAD_ERR_CANT_WRITE:
                return 'Failed to write template to disk';
            case UPLOAD_ERR_EXTENSION:
                return 'template upload stopped by extension';
            default:
                return 'Unknown upload error';
        }
    }

     }
    }

else
  {
  echo "Invalid template";
  }
 } 


PHP Code:

if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $sql = "SELECT * FROM templates WHERE id=$id";
    $result = $link->query($sql);
    $row = mysqli_fetch_assoc($result);

    $image = $link->real_escape_string($row['path']);
    $name = $link->real_escape_string($row['temp_name']);
    $description = $link->real_escape_string($row['description']);
    $price = $link->real_escape_string($row['price']);

} 


PHP Code:

// check if a template was submitted
if(!isset($_FILES['template']))
{
    echo 'Oops! You forgot to upload yourt emplate! Please click <a href="template-purchase.php">here</a> to return.';
}
else
{
    try {
    $msg= upload();  
    echo $msg;  // Message showing success or failure.
    }
    catch(Exception $e) {
    echo $e->getMessage();
    echo 'Sorry, could not upload template';
    }
}

// make sure form fields are filled out and sanitize them from special characters to eliminate XSS hacks
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
        return $data;
    }

// the upload function
function upload() {
    include('includes/template.config.php'); 
    $allowedExts = array("pdf", "doc", "docx");
    $extension = end(explode(".", $_FILES["template"]["name"]));
    if ((($_FILES["template"]["type"] == "application/pdf")
        || ($_FILES["template"]["type"] == "application/msword")
        || ($_FILES["template"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"))
        && ($_FILES["template"]["size"] < 12582912)
        && in_array($extension, $allowedExts))
    {
        if ($_FILES["template"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["template"]["error"] . "<br />";
    }
    else
    {
        move_uploaded_file($_FILES["template"]["tmp_name"],
        "templateshop/uploads/user_template/" . $_FILES["template"]["name"]);
      
          $path = $_FILES["template"]["name"];
          $photoPath = $_FILES["photo"]["name"];
          $id = $_GET['id'];
          $cname = check_input($_POST['cname'], "Oops! You forgot to enter your name!");
          $email = check_input($_POST['email'], "Oops! You forgot to enter your email!");
          $phone = check_input($_POST['phone'], "Oops! You forgot to enter your phone number!");
          $template = check_input($_POST['template'], "Oops! You forgot to upload your template!");
        
          // sanitize email address -- check to make sure it is in valid format.
          if(filter_var($email,FILTER_VALIDATE_EMAIL) === false)
            {
                echo 'Email is not valid';
            }
            else
            {
        
        // db connection
        mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error());
        mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name));

        // sql query
        $sql = "INSERT INTO customers(name, email, phone, template_path, photo_path, template_purchased)
              VALUES('".$cname."', '".$email."', '".$phone."', '".$path."', '".$photoPath."', '".$template."');";

        // insert the ID
        $insert_id = mysqli_insert_id($link);
        mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
       
        header("Location: purchase-thankyou.php");
       }
    }
}
} 


I know it's kind of a lot to go through, but just a quick run down of the sanitizing/stripping tags would be sufficient enough. I just want to make sure I am doing everything I can to eliminate the possibility of XSS or SQL injections.

[harkly]

No its not very secure, you need to do more then sanitize and strip.

Here is what felgall told me when I asked about security

Quote:

The order of processing a given field should be:

read from the form
validate
database escape call (if not using prepare/bind and if the data can contain values that could affect the database command)
write to database

read from database
sanitize
format
HTML escape (if the data can contain text that might be mistaken for HTML)
output as HTML


The validate and sanitize steps are what provides the security. The validate step also ensures that what you are processing isn't meaningless grabage.

Hope it helps

[TylerB]

Awesome, thanks for the tip!