Go Back   CodingForums.com > :: Server side development > PHP

Old 06-22-2005, 04:13 PM   PM User | #1
Acid
Regular Coder

 
Join Date: Jun 2004
Posts: 194
Thanks: 5
Thanked 0 Times in 0 Posts
Acid is an unknown quantity at this point
Can someone please check this script to make sure it's alright?

Hey,

I've written a script so staff in the Training department at work can upload, edit and delete their own course flyers and are required to login, users just see the list of these flyers. Could someone just have a quick look through this script and let me know if it's alright? I'd just like to make sure there aren't any problems in there that could cause it to go haywire later on.

Cheers.

Scripts attached.

Last edited by Acid; 06-24-2005 at 09:40 AM..
Acid is offline   Reply With Quote
Old 06-22-2005, 06:53 PM   PM User | #2
mattyod
New Coder

 
Join Date: Feb 2005
Posts: 97
Thanks: 7
Thanked 7 Times in 7 Posts
mattyod is an unknown quantity at this point
I haven't read through all your code (I'm assuming it works in your initial testing) but one thing does leap right out and smack me between the eyes.

You are including your database username & password etc in the body of your main file! eek.

These should be set as variables in an included file that is either above the root i.e. cgi-bin or "chmod"ed to prevent user access.

Probably a bad idea to be posting this information on public forums as well, to be honest.
mattyod is offline   Reply With Quote
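A concrete version of the suggestion above, written as an added example rather than code from the attached script: the web-served page pulls its database credentials from a file stored outside the IIS document root and refuses to start if that file could ever be requested through the web server. The directory layout, the file names, the `loadDbConfig` helper and the placeholder account name are all assumptions; the example targets current PHP (mysqli, `declare(strict_types=1)`), not the PHP of 2005.

```php
<?php
// Added example, not the poster's script. Assumed layout on the IIS box:
//   C:\inetpub\private\db-config.php     <- NOT under the document root
//   C:\inetpub\wwwroot\flyers\index.php  <- this file
//
// --- assumed contents of private\db-config.php ---
// return [
//     'host' => 'localhost',
//     'user' => 'flyers_app',   // placeholder, not a real account
//     'pass' => 'CHANGE-ME',    // placeholder
//     'name' => 'training',
// ];

declare(strict_types=1);

/**
 * Load the credentials file and stop if it sits inside the document root,
 * where a misconfigured server could hand its contents to a browser.
 */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('DB config file not found');
    }

    // realpath() on both sides normalises separators and case differences.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) && $_SERVER['DOCUMENT_ROOT'] !== ''
        ? realpath($_SERVER['DOCUMENT_ROOT'])
        : false;
    if ($docRoot !== false) {
        $prefix = rtrim($docRoot, '\\/') . DIRECTORY_SEPARATOR;
        // Windows paths are case-insensitive, so compare case-insensitively.
        if (strncasecmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException('DB config file must live outside the web root');
        }
    }

    $cfg = require $real;
    if (!is_array($cfg)) {
        throw new RuntimeException('DB config file must return an array');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

// Two levels up from wwwroot\flyers lands in C:\inetpub (assumed layout).
$cfg = loadDbConfig(dirname(__DIR__, 2) . DIRECTORY_SEPARATOR . 'private' . DIRECTORY_SEPARATOR . 'db-config.php');

// Throw on connection/query errors instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
$db->set_charset('utf8mb4');

// The rest of the flyer list/upload/delete code uses $db from here on;
// no password string ever appears in this web-served file.
```

Because the credentials file is a plain PHP file that `return`s an array, it never needs to be parsed by hand and is never served as text even if someone requests it by name; keeping it above the document root, as the post recommends, removes the possibility altogether, and the `DOCUMENT_ROOT` check catches the case where the file is later copied back into the site by mistake.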
Old 06-22-2005, 11:58 PM   PM User | #3
Acid
Regular Coder

 
Join Date: Jun 2004
Posts: 194
Thanks: 5
Thanked 0 Times in 0 Posts
Acid is an unknown quantity at this point
I'd agree with you except that the user name and password I entered in that text file are not actually the user name and password of my MySQL database, it's just a placeholder. In addition, this is on a closed intranet within a secure network, so unless people trying to hack it have Kevin Mitnick type skills and are a whiz at cracking 128-bit encryption I don't really need to worry about it.

Also yes this does all work during my testing, just wanted to make sure there isn't anything I've used that is likely to fall over and cause problems later on etc.

Also there's no CHMOD functionality on the server, it's a Windows 2003 box with IIS 6.0.
Acid is offline   Reply With Quote
Old 06-23-2005, 12:28 AM   PM User | #4
mattyod
New Coder

 
Join Date: Feb 2005
Posts: 97
Thanks: 7
Thanked 7 Times in 7 Posts
mattyod is an unknown quantity at this point
Yes, I saw it was an intranet site, but let's be honest, it's the people inside that you need to worry about more than the ones outside.

Why on earth would I want to adjust the figures in your database?

Why would one of the users?
mattyod is offline   Reply With Quote
Old 06-23-2005, 08:05 AM   PM User | #5
Acid
Regular Coder

 
Join Date: Jun 2004
Posts: 194
Thanks: 5
Thanked 0 Times in 0 Posts
Acid is an unknown quantity at this point
ROFLMFAO!!!! Sorry, that first line of your post had me in hysterics. I REALLY don't need to worry about the users within the intranet, most of them can't figure out a pencil sharpener between them; the only ones capable of doing anything at all are the guys in the IT department, but they have access to the MySQL database anyway.
Acid is offline   Reply With Quote
Old 06-23-2005, 02:25 PM   PM User | #6
mattyod
New Coder

 
Join Date: Feb 2005
Posts: 97
Thanks: 7
Thanked 7 Times in 7 Posts
mattyod is an unknown quantity at this point
That's a very interesting attitude to security you have.

Perhaps you should know that until a few months ago I also worked for the NHS.

You work for an organisation that needs to treat its data with particular care and you have given us:

your email address.
your telephone number.
your name.
your root server IP.
2 sets of username and password (not that it would take long to guess "admin").

I really would suggest taking your security a little bit more seriously and taking down this information from the forums - it's exactly the sort of thing crackers trawl the internet looking for.
mattyod is offline   Reply With Quote
Old 06-23-2005, 03:23 PM   PM User | #7
Acid
Regular Coder

 
Join Date: Jun 2004
Posts: 194
Thanks: 5
Thanked 0 Times in 0 Posts
Acid is an unknown quantity at this point
I actually do take security seriously, but as I said, the user name and password provided for the MySQL isn't the user name and password, it is placeholder text.

Also I haven't provided the root server IP, the only reference to any server is for the MySQL connection which is down as localhost.

As for my name, email and telephone number, that's not exactly sensitive information; it's actually published on the public site for my Trust as part of the Freedom of Information Act.
Acid is offline   Reply With Quote
Old 06-23-2005, 04:10 PM   PM User | #8
delinear
Regular Coder

 
Join Date: Feb 2005
Location: West Midlands, UK
Posts: 623
Thanks: 0
Thanked 0 Times in 0 Posts
delinear is an unknown quantity at this point
Quote:
Originally Posted by Acid
I REALLY don't need to worry about the users within the intranet
Quote:
Originally Posted by Acid
I actually do take security seriously
__________________
~ Bazzy
delinear is offline   Reply With Quote
Old 06-23-2005, 04:20 PM   PM User | #9
JamieR
Senior Coder

 
JamieR's Avatar
 
Join Date: Oct 2004
Location: United Kingdom
Posts: 3,161
Thanks: 0
Thanked 5 Times in 5 Posts
JamieR is on a distinguished road
Quote:
Originally Posted by Acid
In addition, this is on a closed intranet within a secure network, so unless people trying to hack it have Kevin Mitnick type skills and are a whiz at cracking 128-bit encryption I don't really need to worry about it.
Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it

Like a little saying I heard of a while back - "Nothing's uncrackable"
__________________
-Jamie
JamieR is offline   Reply With Quote
Old 06-23-2005, 04:57 PM   PM User | #10
Acid
Regular Coder

 
Join Date: Jun 2004
Posts: 194
Thanks: 5
Thanked 0 Times in 0 Posts
Acid is an unknown quantity at this point
Quote:
Originally Posted by delinear
Yes, I'm aware that seems contradictory; however, the users within the Trust can barely log in to their own account without needing to call IT for assistance.

Quote:
Originally Posted by weazel
Don't kid yourself with all this "I have 128-bit encryption etc" - I would say that stuff like that is pretty secure, but isn't *totally* unhackable if you know how to get around it

Like a little saying I heard of a while back - "Nothing's uncrackable"
Don't get me wrong, I tend to agree with that, I've been saying for years that if it was created by a human it can be cracked by a human. However, it's a common fact that even 64-bit has something like 37 trillion possible combinations, so for a guy to sit at his computer and try and crack it, it could take somewhere like 100 years.

Yes, there is an on-going project to crack 128-bit, but it won't be happening any time soon. However, this would be the exact same security risk regardless of whether I supplied the passwords or not, which I haven't anyway.

Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?
Acid is offline   Reply With Quote
Old 06-23-2005, 05:23 PM   PM User | #11
JamieR
Senior Coder

 
JamieR's Avatar
 
Join Date: Oct 2004
Location: United Kingdom
Posts: 3,161
Thanks: 0
Thanked 5 Times in 5 Posts
JamieR is on a distinguished road
Quote:
Originally Posted by Acid
Back onto the topic though, has anyone noticed anything that could be a problem later on or is the script OK?
I can't see anything really wrong with it after a quick glance....

I think the topic of security has been discussed well enough now and we should just stick to the topic.

Jamie.
__________________
-Jamie
JamieR is offline   Reply With Quote