Hiya,

I was wondering if there is a need to change the database table names and script variables of an open source script to enhance security.

A script I have has lots of pages and variables that are used throughout the site. I have changed database table names as I believe this is a great security enhancement but is there a need to change variable names and even page names if the script is open source?


I am also splitting up the code and placing the PHP and database stuff in files in a hidden directory for added protection. But is the script still vunerable if it has the same variables/page names that it was writting with?

For example ... $username is obviously used for users names on pages throughout the site and also for mysql queries and the log in cookies.

Could someone who knows the script use all these variables and even the page names to hack the site?

Thanks

Justin

Yes and no. Certain server configurations may allow them to hack variables (register_globals), but most servers have this turned off since its deprecated and is soon to be removed as of php6. You can disable this in the php.ini (and you should just as added security).

As long as you have all input and output data sanitized, you shouldn't have a problem.

You should be focusing on csrf and xss attacks. Those are most common today.

Session hijacking is another topic to think about. Its easily preventable by putting the session temp directory within your webspace and make it have limited permissions (or you can use database sessions like I do, much faster).

hello ... thanks very much for the info there.

This is interesting. I am looking at ways to properly sanitise the user input.... currently the script uses this on all forms which I am not sure is a great way ....

$form_variable = badwords(strip_tags($form_variable,"<b><i><u><a><font>"));

The tags can be edited to whatever html tags you wish to allow.

Im not sure this is a great way to fully sanitise input so am thinking of using this as well:

$form_variable = mysql_real_escape_string($_POST['form_variable']);

I havent tried it yet so dont know if they will conflict each other.

With regards to the sessions ... I need to work out a way of how to add sessions as my script only seems to use cookies right now. Ive heard the database session data is a good way to go ahead but will have to look at how to do it.

I do have a dedicated server that I recently got for my website and when I transferred it across the script didnt seem to work on it. I tried changing a few of the php.ini settings to see if that was the cause and still it didnt work. So I have had to transfer it back to my old shared server and see if I can work out the problem. :(

So my dedicated server is sitting there doing nothing. lol


I will go and check my php.ini settings now for the global_variable thing.


Thanks again

mysql_real_escape_string() should always be used when putting information from a user into a database. strip_tags() is not reliable. Its allows some attributes that can still inject xss code onto a page. If you want to ensure that you are protected against xss, you need to run htmlentities() on all data that is output to the browser. If you have html that you want to display, consider using bbcode or a strip_attributes function (theres one on the strip_tags page of php.net) that will make sure people can't hack your site by adding their own code.

Using tokens and form timeouts help stop cross-site request forgery (csrf) attacks. I have put examples of those on the other thread you have.

Hi Thanks.

I have just looked at a tutorial for the htmlentities() code so thanks for that.

You say I should always use mysql_real_escape_string() so would I use both these to check a form input?

ie:

$form_variable = mysql_real_escape_string($_POST);
$userInputEntities = htmlentities($form_variable);


Then use the $userInputEntities as the cleaned up variable to insert into the database.

I saw you had posted on my other one so thanks. I had posted this before checking the other post so thanks for your script tutorial.

There is something I would like to ask you about integrating it into my site about the rank that I posted. I have tried a couple of things but cant seem to get it to work.

Also you said that you save your session data to your database. Is it possible for me to do this using your script?

Im off to bed as my head is starting to spin. lol Thanks for all the help though.

Hello only me again.

I have been working at trying to set up that script and include it into my one and have a question.

Can I ask why you use the {} in the database query?

I notice you set out your queries different to how I do mine...

This is your query ...

$query = mysql_query( "SELECT `username` FROM `login` WHERE `id` = {$memid}" ); //
$member = mysql_fetch_assoc( $query );

and this is an example of my query

$variable = fetch("SELECT * FROM table WHERE username = '$variable[username]' AND game = '$game'");

I notice you use the little ` amoungst the query whereas I dont. Why is this? Is it just personal preference or am I producing bad coding?

I have added a field to the table callen rank and then assign a rank to each member. Just been testing it out on a few pages and so far (fingers crossed) it seems to be working so thanks. Just need to try and integrate it all into my website script and was wondering if I should continue using my way of writing the database queries or not.

Should be quite simple to integrate your script I hope.

Thanks again

I do that because its easier to identify php variables in the query. The ` accents are something I do out of personal preference since its easier to find the field or table names. The way you are doing it is fine.

Hiya, thanks for letting me know.

Ive started integrating the script and its very well written so thanks.

However ...I also have a verification page where members have to verify their accounts before logging in.

I was wondering what the script used to encrypt the password as my website used MD5 and when trying to check the password against the database it doesnt work.

Thanks

ah thanks keith. Im having trouble setting up the verfication system when checking the password. I used to simple check it against the md5 but cant seem to get it to work using this sha1. :>/


This is the code im using which was taken from your login. The verifcation script sends an email on registration and then the user has to click a link and then fill in their username and password to confirm the account.

if ( count( $error ) == 0 ) { //if everything is ok so far, keep going (i do this because i don't want to hit the database if the username or password is blank)
        $query = mysql_query( "SELECT `id`,`password`,`is_verified`,`username` FROM `login` WHERE `username` = '{$user}' AND `is_verfied` = '0' LIMIT 1",$con );
        if ( mysql_num_rows( $query ) !== 1 ) { //checks to see if a row was found with username provided by user
            $error[] = 'Username and/or Password incorrect'; //never be specific with errors, makes it hard to crack
        }
        else {
            list( $id,$hash ) = mysql_fetch_row( $query ); //puts the id and password from result into $id and $pass variables
            if ( !checkPassword( $pass,$hash ) ) { //check password from user against the hash in the database.
                $error[] = 'Username and/or Password incorrect';
            }
            if ( count( $error ) == 0 ) { //if now errors found, then set session for login

Is there anything im doing wrong here? It seems to be pulling the error from the username checks. :>/

This article has been dead for over six months. Start a new discussion instead.