No language is "secure".... becuase there's no such thing. even supposedly secure Java VM sandboxes have well-known security exploits.
PHP code is as secure as you write it. Bad programmer = bad code Name any language or program and there are well-documented ways to subvert it. Buffer overflows in "C", and flawed Double-byte char support in "IIS", to name a few recent and better-known exploits. --- Scott Hurring Systems Programmer EAC Corporation [EMAIL PROTECTED] Voice: 201-462-2149 Fax: 201-288-1515 > -----Original Message----- > From: Adam Voigt [mailto:[EMAIL PROTECTED]] > Sent: Thursday, June 06, 2002 1:22 PM > To: [EMAIL PROTECTED] > Subject: Re: [PHP] Re: Anyone? > > > Yes, PHP is a secure programming language. > > On Thu, 2002-06-06 at 13:18, Jas wrote: > > I cannot believe that no one with alot of PHP and MySQL > experience has not > > replied to this post yet. Is PHP not a secure scripting > language? I would > > really like a little insight into this question, anyone? > > > > "Jas" <[EMAIL PROTECTED]> wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > I posted this yesterday and did not get any response at all? Just > > wondering > > > if someone can give me some insight into some security > measures for a > > > content management application... > > > > > > Posted 06/05/2002 > > > Ok, I am not a security expert so I would like to know if > my security > > > measures I have implimented is adequate enough to keep > people out. Any > > > pointers on this would be very helpful as I am trying to > impliment a > > secure > > > way for people to update a website through the use of a > content management > > > application. Example of code is as follows > > > > > > // Login form - index.php > > > <form name="authenticate" method="post" action="auth_done.php"> > > > <input type="text" name="user" size="20" maxlength="20"><br> > > > <input type="password" name="pw" size="20" maxlength="20"><br> > > > Select an image to identify yourself as an administrator.<br> > > > <select name="image"> > > > <option value="image01.jpg">image01</option> > > > <option value="image02.jpg">image02</option> > > > <option value="image03.jpg">image03</option> > > > <option value="image04.jpg">image04</option> > > > <option value="image05.jpg">image05</option> > > > </select><br><br> > > > <input type="submit" name="Login" value="Login"> > > > <input type="reset" name="Reset" value="Reset"> > > > </form> > > > > > > // Authentication checker - auth_done.php > > > #############check fields for valid entries in form############ > > > if ((!$u_name) || (!$p_word) || (!$image)){ > > > header("Location: index.php"); > > > exit; > > > } > > > ############connects to database############ > > > require '/path/to/database/connection/script/dbcon.php'; > > > #############selects database table containing users > that are allowed to > > > use application############ > > > $db_table = 'users'; > > > $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = > > > password(\"$pw\")"; > > > $result = @mysql_query($sql,$dbh) or die("Couldn't > execute query"); > > > #############loops through all records to find a > match############ > > > $num = mysql_numrows($result); > > > if ($num !=0) { > > > #############creates variables for sessions############ > > > $p_hash = "$p_word"; > > > $to_hash = "$image"; > > > #############creates md5 hash of image user selected############ > > > $pstring = md5($to_hash); > > > #############creates md5 hash of password user > entered############ > > > $image_sel = md5(uniqid(microtime($p_word),1)); > > > #############starts session for user############ > > > session_start(); > > > #############registers variables created (md5 of > password, username, & > > > image) in session############ > > > session_register('user'); > > > session_register('$pstring'); > > > session_register('$image_sel'); > > > #############captures users ip address (logging stuff, > not listed in > > this > > > code for security reasons)############ > > > $ipaddy = $REMOTE_ADDR; > > > #############echoes success message to authenticated > user############ > > > $msg_success = "<b>You have been authorized to make > changes to the > > > website! Your IP address has been recorded and sent to > the administrator: > > > $ipaddy</b>"; > > > } else { > > > #############this prints if user name and password > combination is not > > > found in database############ > > > print "<p>You are not authorized to use this application!</p>"; > > > exit; > > > } > > > > > > Now on each page in the content management app I have > these lines of code: > > > #############Start the session############# > > > session_start(); > > > #############check session variables############# > > > if (isset($HTTP_SESSION_VARS['user']) || > > > isset($HTTP_SESSION_VARS['$image_sel']) || > > > isset($HTTP_SESSION_VARS['$pstring'])) { > > > $main = "Some kinda message for page in question"; > > > #############connects to database############# > > > require '/path/to/database/connection/script/dbcon.php'; > > > #############if session variables not registered kick > the user back to > > > login form############# > > > } else { > > > header ("Location: index.php"); > > > } > > > > > > Now just so you know I have changed all the variables to > something other > > > than what I am currently using, however I have made sure > that this is a > > > working example so everything should work as is. Also I > have tested this > > a > > > few different ways, including: creating a page that > tries to include one > > of > > > the pages I have my security checks on from another > website, linking > > > directly to a script within the application etc. In any > event, I also > > have > > > logging setup on each and every script which I have not > included here > > > (different topic), just in case someone does get in I can > at least "try" > > to > > > find them. Any help, pointers, tutorials, examples, etc. would be > > > appreciated!!! > > > TIA > > > Jas > > > > > > > > > > > > > > > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
