Just FYI, I read your previous two messages and decided not to answer them for the following (very subjective) reasons:
1. Your commenting style (############) made my head hurt.
2. The question was a little too open-ended yet the answer would be very specific. I'm happy to write a long-winded blowhard essay if I think it will contribute to a broad discussion of interest to many people. But when it's just in effect a free programming help service, I tend to take on the terser projects. There are plenty of kind-hearted people who will respond to messages like yours, at least sometimes (when they have enough time, or are waiting for a big compile to finish, or feel guilty about cutting someone off on the freeway this morning and want to earn karma back, or whatever).

But it seemed like you were sort of curious as to why you didn't get any response, so there you go.

miguel

On Thu, 6 Jun 2002, Jas wrote:

> I cannot believe that no one with a lot of PHP and MySQL experience has
> replied to this post yet. Is PHP not a secure scripting language? I would
> really like a little insight into this question, anyone?
>
> "Jas" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I posted this yesterday and did not get any response at all? Just wondering
> > if someone can give me some insight into some security measures for a
> > content management application...
> >
> > Posted 06/05/2002
> > Ok, I am not a security expert so I would like to know if the security
> > measures I have implemented are adequate enough to keep people out. Any
> > pointers on this would be very helpful as I am trying to implement a secure
> > way for people to update a website through the use of a content management
> > application. Example of code is as follows
> >
> > // Login form - index.php
> > <form name="authenticate" method="post" action="auth_done.php">
> > <input type="text" name="user" size="20" maxlength="20"><br>
> > <input type="password" name="pw" size="20" maxlength="20"><br>
> > Select an image to identify yourself as an administrator.<br>
> > <select name="image">
> > <option value="image01.jpg">image01</option>
> > <option value="image02.jpg">image02</option>
> > <option value="image03.jpg">image03</option>
> > <option value="image04.jpg">image04</option>
> > <option value="image05.jpg">image05</option>
> > </select><br><br>
> > <input type="submit" name="Login" value="Login">
> > <input type="reset" name="Reset" value="Reset">
> > </form>
> >
> > // Authentication checker - auth_done.php
> > #############check fields for valid entries in form############
> > if ((!$u_name) || (!$p_word) || (!$image)){
> > header("Location: index.php");
> > exit;
> > }
> > ############connects to database############
> > require '/path/to/database/connection/script/dbcon.php';
> > #############selects database table containing users that are allowed to
> > use application############
> > $db_table = 'users';
> > $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw =
> > password(\"$pw\")";
> > $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
> > #############loops through all records to find a match############
> > $num = mysql_numrows($result);
> > if ($num !=0) {
> > #############creates variables for sessions############
> > $p_hash = "$p_word";
> > $to_hash = "$image";
> > #############creates md5 hash of image user selected############
> > $pstring = md5($to_hash);
> > #############creates md5 hash of password user entered############
> > $image_sel = md5(uniqid(microtime($p_word),1));
> > #############starts session for user############
> > session_start();
> > #############registers variables created (md5 of password, username, &
> > image) in session############
> > session_register('user');
> > session_register('$pstring');
> > session_register('$image_sel');
> > #############captures users ip address (logging stuff, not listed in this
> > code for security reasons)############
> > $ipaddy = $REMOTE_ADDR;
> > #############echoes success message to authenticated user############
> > $msg_success = "<b>You have been authorized to make changes to the
> > website! Your IP address has been recorded and sent to the administrator:
> > $ipaddy</b>";
> > } else {
> > #############this prints if user name and password combination is not
> > found in database############
> > print "<p>You are not authorized to use this application!</p>";
> > exit;
> > }
> >
> > Now on each page in the content management app I have these lines of code:
> > #############Start the session#############
> > session_start();
> > #############check session variables#############
> > if (isset($HTTP_SESSION_VARS['user']) ||
> > isset($HTTP_SESSION_VARS['$image_sel']) ||
> > isset($HTTP_SESSION_VARS['$pstring'])) {
> > $main = "Some kinda message for page in question";
> > #############connects to database#############
> > require '/path/to/database/connection/script/dbcon.php';
> > #############if session variables not registered kick the user back to
> > login form#############
> > } else {
> > header ("Location: index.php");
> > }
> >
> > Now just so you know I have changed all the variables to something other
> > than what I am currently using, however I have made sure that this is a
> > working example so everything should work as is. Also I have tested this a
> > few different ways, including: creating a page that tries to include one of
> > the pages I have my security checks on from another website, linking
> > directly to a script within the application etc. In any event, I also have
> > logging set up on each and every script which I have not included here
> > (different topic), just in case someone does get in I can at least "try" to
> > find them. Any help, pointers, tutorials, examples, etc. would be
> > appreciated!!!
> > TIA
> > Jas
> >

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
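For comparison, here is the same login flow and per-page guard written the way a reviewer of the quoted code would ask for it: request fields read explicitly instead of through register_globals, a parameterised query so the username never becomes part of the SQL text, a hashed password comparison, a fresh session id after login, and an AND-ed session check. This is an added example, not code from the thread; it assumes a PDO connection $pdo supplied by dbcon.php (hypothetical) and a users table whose pw column stores password_hash() output rather than MySQL's PASSWORD().

```php
<?php
// Added example, not the code from the thread. Assumes dbcon.php defines $pdo
// (a PDO handle) and that users.pw holds a password_hash() digest.
declare(strict_types=1);

// ---- auth_done.php ----
session_start();

$user  = $_POST['user']  ?? '';   // read explicitly; never rely on register_globals
$pw    = $_POST['pw']    ?? '';
$image = $_POST['image'] ?? '';

if ($user === '' || $pw === '' || $image === '') {
    header('Location: index.php');
    exit;
}

require '/path/to/database/connection/script/dbcon.php'; // provides $pdo (assumed)

// Parameterised query: the username is bound, not interpolated into the SQL.
$stmt = $pdo->prepare('SELECT un, pw FROM users WHERE un = :un');
$stmt->execute([':un' => $user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same branch for unknown user and wrong password, so the reply does not
// say which of the two failed.
if ($row === false || !password_verify($pw, $row['pw'])) {
    print '<p>You are not authorized to use this application!</p>';
    exit;
}

session_regenerate_id(true);            // new id after login: session fixation defence
$_SESSION['user']      = $row['un'];
$_SESSION['image_sel'] = hash('sha256', $image); // kept only because the original flow
                                                 // uses it; a 5-way choice is not a factor
$_SESSION['logged_in'] = true;
$ipaddy = $_SERVER['REMOTE_ADDR'];      // for the audit log, as in the original

// ---- guard for every page of the content management app ----
// (put in an include; each page calls session_start() then require_login()).
// Every marker must be present (AND, not OR) before the page is served.
function require_login(): void
{
    if (empty($_SESSION['logged_in'])
        || !isset($_SESSION['user'], $_SESSION['image_sel'])) {
        header('Location: index.php');
        exit;
    }
}
```

The `||` in the original guard meant that any one registered session key was enough to pass; the guard above only admits a session that carries all of them, and only after a password_verify() success set them.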