PHP is secure, it's up to the programmer to make sure the script they write is secure.

I'd guess the reason that no one has replied is because we hate reading 75+ lines of code. In my experience on this list, the best answers come when you ask a specific question about a specific problem... NOT when you post a big chunk of code and ask a vague question.

Perhaps another way you could assess your script's security is to download a popular, respected application (like an e-commerce library, content management library, etc etc) which has similar needs to yours, and see how they do it. Or check out a decent article on the subject. Security is a massive topic.

Justin French
--------------------
Creative Director
http://Indent.com.au
--------------------

on 07/06/02 3:18 AM, Jas ([EMAIL PROTECTED]) wrote:

> I cannot believe that no one with a lot of PHP and MySQL experience has
> replied to this post yet. Is PHP not a secure scripting language? I would
> really like a little insight into this question, anyone?
>
> "Jas" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>> I posted this yesterday and did not get any response at all? Just
>> wondering if someone can give me some insight into some security measures
>> for a content management application...
>>
>> Posted 06/05/2002
>> Ok, I am not a security expert so I would like to know if the security
>> measures I have implemented are adequate enough to keep people out. Any
>> pointers on this would be very helpful as I am trying to implement a
>> secure way for people to update a website through the use of a content
>> management application.
>>
>> Example of code is as follows
>>
>> // Login form - index.php
>> <form name="authenticate" method="post" action="auth_done.php">
>> <input type="text" name="user" size="20" maxlength="20"><br>
>> <input type="password" name="pw" size="20" maxlength="20"><br>
>> Select an image to identify yourself as an administrator.<br>
>> <select name="image">
>> <option value="image01.jpg">image01</option>
>> <option value="image02.jpg">image02</option>
>> <option value="image03.jpg">image03</option>
>> <option value="image04.jpg">image04</option>
>> <option value="image05.jpg">image05</option>
>> </select><br><br>
>> <input type="submit" name="Login" value="Login">
>> <input type="reset" name="Reset" value="Reset">
>> </form>
>>
>> // Authentication checker - auth_done.php
>> #############check fields for valid entries in form############
>> if ((!$u_name) || (!$p_word) || (!$image)){
>>     header("Location: index.php");
>>     exit;
>> }
>> ############connects to database############
>> require '/path/to/database/connection/script/dbcon.php';
>> #############selects database table containing users that are allowed to use application############
>> $db_table = 'users';
>> $sql = "SELECT * from $db_table WHERE un = \"$user\" AND pw = password(\"$pw\")";
>> $result = @mysql_query($sql,$dbh) or die("Couldn't execute query");
>> #############loops through all records to find a match############
>> $num = mysql_numrows($result);
>> if ($num !=0) {
>>     #############creates variables for sessions############
>>     $p_hash = "$p_word";
>>     $to_hash = "$image";
>>     #############creates md5 hash of image user selected############
>>     $pstring = md5($to_hash);
>>     #############creates md5 hash of password user entered############
>>     $image_sel = md5(uniqid(microtime($p_word),1));
>>     #############starts session for user############
>>     session_start();
>>     #############registers variables created (md5 of password, username, & image) in session############
>>     session_register('user');
>>     session_register('$pstring');
>>     session_register('$image_sel');
>>     #############captures users ip address (logging stuff, not listed in this code for security reasons)############
>>     $ipaddy = $REMOTE_ADDR;
>>     #############echoes success message to authenticated user############
>>     $msg_success = "<b>You have been authorized to make changes to the website! Your IP address has been recorded and sent to the administrator: $ipaddy</b>";
>> } else {
>>     #############this prints if user name and password combination is not found in database############
>>     print "<p>You are not authorized to use this application!</p>";
>>     exit;
>> }
>>
>> Now on each page in the content management app I have these lines of code:
>> #############Start the session#############
>> session_start();
>> #############check session variables#############
>> if (isset($HTTP_SESSION_VARS['user']) ||
>>     isset($HTTP_SESSION_VARS['$image_sel']) ||
>>     isset($HTTP_SESSION_VARS['$pstring'])) {
>>     $main = "Some kinda message for page in question";
>>     #############connects to database#############
>>     require '/path/to/database/connection/script/dbcon.php';
>> #############if session variables not registered kick the user back to login form#############
>> } else {
>>     header ("Location: index.php");
>> }
>>
>> Now just so you know I have changed all the variables to something other
>> than what I am currently using, however I have made sure that this is a
>> working example so everything should work as is. Also I have tested this a
>> few different ways, including: creating a page that tries to include one of
>> the pages I have my security checks on from another website, linking
>> directly to a script within the application etc. In any event, I also have
>> logging setup on each and every script which I have not included here
>> (different topic), just in case someone does get in I can at least "try" to
>> find them. Any help, pointers, tutorials, examples, etc. would be
>> appreciated!!!
>> TIA
>> Jas
>>
>>
>>
>>
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
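As an added example that is not part of the thread, here is how the auth_done.php check and the per-page guard from the post would be written against modern PHP: input is read only from $_POST instead of relying on register_globals, the username is bound as a prepared-statement parameter rather than interpolated into the SQL string, the stored password is checked with password_verify(), the session id is regenerated on login, and the guard requires every session marker to be present. It assumes dbcon.php provides a PDO handle in $dbh (the original used the mysql_* extension) and a users table with columns un and pw_hash holding password_hash() output.

```php
<?php
// Added example, not the original poster's code. Assumes dbcon.php sets up a
// PDO connection in $dbh and a `users` table with columns un and pw_hash
// (password_hash() output); both the PDO handle and pw_hash are assumptions.
declare(strict_types=1);
session_start();

function authenticate(PDO $dbh, string $user, string $pw, string $image): bool
{
    // Bound parameter: the username never becomes part of the SQL text, which
    // is what allowed `un = \"$user\"` in the original to be manipulated.
    $stmt = $dbh->prepare('SELECT pw_hash FROM users WHERE un = :un');
    $stmt->execute([':un' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $row['pw_hash'] ?? password_hash('unknown-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pw, $hash)) {
        return false;
    }
    // New session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['image_tag']  = hash('sha256', $image);
    $_SESSION['login_time'] = time();
    return true;
}

function requireLogin(): void
{
    // The original guard used isset(...) || isset(...), so any single
    // registered variable was enough. Here every marker must be present.
    if (empty($_SESSION['user']) || empty($_SESSION['image_tag'])) {
        header('Location: index.php');
        exit;
    }
}

// auth_done.php: read the form fields explicitly from $_POST.
require '/path/to/database/connection/script/dbcon.php';
$user  = (string) ($_POST['user']  ?? '');
$pw    = (string) ($_POST['pw']    ?? '');
$image = (string) ($_POST['image'] ?? '');
if ($user === '' || $pw === '' || $image === ''
    || !authenticate($dbh, $user, $pw, $image)) {
    header('Location: index.php');
    exit;
}
echo '<p>You have been authorized to make changes to the website.</p>';
```

Each protected page then calls requireLogin() right after session_start() instead of repeating the isset() chain from the post.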