Search the Community

Showing results for tags 'security'.

Found 25 results

  2. Hi everyone, I am basically new to this forum so I didn't really know where to post this question. Basically what happened: I made a site. On this site is a particular commenting system where I used PHP AJAX the jQuery way. My teacher saw my website and wanted to test something, so he left a comment with <b>example</b> and his comment turned out to be bold text. To me and the safety of my site it is a dangerous thing, as people are required to leave their email in the form (not shown in the actual comment but saved in the DB). He also said that with his knowledge he could use <script>alert(document.cookie)</script> to make me use his cookie to log in to phpMyAdmin, essentially granting him access to all my databases. Now my question is: "how can I use htmlentities() on AJAX?" He suggested

         $comment = htmlentities( $_POST['comment'] );

     but since all of my fields are written like this:

         $commentId = isset($_POST['comment_id']) ? $_POST['comment_id'] : "";
         $comment = isset($_POST['comment']) ? $_POST['comment'] : "";
         $commentSenderName = isset($_POST['name']) ? $_POST['name'] : "";
         $date = date('Y-m-d H:i:s');

     there is no way I can figure out where to put it... These are my PHP files, take a look if you wish, but I removed my db.php database password and replaced my database name in the form (for security reasons). (You may also see comments.php as index.php, since I already had an index.php so I renamed it to something else.) Attachments: comment-add.php comment-list.php comments.php db.php
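As an added example that is not part of the poster's files: one way to lay out comment-add.php and comment-list.php so that the teacher's <b> and <script> tests render as literal text. It assumes db.php defines a PDO connection $pdo and a comments table with columns parent_id, name, email, comment and created (assumed names); the raw comment is stored unchanged and escaped every time it is output.

```php
<?php
// Added example, not the poster's code. Assumes db.php defines $pdo (a PDO
// connection) and a table comments(id, parent_id, name, email, comment, created);
// the column names are assumptions.
declare(strict_types=1);

// Read a POST field with a default, the same shape as the poster's assignments.
function postField(string $key, string $default = ''): string
{
    return isset($_POST[$key]) ? (string) $_POST[$key] : $default;
}

// Escape for HTML text and attribute context. ENT_QUOTES also encodes single
// quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
// "<b>example</b>" becomes "&lt;b&gt;example&lt;/b&gt;" and renders literally.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One comment as HTML. Escaping happens at OUTPUT time, so the raw text can be
// stored unchanged and reused later (editing, plain-text export, moderation).
function renderComment(string $name, string $comment): string
{
    return '<div class="comment"><strong>' . escapeHtml($name) . '</strong>: '
        . nl2br(escapeHtml($comment)) . '</div>' . "\n";
}

// comment-add.php: validate, store the raw text via a prepared statement,
// and return the already-escaped HTML for the jQuery caller to insert.
function addComment(PDO $pdo): array
{
    $parentId = (int) postField('comment_id', '0');
    $comment  = trim(postField('comment'));
    $name     = trim(postField('name'));
    $email    = trim(postField('email'));

    if ($comment === '' || $name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'Name, a valid email and a comment are required.'];
    }
    if (mb_strlen($comment) > 2000 || mb_strlen($name) > 100) {
        return ['ok' => false, 'error' => 'Comment or name too long.'];
    }

    $stmt = $pdo->prepare(
        'INSERT INTO comments (parent_id, name, email, comment, created) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$parentId, $name, $email, $comment, date('Y-m-d H:i:s')]);

    return ['ok' => true, 'html' => renderComment($name, $comment)];
}

// comment-list.php: the email column is never selected, so it never reaches
// the browser, and every row goes through renderComment().
function listComments(PDO $pdo): string
{
    $rows = $pdo->query('SELECT name, comment FROM comments ORDER BY created DESC');
    $html = '';
    foreach ($rows as $row) {
        $html .= renderComment($row['name'], $row['comment']);
    }
    return $html;
}

require 'db.php';
header('Content-Type: application/json; charset=UTF-8');
// The jQuery side should insert data.html with .html() (it is escaped already)
// and show data.error with .text(), so the error string cannot carry markup.
echo json_encode(addComment($pdo));
```

Setting the session cookie with the HttpOnly flag (session.cookie_httponly in php.ini) keeps document.cookie from exposing it even if some other output path is missed.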
  3. BACKGROUND: As always I am concerned about security on the one hand, but do not wish to over-code on the other. In the following outlined procedure the data is fetched from the super secure, vast thicket of layered PHP and sent after translation.

     THE PROCEDURE:

       1. Create two MySQL tables linked with a foreign key.
       2. Make a method call to the Matomo API and retrieve a four-tiered nested array containing two tiers of visitor data. The first tier consists of an indexed array whose 100 elements each correspond to a single visit to the Grammar Captive website. The second tier consists of an associative array, one for each of the 100 elements of the first tier. The third tier consists of an indexed array of varying length corresponding to one of the elements of each of the second-tier arrays. Each element of this third-tier array contains an associative array of varying length whose elements correspond to different actions and/or events associated with the respective visit. The fourth tier contains the data for each recorded action or event.
       3. Generate two classes: one for the visit data (2nd tier), and one for the action/event data (4th tier).
       4. Translate the keys of the key-value pairs of the two aforementioned tiers so that their values can be properly inserted into either of the two data tables.
       5. Insert the translated data into the two data tables via two separate objects created from the two classes.

     With the exception of the creation of the data tables, Steps 1-5 are all performed within the context of the same PHP document.

     QUESTION: Do you see any security risk in the above? Roddy
  4. Hi all, I'm trying to control where a visitor enters my website. I only want a visitor to open my homepage, pass security and then continue, like a menu-driven app. I know you can enter a domain name and a slash and go to that page in the website, like 'amazon.com/tools' will bring up the tool page. Is there a way to prevent this from happening? Can it be turned off or on according to a security level imposed? I only want higher-level users to see pages like 'checkswritten.html' or 'incomelevel.html' and not a casual user typing in 'myDomain/incomelevel'. Anybody can see the links in <a href> or where buttons take you, so they could learn all your pages and go directly to them. Do you need to invoke security precautions on every page? Thank you for responses, Gil
  5. I would like to share with you a message that I posted on the Matomo forum for which I am not expecting a satisfactory reply. I suspect that Matomo will be unwilling to entertain the idea for fear of opening a Pandora's box of insecurity for casual users and thereby endangering its reputation as a secure web utility. Matomo's fear need not be my own, however, with the proper guidance. BACKGROUND: After several weeks of enormous frustration I was finally able to access the Matomo web application directly with PHP. I was able to achieve this somewhat (for me) monumental task by renaming the .htaccess file (see below) in the /matomo/config folder and thus canceling its prohibitive effect. Obviously, this file was placed in the /matomo/config folder as a matter of security -- security, mind you, that I do not wish to compromise. This said, an unending series of HTTP requests uses up an enormous number of resources, and I wish to share the data that I collect about my users with my users via my own custom-built PHP files, for which I require direct communication with the Matomo application. (I have no desire to play the governmental game of protect-and-deceive -- read GDPR or NSA). So, I explored the internet and found alternative contents <https://www.slicewise.net/php/piwik-absichern/> to the current .htaccess file in use by Matomo as of 3.5.1. REQUEST: Would anyone like to comment on the merging of these two files (see below) into a workable arrangement that would give me, the superuser, direct access to the Matomo web application via PHP, but deny access to everyone else except through those channels already set in place by Matomo for anonymous users and opt-in/out visitors.

     PROPOSED FILE

         <Files "*">
             AuthUserFile /path/to/piwik.htpasswd
             AuthName Piwik-Password
             AuthType Basic
             <RequireAny>
                 Require valid-user
                 Require ip <your-server-ip> #needed for some scripts
             </RequireAny>
         </Files>
         <Files ~ "^piwik\.(js|php)|robots\.txt|idxsec\.php|favicon\.ico$">
             Require all granted
         </Files>

     CURRENT FILE

         <Files "*">
             <IfModule mod_version.c>
                 <IfVersion < 2.4>
                     Order Deny,Allow
                     Deny from All
                 </IfVersion>
                 <IfVersion >= 2.4>
                     Require all denied
                 </IfVersion>
             </IfModule>
             <IfModule !mod_version.c>
                 <IfModule !mod_authz_core.c>
                     Order Deny,Allow
                     Deny from All
                 </IfModule>
                 <IfModule mod_authz_core.c>
                     Require all denied
                 </IfModule>
             </IfModule>
         </Files>

     My goal is to give my visitors an important glimpse into the reality of data collection and analysis. I now know that I am able to do this by eliminating the .htaccess file. Elimination of the file is, however, not my goal. Roddy
  6. Dear all, As you know, an .htaccess file placed in a directory to be affected (protected) is useful in websites hosted on an Apache server to protect such directories from prying eyes. But I have noticed that the recommendation is to place such files inside certain directories only, e.g., inside the includes and views (that contain the home page, shopping cart, listing of products, etc.) directories. I thought we could as well protect all other directories should there be no downside to protecting all. Any thoughts on why we should not include an .htaccess file inside all directories will be appreciated.
  7. Hi, I'm using PHPMailer to send email from a contact form using Gmail SMTP, which requires including the SMTP password directly in the PHP script like so:

         $mail->Password = 'mypassword';

     According to what I've found on the net, it seems that it's not recommended since the password can be easily hacked. Thus, I'm wondering how to protect my password. I've found people recommending to put the password in an INI file outside the webroot and then to retrieve it using the parse_ini_file() function. My problem is that I'm not sure I understand the "outside the webroot" part… if anyone could explain this to me and how to do it, it would be much appreciated. Also, should I protect the INI file with a .htaccess? Thanks.
  8. Hi, I'm new to PHP and I was wondering if it's perfectly safe to use $_SERVER['PHP_SELF'] like so:

         <body<?php if(basename($_SERVER['PHP_SELF']) == 'home.php') echo ' class="home"'; ?>>
         …
         </body>

     As far as I understand, the $_SERVER['PHP_SELF'] variable can only be exploited when used as a link or in a form/inputs, where the variable should be wrapped in htmlspecialchars() to counter XSS attacks, am I right?
  9. My goal is to store JavaScript code in a database. My first idea was to use htmlspecialchars, store it in MySQL in a table column and later retrieve it with htmlspecialchars_decode. All this to prevent injection / hacking. But online I read one or two warnings that it wouldn't work, which I assume is so (I didn't test it, but it seems quite obvious afterwards). So my question is: is it possible to have a user store JavaScript in a database and use it in a PHP script for specific purposes in a secure way?
  10. Hi all, I would like to know whether it is possible or not to build a secure login script. The script I have as an example is mainly in PHP. I read a couple of tutorials online and watched some YouTube videos and discovered that both JavaScript and PHP are used. I don't know much about encryption but more and more questions are rising ..... Is it true that it is possible to add JavaScript encryption when you want a user to log in? My own idea is that this looks quite insecure as anybody can see the encryption code. I have more questions but first I would like to know this if possible.
  11. I am a complete newbie and will be embarking on a big project to use a device for learning the web dev languages. That being said, with the availability of page source code info, inspect element etc., what should I be studying at the outset so that my design can't merely be cut and pasted and sold after all my hard work? I know there are copyright laws, but we all know they are only as good as the paper they were written on if a person is determined to pirate something.
  12. Hi guys! I have an issue with my web pages: from the homepage I can go to page two without clicking on the link, just by adding #pagetwo in the address bar. Has someone solved this using JavaScript or something like that? I'm attaching an example for those who will try to help me. Thanks! PageTransitionProblem.html
  13. In my current website project, I would like to design a secure area for members. I have built basic login systems before, but I want to build something more secure this time. One of the things I would like to do is route requests using the HTTPS protocol. In my research on how to do this, I have been starting to learn about SSL certificates. As I understand it, in order to create an SSL encrypted connection that users can be confident in, I must purchase a certificate from a certificate authority (CA). I am questioning whether I really need to do this, though. Neither money nor information that is extremely sensitive would be handled in the secure area. The purpose of the website is of a nature that membership would be restricted to those personally acquainted with me, so it's not like they would be using a website with some vague "entity" operating it. They could trust me. Would that make it safe for me to use a self-signed SSL certificate? My only suspicion is that a hijacker could potentially inject a new SSL certificate (not sure if this is possible...) and trick users, since neither his nor mine would be signed by a trusted CA. I could just get a cheap certificate, but I would like to avoid spending money on this if I don't have to. Maybe a free certificate would be okay? I'm not sure. What do you think is the best course of action for my situation?
  14. davej

    Php security?

    I am feeling rather overwhelmed by the number of security-related issues. I think I know the basics related to untrusted external inputs and database risks but looking at...https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
  15. CMS/Forum session/cookie management and security, picking a good example. I am starting an open-source GPL forum project primarily for the sake of learning. I have been looking at the different implementations for user authentication and session management of different CMS and forum packages, trying to go through and learn what is being done. Also wondering which makes for the best example of a good clean way to implement it. I would prefer to store the bare minimum cookies client side and keep most data in session variables server side, unless there is a good reason to have another cookie or two, like if it somehow added additional security. SMF & Drupal make use of the standard session_start(), and both also use the database for session management (more scalable). phpBB3 also uses the database for session management, but does not use the standard session_start(); it uses a custom implementation using session_begin(), session_create(), session_kill(), session_gc(). I like that Drupal only had the one session cookie, however it takes me much longer to follow the functions and understand what is happening with Drupal code. In Drupal a lot of things are generated, like forms etc., using a single function; this is very clean as it reuses a lot of code, however I would rather learn from something easier to follow. I can always make the code more efficient afterwards. MyBB seemed to set more cookies than the rest, and did not make use of the standard session_start(); I am unsure if it uses the DB for session management. Right now I think I have it narrowed down to either SMF or phpBB3; I am kinda leaning toward phpBB because of a post I found: https://www.phpbb.co...49840#p12949840 "Stealing a session id/key is not enough to get logged in. The IP must match to the extent defined in the ACP. Also, the browser user-agent must match (enabled by default). Additionally, you can have it check the x_forwarded_for value."
     I would think the extra checks like user-agent, IP, x_forwarded_for would help mitigate XSS and session fixation. phpBB3 key function quote: "Multiple keys may exist for each user representing different browsers or locations." I am curious if they limited the number of sessions per user, so that a malicious user can't intentionally create tons of session keys on purpose. SMF may have the same checks, I am unsure. (I do not see IP or x_forwarded_for checks in the 'Cookies and Sessions' admin section of SMF, but they could be hardcoded.) Any insight or opinions on the subject are appreciated, or if you know of another open-source CMS or forum that I should take a look at as a good example. At the moment I am leaning towards further studying the phpBB3 implementation and trying to implement something similar.
  16. I have been developing a PHP web site. I have been trying to follow suggested best practices. I am running an Ubuntu minimalist install, and installed the following packages: nginx php5 php5-fpm postgresql phppgadmin php5-gd. I have nginx up and running instead of Apache. I have done some basic configuration for nginx, got my vhost set up and linked, and I am now able to browse my PHP pages on my local test machine running Ubuntu. I have created my PostgreSQL database, and have a user set up. So I am to the point that I wanted to create a page to register/login/change password. I searched and found http://stackoverflow...asswords-safely (it was posted back in 2010); it links to this guide using phpass: http://www.openwall....Users-Passwords The guide/tutorial was created using MySQL; I have been swapping out functions for their equivalent PostgreSQL functions using the PostgreSQL documentation. I modified the guide to the point that I can create new users in my PostgreSQL database. When I got to the point "How to authenticate existing users" I hit a snag.

     MySQL version from the guide:

         } else {
             $hash = '*'; // In case the user is not found
             ($stmt = $db->prepare('select pass from users where user=?'))
                 || fail('MySQL prepare', $db->error);
             $stmt->bind_param('s', $user)
                 || fail('MySQL bind_param', $db->error);
             $stmt->execute()
                 || fail('MySQL execute', $db->error);
             $stmt->bind_result($hash)
                 || fail('MySQL bind_result', $db->error);
             if (!$stmt->fetch() && $db->errno)
                 fail('MySQL fetch', $db->error);
             if ($hasher->CheckPassword($pass, $hash)) {
                 $what = 'Authentication succeeded';
             } else {
                 $what = 'Authentication failed';
             }
             unset($hasher);
         }

     My version:

         } else {
             $hash = '*'; // In case the user is not found
             pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1')
                 or fail('pg_prepare failed ', pg_last_error($dbconn));
             $hashx = pg_execute($dbconn, "quser", array($user))
                 or fail('pg_execute failed ', pg_last_error($dbconn));
             $hash = pg_fetch_result($hashx, 1, 'pass');
             if (!$hash && pg_last_error($dbconn))
                 fail('pg_execute failed.2 ', pg_last_error($dbconn));
             if ($hasher->CheckPassword($pass, $hash)) {
                 $what = 'Authentication succeeded';
             } else {
                 $what = 'Authentication failed';
                 $op = 'fail'; // Definitely not 'change'
             }

     I think it has to do with bind_result($hash). I used $hashx = pg_execute(); I assumed it would take the results of pg_execute() and store them in the $hashx variable, and I thought that was what bind_result($hash) was doing in the MySQL example.
     Here is the error from the server logs:

         2013/02/15 19:01:12 [error] 16860#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: pg_fetch_result(): Unable to jump to row 1 on PostgreSQL result index 5 in ..../testing.com/public/inc/user-man.php on line 91" while reading response header from upstream, client:, server: testing.com, request: "POST /inc/user-man.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.com", referrer: "http://testing.com/inc/user-man.html"

     Also, if anyone has any input on whether or not this is still best practice for user registration/password security, please let me know. In addition to having a good user/password system I know that I am going to need to recheck my configuration for both nginx and PostgreSQL to make sure everything is locked down and secure, as well as user permissions; I have not looked for any info/guides on any of this yet. Thanks so much for any responses, I appreciate it.
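As an added example (not the poster's code or the openwall guide): the lookup step rewritten for the pg_* functions so that the warning in the log cannot occur. It assumes $dbconn from pg_connect(), the users(pk_users, pass) table from the post, and password hashes created with PHP's own password_hash(), so phpass's CheckPassword() is replaced by password_verify(); that swap is an assumption, not part of the poster's setup.

```php
<?php
// Added example, not the poster's code. The failing call in the post is
// pg_fetch_result($hashx, 1, 'pass'): pg_* result rows are 0-indexed and the
// query returns at most one row, so row 1 never exists. This version reads
// row 0 and checks pg_num_rows() first. Assumes $dbconn from pg_connect(), a
// table users(pk_users, pass) as in the post, and hashes from password_hash().
declare(strict_types=1);

// Returns the stored hash, or null when no such user exists.
function fetchHash($dbconn, string $user): ?string
{
    // A named statement can be prepared only once per connection; pg_prepare()
    // returns false if 'quser' already exists, so prepare it once per request.
    if (!pg_prepare($dbconn, 'quser', 'SELECT pass FROM users WHERE pk_users = $1')) {
        throw new RuntimeException('pg_prepare failed: ' . pg_last_error($dbconn));
    }
    $result = pg_execute($dbconn, 'quser', [$user]);
    if ($result === false) {
        throw new RuntimeException('pg_execute failed: ' . pg_last_error($dbconn));
    }
    if (pg_num_rows($result) === 0) {
        return null;                                        // unknown user
    }
    return (string) pg_fetch_result($result, 0, 'pass');   // row 0, not row 1
}

// True only when the user exists and the password matches the stored hash.
function authenticate($dbconn, string $user, string $pass): bool
{
    $hash = fetchHash($dbconn, $user);
    if ($hash === null) {
        // Also run a hash computation for unknown users so the response time
        // does not reveal whether an account exists.
        password_verify($pass, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($pass, $hash);
}

// Usage in the poster's flow: the $what message stays generic either way.
// $what = authenticate($dbconn, $user, $pass) ? 'Authentication succeeded'
//                                              : 'Authentication failed';
```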
  17. I posted this in General, but I'll also post it here in the specific Java area... Does this threat imply the use of malicious applets? I'm not sure. http://www.cbsnews.c...-java-software/ "The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts." http://www.us-cert.g.../TA13-010A.html http://www.slashgear.com/turn-off-java-they-warn-heres-how-you-do-it-12265037/
  18. Hello, I'm wondering if I can prevent brute-force attacks on my webpage, for example by creating this. This should work if the user doesn't close and re-open the page after attempts are out, but I have no idea how brute-force does it.

     Login page

         <?php
         session_start();
         if(isset($_SESSION['login_attempt']) && $_SESSION['login_attempt'] < 6) {
         } else {
             //Form here
         }
         ?>

     Login confirm page

         <?php
         session_start();
         if (isset($_SESSION['Rights']) && $_SESSION['login_attempt'] < 6) {
             header("Location: index.php");
         } elseif (isset($_POST['password']) && isset($_POST['username']) && $_SESSION['login_attempt'] < 6) {
             //LOGIN SCRIPT HERE
         } elseif ($rows > 0) {
             //user has logged in correctly
             //FEW SESSIONS TO STORE DATA
         } else {
             if (!isset($_SESSION['login_attempt'])) {
                 $_SESSION['login_attempt'] = 1;
             } else {
                 $_SESSION['login_attempt'] = $_SESSION['login_attempt'] + 1;
             }
             if ($_SESSION['login_attempt'] < 6) {
                 echo (5 - $_SESSION['login_attempt']) . " attempts left";
             }
         }
         }
         ?>

     Read more about brute-force here http://en.wikipedia.org/wiki/Brute-force_attack Read more about SQL injections here (this prevention is a MUST-have for an SQL-based webpage) http://en.wikipedia.org/wiki/SQL_injection
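As an added example (not the poster's code): a login confirm page that counts failures on the server, keyed on the username and client address, so that a client which simply discards its session cookie does not start again with a fresh counter. It assumes db.php defines a PDO connection $pdo to MySQL, a users(username, password_hash) table, and a login_attempts(username, ip, failures, last_failure) table with a primary key on (username, ip); all of these names are assumptions.

```php
<?php
// Added example, not the poster's code. Failures are counted server side per
// (username, client IP), so throwing away the session cookie does not reset
// the allowance. Assumes db.php defines $pdo (PDO, MySQL) and these assumed
// tables:
//   users(username, password_hash)   -- hashes created with password_hash()
//   login_attempts(username, ip, failures, last_failure), PRIMARY KEY (username, ip)
declare(strict_types=1);

const MAX_FAILURES = 5;
const LOCKOUT_SECS = 15 * 60;

// True while this user/IP pair has reached the limit inside the lockout window.
function isLocked(PDO $pdo, string $user, string $ip): bool
{
    $stmt = $pdo->prepare(
        'SELECT failures, last_failure FROM login_attempts WHERE username = ? AND ip = ?'
    );
    $stmt->execute([$user, $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $age = time() - strtotime($row['last_failure']);
    return (int) $row['failures'] >= MAX_FAILURES && $age < LOCKOUT_SECS;
}

// MySQL upsert; PostgreSQL would use INSERT ... ON CONFLICT instead.
function recordFailure(PDO $pdo, string $user, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO login_attempts (username, ip, failures, last_failure)
         VALUES (?, ?, 1, NOW())
         ON DUPLICATE KEY UPDATE failures = failures + 1, last_failure = NOW()'
    );
    $stmt->execute([$user, $ip]);
}

function clearFailures(PDO $pdo, string $user, string $ip): void
{
    $stmt = $pdo->prepare('DELETE FROM login_attempts WHERE username = ? AND ip = ?');
    $stmt->execute([$user, $ip]);
}

// Returns true on success. Wrong password, unknown user and lockout all give
// the same false, so the response does not reveal which accounts exist.
function attemptLogin(PDO $pdo, string $user, string $pass, string $ip): bool
{
    if (isLocked($pdo, $user, $ip)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash !== false && password_verify($pass, (string) $hash)) {
        clearFailures($pdo, $user, $ip);
        session_regenerate_id(true);   // fresh session id after login (anti-fixation)
        $_SESSION['Rights'] = 'user';  // same session key the poster uses
        return true;
    }
    recordFailure($pdo, $user, $ip);
    return false;
}

session_start();
require 'db.php';
$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';
$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if ($user !== '' && $pass !== '' && attemptLogin($pdo, $user, $pass, $ip)) {
    header('Location: index.php');
    exit;
}
echo 'Login failed.';   // no "attempts left" hint; it only tells the caller how the limit works
```

Keying the counter on (username, ip) rather than on the username alone limits how easily a third party can lock a victim out of their own account; a slower per-account limit on top, or a CAPTCHA after repeated failures, covers attempts spread across many addresses.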
  19. sepoto


    I am currently reading the title "Essential PHP Security". I see one of the topics is concerning the use of "htmlentities()". I have looked up the functions man page on php.net and I do understand what it is doing however I don't yet fully understand how the use of "htmlentities()" is supposed to make my application more secure. Could someone explain this a bit? Thanks!
  20. http://www.forbes.com/sites/andygreenberg/2012/08/31/oracles-java-security-woes-mount-as-researchers-spot-a-bug-in-its-critical-bug-fix/ http://www.informationweek.com/security/vulnerabilities/java-zero-day-attack-second-bug-found/240006431
  21. Hello, does somebody know a simple security question script for my contact form, like "what is 2+2" or "what number comes after 7"? Thanks.
  22. Could some of you tell me the basic protection that a PHP & MySQL website needs? For example, new stuff to me was SQL injection. Q: How to prevent a website from SQL injection? Q: What other protection do websites require than SQL injection protection? I know that the password should be encrypted but somehow I think it's not enough, or is it?
  23. Hi. Wonder if anyone can help. I am trying to build a website where users can log in to their account, and then place an order for an item, edit their details etc. However, I am using the following code upon loading the myAccount.cshtml page:

         if (WebSecurity.IsAuthenticated == false) { Response.Redirect("~/"); }

     So that if the user is not logged in it directs them to the home page to then log in. However, I am finding that even when the user has logged in, as soon as they come away from the My Account area it logs them out and they then have to log back in. How could I make this so it persistently keeps the user logged in until they manually log out with the button I have created? Thanks. Kevin
  24. I am currently creating an e-learning application for my honours project (this will not go live or be distributed for profit) that teaches PHP to brand new users; however there will obviously be experienced users using the application as well, and they will try to attack it or bring it down. My code to process the user input for malicious code strings before it is run through an eval() is below. If any of the banned words are found it returns false and the user input never gets near an eval() function. If no banned words are found then it returns true and the input (PHP code) is run through an eval() and the results checked to see if the user input had the desired effect (e.g. change the value of a local variable inside a function). Any major security issues that anyone can see, or advice on making my application more secure, is greatly appreciated. P.S. Any feedback used in the application will be 100% referenced to avoid accusations of plagiarism.

         function checkPHP($input){
             // array of denied words.
             $deniedWords = array(
                 //PHP tags
                 '<?', '?>', '?', 'PHP', 'script',
                 //Session Variables
                 '$_SESSION', '$_GET', '$_POST', '$_GLOBALS', '$HTTP_POST_VARS', 'GLOBAL', 'SESSION',
                 'SERVER', 'GET', 'POST', 'COOKIE', 'REQUEST', 'FILE',
                 //Escape chars on session variables
                 '$_', "'_'", "'\$'", "'\_'", '\$', '\_', "$'", "'$", "_'", "'_", '\\', '/', '_',
                 //Commands that parse code as PHP
                 'INCLUDE', 'REQUIRE', 'EVAL',
                 //Shell commands
                 'SYSTEM', 'EXEC', '`', 'SHELL', 'passthru', 'popen', 'DROP',
                 //PHP core functions
                 'magic_quotes', 'base64_decode', 'scandir', 'file_', 'unlink', 'get_defined_functions',
                 'get_defined_vars', 'get_defined_constants', 'get_loaded_extensions', 'assert_options',
                 'assert', 'dl', 'extension_loaded', 'gc_collect_cycles', 'gc_disable', 'gc_enable',
                 'gc_enabled', 'get_cfg_var', 'get_current_user', 'get_defined_constants',
                 'get_extension_funcs', 'get_include_path', 'get_included_files', 'get_loaded_extensions',
                 'get_magic_quotes_gpc', 'get_magic_quotes_runtime', 'get_required_files', 'getenv',
                 'getlastmod', 'getmygid', 'getmyinode', 'getmypid', 'getmyuid', 'getopt', 'getrusage',
                 'ini_alter', 'ini_get_all', 'ini_get', 'ini_restore', 'ini_set', 'magic_quotes_runtime',
                 'main', 'memory_get_peak_usage', 'memory_get_usage', 'php_ini_loaded_file',
                 'php_ini_scanned_files', 'php_logo_guid', 'php_sapi_name', 'php_uname', 'phpcredits',
                 'phpinfo', 'phpversion', 'putenv', 'restore_include_path', 'set_magic_quotes_runtime',
                 'set_time_limit', 'sys_get_temp_dir', 'version_compare', 'zend_logo_guid',
                 'zend_thread_id', 'zend_version', 'REFLECTION', 'apc_', 'apd_', 'error', 'debug_',
                 'restore_', 'trigger_', 'override_', 'rename_', 'inclued', 'flush', 'ob_', 'output_',
                 'overload', 'runkit_', 'wincache_', 'xhprof_', 'rewrite', 'file_exists', 'fopen',
                 'fwrite', 'fclose', 'ctype_alnum', 'realpath', 'is_file', 'chdir', 'mail', 'preg'
             );
             $found = "";
             for($i=0;$i<count($deniedWords);$i++){
                 $badWordFound = stristr($input, $deniedWords[$i]);
                 if($badWordFound){
                     $found = $found."Do not use <span class=bold>".$deniedWords[$i]."</span> in your script. <br />";
                 }
             }
             if($found){
                 echo "For security reasons, some keywords and characters have been banned for use within user input. Currently your code contains banned words and will NOT be executed until these are removed: <br />" . $found;
                 return false;
             }else{
                 return true;
             }
         }
  25. davej

    Basic Php Security?

    I am just getting started with PHP and I would like to immediately learn some basic security facts, such as how database accesses should be properly handled so that I don't have to unlearn bad habits like I did in ASP.NET (with that idiotic SqlDataSource method). Can PHP source code inside the brackets <?php ?> ever become visible to the web (as in view page source)? Do MySQL accesses need to be wrapped in try-catch statements to prevent database errors from being visible? Thanks.