PHP9 - Security Issues

Posted by Gaia77490614 
PHP9 - Security Issues
February 15, 2012 04:07PM
I have completed this section.
avatar Re: PHP9 - Security Issues
February 16, 2012 11:02PM
Am done with the section also. Am glad!
Re: PHP9 - Security Issues
February 22, 2012 08:21PM
Section Completed.
Re: PHP9 - Security Issues
February 23, 2012 10:04AM
Hi all

I have learned that the configuration file that holds the key to how PHP runs on your computer is named php.ini;
I decided to create my own, which I named config.ini.

Inside this file there is a connection to the database.
/includes/config.ini
Language: INI
[database]
user=root
password=''
host=localhost
select=true
database=chapter7

[general]
record_per_page=20
site_name=Introduction to php
seo_default_title=%s %s - Awesome PHP
seo_default_description="<p>Looking for a %s in %s?</p>"

To read this file, I constructed the following code:

Language: PHP
<?php
// second argument true: return the [database] and [general] sections as separate arrays
$config = parse_ini_file("config.ini", true);
$general_config_options  = $config["general"];
$database_config_options = $config["database"];
$host     = $database_config_options["host"];
$username = $database_config_options["user"];
$password = $database_config_options["password"];
?>

I'm currently using localhost and it works fine.
But if I use a different server it gives me errors.
Does anyone know why?

And for security purposes, is this secure enough?
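An added example, not code from the post above or from the course: a loader for the config.ini shown above that keeps the file out of the web root and connects through PDO. PHP only executes .php files, so a .ini left under the document root is served to anyone who asks for it as plain text, password included. The file layout (config.ini one level above a document root such as /var/www/html), the posts table and the use of PDO in place of the mysql_* functions are assumptions; PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example, not from the original post. Assumed layout: this script is
// in the document root and config.ini sits one level above it.
declare(strict_types=1);

function loadConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // PHP does not execute .ini files, so a web server serves them as text.
    // Refuse to use one that is reachable through the document root.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("config file must not live under the document root: $real");
    }
    // true keeps the [database] and [general] sections as separate arrays;
    // INI_SCANNER_TYPED turns "true" / "20" into bool / int instead of strings.
    $config = parse_ini_file($real, true, INI_SCANNER_TYPED);
    if ($config === false || !isset($config['database'], $config['general'])) {
        throw new RuntimeException("config file is missing the [database] or [general] section");
    }
    return $config;
}

function connectFromConfig(array $db): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['database']);
    return new PDO($dsn, $db['user'], $db['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// __DIR__ makes the path independent of the working directory, which differs
// between a CLI run, Apache, and another host.
$config  = loadConfig(__DIR__ . '/../config.ini');
$pdo     = connectFromConfig($config['database']);
$perPage = (int) $config['general']['record_per_page'];

// Assumed table "posts"; the page size is bound as an integer, never interpolated.
$stmt = $pdo->prepare('SELECT id, title FROM posts ORDER BY id LIMIT :n');
$stmt->bindValue(':n', $perPage, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

Two things to check against the posted config before calling it secure enough: the database user is root with an empty password, and a web-facing application should get its own account limited to the one database it needs; and parse_ini_file() resolves a relative filename against the current working directory first, which is one common reason the same code works on localhost and fails on another server.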
avatar
Mac
Re: PHP9 - Security Issues
February 23, 2012 12:48PM
Huh?

the php.ini is a configuration file for how Apache runs. What you are talking about is an include file, which you can name anything, but config.php is best practice. Therein you define your db connections etc. You include this when required.

You want to change php.ini settings, you do that inside the current php.ini.
Re: PHP9 - Security Issues
February 24, 2012 09:59AM
Thanks mac.
Really appreciate.

One more thing, how do you solve the issue with register_globals?
Some say you must develop assuming it is turned off?
Re: PHP9 - Security Issues
February 25, 2012 04:09PM
Complete
avatar Re: PHP9 - Security Issues
February 25, 2012 09:43PM
Completed this section.

One thing I found strange is the way the tutorial conveyed the difference between htmlspecialchars() and htmlentities(). It said
Quote

So if you think your attacker might launch an attack in a language that is not English, then use [htmlentities()]
Is this really the reason why someone would use htmlentities() over htmlspecialchars()? I googled around a bit and found a lot of over-my-head discussions about vulnerabilities between different character sets. If a hacker could 'launch an attack in a language that is not English' why would anyone use htmlspecialchars() over htmlentities()? It sounds like a very strange explanation to me.

Can anyone help clarify? I would obviously want form inputs and so on to be as secure as possible.

Thanks
Re: PHP9 - Security Issues
February 26, 2012 11:53PM
I completed this section
avatar
Mac
Re: PHP9 - Security Issues
February 27, 2012 07:39AM
77592972_innocent Wrote:
-------------------------------------------------------
> Thanks mac.
> Really appreciate.
>
> One more thing, how do you solve the issue with
> register_global.
> Some say you must develop assuming it is turned
> off?


You can check in the php.ini if it is on or off, or ask the host if it is on or off, or write some code to check if it is on or off.
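An added example, not Mac's code or the course's: a start-up check for register_globals written with ini_get(), followed by the pattern the setting breaks, an uninitialised variable, next to its hardened form. The script name admin.php, the password "secret" and the ?authorized=1 request are constructed; PHP 5.4 or later is assumed for http_response_code(), and register_globals itself was removed in that release.

```php
<?php
// Added example, not from the thread. Constructed "admin.php" with a
// constructed password; the point is the uninitialised $authorized variable.
declare(strict_types=1);
error_reporting(E_ALL);   // surfaces "Undefined variable" notices in development

function registerGlobalsEnabled(): bool
{
    // ini_get() returns the raw php.ini value ("1", "On", "Off", "") or
    // false when the directive no longer exists (PHP 5.4 and later).
    $raw = ini_get('register_globals');
    return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Refuse to serve anything on a host that still has the setting on, rather
// than trusting every script to have been written defensively.
if (registerGlobalsEnabled()) {
    http_response_code(500);
    exit('register_globals is On; set register_globals = Off in php.ini');
}

// --- VULNERABLE with register_globals = On ---------------------------------
// With register_globals, a request for admin.php?authorized=1 creates a
// global $authorized = "1" before this code runs. The script assigns the
// variable only on success and never initialises it, so the check below
// passes without any password.
if (isset($_POST['pass']) && $_POST['pass'] === 'secret') {
    $authorized = true;
}
if (!empty($authorized)) {
    // admin area
}

// --- HARDENED: behaves the same with the setting On or Off -----------------
// 1. Initialise every variable before its first conditional assignment.
// 2. Take request data only from the superglobals, never from bare names.
// 3. Compare secrets with hash_equals() so timing does not leak the value.
$authorizedSafe = false;
$pass = (string) ($_POST['pass'] ?? '');
if (hash_equals('secret', $pass)) {
    $authorizedSafe = true;
}
if ($authorizedSafe) {
    // admin area
}
```

The hardened half is what "develop assuming it is turned off" means in practice: every variable the script reads has been assigned by the script itself, so it makes no difference whether the host injects request data into the global scope or not. A real login would compare against a stored password hash rather than a literal; the literal is only there to keep the two halves side by side.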
Re: PHP9 - Security Issues
March 01, 2012 07:56PM
Completed!!!
avatar
Mac
Re: PHP9 - Security Issues
March 02, 2012 08:14AM
mm77509382 Wrote:
-------------------------------------------------------
> Completed this section.
>
> On thing I found strange is the way the tutorial
> conveyed the difference between htmlspecialchars()
> and htmlentities(). It said
>
Quote

So if you think your attacker might launch
> an attack in a language that is not English, then
> use [htmlentities()]
> Is this really the reason why someone would use
> htmlentities() over htmlspecialchars()? I googled
> around a bit and found a lot of over-my-head
> discussions about vulnerabilities between
> different character sets. If a hacker could
> 'launch an attack in a language that is not
> English' why would anyone use htmlspecialchars()
> over htmlentities()? It sounds like a very strange
> explanation to me.
>
> Can anyone help clarify? I would obviously want
> form inputs and so on to be as secure as
> possible.
>
> Thanks


Missed this post.... You are quite correct about the over-the-head discussion on this on the net. It appears every person has their own view. It ultimately comes down to this: the biggest risk is that people use malicious code in forms to gain access to a db, because that is where the information lies that they want access to. Therefore the mysql_real_escape_string built-in function has seen the light and has become sort of compulsory. Example three at http://www.w3schools.com/php/func_mysql_real_escape_string.asp uses this built-in function in another self-written function, and it is a good idea to use this function with forms - easy to adapt.
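An added example, not Mac's code or the tutorial's: the two questions in this exchange (htmlentities() versus htmlspecialchars(), and mysql_real_escape_string() for the database) are really about which context the input ends up in. One constructed input is run through an HTML-context escape, an HTML-entity escape, a PDO prepared statement and a JavaScript-literal encoder. The users table is an assumption, as is PDO in place of the mysql_* functions the thread uses; PHP 7.3 or later is assumed for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not from the thread. $input is constructed to hit every
// interesting character class at once: non-ASCII, a tag, both quote styles
// and an ampersand.
declare(strict_types=1);

$input = "Ünïcode <script>alert('xss')</script> \"quoted\" & O'Brien";

// Context 1: HTML body or attribute. Escape at output time, with ENT_QUOTES
// so both quote styles are covered (needed inside attributes), ENT_SUBSTITUTE
// so an invalid UTF-8 sequence is replaced instead of the whole string coming
// back empty (PHP 5.4+ behaviour), and the real charset of the page.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities() encodes the same five characters plus every other character
// that has a named entity (Ü becomes &Uuml;). Against injection that buys
// nothing: < > & " ' are what matter and both functions handle them. It only
// helps when the page is served in a charset that cannot represent the text.
function forHtmlEntities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 2: SQL. Do not escape; bind. The value travels separately from the
// query text, so O'Brien cannot terminate the string literal.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Context 3: a JavaScript literal needs yet another encoder; the JSON_HEX_*
// flags keep </script> and quotes from breaking out of the literal.
function forJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

echo "html:     ", forHtml($input), "\n";
echo "entities: ", forHtmlEntities($input), "\n";
echo "js:       ", forJs($input), "\n";
// In a template: forHtml() for text and attribute values, forJs() inside a
// script block, findUser() for the query; never one "clean" function for all.
```

On the charset point raised in the thread: the danger is not the language the attacker writes in but a mismatch between the charset the encoder assumes and the one the browser uses to decode the page, so pass the charset explicitly and send the same one in the Content-Type header. For the database, mysql_real_escape_string() needs an open connection with the right connection charset to be correct at all, and the mysql_* extension was removed in PHP 7; a prepared statement removes the escaping step altogether.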
Re: PHP9 - Security Issues
March 03, 2012 12:10PM
owned this section
Re: PHP9 - Security Issues
March 09, 2012 02:51PM
1. Which is stronger, md5 or sha1, to make a password a lot harder to crack?
2. Is it wise to implement error_log in your system to be notified of any errors that might creep in?
avatar Re: PHP9 - Security Issues
March 09, 2012 04:56PM
md5 generates a 128-bit hash value while sha1 generates a 160-bit hash value. This makes sha1 much harder to crack. This link is a useful resource: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/. Concerning the error log, try reading chapter 9 of the prescribed PHP book. Cheers!
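An added example, not from the thread: md5() and sha1() beside password_hash(), plus the error-logging settings the second question asks about. Both md5() and sha1() are fast, unsalted digests designed for integrity checks, and output length is not what decides how hard a stored password is to crack. The password, the benchmark loop, the username and the log path are constructed; PHP 5.5 or later is assumed for password_hash().

```php
<?php
// Added example, not from the thread. Constructed password, username and log path.
declare(strict_types=1);

$password = 'correct horse battery staple';
$username = 'alice';

// Fast, unsalted digests: two users with the same password get the same
// hash, precomputed tables apply, and a GPU tries billions per second.
// sha1 being 160 bits instead of 128 changes none of that.
$weakMd5  = md5($password);
$weakSha1 = sha1($password);

// password_hash() picks a random salt, embeds it and the cost in the
// result, and the cost factor makes each guess deliberately expensive.
function storeHash(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkLogin(string $storedHash, string $attempt): bool
{
    return password_verify($attempt, $storedHash);
}

// Rough speed comparison (constructed benchmark, numbers vary by machine):
$n = 200000;
$t = microtime(true);
for ($i = 0; $i < $n; $i++) {
    sha1($password . $i);
}
$sha1PerSec = $n / (microtime(true) - $t);

$t = microtime(true);
$hash = storeHash($password);
$bcryptSeconds = microtime(true) - $t;

printf("md5:    %s\nsha1:   %s\nbcrypt: %s\n", $weakMd5, $weakSha1, $hash);
printf("sha1 in plain PHP: ~%.0f hashes/s; one bcrypt hash: %.3f s\n", $sha1PerSec, $bcryptSeconds);
var_dump(checkLogin($hash, $password), checkLogin($hash, 'wrong'));

// When the cost is raised later, rehash at the next successful login.
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 13])) {
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 13]);
}

// --- error_log: yes, but to a file, never to the browser -------------------
ini_set('display_errors', '0');                 // stack traces and paths stay off the page
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path, writable by the web server user
error_reporting(E_ALL);
// Log the event, not the secret: the username is useful, the password never is.
if (!checkLogin($hash, 'wrong')) {
    error_log('failed login for user=' . $username . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}
```

The stored value from password_hash() already records the algorithm, cost and salt, so checkLogin() needs nothing but the hash and the attempt, and password_needs_rehash() lets the cost be raised over time without a migration. Error logging is worth having for exactly the reason the question gives, as long as display_errors stays off in production: a stack trace on the page tells an attacker file paths, query text and library versions.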
Re: PHP9 - Security Issues
March 11, 2012 11:33PM
I have completed this section.
Re: PHP9 - Security Issues
March 11, 2012 11:55PM
Here is an example of the strip_tags() function:

Language: PHP
<?php
$My_string = "<p>This is example of paragraph</p>, <div>This is an example of division,</div> "
    . "<p>This is another example of paragraph</p>, <span>This is an example of span tag.</span>";
// second argument: tags that are allowed to stay
$stripped_string = strip_tags($My_string, "<div>");
echo $stripped_string;
?>

Output (the <div> tags are kept; a browser renders them invisibly, which is why they seem to vanish on screen):

This is example of paragraph, <div>This is an example of division,</div> This is another example of paragraph, This is an example of span tag.

In the above example <div> is an allowed tag, so the string is returned with the <div> tags still in it.
Re: PHP9 - Security Issues
March 11, 2012 11:59PM
Another strip_tags() call with no allowed tags:

Language: PHP
<?php
$My_string = "<p>This is example of paragraph</p>, <div>This is an example of division,</div> "
    . "<p>This is another example of paragraph</p>, <span>This is an example of span tag.</span>";
$stripped_string = strip_tags($My_string);
echo $stripped_string;
?>

Output:
This is example of paragraph, This is an example of division, This is another example of paragraph, This is an example of span tag.
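An added example, not from the two posts above: strip_tags() leaves the attributes of any tag on its allow-list untouched (the PHP manual states this explicitly), so allowing <div> also allows onmouseover="..." and an inline style. The three inputs are constructed.

```php
<?php
// Added example, not from the posts above. Constructed inputs.
declare(strict_types=1);

$inputs = [
    '<div onmouseover="alert(1)">hover me</div>',
    '<p>plain</p><div><img src=x onerror=alert(2)></div>',
    '<div style="position:fixed;top:0;left:0;width:100%;height:100%">overlay</div>',
];

// Returns what strip_tags() leaves behind under each policy, plus the only
// version that is safe to echo into a page: the escaped one.
function compareStripping(string $html): array
{
    $keepDiv = strip_tags($html, '<div>');   // attributes on <div> survive untouched
    return [
        'keep_div'  => $keepDiv,
        'strip_all' => strip_tags($html),
        'escaped'   => htmlspecialchars($keepDiv, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

foreach ($inputs as $html) {
    echo "input:      $html\n";
    foreach (compareStripping($html) as $label => $out) {
        printf("%-11s %s\n", $label . ':', $out);
    }
    echo "\n";
}
```

If users are meant to write real markup, use a sanitizer that parses the HTML and applies an allow-list to tags and attributes together, such as HTML Purifier; strip_tags() is for turning HTML into plain text, and even then the result still has to be escaped before it goes back into a page.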
Re: PHP9 - Security Issues
March 12, 2012 12:00AM
Language: PHP
<?php
function clean($data)
{
    $dataA = strip_tags($data);
    $dataB = trim($dataA);
    $dataC = mysql_real_escape_string($dataB);
    $dataD = str_replace("", "'", $dataC);
    $dataE = str_replace("", '"', $dataD);
    $dataF = str_replace("", '|', $dataE);
    $dataG = str_replace("", "/", $dataF);
    $dataH = str_replace("", "`", $dataG);
    $dataI = stripslashes($dataH);
    //// error on textarea: (\r\n) ////
    return $dataI;
}
?>

I use this function to clean the user's input, but the str_replace doesn't work: if I enter Hell`o it echoes out the same.

Why is it not removing the ` " ' / \ ???????

Any better method?

Thanks
Re: PHP9 - Security Issues
March 12, 2012 12:32AM
More about the PHP htmlspecialchars_decode() Function:

Language: PHP
<?php
$str = "Jane &amp; &#039;Tarzan&#039;";
echo htmlspecialchars_decode($str);
echo "<br />";
echo htmlspecialchars_decode($str, ENT_QUOTES);
echo "<br />";
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>

string - Required. Specifies the string to decode
quotestyle - Optional. Specifies how to decode single and double quotes.
The available quote styles are:

ENT_COMPAT - Default. Decodes only double quotes
ENT_QUOTES - Decodes double and single quotes
ENT_NOQUOTES - Does not decode any quotes
Re: PHP9 - Security Issues
March 12, 2012 12:37AM
As mentioned in one of the threads, PHP 5.4.0 Released, the link below will show you htmlspecialchars() improvements in PHP 5.4.0:

htmlspecialchars() improvements in PHP 5.4.0
Re: PHP9 - Security Issues
March 12, 2012 12:57AM
htmlspecialchars()

Language: PHP
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>

Output:
&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
Re: PHP9 - Security Issues
March 12, 2012 01:00AM
htmlentities()

Language: PHP
<?php
$str = "A 'quote' is <b>bold</b>";
// default quote style was ENT_COMPAT when this was posted (double quotes only);
// since PHP 8.1 the default includes ENT_QUOTES, so both lines then match
echo htmlentities($str);
echo htmlentities($str, ENT_QUOTES);
?>

Output (default quote style first, ENT_QUOTES second):
A 'quote' is &lt;b&gt;bold&lt;/b&gt;
A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
Re: PHP9 - Security Issues
March 12, 2012 01:12AM
tererai Wrote:
-------------------------------------------------------

>I use this function to clean the users input, but the str_replace don't work
>if I enter Hell`o it echo out the same
>why is not removing the ` " ' / \ ???????
>any better method?
>thanks

Try the preg_replace function....read up about it here:
http://www.php.net/manual/en/function.preg-replace.php
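An added example, not tererai's code or the replying poster's: what the clean() function above was trying to do, done two ways. The literal fix is the argument order, str_replace(search, replace, subject); an empty search string matches nothing, which is why the backtick survived. The better fix is to validate each field against what it may contain with an anchored preg_match(), rather than stripping a guessed list of characters. The field names, patterns and sample inputs are constructed; the mbstring extension is assumed for mb_strlen().

```php
<?php
// Added example, not from the thread. Constructed field rules and inputs.
declare(strict_types=1);

// (a) The literal fix: str_replace(search, replace, subject). This is still a
// blacklist; it removes exactly these characters and nothing else.
function stripDangerousChars(string $s): string
{
    return str_replace(['`', '"', "'", '/', '\\', '|'], '', trim(strip_tags($s)));
}

// (b) The better approach: decide what a field may contain and reject the rest.
function validateUsername(string $s): ?string
{
    // 3-32 characters: letters, digits, dot, dash, underscore. \A and \z anchor
    // the pattern so nothing can precede or follow the allowed run.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $s) === 1 ? $s : null;
}

function validateComment(string $s): ?string
{
    // Free text: normalise the textarea line endings (the "\r\n" problem noted
    // in the post), drop control characters except newline and tab, cap length.
    $s = str_replace("\r\n", "\n", $s);
    $s = preg_replace('/[^\P{C}\n\t]+/u', '', $s);
    if ($s === null || mb_strlen($s, 'UTF-8') > 2000) {
        return null;
    }
    return $s;
}

// Validated data is still untrusted for every output context: bind it in SQL
// and escape it for HTML. Validation only keeps obviously wrong input out.
$samples = ["Hell`o", "bob.smith", "../../etc/passwd", "O'Brien \"said\" hi\r\nbye"];
foreach ($samples as $s) {
    printf("%-30s strip: %-18s user: %-10s comment: %s\n",
        json_encode($s),
        stripDangerousChars($s),
        var_export(validateUsername($s), true),
        var_export(validateComment($s), true));
}
```

Note what the blacklist does to "O'Brien": it silently changes a legitimate name, while the allow-list for usernames rejects it outright and the comment rule keeps it intact, because an apostrophe is harmless once the value is bound in a prepared statement and escaped for HTML at output time.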
Re: PHP9 - Security Issues
March 12, 2012 01:19AM
Re: PHP9 - Security Issues
March 12, 2012 01:03PM
I have completed this section too
Re: PHP9 - Security Issues
March 12, 2012 03:14PM
There is a nice function to remove global variables

Language: PHP
<?php
function unregisterGlobals()
{
    if (!ini_get('register_globals')) {
        return;
    }
    $superglobals = array('_SESSION', '_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
    foreach ($superglobals as $name) {
        if (!isset($GLOBALS[$name]) || !is_array($GLOBALS[$name])) {
            continue;   // e.g. $_SESSION before session_start()
        }
        foreach ($GLOBALS[$name] as $key => $value) {
            // only remove the copy register_globals created, not an unrelated global
            if (isset($GLOBALS[$key]) && $GLOBALS[$key] === $value) {
                unset($GLOBALS[$key]);
            }
        }
    }
}
?>

For magic quotes and stripslashes

Language: PHP
<?php
// Recursively remove slashes
function stripSlashesDeep($value)
{
    return is_array($value) ? array_map('stripSlashesDeep', $value) : stripslashes($value);
}

// This caters for PHP 5. For PHP 4 use $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS.
// get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in PHP 8,
// hence the function_exists() guard.
function removeMagicQuotes()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = stripSlashesDeep($_GET);
        $_POST   = stripSlashesDeep($_POST);
        $_COOKIE = stripSlashesDeep($_COOKIE);
    }
}
?>
Re: PHP9 - Security Issues
March 12, 2012 07:31PM
Completed the section.
Re: PHP9 - Security Issues
March 13, 2012 09:06AM
Section completed
Re: PHP9 - Security Issues
March 15, 2012 03:35PM
Completed this section