general question web site design and cs3 code security

pimptovimto

Hello

I am in the process of developing a web site using Dreamweaver CS3 and PHP/mysql. Dreamweaver certainly makes things easy to get things up and running quickly but how secure is the wizard code for logging a user in and inserting a user?

As part of the registration process I have written code so that it sends an e-mail to the e-mail address containing a link to a validation page the link url contains variables of the registered users ID in the database and the their e-mail address. When they click the link it runs code in the validate page to update the database and set there account to validation field to 'yes' where the id is equal to the id in the link and the email address is equal to the e-mail address in the link. I have read a bit of stuff saying that there are lots of secrity wholes in PHP that need to patched through proper coding but I dont dont know what I need to do to better secure this Validation process, do i need to do anymore given that both the e-mail field and the id field need to match in order for the sq statement to run?

Thanks for any advice and help.

djjjozsi

id field is equal in the value from the email.
i think its not good... I could do a php clicker, what click the whole ID in your users table...

lets put the link in the email as md5 encrypt value,

$md5_code=md5( $currend_date_time . $user_id. $username);

put this encrypted value in a field, called check_code
if the user click the link, it goes to the check.php and check if the validate code is in the user, with that email address too.. you put a field, to ask the password from the user..

then you check that from the users table where the validate code is that you GET[""]...

lets try to make with this idea... and try to do this: if the (activation time) -( registration time) bigger than 3 day, lets delete the username and password from the users table.

pimptovimto;10890858 wrote:
Hello

I am in the process of developing a web site using Dreamweaver CS3 and PHP/mysql. Dreamweaver certainly makes things easy to get things up and running quickly but how secure is the wizard code for logging a user in and inserting a user?

As part of the registration process I have written code so that it sends an e-mail to the e-mail address containing a link to a validation page the link url contains variables of the registered users ID in the database and the their e-mail address. When they click the link it runs code in the validate page to update the database and set there account to validation field to 'yes' where the id is equal to the id in the link and the email address is equal to the e-mail address in the link. I have read a bit of stuff saying that there are lots of secrity wholes in PHP that need to patched through proper coding but I dont dont know what I need to do to better secure this Validation process, do i need to do anymore given that both the e-mail field and the id field need to match in order for the sq statement to run?

Thanks for any advice and help.

bpat1434

I honestly don't use any pre-built tools to do any of my work (well, with the exception of frameworks like cakePHP and Zend Framework). I don't use dreamweaver either (for personal reasons).

I can say this though: your validation isn't really validation. Better validation would be what djjjozsi described. That's coming up with a unique key (using [man]md5[/man], [man]sha1[/man], or [man]mcrypt[/man]) and storing that in a database field called "validation code" or something; matter of fact, you could even store it in your validation field where you have "yes" in the field for valid users. Then when the user comes back to validate their email, they just have to provide the same string of characters you used to create the md5 or sha1 hash.

So for your validation code generation, you'd want to use a function, something similar to:

function uniqueCode($len=10, $prev=null)
{
    // Array of characters to choose from
    $chars = array_merge(range('a', 'n'), range('A', 'N'), range('0', '9'), array('$', '@', '!', '&'));
    $max=count($chars)-1;
    $code = '';

for($i=0; $i<$len; $i++)
{
    $char = $chars[rand(0, $max)];

    // Don't use doubling characters...
    // So if this character is the same as the previous, call the function again
    if($char == $prev)
        $char = uniqueCode(1, $char);

    $code .= $char;
}

// We now have a valid code with no repeating characters (i.e. no BB or 00)
return $code;
}

Then you can easily encrypt that and save the encrypted string in the database. For example, I could generate this string: !&D2!HNl$5. That would be this code:

$validationCode = uniqueCode();

Then I want to encrypt it so I can store its hash in the database:

$encrypted = md5($validationCode); // could use sha1() here instead

That gives me this value for the encrypted variable: 7ff985336db428f1b623a2610ed95fce

Now, when someone comes back to your site, all you have to do is ask for their email address and the 10 character code you send them ($validationCode), or you can put that 10 character code in the URL.

Much better than asking them to type in 32+ characters between a-f and 0-9.

That's just an example of "securing" a validation.

You could also think of encrypting the email address with the validation code to make the hash more random; however, just remember however you encrypt it, that when you check it you encrypt it just the same, otherwise people won't validate.

pimptovimto

Thank you both I will attempt this although since I am starting out it may take me awhile to suss it out.

I still dont however understand the risk, for example;

let say the link in the email is http://www.whatevermyurlis.com/validate.php?id=23&email=youremail@yoursite.com

in the validate.php

the SQL code

mysql_select_db($blah, $blah);
$update = "UPDATE tablename SET " .
"valid = 'y' " .
"WHERE id = '" . $REQUEST['valid'] . "' AND email = '" . $REQUEST['email'] . "'";
$results = mysql_query($update) or die(mysql_error());

what is the risk since code will only update the table where the id and email address match in the table? I appreciate that I probably just have a basic lack of knowledge o the risks, so is there any good sites or examples of how someone could hack this and either retrieve data from my database or equally as bad damage my data?

Again thanks in advance

NogDog

The first risk I see is the possibility of SQL injection. If someone were to send the following link, you might be in real trouble:

www.yoursite.com?valid=%27%3Bdelete+from+tablename%3B--

(This would mean that $_REQUEST['valid'] would then have a value of "';delete from tablename;--", which in turn means that if a hacker knew/guessed the correct table name, bye-bye data.)

You can prevent this by type-casting numeric values and escaping string values:

$update = "UPDATE tablename SET " .
"valid = 'y' " .
"WHERE id = '" . (int) $_REQUEST['valid'] . "' AND email = '" . mysql_real_escape_string($_REQUEST['email']) . "'";

pimptovimto

Thank you NogDog, I see the point however it does rely on someone guessing that my table name is thisismytotallyrandomtabelname instead of something stupid like table1 or customers. Am I right in saying this is reffered to as a 'brute force' method? Ad I still dont understand the danger because surely my sql stament would then read

UPDATE tablename SET valid = 'y' WHERE id =
'DELETE FROM tablename' and email = 'yourname@yoururl.com'

which is not harmful or am I missing the function of the % and 3B ?

bpat1434

It is harmful because that is a subquery which gets executed prior to the main query.

THe %3B is just an html entity for the single-quote character.

NogDog

Regarding the SQL injection attempt: yes, the hacker would need to "guess" the table name (or any other table name in that database). However, there's no guarantee that he would need to guess, as he might be able to determine it from some other security hole. In fact, the first place he might get it in this example is by simply sending nonsense characters in that URL variable, then see what the output of your mysql_error() gives when the query fails. :eek:

Highly recommended reading: http://phpsecurity.org/

djjjozsi

Lets lee the whole SQL commands, what could be harmful to you databse.

Drop database 🙂
Truncate table
UPDATE SET
DELETE * FROM table WHERE 1

IF You allow to get string into the variables, the first probes will that.

But its enought to write an image script , 4 example a php generated image gallery.
IF you don't check if the user writes ../ into the url you want to download ,
its easy to write a script to the db_connection.php, or .htaccess .htpassword files.

So don't trust the values you get from the user. And don't you think how many website hole attack program are available.
And not use $REQUEST[] if $POST is shorten and safer method.

pimptovimto;10891001 wrote:
Thank you NogDog, I see the point however it does rely on someone guessing that my table name is thisismytotallyrandomtabelname instead of something stupid like table1 or customers. Am I right in saying this is reffered to as a 'brute force' method? Ad I still dont understand the danger because surely my sql stament would then read

UPDATE tablename SET valid = 'y' WHERE id =
'DELETE FROM tablename' and email = 'yourname@yoururl.com'

which is not harmful or am I missing the function of the % and 3B ?

bpat1434

And not use $REQUEST[] if $POST is shorten and safer method.

That has no security implication what-so-ever. $POST, while shorter, has the exact same data as $REQUEST would. The only difference between $REQUEST and $POST is that $POST only stores data that was posted from a form, whereas $REQUEST stores all data from $COOKIE, $GET, and $_POST.

Drop database
Truncate table
UPDATE SET
DELETE * FROM table WHERE 1

Let's not forget the DESCRIBE query where a user could describe a table and get all the columns in that table.

Of course the real solution to this is to create two users: one for admin, the other for general use. The admin user has rights to update, delete and insert (do anything really) while the general use user can only read from the database. The general user would be used for your site's front-end (what a general visitor would see) whereas your admin user would be used for things in the backend where you update news items, add pictures and other things that really require the rights to update/insert/delete from tables.

And of course to always use some type of string escape function _escape_string where is the name of the db provider like pgsql or mysql; however, for mysql, use [man]mysql_real_escape_string/man instead.

pimptovimto

Does using stored procedures eliminate any of the security risks associated with sql injections and the sub query as passed in the url?

NogDog

pimptovimto;10891412 wrote:
Does using stored procedures eliminate any of the security risks associated with sql injections and the sub query as passed in the url?

Not if you still pass tainted data to the stored procedure call. For instance, if you have a stored procedure name "foo" that takes one parameter, and you do not sanitize the value use for that parameter, then someone might still pass a value that could corrupt the query being used, since you still execute a query to access the stored procedure:

$result = mysql_query("SELECT stored_proc_name('$user_supplied_parameter')");

Now imagine that the $user_supplied_parameter is "x');drop table users;--" and the query you end up sending to MySQL is:

SELECT stored_proc_name('x');drop table users;--')