Lowyat.NET: Latest topics by jg71

issue cookie to the browser

jg71 — Fri, 02 Oct 2009 17:04:09 +0800

attacker can issue cookie with fixed session id to the browser by using these 3 ways:

A. using a client-side script that sets a cookie on the browser;

like:

CODE

http://online.worldbank.com/<script>document.cookie="sessionid=1234";</script>.idc

i just confuse, if the link didn't accept any user input from $_GET
method( e.g:

CODE

http://online.worldbank.com?user_input=

),
the above <script> can take effect or not?

B. using the HTML <META> tag with Set-Cookie attribute;

like:

CODE

http://online.worldbank.com/<meta%20http-equiv=Set-Cookie%20c
ontent="sessionid=1234;%20Expires=Friday,%201-Jan-2010%2000:0
0:00%20GMT">.idc

similarly, if

CODE

http://online.worldbank.com/

didn't have any variable to accept user input like case A, then this meta tag
injection can success or not?

C. using the Set-Cookie HTTP response header.

how to prevent it?

Edit
************
i try to append <script>document.cookie="sessionid=1234";</script> at the back of my site link that not intend to accept any $_GET input, then my page's images just gone, i try to upload the backup file but still the same, can't link back my images... help me please!

urlencode()

jg71 — Thu, 01 Oct 2009 20:40:58 +0800

i came across urlencode() this function online...and know that it's used to encode URL...

can i know what's the purpose of doing so? for security purpose, so that people can't see what we actually pass through the URL?

store temporary data without session

jg71 — Wed, 30 Sep 2009 20:44:37 +0800

my site will force the user to enable their browser cookie if they want to login to their account...

but, user still able to browse some other pages without login...for these pages, i need to store some temporary data, but i don't want to use session, then how? (the session will only be created after user login their account)

session security

jg71 — Tue, 22 Sep 2009 00:24:48 +0800

i have read about session security from a few tutorials...and found this

QUOTE

By default, the unique identifier that the server gives the browser is named PHPSESSID. This variable is stored on the client in either a URL, or a cookie. PHP first tries to set a cookie. If a browser does not accept cookies, PHP will append PHPSESSID to all URLs.

currently, in dealing with session, i'm only use session_start() in my website without any other code, so if according to the above explanation, my session id is saved in cookie? how can i confirm it? i try to disable the cookie in my browser, but didn't see that any session id appended in the URL...can anyone please explain this for me?

thx!

question about http header

jg71 — Tue, 15 Sep 2009 16:17:51 +0800

can anyone guide me to understand what http header is? this is what i found online

QUOTE

HTTP Headers form the core of an HTTP request, and are very important in an HTTP response. They define various characteristics of the data that is requested or the data that has been provided. The headers are separated from the request or response body by a blank line. HTTP headers can be near-arbitrary strings, but only some are commonly understood.

but, still not understand...

this is generated automatically? and how can we see it?

email injection attack

jg71 — Mon, 14 Sep 2009 19:42:49 +0800

i have read some tutorials about email injection attack...and found some points...
can anyone please confirm these points for me...?

1. it's perform through site provided form that send email, but not the email that the application send internally through hard code?

2. to prevent it, just to validate the form email address field entered by user, to make sure it contains no newlines (\n) and carriage returns (\r)?

CODE

if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {

[... direct user to an error page and quit ...]

}

$name is user name, $email is user email address entered by user in the form...

opinion for xss attack

jg71 — Tue, 08 Sep 2009 22:28:54 +0800

before this, i read about xss attack from a security tutorial, there is only a simple description about this attack...

so, i thought it's just easy to prevent it with htmlentities()...

but, i just came across a complicated description of this xss attack again from another site...

so, i just wonder is it enough to use only htmlentities() to deal with this xss attack?

hope experts and the experienced one here can give me some suggestions and opinions, thx!

phpinfo()

jg71 — Wed, 02 Sep 2009 14:19:35 +0800

when i execute <?php phpinfo() ?> and check my phpinfo()...

i found there are two columns for each directive, which are local value and master value...

can i know what's the different between both?
if i set those directives in my .htaccess, both of the columns must get the value i set or only the local value column will get the effect?

saving data with mysql_real_escape_string()

jg71 — Thu, 27 Aug 2009 12:43:40 +0800

let's say, my user input a variable $_POST['$user_name'], when i want to insert it into my database, i'll apply mysql_real_escape_string() on it, then save into database...

later, i need to retrieve the same data from database...then want to save it into another table in my database, i would like to know i need to apply mysql_real_escape_string() again on it or not?

thx!

compare mysql_real_escape_string() value

jg71 — Wed, 26 Aug 2009 16:51:50 +0800

when i use mysql_real_escape_string() on a variable like

CODE

$_SESSION['add_name'] = mysql_real_escape_string($_POST['register_name']);

if $_SESSION['add_name'] actual value is "back\slash"...

when i apply mysql_real_escape_string() on it, then $_SESSION['add_name'] will become "back\\slash"...

so if i want to compare $_SESSION['add_name'] with its actual value, which is "back\slash" then i'll get NOT SAME, right?

CODE

if($_SESSION['add_name']=="back\slash")
echo "it's same variable";
else
echo "there are different"; // this will be output

how can i solve this problem as both actually is the same value...?

htmlentities() used in email sent

jg71 — Tue, 25 Aug 2009 22:14:38 +0800

hi, i use htmlentities() in an email sent to user for the confirmation of registration...

for the user name and user email input by an user, i apply htmlentities() like

CODE

$myuser = htmlentities($user);
$useremail = htmlentities($uemail);

then this two variables are used to display in an email sent to the user, like

CODE

$msg="<table><tr><td>";
$msg.="Dear $myuser,";
$msg.="bla bla bla";
:
:
$msg.="<a href='http://www.mysite.com/register.php?sentemail=$useremail&key=$ukey'>activate link </a>";
:
:
$msg.="please copy and paste the following link to your browser.<br><br>";
$msg.="http://www.mysite.com/register.php?sentemail=$useremail&key=$ukey";
:
:

so, any problem i use htmlentities() in the variable display and the activate link? i tested it and found it works normally, but if really got xss attack in that two variables, what will going on to my email? will create any error?

virus and php file

jg71 — Tue, 25 Aug 2009 10:34:23 +0800

hi, my pc is infected virus recently, so i would like to know whether my php source file will be infected too, how should i do, please?

question about this code

jg71 — Mon, 24 Aug 2009 22:07:14 +0800

for the following code

CODE

$SQLquery = 'START TRANSACTION';
$result = mysql_query($SQLquery);
$SQLquery = 'UPDATE table SET column=1 WHERE type=2';
$result = mysql_query($SQLquery);
if (!$result) {
$SQLquery = 'ROLLBACK';
$result = mysql_query($SQLquery);
} else {
$SQLquery = 'COMMIT';
$result = mysql_query($SQLquery);
}

is that the 'START TRANSACTION' will make the autocommit to off?

hosting disk space and databases

jg71 — Wed, 19 Aug 2009 11:09:08 +0800

hi, i'm a newbie in web hosting...

recently, i checked on some web hosting package and found some stated their package that has XXGB and unlimited databases...

what it meant by unlimited databases here?
can create as much databases as we want? but how about the space? unlimited too?
or the database has unlimited storage?
is this unlimited database related with the disk space? i meant let's say it has 50MB disk space and unlimited databases, is that the database storage can exceed 50MB?

error handler

jg71 — Sat, 15 Aug 2009 20:48:59 +0800

for a php website, the error handler normally is needed for code that involve database access...
i would like to know in what case else the error handler is needed too?

simple website

jg71 — Thu, 13 Aug 2009 16:00:42 +0800

i would like to know for a very simple website that's plainly display information and pictures, without using any php, asp...script, will it be hacked and in what way?

$_GET and isset()

jg71 — Sun, 09 Aug 2009 18:09:20 +0800

in the following code, is the mysql_real_escape_string() needed? or can just ignore it?

if(isset(mysql_real_escape_string($_GET['getdata']))){

}

single quote in the variable

jg71 — Sat, 08 Aug 2009 21:17:15 +0800

i'm always use $_SESSION and $_GET variable in my php website, so the proper variable is like this

$_SESSION['userName']
$_GET['getdata']

which single quote is needed to enclose the variable name, but for the case when they are used in sql query, the single quote must be ignored like below:

mysql_query("SELECT * FROM mytable WHERE user_name='$_SESSION[userName]'")

i would like to know is this a correct way to do it? or i need to assign the session variable to another variable, like

assignedvar = $_SESSION['userName'];

mysql_query("SELECT * FROM mytable WHERE user_name='assignedvar'");

problem with htmlentities()

jg71 — Fri, 31 Jul 2009 15:25:47 +0800

to prevent XSS attack, i use htmlentities() to display user input...

but, i found there is a problem here...

let say, i have a textarea to get user input, and the user key in:

my test 1,
my test again 2...
then test 3

whenever i want to redisplay this input, i'll use htmlentities()...but, this is what i get:

my test 1,<br />
my test again 2...<br />
then test 3

so, how can i solve this problem? don't let the <br /> being output...

mysql_real_escape_string()

jg71 — Thu, 30 Jul 2009 18:20:32 +0800

my code work fine, until i add mysql_real_escape_string() for my user inputs and get all the warning like this:

QUOTE

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /home/mysite/domains/mysite.com/public_html/phpm/mypage.php on line 157

line 157 is the line that i add mysql_real_escape_string() for my user input...

so, what error i have made here?