PHP problems!
by Nobody: 5:43pm On Aug 30, 2013

Hello my bosses, my fellow learners and all aspiring ones. I have been studying PHP for a while now and I think it's time to put my brain and skills to work. I want to solve some tough problems strictly in PHP. Can you please bring on some problems you had while learning, or anything innovative? I really want to get my hands to work. I'll be waiting. Thanks, Chuzzy
Re: by CODEEATER(m): 5:51pm On Aug 30, 2013

Hmmmm, let's see. You have a world-popular forum written in PHP. Unfortunately, the success of that forum has attracted badass haters, and now some black hat dude is trying to "brute force" his way into your AdminCP to damage your site from the inside out. What can you do to stop this scenario? YOUR ANSWER IN IMAGINARY OOP CODE PLEASE
Re: by Nobody: 6:12pm On Aug 30, 2013

CODE-EATER: This one is strong oooo... but I believe I can do it. But please, what is "imaginary"?
Re: by CODEEATER(m): 7:39pm On Aug 30, 2013

Chuzzyrules: The normal word na, to imagine something. What I mean is, for example, including classes with IMAGINARY methods in them and commenting on what the method does, then using it. Just explain as you type, we will understand.
Re: by talk2hb1(m): 3:57am On Aug 31, 2013

Why not pick some projects from my blog to help build your CV?
Re: by Nobody: 12:45pm On Aug 31, 2013

Your SQL query in your PHP log-in script, on your website:

    <?php
    $q = "SELECT `id` FROM `users` WHERE `username`= '" . $_GET['username'] . "' AND `password`= '" . $_GET['password'] . "'";
    ?>

One day a self-proclaimed hacker stumbles upon your website. He clicks the 'Log In' button. He enters the following in the 'username' field:

    ' ; SHOW TABLES;

The hacker has now been shown every table you have in your database. Since he knows your table's name, he enters:

    '; DROP TABLE [your table's name];

All of your information is gone.

Note: There are attempts that are much more complicated than this, and someone can spend a lot of time getting into your database, or they can even use a program to try to exploit the vulnerability of your website, database, application, etc.

Step 1: Use mysql_real_escape_string()

This PHP function escapes special characters for use in SQL queries and protects you from attack. The query would now look like this:

    <?php
    $q = "SELECT `id` FROM `users` WHERE `username`= '" . mysql_real_escape_string($_GET['username']) . "' AND `password`= '" . mysql_real_escape_string($_GET['password']) . "'";
    ?>

Step 2: Use mysql_query()

Using mysql_query() has additional protection against SQL injection. A query not wrapped in mysql_query() could allow a hacker to use multiple SQL commands from your 'username' field, instead of just one, which is another vulnerability. mysql_query() only allows one command at a time. So, our query would now look like this:

    <?php
    // connection
    $database = mysql_connect("localhost", "username", "password");
    // db selection
    mysql_select_db("database", $database);
    $q = mysql_query("SELECT `id` FROM `users` WHERE `username`= '" . mysql_real_escape_string($_GET['username']) . "' AND `password`= '" . mysql_real_escape_string($_GET['password']) . "'", $database);
    ?>

Recommendation: Centralize Your Connections

In your script, you should centralize your connections to one page. On each page that needs it, just use the include() function to include the page that hosts your SQL database connection information. This forces you to create queries with the same format on every page you create, and reduces the chances of a mistake leaving a vulnerability open. So, let's say we make a page called 'connections.php' and put in the following:

    <?php
    // connection
    $database = mysql_connect("localhost", "username", "password");
    // db selection
    mysql_select_db("database", $database);
    ?>

We could modify our query using the new setup. Our log-in page would have:

    <?php
    include("connections.php");
    $q = mysql_query("SELECT `id` FROM `users` WHERE `username`= '" . mysql_real_escape_string($_GET['username']) . "' AND `password`= '" . mysql_real_escape_string($_GET['password']) . "'", $database);
    ?>

Recommendation: Clean Data at the Beginning of the Page

Many programming languages force you to declare variables before you can use them throughout the script. PHP does not force you to do this; however, it's a good habit to clean out your variables at the beginning of the page anyway! Sure, someone can ask, "If I'm cleaning each variable throughout the page, why should I clean the variables at the top? Aren't I doing the same thing with your recommendation?" It is easier on you to clean variables at the beginning of the page for a few different reasons, beyond formatting.

1. It reduces the amount of code you have to write.
2. Once the variable is clean, you can use it freely throughout the page, without the fear of vulnerabilities.
3. It is cleaner and more organized, allows you to work more easily, and avoids mistakes.

If we cleaned variables at the beginning of the page, our script would look like this:

    <?php
    include("connections.php");
    $username = mysql_real_escape_string($_GET['username']);
    $password = mysql_real_escape_string($_GET['password']);
    $q = mysql_query("SELECT `id` FROM `users` WHERE `username`= '" . $username . "' AND `password`= '" . $password . "'", $database);
    ?>

You could even go as far as creating a function to do all the cleaning for you, reducing the amount you have to type further. Look at the following example.

    <?php
    function cleaner($input) {
        // clean variable, including mysql_real_escape_string()
        return mysql_real_escape_string(trim($input));
    }
    include("connections.php");
    $username = cleaner($_GET['username']);
    $password = cleaner($_GET['password']);
    $q = mysql_query("SELECT `id` FROM `users` WHERE `username`= '" . $username . "' AND `password`= '" . $password . "'", $database);
    ?>

Recommendation: Check Even After It Is Cleaned

You can have additional checks in place to guard against unnecessary processing on your server. This is achieved by adding checks to your script before you ever get to the point of running the query, only running the query when you find the data acceptable.

    <?php
    function cleaner($input) {
        // clean variable, including mysql_real_escape_string()
        return mysql_real_escape_string(trim($input));
    }
    include("connections.php");
    $username = cleaner($_GET['username']);
    $password = cleaner($_GET['password']);
    // Check if the input is blank.
    if (($password == '') || ($username == '')) {
        // don't let them pass
    }
    // Check if they are putting in way more characters than should be allowed.
    else if ((strlen($username) > 20) || (strlen($password) > 20)) {
        // don't let them pass
    }
    // Passed all of our checks! Run query.
    else {
        $q = mysql_query("SELECT `id` FROM `users` WHERE `username`= '" . $username . "' AND `password`= '" . $password . "'", $database);
    }
    ?>

That's pretty much it.
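The escaping approach in the post above rests on the old mysql_* extension (removed in PHP 7) and compares passwords as plain text. As an added example, not part of the post, here is the same login check written with PDO prepared statements and hashed passwords; the `users` table and `username`/`password` columns come from the post, while the DSN, credentials and function names are placeholders.

```php
<?php
// Added example, not from the thread. Table `users` and columns `username`/`password`
// are taken from the post; the DSN, credentials and function names are placeholders.
// Assumes the `password` column stores password_hash() output, not plain text.

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: user input never becomes part of the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// The post's pre-query checks (non-blank, at most 20 characters), kept as-is.
function input_is_acceptable(string $username, string $password): bool
{
    return $username !== '' && $password !== ''
        && strlen($username) <= 20 && strlen($password) <= 20;
}

// Returns the user's id on success, null otherwise. The username is bound as a
// value, so input such as  ' ; DROP TABLE users;  is compared as a literal string.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    if (!input_is_acceptable($username, $password)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT `id`, `password` FROM `users` WHERE `username` = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against the stored hash in a timing-safe way.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Read credentials from POST: values in $_GET end up in URLs, history and server logs.
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$userId   = authenticate(db(), $username, $password);
echo $userId === null ? 'Login failed' : "Logged in as user $userId";
```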
Re: by CODEEATER(m): 7:27pm On Aug 31, 2013

Umo, you get power to type o. Me, I'm using a touch screen, can't type this long stuff. Nice guide though.
Re: by Djtm(m): 1:25am On Sep 03, 2013

Nice post @chuzz. You have to create a function for all those if you don't want to die typing. Create a functions.php file and insert your different functions: isSqlSafe(), isEmail(), isAlphanumeric(), isShort(), isLong(), bla bla bla, and include it on every page. Create a config.php file and put your DB connection stuff inside also. Hope that helps.
Re: by themanager: 1:01am On Sep 09, 2013

Hi guys, I am looking to develop an intranet application with PHP, also a desktop app with PHP that runs through a browser.
Re: by CODEEATER(m): 7:42pm On Sep 09, 2013

themanager: Hi guys, I am looking to develop an intranet application with PHP, also a desktop app with PHP that runs through a browser.

Desktop app with PHP? To run through the browser? PHP scripts can't just run like that now... they need a server of some sort.
Re: by Djtm(m): 9:34pm On Sep 09, 2013

themanager: Hi guys, I am looking to develop an intranet application with PHP, also a desktop app with PHP that runs through a browser.

Desktop apps do not run through web browsers. You'll need to install PHP-GTK to be able to create desktop apps with PHP.
Re: by X3n(m): 12:14am On Sep 10, 2013

Nice stuff, I am a new PHP developer. I have a question for you; it may not be as hard as you might want, but it will be nice to see how you tackle it. You want a login page to direct users that have logged in to the page that brought them to the login page. E.g. you have a job site, and the person didn't log in once he/she entered the site, and started searching for jobs, and after going through a lot of pages he/she wants to apply but is then taken to the login page to log in. After logging in, you want the person to be directed back to the page that he was on before, and not to the home page or any static page, bearing in mind that the person can refresh the page and thus make $_SERVER['HTTP_REFERER'] become empty.
Re: by maxit2(m): 3:39am On Sep 10, 2013

X3n: Nice stuff, I am a new PHP developer. I have a question for you; it may not be as hard as you might want, but it will be nice to see how you tackle it.

I think you can simply do this: to preserve your $_SERVER['HTTP_REFERER'], make it a session variable. Then upon successful login, you redirect using an IF statement. See sample:

    <?php
    session_start();

    // PUT THIS ON THE PAGE THE USER IS COMING FROM.
    // This helps to save $_SERVER to a more permanent $_SESSION variable.
    $_SESSION['referrer'] = $_SERVER['HTTP_REFERER'] ?? '';

    // PUT THIS ON THE LOGIN PAGE; this helps to determine where to redirect: static or previous.
    if (!empty($_SESSION['referrer'])) {
        $goto = $_SESSION['referrer'];
    } else {
        $goto = "static_page.php";
    }
    ?>

I hope you get the gist. Ask any questions if you're not clear. This is not complete code, just giving you an insight on the method to apply.
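An added example, not from the post above: instead of the referer (which a refresh empties, as X3n noted), the protected page stores its own request URI in the session before sending the user to login, and the login page redirects only to a same-site path, so a stored value can never be turned into an open redirect. The function names and the /login.php and /index.php paths are assumptions.

```php
<?php
// Added example, not from the thread. Function names and the /login.php and
// /index.php paths are assumptions. session_start() must run before any of this.

// Accept only a same-site path such as "/jobs/apply.php?id=42". Anything with a
// scheme or host, a protocol-relative "//host" or "/\host" form, or CR/LF
// (header injection) falls back to the default, so the session value can never
// send the user to another site.
function safe_return_path(?string $candidate, string $default = '/index.php'): string
{
    if ($candidate === null || $candidate === '' || $candidate[0] !== '/') {
        return $default;
    }
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $default;
    }
    if (preg_match('/[\r\n]/', $candidate) === 1) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// On a protected page (e.g. the "apply" page): remember where the user was going.
// REQUEST_URI is the page's own address, so unlike HTTP_REFERER it does not
// vanish when the user refreshes the login page.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php');
        exit;
    }
}

// On login.php, once credentials have been verified: consume the stored target.
function redirect_after_login(): void
{
    $target = safe_return_path($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);
    header('Location: ' . $target);
    exit;
}
```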
Re: by themanager: 5:12am On Sep 11, 2013

Djtm: I have seen some software that runs through a web browser; you don't install it, you just click on it, then your browser opens and you begin to work with it. Though what I saw was designed using Java. I was wondering if there was a way around that with PHP. How about the intranet software, how can I go about that with PHP? Thanks a lot!!!!!
Re: by maxit2(m): 11:10am On Sep 12, 2013

Depending on your web browser, most browsers will only open .html, .php, .asp, .aspx (in fact, web pages) plus .txt and some .pdf. A software can be designed to output an HTML interface for the user. Whereas for a server language like PHP or ASP, a server must be running on the host machine (the USER'S computer). If trying to open a PHP file on a Windows computer you will need a server running locally on your computer for it to work. This is because .php is a Unix language. Hope any bit of this information is useful, elseif(!useful){ ignore.it; }
Re: by CODEEATER(m): 11:31am On Sep 12, 2013

LOL... GOD I LOVE PHP
Re: by wdetres: 1:30pm On Sep 12, 2013

Chuzzyrules: Hello my bosses, my fellow learners and all aspiring ones...

It's good that you want to do the practical of the PHP skills you have learned. It will be good to start your own website and implement your skills, as it will help to furnish your PHP skills and also to gain confidence. The website can be a community website, social networking, classified ads, business directory or on any other topic.