  1. #1
    DeNasio (SitePoint Guru, joined May 2001, 830 posts)

    Question about security and PHP

    Hello,

    I have a site that allows webmasters to create a poll to put on their site. When their visitors click on the submit button I use a Perl script to register the votes. But now I want to use a PHP script to register the votes. But I'm a little concerned about the security issue. Can people do harm to my system if I allow the script to be called from anywhere? Normally when I run a PHP script on my site I always check the referer to see if the script is being called from my site.

    What advice can you guys give me?
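    The following is an added example, not DeNasio's script and not code from ballot-box.net; it shows the kind of vote-registration handler the question is about, with the checks that actually protect the server when the script is callable from anywhere. The storage directory, the JSON file layout and the field names `poll` and `choice` are assumptions made for the illustration. The key point it demonstrates: the Referer header is supplied by the client and can be anything, so it is not an access control; what matters is that the script never lets the client choose a file path, validates every input before it touches state, locks the file while updating it, and escapes everything it prints.

```php
<?php
// Added example (not the ballot-box.net script). Assumed layout: one JSON file
// per poll under polls/, of the form {"options": ["Yes","No"], "votes": [0,0]}.
declare(strict_types=1);

const POLL_DIR = __DIR__ . '/polls';   // assumed location of the poll files

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// The Referer header is set by the client and is trivially forged, so it is
// not used as an access control here; at most it is worth logging.
$referer = $_SERVER['HTTP_REFERER'] ?? '';

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    fail(405, 'Votes must be submitted with POST');
}

// Never build a path from raw client input: accept only a short identifier
// matching a strict pattern, and map it to a file name on the server side.
$pollId = (string) ($_POST['poll'] ?? '');
if (!preg_match('/^[a-z0-9]{1,32}$/', $pollId)) {
    fail(400, 'Invalid poll id');
}
$file = POLL_DIR . '/' . $pollId . '.dat';

// The choice must be a non-negative integer index; reject anything else early.
$choiceRaw = (string) ($_POST['choice'] ?? '');
if (!ctype_digit($choiceRaw)) {
    fail(400, 'Invalid choice');
}
$choice = (int) $choiceRaw;

// 'r+' fails if the poll does not exist, so a client cannot create new files.
$fh = @fopen($file, 'r+');
if ($fh === false) {
    fail(404, 'Unknown poll');
}
// Exclusive lock: two simultaneous votes must not overwrite each other.
if (!flock($fh, LOCK_EX)) {
    fclose($fh);
    fail(503, 'Try again');
}

$poll = json_decode((string) stream_get_contents($fh), true);
if (!is_array($poll) || !isset($poll['options'], $poll['votes'])
    || !is_array($poll['options']) || !is_array($poll['votes'])) {
    flock($fh, LOCK_UN);
    fclose($fh);
    fail(500, 'Poll data unreadable');
}
// Range check against the stored options, not against anything the client sent.
if (!array_key_exists($choice, $poll['options']) || !array_key_exists($choice, $poll['votes'])) {
    flock($fh, LOCK_UN);
    fclose($fh);
    fail(400, 'Choice out of range');
}

$poll['votes'][$choice]++;

// Rewrite the file in place while still holding the lock.
rewind($fh);
ftruncate($fh, 0);
fwrite($fh, json_encode($poll));
fflush($fh);
flock($fh, LOCK_UN);
fclose($fh);

// Show the results. Labels came from a file a webmaster wrote, so escape them.
header('Content-Type: text/html; charset=utf-8');
echo '<h1>Results</h1><ul>';
foreach ($poll['options'] as $i => $label) {
    printf('<li>%s: %d</li>',
        htmlspecialchars((string) $label, ENT_QUOTES, 'UTF-8'),
        (int) $poll['votes'][$i]);
}
echo '</ul>';
```

    Whether the request came from a webmaster's page, a curl command or a script that hits the URL in a loop looks the same to the server, which is why the checks above are on the data rather than on the Referer. Ballot stuffing (the "cheating" raised later in this thread) is a separate problem from server compromise and needs its own measures, such as rate limiting per source address; the example does not attempt that.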

  2. #2
    Hartmann (chown linux:users\ /world, joined Aug 2000, Houston, TX, USA, 6,455 posts)
    I don't see anything different from the Perl script being called remotely. The same security risks exist for both. The script can be abused with either language.

    I hope this helps.

    Please clarify exactly how the script works and I will be able to give a better assessment.

  3. #3
    DeNasio (SitePoint Guru, joined May 2001, 830 posts)
    > Please clarify exactly how the script works and I will be able to give a better assessment.

    Well, when a user submits their vote, the script then just updates the file with the results and then displays the result page. Go to my site at http://www.ballot-box.net and click on "Demo" to see a demonstration.

    Do you have any tips on how to tighten the security?

  4. #4
    Stallion (SitePoint Enthusiast, joined Jan 2001, Cumberland, RI, US, 97 posts)
    If you post the source code we could give you some suggestions, otherwise we can't tell much.
    /* Chris Lambert - chris@php.net
    WhiteCrown Networks, CTO - Web Application Security
    vBulletin, Security Programmer - Instant Community
    */

  5. #5
    DeNasio (SitePoint Guru, joined May 2001, 830 posts)
    > If you post the source code we could give you some suggestions, otherwise we can't tell much.

    Sorry, can't post the source code. I don't think anyone would do that.

    Can't I get some tips without posting the code?

  6. #6
    SitePoint Wizard (joined Jul 1999, Chicago, 2,629 posts)
    There's really no way for us to know if the script is insecure without the source. Yes, it's possible for it to be insecure, but it would help a lot if we could see the source.

    If you're worried about attackers seeing the source and cracking your server, you needn't be.
    Last edited by qslack; Aug 11, 2001 at 02:02.

  7. #7
    DeNasio (SitePoint Guru, joined May 2001, 830 posts)
    > If you're worried about attackers seeing the source and cracking your server, you needn't be.

    It's not that. I see my scripts as a piece of knowledge that I don't want to just give away. I always compare it to Microsoft: they won't just give away the code for Windows 98!

    But I guess if I want some tips from you guys then I must post the code. Ok, give me a couple of days to create the PHP code (I only have the Perl version now) and then I will post it here for you guys to see.

    I will try to contact you guys that replied to this thread to take a look at the code.

    Thanks in advance.

  8. #8
    Dumb PHP codin' cat (joined Aug 2000, San Diego, CA, 5,460 posts)
    DeNasio, do you really think you are going to be giving away nuclear secrets by showing your source code? It will only do one of two things: either show us how poorly the script was coded and draw tons of tips on how to improve it, or impress the hell out of us by how good it is and motivate people to try using your principles. Either way you and everyone else have everything to gain by viewing the source code, IMHO.
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  9. #9
    Chris Roane (SitePoint Addict, joined Jul 1999, Helena, MT, 287 posts)
    Good point, freddy.

    When I create PHP scripts, I always try to see if I can cheat my own system.

    If it is fairly easy for you to cheat off of it, then you probably need to re-work some of the code and make things look less obvious. However, if you were able to cheat off of it because you were the one who created the script and know how it works, then I wouldn't worry about it. Unless you are working off of another script, no one else should be able to cheat (unless they get your source code somehow) or are incredibly good guessers.

    But then again, no one is perfect and there is a possibility that you might miss a huge security risk, which is why it is a good reason to post the code.

    Just some things based off of my experience.

  10. #10
    kunal (SitePoint Addict, joined Oct 2000, 307 posts)
    Short, simple and sweet answer: YES! There is no script that is completely secure. As for the security issue, it all depends on how you write your code. And we can't comment on the code until we see it...
    I dunno...

  11. #11
    Hartmann (chown linux:users\ /world, joined Aug 2000, Houston, TX, USA, 6,455 posts)
    So you are taking the Microsoft approach, eh? Don't let us know what is wrong with it?? Just kidding....

    If you think that your ballot box software is very top of the line and shouldn't be copied (although I don't know of anyone in these forums who would do it) then don't post it. But without it we really cannot help.
