[PHP, MySQL] Security Issues
I have recently begun developing a script manager, in which the user can:
- Login, Register, User CP, etc
- Upload their scripts, etc
- More things that are irrelevant.
Anyhow, I was wondering what security issues will come of this project once users start uploading/downloading the content?
The user's rank will determine which privileges they have, and administrators are the only people who can actually run a demo of their script. Users can also edit their scripts on the website in an online editor.
All data besides uploaded files is stored in MySQL.
Thank you for your contribution.
Re: [PHP, MySQL] Security Issues
Well, if the user can upload, let's say, a .php file and pretty much host it on your server, they could take out your whole website. If you want to do uploads, try to get an anti-virus from your web host; that will take out a few. Plus, make sure that when they upload, it renames the file and puts it in a hidden directory, make it so it's only accessible by downloading, and don't give away where you hide it or the hidden name.
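The rename-and-hide approach described in this reply, written out as an added example (this is not code from the thread). It assumes a PDO connection in `$pdo`, a `files` table with columns `id, owner_id, orig_name, stored_name, size`, and a storage directory that sits outside the web root, so no URL maps onto it; the uploaded file gets a random, extension-less name and is only ever handed back through a download script that forces `Content-Disposition: attachment`.

```php
<?php
// Added example, not from the original thread: store an upload under a random
// name outside the web root and serve it back only as a download.
// Assumptions: $pdo is a PDO connection; STORAGE_DIR is outside DocumentRoot
// and not reachable by URL; table `files` (id, owner_id, orig_name,
// stored_name, size) exists.

const STORAGE_DIR = '/var/app/uploads';   // assumption: outside the web root
const MAX_BYTES   = 2 * 1024 * 1024;      // 2 MiB cap per upload

function store_upload(PDO $pdo, int $ownerId, array $f): int
{
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $f['error']);
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is kept only as display text, never as a path.
    $origName = basename($f['name']);
    // Random, extension-less name: a PHP handler keyed on ".php" can never
    // match it, and a client cannot guess it.
    $stored = bin2hex(random_bytes(16));
    $dest   = STORAGE_DIR . '/' . $stored;
    // move_uploaded_file() refuses anything that was not uploaded in this request.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0600);  // plain data, owner read/write only, never executable
    $st = $pdo->prepare(
        'INSERT INTO files (owner_id, orig_name, stored_name, size) VALUES (?, ?, ?, ?)'
    );
    $st->execute([$ownerId, $origName, $stored, $f['size']]);
    return (int) $pdo->lastInsertId();
}

function send_download(PDO $pdo, int $fileId): void
{
    $st = $pdo->prepare('SELECT orig_name, stored_name, size FROM files WHERE id = ?');
    $st->execute([$fileId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        http_response_code(404);
        exit;
    }
    $path = STORAGE_DIR . '/' . $row['stored_name'];  // hex name, no traversal possible
    // Generic type plus attachment disposition: the browser saves the bytes and
    // neither renders nor executes them, whatever the user originally called it.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (int) $row['size']);
    $safe = preg_replace('/[^\w.\-]/', '_', $row['orig_name']);  // keep the header well-formed
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    readfile($path);
    exit;
}

// Usage (assumed request handling and session layout):
// $id = store_upload($pdo, $_SESSION['user_id'], $_FILES['script']);
// send_download($pdo, (int) $_GET['id']);
```

Because the files live outside the web root, no `.htaccess` trickery is needed; if the host only gives you space under the document root, the same idea works with a directory that has `php_flag engine off` (mod_php) in its `.htaccess`, but that depends on `AllowOverride`, which a shared host may not grant. `send_download()` should also check that the caller's rank or ownership allows the download before calling `readfile()`; that check is left out here because the thread does not describe the rank model.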
Re: [PHP, MySQL] Security Issues
Disallow things like .bat, .php and .html files and such ;) (block file extensions that can harm the upload, the server or anything on the website).
But of course there is always a way to SQL inject.. don't know how you would prevent it ;)
Re: [PHP, MySQL] Security Issues
Could I save it as a "FILE" extension? As in, take away the PHP extension so it cannot execute code?
Re: [PHP, MySQL] Security Issues
No, even if it's .txt or .jpg it can still be executed providing the file is using php tags. Trust me I know it works xD
Re: [PHP, MySQL] Security Issues
Try to run it through an encoding function (self-made or premade) and save it as a .txt file, and when the user wants to view or download the file, decode it again :P
Re: [PHP, MySQL] Security Issues
Just allow users to upload .zip, .rar and stuff... unless you want some unnecessary trouble. If you allow them to use a .php and they find out the config.php you use, for example... that's not really a good thing...
Another thing you can do is make a .htaccess, that might work... or (I've never tried this before) maybe changing the file CHMOD to 000 will disallow the files from executing... I'm unsure, I was just thinking of it right now... will test and post here...
Re: [PHP, MySQL] Security Issues
Quote:
Originally Posted by
kstor1234
Just allow users to upload .zip, .rar and stuff... unless you want some unnecessary trouble. If you allow them to use a .php and they find out the config.php you use, for example... that's not really a good thing...
Another thing you can do is make a .htaccess, that might work... or (I've never tried this before) maybe changing the file CHMOD to 000 will disallow the files from executing... I'm unsure, I was just thinking of it right now... will test and post here...
Good ideas, but PHP can also be used to CHMOD files and to put files into zips (zipping requires a plugin).
But I believe CHMOD'ing files will work :laugh:
Re: [PHP, MySQL] Security Issues
PHP Code:
// eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent.
if (!preg_match('/\.(gif|bmp|mid|midi|3gp|mp3|mp4|sisx|wav|mpn|nth|mpc|jar|jad|jpeg|jpg|sis|mmf|amr|thm|png|wbmp|rar|zip)$/i', $file))
{
echo "Invalid type.<br/>";
}else{
// Your processing code
}
Re: [PHP, MySQL] Security Issues
You could always change the mime type on the host (or ask your host for you) to something that would have to be downloaded or viewed and not executed.
Re: [PHP, MySQL] Security Issues
Hm, I'll take all these into account :) Thank you.
Is it also possible to maybe, save the codes in a MySQL table? And just load them with:
PHP Code:
<?php
$file_source = query("SELECT `source` FROM `table` WHERE `ID` = 'FILE_ID'"); // I have a MySQL Grab function, btw.
?>
<textarea id="the_id" name="code_editor"><?php echo $file_source; ?></textarea>
Re: [PHP, MySQL] Security Issues
Quote:
Originally Posted by
9000234
No, even if it's .txt or .jpg it can still be executed providing the file is using php tags. Trust me I know it works xD
Ahum, no it can't. How would the server know what to do with a file if it didn't have an extension?
Re: [PHP, MySQL] Security Issues
Quote:
Originally Posted by
Cask
Hm, I'll take all these into account :) Thank you.
Is it also possible to maybe, save the codes in a MySQL table? And just load them with:
PHP Code:
<?php
$file_source = query("SELECT `source` FROM `table` WHERE `ID` = 'FILE_ID'"); // I have a MySQL Grab function, btw.
?>
<textarea id="the_id" name="code_editor"><?php echo $file_source; ?></textarea>
Yes, it is possible. Just remember to use addslashes or another function to prevent SQL injection. Use nl2br to make \n turn into <br />, use htmlentities to make < become &lt;, and all the other things.
If you are going to use it as an uploaded file, remember to limit the size of the file, and don't check the file type by extension but by MIME type.
Re: [PHP, MySQL] Security Issues
Quote:
Originally Posted by
9000234
No, even if it's .txt or .jpg it can still be executed providing the file is using php tags. Trust me I know it works xD
Only if the server is configured to have php parse those files, which I would doubt anyone would.
Re: [PHP, MySQL] Security Issues
Well, first I suggest a file checker that the admin can use to check up on the size of its files to see if they haven't been edited.