
Beginner confused about PHP security

Hello all,

As a beginner I've been experiencing lots of errors while building my
website (I'm currently attempting to implement a member
login/registration piece for my site using MySQL and PHP).

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the PHP code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.
Jul 17 '05 #1
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected?
Yes.
Is this a security risk?
Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?
Yes.
Thanks for any advice.


See http://fi.php.net/manual/en/function...-reporting.php

--
Markku Uttula

Jul 17 '05 #2
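The manual page Markku points to covers error_reporting(); the same concern (the warning leaks the script's full path to the visitor) is also addressed by display_errors and log_errors. As an added example that is not code from the thread, this is a production-safe error setup: nothing about a failure reaches the browser, full detail goes to a server-side log, and warnings and worse are also mailed to the operator (the e-mail alert steve suggests later in the thread). ADMIN_EMAIL, ERROR_LOG and the handler names are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread. Production error handling:
// log everything, display nothing, mail the operator about anything
// at warning level or above.

// Constructed values; set them for your own site.
const ADMIN_EMAIL = 'ops@example.com';
const ERROR_LOG   = '/var/log/php/app.log';   // keep this outside the web root

// Levels that warrant an e-mail; notices and deprecations are only logged.
const MAIL_LEVELS = E_WARNING | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR;

ini_set('display_errors', '0');   // never echo errors into the HTTP response
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG);
error_reporting(E_ALL);           // report everything, just not to the visitor

// One log-line format shared by the error and exception handlers.
function format_error(int $errno, string $errstr, string $errfile, int $errline): string
{
    return sprintf('[%s] errno=%d %s in %s:%d', date('c'), $errno, $errstr, $errfile, $errline);
}

// Installed with set_error_handler(). The file path and line number are
// exactly what the operator needs and exactly what the visitor must not see.
// Returning true tells PHP the error is handled, so its own display path is skipped.
function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    $line = format_error($errno, $errstr, $errfile, $errline);
    error_log($line);                       // type 0: appended to ERROR_LOG
    if ($errno & MAIL_LEVELS) {
        error_log($line, 1, ADMIN_EMAIL);   // type 1: sent by mail(); needs a working mail setup
    }
    return true;
}

// Uncaught exceptions (including PHP 7+ Error objects for fatal conditions)
// end the request with a generic page instead of a stack trace.
function app_exception_handler(Throwable $e): void
{
    $line = format_error(E_ERROR, get_class($e) . ': ' . $e->getMessage(), $e->getFile(), $e->getLine());
    error_log($line);
    error_log($line, 1, ADMIN_EMAIL);
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Sorry, something went wrong. The problem has been logged.';
}

set_error_handler('app_error_handler');
set_exception_handler('app_exception_handler');
```

ini_set() at runtime cannot hide errors raised before the script starts (parse errors in the file itself), so display_errors=Off belongs in php.ini or the virtual host configuration as well; the handler above then covers everything that happens at run time, including the mysql_connect() warning from the original post, which would be logged with its path but answered to the browser by whatever the calling code does on a failed connection.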


Markku Uttula wrote:
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected?

Yes.
Is this a security risk?

Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?

Yes.
Thanks for any advice.

See http://fi.php.net/manual/en/function...-reporting.php

You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:

if ( $_SESSION['auth'] == 'ok') {
    @header("Location: entrance.php");
}

instead of

if ( $_SESSION['auth'] == 'ok') {
    header("Location: entrance.php");
}
Jul 17 '05 #3
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bug hunt might take a lot longer than necessary.

--
Markku Uttula

Jul 17 '05 #4
Markku Uttula wrote:
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bug hunt might take a lot longer than necessary.


which is why it is NOT acceptable to write EITHER:
$file = fopen(...);
$data = fread($file, ...);
//etc

OR:

$file = @fopen(...);
$data = fread($file, ...);
//etc.
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false)   // fopen() returns false on failure, not NULL
{
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}
$data = fread($file, ...);
// etc.

one should never be spending time tracking down bugs like this -- they
should always be checked and reported right away.

mark.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #5
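Mark's point, carried through in working code as an added example (not code from the thread): every call that can fail is checked against the value it actually returns on failure, the failure is reported where the operator will see it, and the visitor only ever gets an error number. The error codes, report_failure() and the paths are assumptions made for the example; ERR_FOPEN_FAILED is taken from Mark's post and assumed to be an application constant.

```php
<?php
// Added example, not code from the thread. Return values drive control
// flow; nothing is silenced with @ and nothing is left to PHP's default
// warning output.

// Hypothetical application error codes (ERR_FOPEN_FAILED is the name used above).
const ERR_FOPEN_FAILED = 1;
const ERR_READ_FAILED  = 2;
const ERR_DB_FAILED    = 3;

// Records the detail for the operator and hands back the code the caller
// will act on. The detail (paths, user names) never reaches the browser.
function report_failure(int $code, string $detail): int
{
    error_log(sprintf('app error %d: %s', $code, $detail));
    return $code;
}

// Reads a whole file, or returns null and sets $err. fopen() and
// stream_get_contents() return false on failure, so the comparisons are
// strict checks against false, never against NULL.
function read_config(string $path, int &$err): ?string
{
    $err = 0;
    $fh = fopen($path, 'rb');   // PHP's own warning, if any, goes wherever log_errors sends it
    if ($fh === false) {
        $err = report_failure(ERR_FOPEN_FAILED, "cannot open $path");
        return null;
    }
    $data = stream_get_contents($fh);
    fclose($fh);
    if ($data === false) {
        $err = report_failure(ERR_READ_FAILED, "cannot read $path");
        return null;
    }
    return $data;
}

// The "Access denied" case from the original post, with the connection
// failure checked instead of displayed. mysqli_report(MYSQLI_REPORT_OFF)
// keeps mysqli returning false rather than throwing (the PHP 8.1+ default).
function connect_db(string $host, string $user, string $pass, string $name, int &$err): ?mysqli
{
    $err = 0;
    mysqli_report(MYSQLI_REPORT_OFF);
    $db = mysqli_connect($host, $user, $pass, $name);
    if ($db === false) {
        $err = report_failure(ERR_DB_FAILED, 'mysqli_connect: ' . mysqli_connect_error());
        return null;
    }
    return $db;
}

// Usage: the visitor is redirected with a bare error number, as in Mark's
// post; the log line written above carries the real reason.
$err = 0;
$cfg = read_config('/path/outside/webroot/app.ini', $err);   // placeholder path
if ($cfg === null) {
    header('Location: showerror.php?errno=' . $err);
    exit;
}
```

The pattern generalises to every mysql/mysqli call in a login or registration script: query, fetch and insert all have a documented failure return, and checking it is what lets the page fail closed (deny the login) instead of limping on with a half-initialised state.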
NO!!! The error control operator should be used only when doing custom
error control!

For instance, say I want to include a file, but it doesn't exist on the
system.
<?php include 'file.php'; ?>

That will spit out a warning (cannot open stream). This is something
you want to know about! Obviously, there is a reason why I wanted the
file in the first place. Don't suppress the warning, or you may never
know what is wrong.

However, you may want to do something more elaborate:
<?php
if( !@include 'file.php' ){
    // file doesn't exist, call a user function
    file_doesnt_exist('file.php', __FILE__, __LINE__);
}
?>

Here, the error is suppressed, but it was intentional. The
file_doesnt_exist function might send the webmaster an email or do some
other helpful procedure.

I swear, if I get another project to take over/maintain that has blocks
like this:

<?php
$rowcount = mysql_num_rows($result);
if($rowcount > 0)
{
    $row = mysql_fetch_array($result);

    @ $securityquestion = $row['securityquestion'];
    @ $securityanswer = $row['securityanswer'];
    @ $company = $row['company'];
    @ $title = $row['title'];
    @ $division = $row['division'];
    @ $firstname = $row['firstname'];
    @ $lastname = $row['lastname'];
    @ $emailaddr1 = $row['emailaddr1'];
    @ $emailaddr2 = $row['emailaddr2'];
    @ $website = $row['website'];
    @ $phone1 = $row['phone1'];
    @ $phone2 = $row['phone2'];
    @ $phone3 = $row['phone3'];
    @ $address1 = $row['address1'];
    @ $address2 = $row['address2'];
    @ $city = $row['city'];
    @ $state = $row['state'];
    @ $zip = $row['zip'];
    $uts=$row['updatetimestamp'];
    @ $updateuserid=$row['updateuserid'];
    $hour = substr($uts,8,2);
    $ampm = " AM";
    if($hour > 12)
    {
        $hour = $hour - 12;
        $ampm = " PM";
    }
    @ $updatetimestamp = substr($uts,4,2)."/".
                         substr($uts,6,2)."/".
                         substr($uts,0,4)."@".
                         $hour.":".substr($uts,10,2).$ampm;
    @ $lastupdated = " - last updated by {$updateuserid} on
{$updatetimestamp}";
}
?>

I'm going to go POSTAL!!!

(Since I dug that snippet out, I just had to submit it to
http://www.thephpwtf.com/ !)

Jul 17 '05 #6
"rodtheplodder" wrote:
Hello all,

As a beginner I've been experiencing lots of errors while building my
website (I'm currently attempting to implement a member
login/registration piece for my site using MySQL and PHP).

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the PHP code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.


Hi,
The best thing you can do (and I have done) IMHO is to have the
warning/error emailed to yourself... and don’t show it to the visitor.

I find that if I just write the error to a file, I never get to visit
and see what is going on. With an email alert (which shows exactly
what the error is), I react instantly.

steve

--
Posted using the http://www.dbforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbforumz.com/PHP-Beginner...ict191933.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbforumz.com/eform.php?p=649596
Jul 17 '05 #7
"Rod Carrol" <ro***********@yahoo.co.uk> wrote in message
news:65***********************@posting.google.com...
Hello all,

As a beginner I've been experiencing lots of errors while building my
website (I'm currently attempting to implement a member
login/registration piece for my site using MySQL and PHP).

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the PHP code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?


Well, that raises the ever-contentious "security through obscurity"
question. Is it a security risk to let others know about your software's
architecture? A reasonable answer is "it shouldn't, but it might."
Jul 17 '05 #8
I couldn't find it on thephpwtf.com, and for us beginners (if it's
not too time-consuming), can you show us how you would replace this
snippet?
tia

Jul 17 '05 #9
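Nobody in the thread answered this, so here is one way to rewrite the snippet from #6, as an added example that is not code from the thread or from the project it was dug out of. It keeps the column names of the original and assumes a mysqli result set (the mysql_* functions the snippet uses were removed in PHP 7). The difference is that missing columns and a malformed timestamp become explicit, visible decisions rather than notices hidden behind @, and the hand-rolled AM/PM arithmetic (which left midnight as "0 AM" and noon as "12 AM") is replaced by DateTime.

```php
<?php
// Added example, not code from the thread: the #6 snippet without the
// error control operator. Column names are the original's; $result is
// assumed to be a mysqli_result from the profile query.

// The snippet slices a 14-digit "YYYYMMDDHHMMSS" stamp by hand. This
// parses it and returns "MM/DD/YYYY@h:MM AM", or null when the stamp is
// not a valid date, which the original silently turned into garbage.
function format_update_stamp(?string $uts): ?string
{
    if ($uts === null) {
        return null;
    }
    $t = DateTime::createFromFormat('YmdHis', $uts);
    // The round trip rejects out-of-range fields that createFromFormat would roll over.
    if ($t === false || $t->format('YmdHis') !== $uts) {
        return null;
    }
    return $t->format('m/d/Y@g:i A');
}

// Copies the columns the page needs out of a fetched row. A column that
// is absent or NULL becomes '' explicitly, with no suppressed notice.
function profile_from_row(array $row): array
{
    $fields = ['securityquestion', 'securityanswer', 'company', 'title', 'division',
        'firstname', 'lastname', 'emailaddr1', 'emailaddr2', 'website',
        'phone1', 'phone2', 'phone3', 'address1', 'address2', 'city', 'state', 'zip'];
    $profile = [];
    foreach ($fields as $f) {
        $profile[$f] = $row[$f] ?? '';
    }
    $stamp = format_update_stamp($row['updatetimestamp'] ?? null);
    $profile['lastupdated'] = ($stamp !== null && isset($row['updateuserid']))
        ? " - last updated by {$row['updateuserid']} on {$stamp}"
        : '';
    return $profile;
}

// Usage: a missing row is a real condition the page has to handle,
// not something to paper over.
$row = $result->fetch_assoc();
if ($row === null) {
    header('Location: showerror.php?errno=404');   // placeholder error code
    exit;
}
$profile = profile_from_row($row);
// e.g. $profile['firstname'], $profile['lastupdated'] are now ready for the template
```

With display_errors off and a logging error handler in place, any notice this code did raise would reach the operator's log rather than the visitor; the point of writing it this way is that it raises none, so the log stays meaningful.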
Wow! Thanks for all the replies - very helpful!

This seems to be a cool place to hang out while I get my head around
PHP :o)

Once my code is stable and errors are hidden from the user, emailing
the errors to myself sounds like a good idea.

Much appreciated!

RodC.

Jul 17 '05 #10
