
Beginner confused about PHP security

Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.
Jul 17 '05 #1
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected?
Yes.
Is this a security risk?
Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?
Yes.
Thanks for any advice.


See http://fi.php.net/manual/en/function...-reporting.php

--
Markku Uttula

Jul 17 '05 #2


Markku Uttula wrote:
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected?
Yes.
Is this a security risk?
Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?
Yes.
Thanks for any advice.

See http://fi.php.net/manual/en/function...-reporting.php

You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:

if ( $_SESSION['auth'] == 'ok') {
    @header ("location:entrance.php");  // @ silences any warning header() would emit
}

instead of

if ( $_SESSION['auth'] == 'ok') {
    header ("location:entrance.php");
}
Jul 17 '05 #3
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bughunt might take a lot longer than necessary.

--
Markku Uttula

Jul 17 '05 #4
Markku Uttula wrote:
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bughunt might take a lot longer than necessary.


which is why it is NOT acceptable to write EITHER:
$file = fopen(...);
$data = fread($file...);
//etc

OR:

$file = @fopen(...);
$data = fread($file...);
//etc.
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false)   // fopen() returns false on failure, never NULL
{
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}
$data = fread($file...);
// etc.

one should never be spending time tracking down bugs like this -- they
should always be checked and reported right away.

mark.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #5
NO!!! The error control operator should be used only when doing custom
error control!

For instance, say I want to include a file, but it doesn't exist on the
system.
<?php include 'file.php'; ?>

That will spit out a warning (cannot open stream). This is something
you want to know about! Obviously, there is a reason why I wanted the
file in the first place. Don't suppress the warning, or you may never
know what is wrong.

However, you may want to do something more elaborate:
<?php
if( !@include 'file.php' ){
    // file doesn't exist, call a user function
    file_doesnt_exist('file.php', __FILE__, __LINE__);
}
?>

Here, the error is suppressed, but it was intentional. The
file_doesnt_exist function might send the webmaster an email or do some
other helpful procedure.

I swear, if I get another project to take over/maintain that has blocks
like this:

<?php
$rowcount = mysql_num_rows($result);
if($rowcount > 0)
{
    $row = mysql_fetch_array($result);

    @ $securityquestion = $row['securityquestion'];
    @ $securityanswer = $row['securityanswer'];
    @ $company = $row['company'];
    @ $title = $row['title'];
    @ $division = $row['division'];
    @ $firstname = $row['firstname'];
    @ $lastname = $row['lastname'];
    @ $emailaddr1 = $row['emailaddr1'];
    @ $emailaddr2 = $row['emailaddr2'];
    @ $website = $row['website'];
    @ $phone1 = $row['phone1'];
    @ $phone2 = $row['phone2'];
    @ $phone3 = $row['phone3'];
    @ $address1 = $row['address1'];
    @ $address2 = $row['address2'];
    @ $city = $row['city'];
    @ $state = $row['state'];
    @ $zip = $row['zip'];
    $uts=$row['updatetimestamp'];
    @ $updateuserid=$row['updateuserid'];
    $hour = substr($uts,8,2);
    $ampm = " AM";
    if($hour > 12)
    {
        $hour = $hour - 12;
        $ampm = " PM";
    }
    @ $updatetimestamp = substr($uts,4,2)."/".
                         substr($uts,6,2)."/".
                         substr($uts,0,4)."@".
                         $hour.":".substr($uts,10,2).$ampm;
    @ $lastupdated = " - last updated by {$updateuserid} on {$updatetimestamp}";
}
?>

I'm going to go POSTAL!!!

(Since I dug that snippet out, I just had to submit it to
http://www.thephpwtf.com/ !)

Jul 17 '05 #6
"rodtheplodder" wrote:
Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.


Hi,
The best thing you can do (and I have done) IMHO is to have the
warning/error emailed to yourself... and don’t show it to the visitor.

I find that if I just write the error to a file, I never get to visit
and see what is going on. With an email alert (which shows exactly
what the error is), I react instantly.

steve

Jul 17 '05 #7
"Rod Carrol" <ro***********@yahoo.co.uk> wrote in message
news:65**************************@posting.google.com...
Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?


Well, that raises the ever contentious "security through obscurity"
question. Is it a security risk to let others know about your software's
architecture? A reasonable answer is "it shouldn't, but it might."
Jul 17 '05 #8
I couldn't find it on 'thephpwtf.com', and for us beginners (if it's
not too time consuming), can you show us how you would replace this
snippet?
tia

Jul 17 '05 #9
Wow! Thanks for all the replies - very helpful!

This seems to be a cool place to hang out while I get my head around
PHP :o)

Once my code is stable and errors are hidden from the user, emailing
the errors to myself sounds like a good idea.

Much appreciated!

RodC.

Jul 17 '05 #10
le*********@natpro.com wrote:
I couldn't find it on 'thephpwtf.com', and for us beginner's (if, it's not too time consuming), can you show us how you would replace this
snippet ?


He must be in the process of getting it ready to post. I noticed that
he just added 2 more entries, and has emailed me 2 times about the one
I sent in...

Unfortunately, I'm a bit pressed for time today (deadlines!), but if it
doesn't get to the phpwtf site by my lunch time tomorrow, I'll try and
show an example.

Jul 17 '05 #11
As I always tell my students:

Security through obscurity is not security at all.

While I'm teaching classes, I continuously bring up questions like,
"Should we trust the value of this variable?" This is usually followed
by blank stares, so the next question is, "What if the value was...."

The SQL Injection thing really got them to thinking. I'm hoping that if
any of them go on to do web development that they will keep things like
this at the forefront of their planning stages.

Jul 17 '05 #12
<ro***********@yahoo.co.uk> wrote in message
news:11*********************@z14g2000cwz.googlegroups.com...
Wow! Thanks for all the replies - very helpful!

This seems to be a cool place to hang out while I get my head around
PHP :o)

Once my code is stable and errors are hidden from the user, emailing
the errors to myself sounds like a good idea.


Until you're bombarded by e-mails triggered by various PHP exploit scanners
out there.
Jul 17 '05 #13
.oO(Mark)
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false)   // fopen() returns false on failure, never NULL
{
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}


Proper, secure and robust coding also uses an absolute URL in a Location
header, as required by the HTTP RFC.

Micha
Jul 17 '05 #14
Michael Fesser wrote:
.oO(Mark)
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false)   // fopen() returns false on failure, never NULL
{
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}


Proper, secure and robust coding also uses an absolute URL in a Location
header, as required by the HTTP RFC.

Micha


touché :-)

i'll consider myself reprimanded!!

mark.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #15
Chung Leong wrote:
<ro***********@yahoo.co.uk> wrote in message
news:11*********************@z14g2000cwz.googlegroups.com... <snip>
Once my code is stable and errors are hidden from the user, emailing the errors to myself sounds like a good idea.


Until you're bombarded by e-mails triggered by various PHP exploit

scanners out there.


And so, one should send email alerts on daily or hourly basis by
parsing the error log via cron--but certainly not on error basis.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #16
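Rajesh's periodic digest idea, combined with Chung Leong's warning about scanner-triggered mail floods, as an added example that is not any poster's code: a PHP CLI script for cron that counts repeated log messages and sends one summary per run. The log path (argv[1]), ADMIN_EMAIL and the SAMPLE_LINES are placeholders or constructed, and the script assumes the log is rotated or truncated after each run.

```php
<?php
// Added example, not code from this thread: a cron-driven digest of the PHP error log
// (the file that log_errors=1 writes). Identical messages are counted, not mailed one
// at a time, so a scanner probing the site yields one digest line instead of a flood.
// Log path (argv[1]), ADMIN_EMAIL and SAMPLE_LINES are placeholders/constructed values.
declare(strict_types=1);

const ADMIN_EMAIL = 'webmaster@example.com';
const MAX_LINES   = 40;   // hard cap on the digest, however noisy the log got

// Count identical messages after stripping the "[date] " prefix PHP's logger adds,
// so the same warning raised at different times collapses into one entry.
function summarize(array $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $msg = preg_replace('/^\[[^\]]*\]\s*/', '', trim($line));
        if ($msg !== '') {
            $counts[$msg] = ($counts[$msg] ?? 0) + 1;
        }
    }
    arsort($counts);      // noisiest message first
    return $counts;
}

function formatDigest(array $counts): string
{
    $out = [];
    foreach (array_slice($counts, 0, MAX_LINES, true) as $msg => $n) {
        $out[] = sprintf('%5d x %s', $n, $msg);
    }
    return implode("\n", $out);
}

// Constructed sample in the format PHP writes with log_errors=1 (paths are made up).
const SAMPLE_LINES = [
    "[17-Jul-2005 10:15:02 UTC] PHP Warning:  mysql_connect(): Access denied for user: 'xxxxx@localhost' (Using password: YES) in /web/classes/access_check/access_check.php on line 98",
    "[17-Jul-2005 10:15:07 UTC] PHP Warning:  include(file.php): failed to open stream: No such file or directory in /web/index.php on line 12",
    "[17-Jul-2005 10:15:09 UTC] PHP Warning:  mysql_connect(): Access denied for user: 'xxxxx@localhost' (Using password: YES) in /web/classes/access_check/access_check.php on line 98",
];

// Hourly cron entry: php digest.php /var/log/php/error.log   (log rotated after each run)
// With no argument the script only prints the digest for the sample above.
$lines  = isset($argv[1]) ? (file($argv[1], FILE_IGNORE_NEW_LINES) ?: []) : SAMPLE_LINES;
$digest = formatDigest(summarize($lines));
if ($digest !== '') {     // nothing logged means no mail at all
    isset($argv[1]) ? mail(ADMIN_EMAIL, 'PHP error digest ' . date('Y-m-d H:i'), $digest)
                    : print($digest . "\n");
}
```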
well, to address the original problem, no, mysql will not abruptly spit
out your username and password, it MAY however spit out information
about bad queries. Error checking on mysql is something that every
website needs, along with good logging, and you have a flexible,
dynamic, fast site.

Hiding errors with @ is a good idea, but what it is used for is to
check for an error, then display your own custom error message..

if you get an error on
mysql_connect();
and you have no error checking at all, the mysql/php error checking
will tell you what went wrong by itself, but if you have error
checking, then you can pick what to say, if anything at all.

a good way of doing this is something like

// mysql_connect() takes (server, username, password) in that order
if(!@mysql_connect($host,$user,$pass)){
    //print error here, log it, do w/e
    echo "Could not connect to database";
}

And for advanced error checking you can actually create your own error
handler, or you can just disable error warnings/messages completely..
but that's not a good idea seeing as you never know what could go wrong.

Just find a way to create a library that you can use for all your
mysql/database functions, and then make sure they have proper error
checking.

Jul 17 '05 #17
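The thread's advice put together (hide errors from visitors per Markku, check return values per Mark, an absolute Location URL per Micha, a custom handler per the post above) as an added example that is not any poster's code: BASE_URL and the database settings are placeholders, and the mysqli extension is assumed.

```php
<?php
// Added example, not code from this thread. Production error handling for a
// login/registration script: the detailed message (file path, line, MySQL error)
// goes to the server log only; the visitor gets a generic page and a reference id.
// BASE_URL and the database settings are placeholders; the mysqli extension is assumed.
declare(strict_types=1);

const BASE_URL = 'https://www.example.com';   // Location must be an absolute URL

[$dbHost, $dbUser, $dbPass, $dbName] = ['localhost', 'app_user', 'PLACEHOLDER', 'members'];

// 1. Raw warnings (with their file paths) never reach the page; they are logged instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Single exit path for any failure: log the detail under a random reference id,
//    then redirect the visitor to a static error page that carries only the id.
function failSafely(string $detail): void
{
    $ref = bin2hex(random_bytes(4));           // lets a visitor's report be matched to the log line
    error_log("[ref=$ref] $detail");           // path and line number stay server-side
    header('Location: ' . BASE_URL . '/error.php?ref=' . $ref, true, 303);
    exit;
}

// Fail closed on every reported error rather than carrying on in an unknown state.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    failSafely("PHP error $no: $msg in $file on line $line");
    return true;                               // not reached; keeps the handler's signature
});

set_exception_handler(function (Throwable $e): void {
    failSafely(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ' on line ' . $e->getLine());
});

// 3. Check the connect result rather than silencing it with @. In exception mode a
//    failed connect throws mysqli_sql_exception; the catch adds context and exits
//    through the same safe path, so "Access denied for user ..." is logged, not shown.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
} catch (mysqli_sql_exception $e) {
    failSafely('database connect failed (' . $e->getCode() . '): ' . $e->getMessage());
}

// ... the login/registration logic continues here using $db ...
```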
