
Beginner confused about PHP security

Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.
Jul 17 '05 #1
16 Replies
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected?
Yes.
Is this a security risk?
Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?
Yes.
Thanks for any advice.


See http://fi.php.net/manual/en/function...-reporting.php

--
Markku Uttula

Jul 17 '05 #2


Markku Uttula wrote:
Rod Carrol wrote:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php

on line 98

Is this to be expected?

Yes.
Is this a security risk?

Definitely.
Is it possible, (and/or a good idea), to disable these
warnings once I'm happy that the code is stable?

Yes.
Thanks for any advice.

See http://fi.php.net/manual/en/function...-reporting.php

You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:

if ( $_SESSION['auth'] == 'ok') {
@header ("Location: entrance.php");
}

instead of

if ( $_SESSION['auth'] == 'ok') {
header ("location:entrance.php");
}
Jul 17 '05 #3
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bughunt might take a lot longer than necessary.

--
Markku Uttula

Jul 17 '05 #4
Markku Uttula wrote:
Andrew M. wrote:
You can stop the error messages from being output to the browser by
putting @ in front of functions. For example:


Which is a bad thing during development. If the error message is
suppressed, you have no idea of something having gone wrong, and the
bughunt might take a lot longer than necessary.


which is why it is NOT acceptable to write EITHER:
$file = fopen(...);
$data = fread($file, ...);
//etc

OR:

$file = @fopen(...);
$data = fread($file, ...);
//etc.
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false) // fopen() returns false on failure, not NULL
{
header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
exit;
}
$data = fread($file, ...);
// etc.

one should never be spending time tracking down bugs like this -- they
should always be checked and reported right away.

mark.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #5
NO!!! The error control operator should be used only when doing custom
error control!

For instance, say I want to include a file, but it doesn't exist on the
system.
<?php include 'file.php'; ?>

That will spit out a warning (cannot open stream). This is something
you want to know about! Obviously, there is a reason why I wanted the
file in the first place. Don't suppress the warning, or you may never
know what is wrong.

However, you may want to do something more elaborate:
<?php
if( !@include 'file.php' ){
// file doesn't exist, call a user function
file_doesnt_exist('file.php', __FILE__, __LINE__);
}
?>

Here, the error is suppressed, but it was intentional. The
file_doesnt_exist function might send the webmaster an email or do some
other helpful procedure.

I swear, if I get another project to take over/maintain that has blocks
like this:

<?php
$rowcount = mysql_num_rows($result);
if($rowcount > 0)
{
$row = mysql_fetch_array($result);

@ $securityquestion = $row['securityquestion'];
@ $securityanswer = $row['securityanswer'];
@ $company = $row['company'];
@ $title = $row['title'];
@ $division = $row['division'];
@ $firstname = $row['firstname'];
@ $lastname = $row['lastname'];
@ $emailaddr1 = $row['emailaddr1'];
@ $emailaddr2 = $row['emailaddr2'];
@ $website = $row['website'];
@ $phone1 = $row['phone1'];
@ $phone2 = $row['phone2'];
@ $phone3 = $row['phone3'];
@ $address1 = $row['address1'];
@ $address2 = $row['address2'];
@ $city = $row['city'];
@ $state = $row['state'];
@ $zip = $row['zip'];
$uts=$row['updatetimestamp'];
@ $updateuserid=$row['updateuserid'];
$hour = substr($uts,8,2);
$ampm = " AM";
if($hour > 12)
{
$hour = $hour - 12;
$ampm = " PM";
}
@ $updatetimestamp = substr($uts,4,2)."/".
substr($uts,6,2)."/".
substr($uts,0,4)."@".
$hour.":".substr($uts,10,2).$ampm;
@ $lastupdated = " - last updated by {$updateuserid} on
{$updatetimestamp}";
}
?>

I'm going to go POSTAL!!!

(Since I dug that snippet out, I just had to submit it to
http://www.thephpwtf.com/ !)

Jul 17 '05 #6
"rodtheplodder" wrote:
Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?

Thanks for any advice.

Rod.


Hi,
The best thing you can do (and I have done) IMHO is to have the
warning/error emailed to yourself... and don't show it to the visitor.

I find that if I just write the error to a file, I never get to visit
and see what is going on. With an email alert (which shows exactly
what the error is), I react instantly.

steve

--
Posted using the http://www.dbforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbforumz.com/PHP-Beginner...ict191933.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbforumz.com/eform.php?p=649596
Jul 17 '05 #7
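To put the advice in posts #2 and #7 into one place, here is an added example (my own code, not from any poster in this thread): the weak setting that produced Rod's warning beside the corrected one, plus a custom error handler that keeps the file path and the reason in a server-side log and shows the visitor only a generic message. The log path is a placeholder; everything else is standard PHP.

```php
<?php
// Added example, not from the thread. Production error configuration plus a
// custom handler that logs detail server-side and never echoes it.

// Weak setting, the default on many hosts: errors (complete with file paths
// and usernames, as in the mysql_connect() warning above) go to the browser.
//   display_errors = On      ; in php.ini
//   log_errors     = Off

// Corrected setting (php.ini equivalents in the comments):
ini_set('display_errors', '0');                 // display_errors = Off
ini_set('log_errors', '1');                     // log_errors = On
ini_set('error_log', '/path/to/php-error.log'); // error_log = ... (placeholder path)
error_reporting(E_ALL);                         // keep reporting everything, just not to the browser

/**
 * Custom error handler: record the full detail, show the visitor nothing specific.
 * Returning true tells PHP the error has been handled; returning false lets
 * PHP's normal handling run (which, with the settings above, is "log only").
 */
function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour @ and error_reporting(): errors masked there are not our business.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    error_log(sprintf('[%s] errno=%d %s in %s on line %d',
        date('c'), $errno, $errstr, $errfile, $errline));

    if (in_array($errno, [E_USER_ERROR, E_RECOVERABLE_ERROR], true)) {
        // Fatal for this request: generic message only, detail stays in the log.
        http_response_code(500);
        echo 'Sorry, something went wrong. The problem has been logged.';
        exit(1);
    }
    return true;
}

set_error_handler('app_error_handler');
```

With this in place, a failed mysql_connect() still ends up in the log with its path and line number, but the visitor sees nothing. Emailing the log is a separate step; doing it once per error is what post #13 warns about.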
"Rod Carrol" <ro***********@yahoo.co.uk> wrote in message
news:65**************************@posting.google.com...
Hello all,

As a beginner I've been experiencing lots of errors while building my
website, (I'm currently attempting to implement a member
login/registration piece for my site using mySQL and PHP)

I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts - however, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the php code - see below:

Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php on line 98

Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?


Well, that raises the ever-contentious "security through obscurity"
question. Is it a security risk to let others know about your software's
architecture? A reasonable answer is "it shouldn't, but it might."
Jul 17 '05 #8
I couldn't find it on 'thephpwtf.com', and for us beginners (if it's
not too time-consuming), can you show us how you would replace this
snippet?
tia

Jul 17 '05 #9
Wow! Thanks for all the replies - very helpful!

This seems to be a cool place to hang out while I get my head around
PHP :o)

Once my code is stable and errors are hidden from the user, emailing
the errors to myself sounds like a good idea.

Much appreciated!

RodC.

Jul 17 '05 #10
le*********@natpro.com wrote:
I couldn't find it on 'thephpwtf.com', and for us beginners (if it's not too time-consuming), can you show us how you would replace this
snippet?


He must be in the process of getting it ready to post. I noticed that
he just added 2 more entries, and has emailed me 2 times about the one
I sent in...

Unfortunately, I'm a bit pressed for time today (deadlines!), but if it
doesn't get to the phpwtf site by my lunch time tomorrow, I'll try and
show an example.

Jul 17 '05 #11
As I always tell my students:

Security through obscurity is not security at all.

While I'm teaching classes, I continuously bring up questions like,
"Should we trust the value of this variable?" This is usually followed
by blank stares, so the next question is, "What if the value was...."

The SQL Injection thing really got them to thinking. I'm hoping that if
any of them go on to do web development that they will keep things like
this at the forefront of their planning stages.

Jul 17 '05 #12
<ro***********@yahoo.co.uk> wrote in message
news:11*********************@z14g2000cwz.googlegroups.com...
Wow! Thanks for all the replies - very helpful!

This seems to be a cool place to hang out while I get my head around
PHP :o)

Once my code is stable and errors are hidden from the user, emailing
the errors to myself sounds like a good idea.


Until you're bombarded by e-mails triggered by various PHP exploit scanners
out there.
Jul 17 '05 #13
.oO(Mark)
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false) // fopen() returns false on failure, not NULL
{
header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
exit;
}


Proper, secure and robust coding also uses an absolute URL in a Location
header, as required by the HTTP RFC.

Micha
Jul 17 '05 #14
Michael Fesser wrote:
.oO(Mark)
proper, secure, and robust coding ALWAYS involves checking return values
and errors:

$file = fopen(...);
if ($file === false) // fopen() returns false on failure, not NULL
{
header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
exit;
}


Proper, secure and robust coding also uses an absolute URL in a Location
header, as required by the HTTP RFC.

Micha


touché :-)

i'll consider myself reprimanded!!

mark.

--
I am not an ANGRY man. Remove the rage from my email to reply.
Jul 17 '05 #15
Chung Leong wrote:
<ro***********@yahoo.co.uk> wrote in message
news:11*********************@z14g2000cwz.googlegroups.com... <snip>
Once my code is stable and errors are hidden from the user, emailing the errors to myself sounds like a good idea.


Until you're bombarded by e-mails triggered by various PHP exploit

scanners out there.


And so, one should send email alerts on a daily or hourly basis by
parsing the error log via cron--but certainly not on a per-error basis.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #16
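The digest approach from post #16, as an added example (my own code, not from anyone in this thread): a script intended to run from cron that parses a PHP error log and mails one summary instead of one message per error. The log lines are constructed to match PHP's default error_log format, including the warning from the original question; the recipient address is a placeholder.

```php
<?php
// Added example, not from the thread. Summarise a PHP error log into a digest
// so a flood of identical errors (post #13's scanner problem) becomes one line.

// Constructed sample lines in PHP's default error_log format.
$sampleLog = <<<'LOG'
[17-Jul-2005 10:22:31] PHP Warning:  mysql_connect(): Access denied for user: 'xxxxx@localhost' (Using password: YES) in /web/classes/access_check/access_check.php on line 98
[17-Jul-2005 10:22:32] PHP Warning:  mysql_connect(): Access denied for user: 'xxxxx@localhost' (Using password: YES) in /web/classes/access_check/access_check.php on line 98
[17-Jul-2005 10:23:05] PHP Warning:  include(file.php): failed to open stream: No such file or directory in /web/index.php on line 12
[17-Jul-2005 10:40:17] PHP Notice:  Undefined index: auth in /web/classes/access_check/access_check.php on line 40
LOG;

/** Parse one error_log line into its parts; null when the line does not match. */
function parse_error_line(string $line): ?array
{
    $re = '/^\[(?P<time>[^\]]+)\] PHP (?P<level>\w+):\s+(?P<msg>.*?) in (?P<file>\S+) on line (?P<line>\d+)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['time' => $m['time'], 'level' => $m['level'], 'msg' => $m['msg'],
            'file' => $m['file'], 'line' => (int) $m['line']];
}

/** Group identical errors (same level, message, file and line) and count them. */
function build_digest(string $log): array
{
    $groups = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_error_line($line);
        if ($e === null) {
            continue; // stack-trace continuation lines etc.; skip rather than abort
        }
        $key = "{$e['level']}|{$e['msg']}|{$e['file']}|{$e['line']}";
        if (!isset($groups[$key])) {
            $groups[$key] = $e + ['count' => 0, 'first' => $e['time'], 'last' => $e['time']];
        }
        $groups[$key]['count']++;
        $groups[$key]['last'] = $e['time'];
    }
    // Most frequent first, so a scanner's flood sits at the top as a single entry.
    uasort($groups, fn($a, $b) => $b['count'] <=> $a['count']);
    return array_values($groups);
}

/** Render the grouped errors as the text body of the digest mail. */
function format_digest(array $groups): string
{
    $out = '';
    foreach ($groups as $g) {
        $out .= sprintf("%4dx %-8s %s\n      %s:%d (first %s, last %s)\n",
            $g['count'], $g['level'], $g['msg'], $g['file'], $g['line'], $g['first'], $g['last']);
    }
    return $out;
}

$digest = format_digest(build_digest($sampleLog));
echo $digest;

// In the real cron job, read the live log instead of $sampleLog and send once:
// mail('webmaster@example.com', 'PHP error digest', $digest);  // placeholder address
```

The two identical mysql_connect() warnings collapse into one entry with a count of 2, which is the whole point: a thousand hits from a scanner show up as one line with a large count rather than a thousand emails.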
well, to address the original problem, no, mysql will not abruptly spit
out your username and password, it MAY however spit out information
about bad queries. Error checking on mysql is something that every
website needs, along with good logging, and you have a flexible,
dynamic, fast site.

Hiding errors with @ is a good idea, but what it is used for is to
check for an error, then display your own custom error message..

if you get an error on
mysql_connect();
and you have no error checking at all, the mysql/php error checking
will tell you what went wrong by itself, but if you have error
checking, then you can pick what to say, if anything at all.

a good way of doing this is something like

// mysql_connect() takes the server first, then the username and password
if(!@mysql_connect($host,$user,$pass)){
//print error here, log it, do w/e
echo "Could not connect to database";
}

And for advanced error checking you can actually create your own error
handler, or you can just disable error warnings/messages completely..
but that's not a good idea seeing as you never know what could go wrong.

Just find a way to create a library that you can use for all your
mysql/database functions, and then make sure they have proper error
checking.

Jul 17 '05 #17
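Taking the last post's advice (a database library where every function checks for errors) together with post #12's "should we trust the value of this variable?", here is an added example that is my own code, not from anyone in the thread. It uses mysqli with prepared statements, since the mysql_* functions quoted throughout were removed in PHP 7, so that swap is mine; the connection parameters are placeholders and mysqli_stmt_get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not from the thread: a small database access library with
// error checking in every function. Real error detail goes to the log; the
// visitor gets a generic message without paths or usernames.

mysqli_report(MYSQLI_REPORT_OFF); // we check return values ourselves

/** Connect, or log the real reason and return null so the caller can show a generic page. */
function db_connect(string $host, string $user, string $pass, string $name): ?mysqli
{
    $db = @mysqli_connect($host, $user, $pass, $name); // @ is fine here: the failure is handled below
    if ($db === false) {
        error_log('db_connect failed: ' . mysqli_connect_error());
        return null;
    }
    mysqli_set_charset($db, 'utf8mb4');
    return $db;
}

/** Run a parameterised SELECT; returns the rows, or null after logging the error. */
function db_select(mysqli $db, string $sql, string $types = '', array $params = []): ?array
{
    $stmt = mysqli_prepare($db, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($db) . ' for ' . $sql);
        return null;
    }
    if ($params !== [] && !mysqli_stmt_bind_param($stmt, $types, ...$params)) {
        error_log('bind failed: ' . mysqli_stmt_error($stmt));
        return null;
    }
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        return null;
    }
    $result = mysqli_stmt_get_result($stmt); // requires mysqlnd (assumption)
    if ($result === false) {
        error_log('get_result failed: ' . mysqli_stmt_error($stmt));
        return null;
    }
    return mysqli_fetch_all($result, MYSQLI_ASSOC);
}

// The pattern post #12 warns about: an untrusted value spliced straight into SQL.
//   $sql = "SELECT id FROM members WHERE name = '$_POST[name]'";   // SQL injection
// Hardened: the value is bound as data and is never parsed as SQL.

$db = db_connect('localhost', 'dbuser', 'dbpass', 'site'); // placeholder credentials
if ($db === null) {
    http_response_code(503);
    exit('The site is temporarily unavailable.');           // no path, no username, no reason
}

$rows = db_select($db, 'SELECT id FROM members WHERE name = ?', 's', [$_POST['name'] ?? '']);
if ($rows === null) {
    http_response_code(500);
    exit('Sorry, something went wrong. The problem has been logged.');
}
echo count($rows) > 0 ? 'Welcome back' : 'Unknown member';
```

Every function in the library returns null on failure after logging, so the page code never has to guess whether a call worked, and the only text that reaches the browser on failure is the generic message.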