Comments:
<0> and php -v gets out pages of errors
<1> adughep: If you are still getting all those .so errors, fix that FIRST. And, yes, the ./ is probably wrong.
<0> checking...
<2> $a = "(9000.00 * 0.275) - 502.58"; ---- eval($a) doesn't work --- how should I do it?
<1> py1n1: eval('$a = (9000.00 * 0.275) - 502.58;'); would work...
<1> You have to hand it a full complete valid PHP statement, not just an expression. And eval is almost always a Bad Idea.
<2> richardlynch: but $a is already defined...
<2> is there a better way to do it?
<1> py1n1: That's fine. But you have to hand eval a FULL statement. eval('$answer = $a;'); for example, might work, if I got it right.
<1> py1n1: For a "better way"... Where exactly is this expression/data coming from?
<2> richardlynch: I got that in a database: ($value * 0.275) - 502.58
<1> py1n1: Are you limited to only * and - or will it always look like that or...
<2> not limited to only that
<1> py1n1: How much not limited... +-*/ only? Just how complicated can it get?
<2> richardlynch: +-*/ only
<1> py1n1: The problem with eval is that if somebody breaks into your database, they could easily get your PHP script to do ANYTHING.
<2> richardlynch: I was just realizing that
<1> py1n1: Aha. And you've got () as well.
<2> richardlynch: yes, to make it tidy
<1> py1n1: Consider searching for a solution that involves http://php.net/strtok wherein you actually read through the "math" and do it by hand, piece by piece, instead of the cannon that is eval.
<1> py1n1: A Google for "PHP Math Parser strtok" would probably find others who have done this.
<2> not too much useful results
<3> richardlynch, I'm doing something very very wrong here... too late and too tired... what is wrong with this ? include('http://" . $info[$i]["address"] . "/page..php');
<3> richardlynch, page.php
<1> 'http://" is the first problem. Bigger problem is the gaping security hole unless you are DAMN sure $info[$i]['address'] is what you KNOW is safe, and that you've got armed guards (literally) to keep it that way.
<4> if I'm looping out a table of something.. can I echo the stuff outside the while-loop, or do I have to echo the content inside the while-loop?
<3> richardlynch, I can remove the http, NP... but why SAFE ? you mean... SuperGlobals ?
<5> MatBoy, he means you want to be sure that $info[$i]['address'] will be data that you can absolutely trust
<3> ootz0rz, I can !!
<3> ootz0rz, My own servers :)
<1> MatBoy: No matter where $info[$i]['address'] comes from, be it GET, POST, COOKIE, database, or whatever, if somebody can manage to break into that source and corrupt that data, you are screwed.
<3> richardlynch, if the guy will break in... he can do also more than changing this script :)
<3> richardlynch, not screwed !
<1> MatBoy: Is $info[$i]['address'] hard-coded in PHP? In a database? What?
<3> PHP
<3> (for the moment)
<2> richardlynch: I found a nasty way to do it :) SELECT (9000.00 * 0.275 - 502.58);
<1> py1n1: Now you only have to worry about somebody corrupting your data in the database so that you end up doing: SELECT (9000.00 * 0.275); DROP TABLE data;
<2> oh boy... haven't thought that
<1> MatBoy: Unless you can ALWAYS guarantee that $info[$i]['address'] is tighter than a [bleep] you are opening up a big hole.
<6> what's the easiest way to convert 24 hour time, into standard time ? if the time is stored in mysql as varchar ?
<7> hello..
<1> py1n1: Give it some thought. How secure is this data? Where does it come from? Did you sanitize it on the way in?
<1> Silent[home]`: In mysql there is a date_format() function. http://dev.mysql.com
<3> richardlynch, only grabbing some sysinfo with /proc/version with it
<2> better to sanitize that
<1> MatBoy: Hunh? I don't care what you are trying to do with the data you expect. I'm asking you how do you KNOW that nobody will ever manage to corrupt the input to $info[$i]['address']?
<3> richardlynch, how will they do it ?
<1> MatBoy: I dunno. But you should try to think of all the ways they MIGHT do it, and then you can safely assume that there is some other super tricky way you didn't think of.
<3> richardlynch, are you always afraid in the dark ?
<1> MatBoy: So, 2 suggestions. Block all the ways you can think of. And right BEFORE you do the include, check $info[$i]['address'] to be SURE it looks like you expect. Is it supposed to be an IP address? Is it supposed to be one only in the range you expect?
<1> MatBoy: Hey, I'm just trying to help you avoid the nightmare of having your server hacked... include(...$variable...) is a huge monster hole that has gotten a bunch of people in deep deep trouble.
<8> if there was a php category in jeopardy richardlynch might win at it
<3> richardlynch, there will be used also SSL for the connection I think... I can also use SSH if I want... but that is much more insecure !
<1> Nah, all the PHP Devs would beat me, and a hundred others.
<3> richardlynch, indeed, I really appreciate it !!
<9> oh and he's modest too :-p
<1> SSL and SSH have the same security, really... Unless I'm missing something fundamental here.
<3> richardlynch, but every server on the internet is a target
<9> SSH is built off SSH isn't it
<9> er
<9> SSH built off SSL
<1> MatBoy: Yes, but the guns fire very very rapidly.
<3> SSH is insecure in a script
<1> I don't even know how to respond to that, as it's such an open-ended statement...
<2> thank you, richardlynch. I gotta go
<3> richardlynch, you have to specify somewhere login-info to the other server
<3> richardlynch, with a key... can be done... but you have 2 targets then
<3> Do you know what I mean ?
<3> or trying to say ?
<1> MatBoy: Sure, or you could have public/private encrypted key pairs, one of each on the two machines, and, sure, if somebody manages to read one of the keys, then they can use it... Or they could sniff the SSL interchange and read the keys and monitor the traffic, which is no different, really.
<3> richardlynch, I mean... when the server with include gets hacked when using ssh to the other server... they can easily connect to the other one too
<1> SSL and SSH both make a secure "tunnel" -- but the endpoints are equally vulnerable. If somebody is "in" the machine at either end, and can get ahold of the SSL/SSH stuff, it's Game Over. The SSL keys are more transitory, but... Not really that much harder to snag.
<10> will this line right here prevent sql injections ? ;\: $_POST = array_map('addslashes', $_POST);
<3> richardlynch, SSL ? No problem... there is no command-login-info in it ;)
<1> nanotech: Yes, but change 'addslashes' to 'mysql_real_escape_string' for an even better experience.
<11> s/Yes/No/
<10> richardlynch mysql_real_escape_string doesn't like to play nice with me
<10> ;\
<10> if (!get_magic_quotes_gpc()) {
<1> MatBoy: You're probably right: SSH would require php-readable keys, and that's worse than SSL, but, then, they can read your PHP source and write a PHP script just like it and...
<10> is before that line
<11> !+sql injection
<12> It's a really bad idea to put variables directly into SQL queries. Always escape them using a function like mysql_escape_string() first, and make sure the data matches the format you're expecting. For more information, see http://www.php.net/manual/security.database.sql-injection.php | Examples can be seen here: http://www.unixwiz.net/techtips/sql-injection.html
<1> nanotech: You have to do the mysql_connect before the mysql_real_escape_string. Or you can take out the 'real_' part -- the 'real_' part takes into consideration Unicode collating etc settings on the MySQL server.
<3> richardlynch, no problem with the php-source... there is no SSH access in it the script :) there are more scripts on a server... so I think SSL is the best idea !
<13> what is the proper way to use posix_* (seteuid/setuid)... to "DROP" root privileges.
<3> richardlynch, it's good to see it from several sides !
<10> so 'mysql_escape_string' would do the same thing only it wouldn't require the connection to mysql yet?
<3> richardlynch, that is why I'm here :)
<13> using posix_setuid(500); causes it to set the uid, and the effective using using seteuid, however, it does NOT, drop you out of the group=0 :( you're still "logged in" to the group
<1> nanotech: The same thing EXCEPT that any locale settings for Unicode and non-English collation type stuff wouldn't "count". So characters in Spanish scripts, for example, might not get escaped the way you would want.
<10> ahh
<13> so therefore you can write to files owned by group "root".
<10> well it's just for a username/password/name field
<10> so that should work for me right?
<1> nanotech: Are all your users English-speakers? Or will they want a password in French?
<10> uh
<10> english speakers only
<10> for now at least
<10> maybe in the future i will need to revisit this
<10> heh
<1> nanotech: re-organizing your code to move the mysql_connect earlier should not be a Big Deal... :-)
<1> JamenoWRK: I think you also need posix_setgid to downgrade the GROUP id so then it's not able to do root group things.
<13> richardlynch, yea except, it doesn't drop them :)
<13> it sets the {"current"} uid
<13> it doesn't do anything with the group memberships.
<1> JamenoWRK: You did not mention gid, only uid and euid.
<10> heh
<10> richardlynch my site is riddled with functions
<1> The 'g' is significant.
<10> and my mysql connection is initiated by a function
<13> richardlynch: ya, my bad, i setgid first, then uid, (and 'e')
<13> if i system("id")
<10> $i['database']->query($q);
<10> is how i submit my query
<10> $q being the query
<10> heh
<13> it shows uid=500 gid=500 groups=root(0),bin(1),
<13> ...
<1> JamenoWRK: And user 500, whoever that is, is not in root group, right?...
<13> nerp
<13> it's not ;)
<1> JamenoWRK: And I assume you tried setegid as well?
<13> yes, i do both of them (in proper order)
<13> i never want to be able to reclaim root privs
<1> JamenoWRK: I'm thinking all four. setuid, seteuid, setgid, setegid, just to be sure. :-)
<13> yea, that's what i mean
<13> after all 4
<13> still no worky
<13> before:
<10> richardlynch these are my functions, wanna take a look, just the 2 functions.. http://pastebin.com/711973
<13> id: user=0(root) group=0(root) groups=0(root),1(bin)
<13> after the 4 functions
<13> id: user=500(system) group=500(system) groups=0(root),1(bin),500(system)
<13> it seems the only thing it changes, is the group= more-or-less.
<13> it doesn't drop my "session" groups.
<1> nanotech: call sDatabase() before you do the stuff with $_POST.
<1> JamenoWRK: That does seem odd... I'd try posting to PHP-General and then filing a bug report, cuz it seems to this naive reader like it oughta work...
<13> yea, i think i gotta become a session leader
<13> or something
<13> before i setgid
<13> my set[e][u|g]id skills in php, are not the best at this point I'm guessing ;)
<14> Does anyone here have a php5 user authentication class I could take a look at?
<1> JamenoWRK: Well, there are functions for that session leader stuff... Try them, I guess.
<1> CrazyTux: I'll bet Google has one :-)
<14> richardlynch, trying right now, but actually not coming up with anything
<13> richardlynch, hehe, trying ;) just not having luck, figured I'd try and find if someone else knew the "proper order" of calling the functions.
<1> Yeah, my friend Google does have a lot of stuff. :-)
<1> JamenoWRK: One possible solution... We know for a fact that Apache does this exact same thing in C... And it's OpenSource. Grep the source of Apache for setgid and you could maybe find a shortcut...
<13> yea