using dreamweaver mx 2004 - how to change php


nanny
03-08-2007, 06:49 AM
Hi, I have sort of asked this before, and as I can't change the code Dreamweaver pumps out to the way they suggest, how do I change it?
I know it relies on certain behaviours etc. and that is why it has so much gobbledegook. But apparently the code Dreamweaver MX 2004 produces is insecure, and if a person has a name like o'reilly the apostrophe causes problems and won't let the user log in.
As I can't afford to upgrade I need to find out how to change my code to suit.
I like using Dreamweaver for testing and for design. I have looked at the tutorials but I am worried about removing the Dreamweaver data.
Any suggestions or info are welcome.
I really need to get this fixed.

Thanks everyone so far, you have been a great help especially davidj.

davidj
03-08-2007, 08:56 AM
It works like this.

In SQL, when you query a DB you send form variables through to your query, and the resulting query looks like this:

select * from table where db_field1 = '$formfield_value1' and db_field2 = '$formfield_value2'

Notice that the variables inside the SQL carry single quotes, and as you know, an open quote needs a closed quote or you will probably get a syntax error in any code you write, in any language. By entering the name o'reilly you are sending this to the SQL query:

select * from table where db_field1 = '$formfield_value1' and db_field2 = 'o'reilly'

Can you spot how the SQL is being interpreted wrongly?

By innocently pointing out an error you have stumbled upon a minefield which is a massive security risk known as SQL INJECTION, but that's another post.

You need to disallow the single quote by using JavaScript to strip it out, or warn the user against using illegal chars when they register. You can also use PHP to seek and destroy any occurrences it finds, which is best practice. Or you could allow this character and just treat it as part of the string, but that involves a little bit more work.
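
The situation davidj describes, run end to end as an added example (not code from this thread or from Dreamweaver): the string-built query breaks on the apostrophe, while a parameterised PDO query treats it as ordinary data. The in-memory SQLite table, its column names and the sample rows are assumptions for the demo.

```php
<?php
// Added example: why o'reilly breaks a string-built SQL query and how a
// parameterised query treats the quote as plain data. The users table,
// column names and sample rows below are assumptions constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// SQL doubles a single quote to store it literally, hence o''reilly
$db->exec("INSERT INTO users VALUES ('smith', 'pass1'), ('o''reilly', 'pass2')");

// Simulated form input, exactly as the thread's example user would type it
$username = "o'reilly";
$password = 'pass2';

// 1) Dreamweaver-style query: form values dropped straight into the SQL text.
//    The apostrophe closes the quoted string early, so the statement no longer
//    parses and the database rejects it (the user cannot log in).
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
try {
    $db->query($sql);
    echo "string-built query ran\n";
} catch (PDOException $e) {
    echo "string-built query failed: " . $e->getMessage() . "\n";
}

// 2) Parameterised query: the SQL is parsed first and the values are bound
//    afterwards, so a quote inside a value can never change the statement.
$stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
$stmt->execute([$username, $password]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row ? "login ok for {$row['username']}\n" : "login failed\n";
```

The same binding handles backslashes and every other character, so no client-side stripping of "illegal" characters is needed for the query itself.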

nanny
03-09-2007, 12:55 AM
Thanks davidj.
I did a search on the net and many say to keep magic quotes on, but the new Dreamweaver hot fix says to do: .... if magic quotes are off on the server.
So I will disregard what they have and try and work out my solution.
Now I have just placed a restricted access on my user admin pages. It hasn't allowed me to have more than one access level to access those pages, but I will try and work that out. I think I didn't highlight all of the defined users.
The thing with the o'reilly bit: I read that some malicious users can use certain characters to do uncaring things and maybe even wipe out your whole website entirely. So this is my first focus for now.
I got this info from a website last night; would this be helpful?
I am still trying to understand how this all works.
I have magic quotes enabled on the server and thought this would solve the problem:

// Reject names containing digits or any of the listed punctuation characters.
// preg_match() replaces the removed ereg(); the pattern needs delimiters and the
// '/' inside the character class must be escaped.
$pattern = '/([[:digit:]]|[~`!@#$%^&*()_=+{}|\:;"\/?,]|[|]|-)+/';
// Undo the magic_quotes backslashes so the raw submitted value is checked
$name = stripslashes($_POST['name_field']);
if (preg_match($pattern, $name)) {
    echo "write your error message";
}

I already use this for my registration form:

// Only needed when magic_quotes_gpc is on: strip the automatic backslashes
// from every $_POST value, recursing into nested arrays.
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
}


Thanks for showing the example; it is helpful when you really are learning and it takes a while to sink in. I am told the light bulb will turn on one day....

nanny
03-10-2007, 12:12 AM
Hi, my pages now allow a user to use all sorts of characters, e.g. \ ' etc., in their username and password fields, and allow them to log in and show the username and password correctly.
E.g. if someone's name is G'oeffrey and somewhere in the password they use \w0rd,
then it will say "welcome G'oeffrey your password is \w0rd".

Is this wrong? I read about the SQL being interpreted incorrectly, but it seems to be interpreting correctly now.
Is this still a SQL injection problem?

While I am on the subject of protection, I want to be able to make my login more secure. On the register page I ask a security question like Hotmail does, and I want to only allow 3 attempts at trying to log in with username and password. Once this is up I want to conditionally hide the login form and have a link to a lost password page.
Now, instead of sending the password in the mail and waiting, I thought that the user could put in their username and security question and fill out a captcha image. With that done the system would print out the password for them; otherwise the password form conditionally hides and they are given a link to the registration page or contact page.
How does that sound? Maybe I might have to have two security questions to match.

Now I just have to work out the recordset..........
If you think this is a secure way to go about it, of course.......