PHP - security issues, and what I should do

Soldato | Joined 4 Jul 2004 | Posts 2,647 | Location aberdeen
Hello
I have set up [removed]

Firstly, am I using the right terms (checksum/hash etc) on the page?

I only have strip_tags() on the "blob" one. I haven't put it into the others. Which means if something like "> test is written it ****s it up. I know I could sort it out by a simple strip_tags(), but then the user will think that the md5 version of it was done without any tags (if that makes sense). Any ideas what to do?

Also are there any security issues server side, as basically all it does is:

$md = $_POST['md'];
$md = md5($md);
echo $md;

I know there are the client side issues as mentioned above.

Thanks
 
Soldato | Joined 10 Sep 2003 | Posts 4,991 | Location Midlands
Use htmlentities(), which will convert the dodgy characters to safe HTML form:

Code:
// md5 string: hash the raw input, nothing needs escaping before hashing
echo md5($_REQUEST['blah']);
// echo "you entered": the original string goes into HTML, so escape it here
echo htmlentities($_REQUEST['blah']);

btw how many google adverts (i thought google only allowed 3 on any page)? :confused:
 
Associate | Joined 19 Oct 2002 | Posts 550 | Location Penryn
If all you're doing is hashing the input then there is no need to strip tags or any similar gubbins. If you need to display the original string again then using htmlentities() *after* it's been hashed wouldn't be a bad idea.
 
Soldato | Joined 26 Dec 2003 | Posts 16,522 | Location London
Dfhaii said:
If all you're doing is hashing the input then there is no need to strip tags or any similar gubbins. If you need to display the original string again then using htmlentities() *after* it's been hashed wouldn't be a bad idea.

It would be a bad idea in the sense that it would be totally and completely unnecessary :)
 
Soldato | Joined 26 Dec 2003 | Posts 16,522 | Location London
Beansprout said:
You don't need to fiddle before you MD5 because MD5 doesn't care what the string contains, it just outputs a 32char whatsit-what no matter what you give it :)

...and if an attacker is able to somehow change what your MD5 function outputs, XSS is the least of your worries :)
 
Soldato | Joined 2 May 2004 | Posts 19,950
Chronicle said:
Hello
I have set up http://www.instantmd5.com/

Firstly, am I using the right terms (checksum/hash etc) on the page?

I only have strip_tags() on the "blob" one. I haven't put it into the others. Which means if something like "> test is written it ****s it up. I know I could sort it out by a simple strip_tags(), but then the user will think that the md5 version of it was done without any tags (if that makes sense). Any ideas what to do?

Also are there any security issues server side, as basically all it does is:

$md = $_POST['md'];
$md = md5($md);
echo $md;

I know there are the client side issues as mentioned above.

Thanks

Kinda off topic, it's only 3 Google ads per page, else you'll get banned.

Craig.
 
Soldato | Joined 11 May 2004 | Posts 4,790 | Location Gloucester
Just thought I'd point out, the version with stars, once you submit it, still keeps the entry in the box; it does it by echoing out the password in plain text in the source code. The idea of the * version should surely be that at no point in the proceedings is the password handled in plain text other than in the server-side PHP code? I would recommend not showing the *s in the box afterward. I mean, they're only stars anyway, and lots of people don't even like it to show that much, or to show x amount of stars per character to hide the length of the password.
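As an added example, not the OP's instantmd5 code, here is a minimal version of the hashing endpoint that follows the three points raised in the thread so far: hash the raw bytes untouched, escape the original only when echoing it back, and never write the masked-box value back into the page. The field names `md` and `mask` are assumptions.

```php
<?php
// Added example, not the site's own code. Field names 'md' and 'mask'
// are assumed; the site's real form fields are not known here.

declare(strict_types=1);

/**
 * Hash the raw input. Nothing is stripped or escaped first: any change
 * to the bytes changes the digest, so strip_tags() before md5() would
 * hand the user the hash of a different string than the one they typed.
 */
function hashInput(string $input): string
{
    return md5($input);
}

/** Escape a user-supplied string so it is inert inside HTML output. */
function forHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build the response fragment. $masked means the value came from the
 * password-style box; in that case only the digest is written back,
 * never the value itself (Moredhel's point about the starred version).
 */
function renderResult(string $input, bool $masked): string
{
    // The digest is 32 hex characters and needs no escaping.
    $html = '<p>MD5: <code>' . hashInput($input) . '</code></p>' . "\n";
    if (!$masked) {
        // The original may contain "> or <script>, so it is escaped here,
        // after hashing, both in the text and in the repopulated field.
        $html .= '<p>You entered: ' . forHtml($input) . '</p>' . "\n";
        $html .= '<input type="text" name="md" value="' . forHtml($input) . '">' . "\n";
    } else {
        $html .= '<input type="password" name="md" value="">' . "\n";
    }
    return $html;
}

// Constructed sample: tags change the hash, so stripping them changes the answer.
$sample = '"><b>test</b>';
assert(hashInput($sample) !== hashInput(strip_tags($sample)));

$input  = (isset($_POST['md']) && is_string($_POST['md'])) ? $_POST['md'] : $sample;
$masked = isset($_POST['mask']);
echo renderResult($input, $masked);
```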
 
Man of Honour | Joined 31 Jan 2004 | Posts 16,335 | Location Plymouth
Code:
		<script type="text/javascript"><!--
google_ad_client = "pub-XXXXXXXXX";
google_ad_width = 300;
google_ad_height = 250;
google_ad_format = "300x250_as";
google_ad_type = "text_image";
google_ad_channel ="XXXXXXXX";
google_color_border = "5F3A3A";
google_color_bg = "5F3A3A";
google_color_link = "FFFFFF";
google_color_url = "FFFFFF";
google_color_text = "FFFFFF";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
				
		
		
		</td>
		<td width="200">
		
	<script type="text/javascript"><!--
google_ad_client = "pub-XXXXXXXXXX";
google_ad_width = 120;
google_ad_height = 600;
google_ad_format = "120x600_as";
google_ad_type = "text_image";
google_ad_channel ="XXXXXXX";
google_color_border = "5F3A3A";
google_color_bg = "5F3A3A";
google_color_link = "FFFFFF";
google_color_url = "FFFFFF";
google_color_text = "FFFFFF";
//--></script>

<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
		
		</td>
      </tr>
"No Mr. Google my site isn't an 'Adsense site' which is explicitly disallowed, it really does do something, and whoops I'm sorry I really didn't mean to stuff my site with four ad blocks making it really hard to actually use the site at all, really, honest, please don't ban me"

Also, why are you using PHP and AJAX? Javascript can do MD5 ;)
 
Soldato (OP) | Joined 4 Jul 2004 | Posts 2,647 | Location aberdeen
There are only three ad units, and one link unit.

Craig321 said:
Kinda offtopic, it's only 3 google ads per page else you'll get ban.

Craig.

Dj_Jestar said:
That's hardly AJAX :\

and I'm not sure, but there may be some issues with using someone else's code (even though you have left the credits in) and putting a copyright on the page..
Technically it is. And it was from a tutorial explaining how to use it.


Moredhel said:
Just thought I'd point out, the version with stars, once you submit it it still keeps the entry in the box, it does it by echoing out the password in plain text in the source code. The idea of the * version should surely be that at no point in the proceedings is the password handled in plain text other than in the server side PHP code? I would recommend not showing the *s in the box afterward, i mean, they're only stars anyway, and lots of people don't even like it to show that much, or to show x amount of stars per character to hide the length of the password.
Good point. Thanks.



Beansprout said:
Code:
		xxx
				
		
		
		</td>
		<td width="200">
		
	xxx
		
		</td>
      </tr>
"No Mr. Google my site isn't an 'Adsense site' which is explicitly disallowed, it really does do something, and whoops I'm sorry I really didn't mean to stuff my site with four ad blocks making it really hard to actually use the site at all, really, honest, please don't ban me"

Also, why are you using PHP and AJAX? Javascript can do MD5 ;)

It isn't an adsense site. The site does comply with Google's adsense rules. The site wasn't even designed around the adsense blocks anyway.

I know JS can do MD5. But I wanted to do it the way I did it :) Part of a learning process for me.

Please let this be the end of this thread. I was asking for some PHP security replies, not a site criticism. Otherwise I would have asked for it.

Mods please lock. thanks.
 
Man of Honour | Joined 31 Jan 2004 | Posts 16,335 | Location Plymouth
D'oh, forgot about the blasted Ad Link whatever Units. They're useless anyway :p

It is AJAX and it's a good learning experience, you're right :)

Here is a fantastic series of excellent AJAX tutorials. IBM really has a little-known treasure trove of information :)

As for the 'Adsense site' thing - I'd check with Google just in case someone reports it and Google decide it's bad. I'd guess you're safe (heck, worldwinddata.com is fine so really they can't be too strict :p) but it's always wise to check :)
 
Soldato (OP) | Joined 4 Jul 2004 | Posts 2,647 | Location aberdeen
Beansprout said:
D'oh, forgot about the blasted Ad Link whatever Units. They're useless anyway

It is AJAX and it's a good learning experience, you're right

Here is a fantastic series of excellent AJAX tutorials. IBM really has a little-known treasure trove of information

As for the 'Adsense site' thing - I'd check with Google just in case someone reports it and Google decide it's bad. I'd guess you're safe (heck, worldwinddata.com is fine so really they can't be too strict :p) but it's always wise to check :)

:)
Thanks. I had a lot of trouble finding AJAX tutorials that started right from the start, for the complete ajax newbie :).

And btw, Google refuse to check my pages any more; I think it's because every time I modified them, I used to get them to check them. Now they just say if we find one that doesn't comply with the rules, we'll email you :). (lol)
 