PHP - security issues, and what i should do

Chronicle

Chronicle

Chronicle

Soldato
Joined
4 Jul 2004
Posts
2,647
Location
aberdeen
Hello
I have set up [removed]

Firstly, am I using the right terms (checksum/hash etc) on the page?

I only have strip_tags() on the "blob" one. I havn't put it into the others. Which means if something like "> test is writen it ****s it up. I know i could sort it out by a simple strip_tags(), but then the user will think that the md5 version of it was done without any tags (if that makes sense). any ideas what to do?

Also are there any security issues server side, as basically all it does is:

$md = $_POST['md'];
$md = md5($md);
echo $md;

I know there are the client side issues as mentioned above.

Thanks
 
Last edited:
use htmlentities() which will convert the dodgy characters to safe HTML form:

Code: 
// md5 string
echo md5($_REQUEST['blah']);
// echo you entered
echo htmlenities($_REQUEST['blah']);

btw how many google adverts (i thought google only allowed 3 on any page)? :confused:
 
Last edited:
If all you're doing is hashing the input then there is no need to strip tags or any similar gubbins. If you need to display the original string again then using htmlentities() *after* it's been hashed wouldn't be a bad idea.
 
Dfhaii said:
If all you're doing is hashing the input then there is no need to strip tags or any similar gubbins. If you need to display the original string again then using htmlentities() *after* it's been hashed wouldn't be a bad idea.
Click to expand...

It would be a bad idea in the sense that it would be totally and completely unnecessary :)
 
You don't need to fiddle before you MD5 because MD5 doesn't care what the string contains, it just outputs a 32char whatsit-what no matter what you give it :)
 
Beansprout said:
You don't need to fiddle before you MD5 because MD5 doesn't care what the string contains, it just outputs a 32char whatsit-what no matter what you give it :)
Click to expand...

...and if an attacker is able to somehow change what your MD5 function outputs, XSS is the least of your worries :)
 
Thanks.
Updated it now with an ajax thing, so it is more instant.
I used that htmlentities() function on the non AJAX version.
Cheers
 
Chronicle said:
Hello
I have set up http://www.instantmd5.com/

Firstly, am I using the right terms (checksum/hash etc) on the page?

I only have strip_tags() on the "blob" one. I havn't put it into the others. Which means if something like "> test is writen it ****s it up. I know i could sort it out by a simple strip_tags(), but then the user will think that the md5 version of it was done without any tags (if that makes sense). any ideas what to do?

Also are there any security issues server side, as basically all it does is:

$md = $_POST['md'];
$md = md5($md);
echo $md;

I know there are the client side issues as mentioned above.

Thanks
Click to expand...

Kinda offtopic, it's only 3 google ads per page else you'll get ban.

Craig.
 
That's hardly AJAX :\

and I'm not sure, but there may be some issues with using someone elses code (even though you have left the credits in) and putting a copywright on the page..
 
Just thought I'd point out, the version with stars, once you submit it it still keeps the entry in the box, it does it by echoing out the password in plain text in the source code. The idea of the * version should surely be that at no point in the proceedings is the password handled in plain text other than in the server side PHP code? I would recommend not showing the *s in the box afterward, i mean, they're only stars anyway, and lots of people don't even like it to show that much, or to show x amount of stars per character to hide the length of the password.
 
Code: 
		<script type="text/javascript"><!--
google_ad_client = "pub-XXXXXXXXX";
google_ad_width = 300;
google_ad_height = 250;
google_ad_format = "300x250_as";
google_ad_type = "text_image";
google_ad_channel ="XXXXXXXX";
google_color_border = "5F3A3A";
google_color_bg = "5F3A3A";
google_color_link = "FFFFFF";
google_color_url = "FFFFFF";
google_color_text = "FFFFFF";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
				
		
		
		</td>
		<td width="200">
		
	<script type="text/javascript"><!--
google_ad_client = "pub-XXXXXXXXXX";
google_ad_width = 120;
google_ad_height = 600;
google_ad_format = "120x600_as";
google_ad_type = "text_image";
google_ad_channel ="XXXXXXX";
google_color_border = "5F3A3A";
google_color_bg = "5F3A3A";
google_color_link = "FFFFFF";
google_color_url = "FFFFFF";
google_color_text = "FFFFFF";
//--></script>

<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
		
		</td>
      </tr>
"No Mr. Google my site isn't an 'Adsense site' which is explicitly disallowed, it really does do something, and whoops I'm sorry I really didn't mean to stuff my site with four ad blocks making it really hard to actually use the site at all, really, honest, please don't ban me"

Also, why are you using PHP and AJAX? Javascript can do MD5 ;)
 
There are only three ad units, and one link unit.

Craig321 said:
Kinda offtopic, it's only 3 google ads per page else you'll get ban.

Craig.
Click to expand...

Dj_Jestar said:
That's hardly AJAX :\

and I'm not sure, but there may be some issues with using someone elses code (even though you have left the credits in) and putting a copywright on the page..
Click to expand...
Technically it is. And it was from a tutorial explaining how to use it.


Moredhel said:
Just thought I'd point out, the version with stars, once you submit it it still keeps the entry in the box, it does it by echoing out the password in plain text in the source code. The idea of the * version should surely be that at no point in the proceedings is the password handled in plain text other than in the server side PHP code? I would recommend not showing the *s in the box afterward, i mean, they're only stars anyway, and lots of people don't even like it to show that much, or to show x amount of stars per character to hide the length of the password.
Click to expand...
Good point. Thanks.



Beansprout said:
Code: 
		xxx
				
		
		
		</td>
		<td width="200">
		
	xxx
		
		</td>
      </tr>
"No Mr. Google my site isn't an 'Adsense site' which is explicitly disallowed, it really does do something, and whoops I'm sorry I really didn't mean to stuff my site with four ad blocks making it really hard to actually use the site at all, really, honest, please don't ban me"

Also, why are you using PHP and AJAX? Javascript can do MD5 ;)
Click to expand...

It isn't an adsense site. The site does comply with Google's adsense rules. The site wasn't even designed around the adsense blocks anyway.

I know JS can do MD5. But I wanted to do it the way I did it :) Part of a learning process for me.

Please let this be the end of this thread. I was asking for some php security replies. Not a site critisism. Other wise i would have asked for it.

Mods please lock. thanks.
 
Last edited:
D'oh, forgot about the blasted Ad Link whatever Units. They're useless anyway :p

It is AJAX and it's a good learning experience, you're right :)

Here is a fantastic series of excellent AJAX tutorials. IBM really has a little-known treasure trove of information :)

As for the 'Adsense site' thing - I'd check with Google just in case someone reports it and Google decide it's bad. I'd guess you're safe (heck, worldwinddata.com is fine so really they can't be too strict :p) but it's always wise to check :)
 
Beansprout said:
D'oh, forgot about the blasted Ad Link whatever Units. They're useless anyway

It is AJAX and it's a good learning experience, you're right

Here is a fantastic series of excellent AJAX tutorials. IBM really has a little-known treasure trove of information

As for the 'Adsense site' thing - I'd check with Google just in case someone reports it and Google decide it's bad. I'd guess you're safe (heck, worldwinddata.com is fine so really they can't be too strict :p) but it's always wise to check :)
Click to expand...

:)
Thanks. I had a lot of trouble finding AJAX tutorials that started right from the start, for the complete ajax newbie :).

And btw, Google refuse to check my pages any more, think its because everytime i modify them, I used to get them to check them. Now they just say if we find one that doesn't comply with the rules, we'll email you :). (lol)
 
You must log in or register to reply here.
Back
Top Bottom