#1 | Advanced Grasshopper, War Room Member | Joined Sep 2009 | Location: At the Library :)
I was wondering if anyone would care to help me break into the code below. I want to harden up this code against hackers and need some input on how to break into my site through it. You won't be able to run the actual code without my PHP object classes, so I am interested in a theoretical break-in and not in live testing. I won't hold anyone responsible for the consequences of breaking into my own code. The code below is not at my site at present (it's not even close). I am trying to ultra-simplify my code while not sacrificing its secureness.

Code:

```php
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    require $_SERVER['DOCUMENT_ROOT']."/autoload.php";
    $global = new globals();
    $page = new webPage();
    $category = $_GET['category'];                  // taken straight from the query string
    $page->setNavigation($global->getNavigationFor($category));
    $page->setCopyright($global->getCopyright());
    $fileName = $category.$_GET['page'].".txt";     // both GET values concatenated into a file path
    if (file_exists($fileName))
        $page->show($fileName);
    else
        $page->show($page->getDefaultErrorPage());
}
```

Thanks.
Carlos
#2 | HyperActive Warrior, War Room Member | Joined Oct 2009 | Location: Berwick, Melbourne, Australia
One thing of note... you want to check that your ['category'] and ['page'] fields exist and are what you are expecting. Trust nothing that a user can enter... It's very good practice to check that any GET or POST values actually exist. The reason being: you are expecting them to be there, and if they ain't, something's amiss. You could simply call a regular expression function to check if they are empty or use illegal characters. The question is... what do you want your code to do if those GET vars are empty, not present, or contain some mad scientist's formula for cleaning mud?

Cheers,
Tim
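An added example (editor's code, not Carlos's, and not a statement about what his `globals`/`webPage` classes do) that puts the two posts together: the first function isolates what the posted snippet computes so the break-in is visible, and the second is one way to implement Tim's "check that they exist and are what you expect" advice. The content root, the category allow-list and the two regular expressions are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Assumptions: a fixed content
// root, a short allow-list of categories, and the regexes below.

// Assumed location of the .txt pages. Nothing outside this tree may be served.
const CONTENT_ROOT = __DIR__ . '/content';

// Assumed allow-list of categories the site actually has.
const CATEGORIES = ['news', 'help', 'about'];

/**
 * What the posted snippet computes, isolated: both query values are glued into
 * a path, so "category" and "page" can contain "../" and walk out of the web root.
 */
function unsafeFileName(string $category, string $page): string
{
    return $category . $page . '.txt';
}

/**
 * Hardened lookup. Returns an absolute path under CONTENT_ROOT, or null when the
 * request must be refused; the caller then shows the default error page.
 */
function safeFileName(array $get): ?string
{
    // 1. Presence and type: missing values, or ?category[]=x arrays, are refused.
    if (!isset($get['category'], $get['page'])
        || !is_string($get['category']) || !is_string($get['page'])) {
        return null;
    }
    $category = $get['category'];
    $page     = $get['page'];

    // 2. Shape: only [a-z0-9_-], bounded length. No '.', '/', '\' or NUL can get
    //    through, so "../", absolute paths and stream wrappers are ruled out here.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $category)
        || !preg_match('/^[a-z0-9_-]{1,64}$/', $page)) {
        return null;
    }

    // 3. Semantics: the category must be one the site knows about.
    if (!in_array($category, CATEGORIES, true)) {
        return null;
    }

    // 4. Defence in depth: resolve symlinks and confirm the result still lies
    //    under the content root. realpath() returns false if the file is missing,
    //    so no separate file_exists() call is needed.
    $root = realpath(CONTENT_ROOT);
    $real = realpath(CONTENT_ROOT . '/' . $category . '/' . $page . '.txt');
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed request that walks out of the web root with the original code.
$attack = ['category' => '../../../../etc/', 'page' => 'passwd'];
echo unsafeFileName($attack['category'], $attack['page']), "\n";
var_dump(safeFileName($attack));
var_dump(safeFileName(['category' => 'news', 'page' => 'welcome']));
```

With the constructed request, `unsafeFileName()` yields `../../../../etc/passwd.txt`: the original snippet lets the visitor name any directory on the server and reads it if a `.txt` file of that name exists there. The hard-coded `.txt` suffix is the only thing limiting the read, and on PHP releases before 5.3.4 a NUL byte in the query value truncated the path before the suffix. `safeFileName()` returns null for the attack (it fails the regex) and returns the resolved path only for a known category whose file really sits under `content/`. Note that the raw `$category` is also handed to `getNavigationFor()`; whatever that method does with the string needs the same treatment, so validate once, at the top, before either use.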
#3 | Advanced Grasshopper, War Room Member | Joined Sep 2009 | Location: At the Library :)
Tim... thanks for your input. I had a response I wanted to give you, but I am going to give up on this thread. The forum software here tries to run my PHP code every time I try to post it and rightly reports that there is an error in my incomplete PHP code. It's too much hassle to try and work with this forum software as such... I'll go elsewhere to get input on my PHP code.

Thanks.
Carlos
#4 | HyperActive Warrior, War Room Member | Joined Oct 2009 | Location: Berwick, Melbourne, Australia
Yeah, I had the same problem. Even in the PHP tags things broke and the forum script had major kittens. You can PM me and we can arrange a yak in my conference room sometime if you'd like.

Cheers,
Tim
#5 | Advanced Grasshopper, War Room Member | Joined Sep 2009 | Location: At the Library :)
Thanks Tim. That's very gracious of you. What is a conference room, by the way? Is that a capability of this forum that I have not been aware of? I will PM you later, Tim. Maybe tomorrow. I am in the middle of working on finishing up some client PHP code by tomorrow.

Carlos