Open avs-code opened 8 years ago
Mysql => Mysqli (or PDO) should also be part of this, since the php mysql module has not had a security update in a long time...
@arv187 I started the migration to Mysqli in a new branch.
The fundamental change is in the file `functions.php`, in which I changed the function `mysqlconnect()`.
This function needs to be made available on every page that requires access to the database.
I have done this for example on the `results.php` page like so:
```php
<?php
require_once("functions.php"); // import mysql function
$link = mysqlconnect(); // call mysql function to get the link to the database
```
We need this `$link` as parameter for all queries and error messages later on, e.g.:
```php
$sresult = mysqli_query($link, $squery);
show_error("MySQL Error: " . mysqli_error($link) . "\n");
```
Basically you replace:
- `mysql_query($squery)` with `mysqli_query($link, $squery)`
- `mysql_error()` with `mysqli_error($link)`
- `mysql_fetch_array($sresult)` with `mysqli_fetch_array($sresult)`
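As an added example (not code from the repository or from the branch described above), this is what `mysqlconnect()` and a query on `results.php` could look like once ported, using a prepared statement instead of string-built SQL so the same change also covers the SQL injection item on the task list. The credentials, the `results` table and its columns, and the `fetch_results_for_driver()` helper are assumptions; `show_error()` is replaced by a minimal stand-in because the project's version is not on this page.

```php
<?php
// Added example, not the project's functions.php. Credentials, table/column names
// and fetch_results_for_driver() are assumed; show_error() below is a stand-in.

// Turn mysqli failures into exceptions so a failed query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function mysqlconnect(): mysqli
{
    // Assumed credentials; the real project would read these from its config.
    $link = mysqli_connect('localhost', 'db_user', 'db_password', 'rally_db');
    // Keep the connection charset explicit so escaping and comparisons are consistent.
    mysqli_set_charset($link, 'utf8mb4');
    return $link;
}

function show_error(string $message): void
{
    // Stand-in for the project's show_error(): escape before echoing to avoid XSS.
    http_response_code(500);
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

// A one-to-one port that keeps string-built SQL, e.g.
//   $sresult = mysqli_query($link, "SELECT ... WHERE driver_id = " . $_GET['id']);
// is still injectable. A prepared statement sends the value separately from the SQL text.
function fetch_results_for_driver(mysqli $link, int $driverId): array
{
    $stmt = mysqli_prepare($link, 'SELECT id, driver_id, stage, time_ms FROM results WHERE driver_id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $driverId); // 'i' = bind as integer
    mysqli_stmt_execute($stmt);
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// results.php: validate the input type first, then query.
$driverId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($driverId === null || $driverId === false) {
    show_error("Invalid driver id\n");
}

try {
    $link = mysqlconnect();
    foreach (fetch_results_for_driver($link, $driverId) as $row) {
        echo htmlspecialchars($row['stage'], ENT_QUOTES, 'UTF-8') . ': ' . (int) $row['time_ms'] . "<br>\n";
    }
    mysqli_close($link);
} catch (mysqli_sql_exception $e) {
    // Log the driver detail server-side; do not echo the raw message to users.
    error_log('MySQL Error: ' . $e->getMessage());
    show_error("Database error\n");
}
```

`mysqli_stmt_get_result()` and `mysqli_fetch_all()` need the mysqlnd driver (the default since PHP 5.4); on builds without it, bind the columns with `mysqli_stmt_bind_result()` instead. The `MYSQLI_REPORT_STRICT` mode also makes `mysqli_connect()` throw on failure, which is why the connection sits inside the `try`.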
Hi @stmeissner, I found out in the summer that these expressions have to be replaced as you say; I expected to test in January the scripts/programs that do the auto-conversion to mysqli. Thanks for continuing with this!!! I'll try to take a closer look this week or this weekend at what you tell me.
http://php.net/manual/es/security.database.sql-injection.php http://www.forosdelweb.com/f18/aporte-seguridad-basica-php-1011808/
TASKS
- [x] `.htaccess` "Options -Indexes" added.
- [ ] Change from sha1 to bcrypt (blowfish). http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php
- [ ] Check variables.
- [ ] Check XSS security.
- [ ] Check SQL injection.
- [ ] Check `session_start();` security.
- [ ] Check sessions security.
- [ ] Check upload security.
- [ ] Check security of the "Join" -> "new Driver" web section.
- [x] Update to Mysqli (Mysql => Mysqli or PDO). Tip: https://www.phpclasses.org/blog/package/9199/post/3-Smoothly-Migrate-your-PHP-Code-using-the-Old-MySQL-extension-to-MySQLi.html https://github.com/philip/MySQLConverterTool
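For the sha1 to bcrypt task above, here is an added example (not the project's login code) of how the switch can be done without knowing anyone's password: existing sha1 rows are verified as before and rewritten as bcrypt on the user's next successful login. The `users` table with `id`, `username` and `password_hash` columns, and the function names, are assumptions.

```php
<?php
// Added example, not the project's login code. The users table and its columns
// (id, username, password_hash) and the function names are assumptions.

const BCRYPT_COST = 12; // raise over time as hardware gets faster

function hash_new_password(string $password): string
{
    // PASSWORD_BCRYPT = blowfish ($2y$) with a random per-user salt generated by PHP.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns false on a wrong password, a new hash string when the stored one should be
// replaced (legacy sha1, or bcrypt with an outdated cost), or null when nothing changes.
function verify_and_upgrade(string $password, string $storedHash)
{
    if (preg_match('/^[0-9a-f]{40}$/i', $storedHash)) {
        // Legacy row: unsalted sha1 hex digest. Constant-time compare, then upgrade.
        if (!hash_equals(strtolower($storedHash), sha1($password))) {
            return false;
        }
        return hash_new_password($password);
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hash_new_password($password)
        : null;
}

function login(mysqli $link, string $username, string $password): bool
{
    $stmt = mysqli_prepare($link, 'SELECT id, password_hash FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    if (!$row) {
        // Unknown user: still run a bcrypt verify so the response time does not differ.
        static $dummy = null;
        $dummy = $dummy ?? hash_new_password('dummy-password');
        password_verify($password, $dummy);
        return false;
    }

    $outcome = verify_and_upgrade($password, $row['password_hash']);
    if ($outcome === false) {
        return false;
    }
    if (is_string($outcome)) {
        // Transparent upgrade: store the bcrypt hash on the first successful login.
        $upd = mysqli_prepare($link, 'UPDATE users SET password_hash = ? WHERE id = ?');
        $id = (int) $row['id'];
        mysqli_stmt_bind_param($upd, 'si', $outcome, $id);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }

    // Fresh session id after authentication (session_start() assumed to have run earlier).
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}
```

The `password_hash` column needs room for 60 characters for `$2y$` hashes (use something like `VARCHAR(255)` so a later algorithm change fits too). Once all rows have been upgraded, the sha1 branch in `verify_and_upgrade()` can be deleted, and any account that never logged in again should have its password reset rather than its sha1 hash kept indefinitely.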