Hi, I have just finished production of an online editor and I was wondering whether it was safe, e.g. can it be used to hack into sites etc... //Edit: It's not MEANT to be able to be used to hack sites!
And also, just give it a rating (e.g. on usefulness, tidiness, ease of use etc.), thanks in advance!

Well? Is anyone going to say anything??? It's been downloaded 23 or so times... JUST TELL ME ALREADY!!!

I only see 14 times.
But what makes you think it is not safe?
Besides some HTML error it looks fine to me, although the username and password should be kept someplace else, like a database or something, and encrypted.

Oh... yeah thanks, my mate said I need to strip slashes or something? And said that like the whole server could be erased if someone accessed it online (after getting the password). Is that true??? And he said it didn't look too safe... actually that mate was MikeXP (you must know him [?], owns Hardware-HQ, GlobalBoards and others)
Um... also, I had like 25 posts, then I didn't come on for a while and when I came back I had less. How did that happen???

Yes I know Mike, good guy.
After taking a closer look I can agree.
$content=$_POST["edit_contents"];
Any time you have text posted via a form you should add addslashes():
$content=addslashes($_POST["edit_contents"]);
That way it cuts down the possibility of an attack on the db and server.
Also you need to check on the extension they can save as. Don't let them save as a .exe or .vbs or something else that can be run.
Never let them run it after they upload.

Ooooo ok, cool...
Also, it's really only for my friends and me for our personal (and non-personal) websites... but still, if their password etc. fell into the wrong hands! Uh oh!!!
Thanks for that...
A summary:
* I must addslashes(); all file contents that are to be saved...
* I must encrypt passwords
* I must store passwords elsewhere
* and.... anything else???
Would adding a log (of activities + IP addresses etc.) be good?

Hold on... adding addslashes to the content to be added to the file means that the file will contain PHP slashes, which I don't want if it's an HTML file or even just a plain text (.txt) file! So now what?

Then hope nobody gets your password/username.
Saving a runnable script is dangerous. Anybody can save a file and then run it and bingo, they have everything under the sun, MySQL passwords, db stuff, etc.
So that is why it is important to save those passwords someplace else.
You don't addslashes the filename, just the contents. If you add to the file name then it will never run.
A log is good, but if it is just you then why?

Yeah, good point, and thanks... (again)
I might add like 2 more passwords, as in I have to get 3 passwords right to unlock the script...

Yeah, that sounds good.

Again (again) thank you for your help as per usual scoutt!
OK, can you give me the rundown (not too complicated, because I don't quite understand the PHP manual description) on stripslashes() / addslashes(), e.g. why I need to use them on the contents of the file to be saved....

Because if you don't use addslashes then somebody can run the file and run a query to return all your db stuff. But that is what you get if you have an online editor.
addslashes adds slashes to all " and '
stripslashes does the opposite.

So is that when they save the file, and then run that file afterwards, e.g.
save using the "New" command on my editor, then open a new window and request the script, e.g. http://egsite.com/egpage.php
Is that what you mean???? Well, that's what I wanna do, so I suppose I'll have to take the risk! Oh well... I'll just have to be careful.......... Oh yeah, and btw I did understand WHAT it does, but not why we need to do it. I understand now though.

Originally posted by scoutt
Because if you don't use addslashes then somebody can run the file and run a query to return all your db stuff. But that is what you get if you have an online editor.
addslashes adds slashes to all " and '
stripslashes does the opposite.
Doesn't it also add another slash to the '/' so it becomes // ?

Originally posted by Josh
Doesn't it also add another slash to the '/' so it becomes // ?
If it does then I haven't seen it.

Oh, ok then. I thought I had read that in my book.

Wait, I just read in the manual (.chm ver) that if you addslashes something that already has the slashes, it goes ahead and does it again, e.g.

<?php
$string = "Hello, what yo up to? \"Nothing\"";   // the string itself holds plain quotes: Hello, what yo up to? "Nothing"
$string2 = addslashes($string);                  // Hello, what yo up to? \"Nothing\"
$string3 = addslashes($string2);                 // applied again, the existing slashes are escaped too: Hello, what yo up to? \\\"Nothing\\\"
?>

But to check if it already contains \'s you can use the integer-returning function get_magic_quotes_gpc() which I think (read in the manual to be sure) returns one or zero as to if there are escapers (\) in a string.
hmmm.....
/////EDIT: FSCK!!! the stupid PHP in this site is preventing me from putting the right number of "\"'s so yeah... I'll try like this:
\\\"Nothing\\\"
or
just= \\\"Nothing\\\"
/////End of edit

No, although that is a good idea you have it all wrong.
If you are going to tough it out then don't do addslashes. addslashes is to prevent people from inserting extra stuff into a query so it will return extra information; it is also used to protect if you don't have magic_quotes set to ON.
If you are running it as an editor where you can make files then do not use it. Those files will not run if you do.
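Added example for this thread (not code from the editor being discussed, and not scoutt's or Josh's code): a PHP save handler that treats the two sinks the thread keeps mixing up differently. File contents are written to disk exactly as typed, with the file name held to an allowlist of non-executable extensions and a single directory, which covers the "don't let them save as .exe or .vbs" and "those files will not run if you do" points. The save record goes into the database through a PDO prepared statement instead of an addslashes()-built query, and a legacy function at the end shows the addslashes()/magic_quotes_gpc behaviour the last posts argue about. $editorRoot, the `edits` table, the function names and the sample values are assumptions made for the example.

```php
<?php
// Added example for this thread, not code from the editor under discussion.
// An editor save handler writes to two different sinks:
//   1. a file on disk: the text is stored exactly as typed (addslashes() here
//      corrupts the saved .html/.txt), while the file NAME is restricted to a
//      short allowlist of non-executable extensions and a single directory;
//   2. the database: user text never goes into the SQL string at all; it is
//      bound as a parameter of a prepared statement.
// $editorRoot, the `edits` table, all function names and the sample values
// are assumptions made for the example.
declare(strict_types=1);

// Extensions the editor may save. php/phtml/cgi (the server would execute
// them) and exe/vbs (a visitor would run them) are deliberately absent.
const ALLOWED_EXTENSIONS = ['html', 'htm', 'css', 'txt', 'js'];

// Directory the editor is confined to (assumption).
$editorRoot = realpath(__DIR__ . '/sites');

function saveEditorFile(string $root, string $requestedName, string $content): string
{
    // One path component, one dot: this rejects "../../etc/passwd",
    // "/var/www/index.php", ".htaccess" and "page.php.html" in one check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $requestedName, $m)) {
        throw new InvalidArgumentException('file name must be name.ext with no path');
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException("extension .$ext is not allowed");
    }

    // With the name validated the target cannot leave $root.
    $target = $root . DIRECTORY_SEPARATOR . $requestedName;

    // Write the content as posted. addslashes() is for SQL string literals;
    // applying it here is what would put "\" into the saved HTML files.
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException("could not write $target");
    }
    return $target;
}

// Log who saved which file from where. Every request-controlled value is a
// bound parameter, so quotes in a file name or a spoofed address cannot
// alter the statement, with or without magic_quotes_gpc.
function recordSave(PDO $db, string $user, string $fileName, string $ip): void
{
    $stmt = $db->prepare(
        'INSERT INTO edits (username, file_name, ip_address, saved_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$user, $fileName, $ip, date('Y-m-d H:i:s')]);
}

// The legacy approach from the thread, for comparison only. When
// magic_quotes_gpc was on, $_POST already carried slashes and a second
// addslashes() doubled them; the guard undoes that first. Magic quotes were
// removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0.
function legacyEscapedQuery(string $fileName): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $fileName = stripslashes($fileName);
    }
    return "INSERT INTO edits (file_name) VALUES ('" . addslashes($fileName) . "')";
}

// Request values, with constructed defaults so the script also runs from the CLI.
$name    = $_POST['edit_name']     ?? 'page.html';
$content = $_POST['edit_contents'] ?? "<p>It's \"quoted\" text, saved verbatim.</p>\n";
$ip      = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';

if ($editorRoot !== false && is_dir($editorRoot)) {
    $path = saveEditorFile($editorRoot, $name, $content);
    // file_get_contents($path) === $content: no slashes were added.

    $db = new PDO('sqlite::memory:');   // assumes pdo_sqlite; swap for the real DSN
    $db->exec('CREATE TABLE edits (username TEXT, file_name TEXT, ip_address TEXT, saved_at TEXT)');
    recordSave($db, 'josh', $name, $ip);
}
```

The point of the split is that escaping belongs to the sink, not to the input: a backslash that makes a quote harmless inside an SQL literal is just a stray character inside an HTML file, so the file write gets no escaping at all and the SQL gets a bound parameter rather than string concatenation. The name regex does the work scoutt's "check the extension" advice asks for, and also blocks directory traversal and double extensions, which an extension check on its own would miss.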