
Free PHP Project for DP Members <Download>

Discussion in 'PHP' started by pulikuttann, Mar 9, 2007.

  1. #1
    I am busy so not commenting. Just get the Index Link Bank which is suitable for your site. Read the readme file for more information.


    Download
     
    pulikuttann, Mar 9, 2007 IP
  2. scart3r
    #2
    Can you explain a bit more about what this is?

    Cheers,
    Cindy
     
    scart3r, Mar 9, 2007 IP
  3. Robert Plank
    #3
    It's a free for all link page... but he calls it a "link bank" because it sounds better. Nice fun project for a PHP newbie to make but totally useless. You could throw a script like this together in 10 minutes, if that.
     
    Robert Plank, Mar 9, 2007 IP
  4. scart3r
    #4
    Oh, thank you :)

    Very cool then!
     
    scart3r, Mar 9, 2007 IP
  5. Pat Gael
    #5
    Nice and small, thanks for sharing this code.
     
    Pat Gael, Mar 9, 2007 IP
  6. pulikuttann
    #6
    Don't say that it's useless only because you don't have a use for it. But if you don't know PHP and are in search of a small script that can be added as a link submitter, then it will be useful, I think. I am saying this because I am a newbie and before starting with PHP I was in search of code like this and couldn't find anything.

    It's so simple and anyone with a little PHP/MySQL knowledge can edit this. If someone has some more ideas then I will try for that ......... !
     
    pulikuttann, Mar 9, 2007 IP
  7. pulikuttann
    #7
    The script has three parts. One for webmasters to install. Second for submitting the links. Third for viewing the submitted links.

    If there are some good programmers here then they can add some more features to it. I am also on my way to making it more nice and useful.
     
    pulikuttann, Mar 9, 2007 IP
  8. tulip4heaven
    #8
    It will be much better if you can post an online demo of this script, because people would like to see it before downloading.

    Thanks
    Tulip
     
    tulip4heaven, Mar 9, 2007 IP
  9. pulikuttann
    #9
    I will make one!!!!
     
    pulikuttann, Mar 10, 2007 IP
  10. chuckd1356
    #10
    BTW, that script is not secure at all. You don't validate anything, at all. And you leave all the database connections at the top of the file which is a big NO-NO!

    Very bad coding practices to pick up this early.

    Put the connections in another file, conf.inc.php for example.
    And store the connections variables in constants in another file as well.
     
    chuckd1356, Mar 10, 2007 IP
  11. pulikuttann
    #11
    Thanks for your advice. Since I am a newbie I am not aware of the security problems.

    And I have a doubt. Why is it said in most projects that the install file should be deleted? Is it dangerous?
    If hackers don't get the database then how is it dangerous?
    Any more comments on permission settings?
     
    pulikuttann, Mar 10, 2007 IP
  12. streety
    #12
    Security-wise I don't see the problem with having the database connection at the top of the file. I can understand having the username and password stored in a separate file, preferably in a non-web accessible directory, but the actual connection?

    pulikuttann, with regards to the install directory it is easier to just prevent a script from working until it is deleted than secure the install process fully. It makes more sense to concentrate on what is going to be important over the long term.
     
    streety, Mar 10, 2007 IP
  13. chuckd1356
    #13
    That's what I was referring to, the access credentials. You should have those stored outside of the document root.
     
    chuckd1356, Mar 10, 2007 IP
  14. streety
    #14
    In that case I agree completely. :)
     
    streety, Mar 10, 2007 IP
  15. exam
    #15
    Storing your MySQL password/username within the document root isn't really a problem. Even vBulletin stores the username/password in includes/config.php. The only scenarios in which someone could get to that information would be if (1) they have access to the server (FTP/SSH/physical), (2) the HTTP server stopped running *.php files through the PHP parser, or (3) someone could execute PHP code on your server. *Very* few commercial scripts save the database login credentials above the webserver's document root.

    I'd be a lot more concerned about proper input validation and coding practices.
     
    exam, Mar 10, 2007 IP
  16. mariush
    #16
    Try typing

    '); DELETE * FROM submit; -- 

    in the yourname field. And you'll see why security is important.

    PS: the result will be an empty submit table.

    The values in all fields must be ESCAPED so that the values will not contain special characters (to MySQL).

    Use a function like this, which escapes ' into \' and does other things such as wrapping the strings into ' ' chars:

    function sqlesc($x)
    {
        $value = $x;
        // Undo the backslashes that the old magic_quotes_gpc setting adds to
        // request values, so the value is not escaped twice below
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote and escape unless the value looks like a number
        // (mysql_real_escape_string() needs an open mysql_connect() link;
        // the mysql_* extension was removed in PHP 7)
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
    You can now write that code like this:

    $name     = sqlesc($_REQUEST['name']);
    $cat      = sqlesc($_REQUEST['cat']);
    $image    = sqlesc($_REQUEST['image']);
    $link     = sqlesc($_REQUEST['link']);
    $yourname = sqlesc($_REQUEST['yourname']);

    $query = 'INSERT INTO submit (name,cat,image,link,yourname) VALUES ('
           . $name . ',' . $cat . ',' . $image . ',' . $link . ',' . $yourname . ')';

    The $_REQUEST array contains values from both the $_GET and $_POST arrays.

    This is your homework :) : try to secure the code you've written.

    PS: The function that escapes the strings has a somewhat minor bug: it doesn't treat the case when the value is something like "1e3". For PHP's is_numeric() function this is actually a number (1e3 = 1 x 10^3 = 1000), which means it will return true, there will be no ' ' characters to wrap the string, and the query will fail. Homework 2: add another condition for cases such as this. :)
     
    mariush, Mar 10, 2007 IP
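An added example, not code from this thread or from pulikuttann's script: the same five-field insert into the submit table written with PDO prepared statements instead of sqlesc()-style quoting, so the injected quote from mariush's post and the "1e3" value both arrive at MySQL as plain data, with the credentials loaded from a file above the document root as chuckd1356 suggested. The conf.inc.php location, the DB_DSN/DB_USER/DB_PASS constant names and the 255-character field limit are assumptions.

```php
<?php
// Added example: submit.php rewritten around prepared statements.
// Assumed: conf.inc.php sits one directory above the document root and
// defines DB_DSN, DB_USER and DB_PASS (hypothetical file and constant names).
require dirname(__DIR__) . '/conf.inc.php';

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the driver never splices the bound
        // values back into the SQL text, which is what defeats injection.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function insertSubmission(PDO $pdo, array $in): int
{
    // Whitelist the expected fields and reject missing or over-long values
    // before touching the database (assumed limit: 255 characters).
    $fields = ['name', 'cat', 'image', 'link', 'yourname'];
    $row = [];
    foreach ($fields as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || strlen($in[$f]) > 255) {
            throw new InvalidArgumentException("bad or missing field: $f");
        }
        $row[$f] = $in[$f];
    }
    if (filter_var($row['link'], FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('link is not a URL');
    }

    // The SQL text is fixed; every value travels as a separate parameter,
    // so no quoting decision (is_numeric, magic quotes, ...) is needed.
    $sql = 'INSERT INTO submit (name, cat, image, link, yourname)
            VALUES (:name, :cat, :image, :link, :yourname)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($row);   // array keys match the named placeholders
    return (int) $pdo->lastInsertId();
}

// Read $_POST only: a link submission should not be accepted from a GET URL,
// and $_REQUEST would also merge in cookies depending on request_order.
$id = insertSubmission(db(), $_POST);
echo 'stored submission #', $id;
```

Data read back out of the table still needs htmlspecialchars() before it is echoed into the view page, which is the "validate on the way out" point chuckd1356 raises below.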
  17. chuckd1356
    #17
    I agree, that storing the configuration files outside of document root isn't necessary, but it is one more step towards Defense in Depth. It doesn't take much to move your files there, but it can help you in the long run.

    I also agree that taking the extra steps for proper validation is necessary. You should also take Defense in Depth into account when working with validation. For example, many developers don't validate data that is coming out of a database because they have used their logic when they inserted the data into the DB. This is a bad idea, because if for some reason, your great logic isn't so great, you can have bad problems.

    I wrote out a whole script giving an example of this, but then firefox crashed. I'm not retyping it. Sorry.
     
    chuckd1356, Mar 10, 2007 IP
  18. pulikuttann
    #18
    Yeah, all that you said is real. I have made many queries inside my input box and found that any query can be executed there.
    Thanks a lot!!!
    I expect more help from you people!!!!
     
    pulikuttann, Mar 10, 2007 IP