Is this PHP script safe?



samp
02-05-2004, 02:33 PM
Asking if this script is safe mainly because it calls "mail" and I am not familiar with all the ins and outs of mail/sendmail, etc. and I am not an experienced coder.

(Also, please see related followup question.)

This is the script:

<?php
if (strstr($_SERVER['HTTP_USER_AGENT'], "Googlebot")) {
    $body = "Googlebot just visited this page: " . $_SERVER["PHP_SELF"];
    mail("My_email_address", "Google Alert " . $_SERVER["PHP_SELF"], $body);
}
?>

This simply sends me an email every time user agent "googlebot" visits a page on the site. It works, but just want to make sure there are no holes in it.

Thanks.

wildjokerdesign
02-05-2004, 03:44 PM
Don't believe you will have any problems. Nothing seems to be coming from user input and I think that is where you would get in trouble. I'm not an expert but can't see any holes from the knowledge I have.

FZ
02-05-2004, 06:40 PM
You should be fine with that, as long as you don't publicize that you have that code on a specific page - because someone could easily fake the user agent string to match that, and reload the page many times, effectively mailbombing you. My recommendation to you would be to manually check your access_log (and search for occurrences of "google") for this data. Another alternative would be to install something like AWStats (http://awstats.sourceforge.net) which will provide you with detailed stats, including information on user agent strings.

wildjokerdesign
02-05-2004, 08:22 PM
FZ,

So if someone were to do what you mentioned it would simply be a malicious hack that would fill the mail box, right? They wouldn't be able to fake the e-mail it was sent to, could they?

FZ
02-05-2004, 08:29 PM
Yes - all it would do is send an e-mail every time the web page is reloaded (assuming that the person had changed their user agent string). I'm assuming the e-mail address is "hardcoded" (i.e. not used as a variable) in the above example, in which case, no, they would not be able to fake the address. I suppose it wouldn't be a problem even if the e-mail address was set as a variable, but WestHost decided to turn on register_globals by default, and for security reasons, it is recommended that you keep this off (and adjust your code accordingly). It's even been turned off by default for the last few versions of PHP.

wildjokerdesign
02-05-2004, 08:57 PM
phpBB uses $HTTP_SERVER_VARS['HTTP_USER_AGENT'] to read the user agent. Is that an example of adjusting the code or is that also considered a register_global? They would be turned off in the php.ini file, right?

samp
02-06-2004, 04:51 AM
Thank you wildjokerdesign and FZ.

I thought it would be reasonably ok.

To FZ - yes, it is not publicized and the email is hardcoded (mainly because I don't know how to do it otherwise). I do look at the access log manually, this script is just something I am trying out and will probably discontinue if there are mailbombings and revert over to Webalizer or Awstats.

Thanks again to both of you.

FZ
02-06-2004, 10:32 AM
Shawn,

Hmm, I think $HTTP_SERVER_VARS is actually the "old way" of doing it - i.e. with register_globals on (could be wrong). Looking at the PHP manual, $_SERVER (and specifically $_SERVER['HTTP_USER_AGENT'] in this case) is what is now preferred. Have a look at http://www.php.net/reserved.variables. And yes, you can turn off register_globals in php.ini - you just need to make sure your code doesn't break (and you need to "restart").

samp - you're welcome :)
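
Added example, not part of the thread: a variant of samp's script that limits the mailbombing FZ describes by sending at most one alert per interval, and that keeps request-derived text out of the subject line. The recipient address, stamp-file path and one-hour interval are placeholder assumptions, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread). All constants below are placeholders.
const ALERT_TO       = 'me@example.com';   // hardcoded recipient, as in the original script
const ALERT_INTERVAL = 3600;               // assumed limit: at most one mail per hour
$stampFile = sys_get_temp_dir() . '/googlebot_alert.stamp'; // holds time of last alert

// Returns true (and records $now) only if $interval seconds have passed since
// the last recorded alert. flock() serialises concurrent requests so a burst
// of reloads cannot slip several mails through at once.
function alert_allowed(string $stampFile, int $interval, int $now): bool
{
    $fh = fopen($stampFile, 'c+');          // create if missing, do not truncate
    if ($fh === false) {
        return false;                       // fail closed: no state, no mail
    }
    $ok = false;
    if (flock($fh, LOCK_EX)) {
        $last = (int) stream_get_contents($fh);   // empty file reads as 0
        if ($now - $last >= $interval) {
            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, (string) $now);
            $ok = true;
        }
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $ok;
}

// Replace anything outside printable ASCII (including CR/LF) and cap the length.
// PHP_SELF can include client-supplied path info, so treat it as untrusted text.
function printable(string $s, int $max = 200): string
{
    return substr(preg_replace('/[^\x20-\x7E]/', '?', $s), 0, $max);
}

// The User-Agent header is still only a claim by the client; the throttle
// bounds the mail volume whether or not the claim is true.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (strpos($ua, 'Googlebot') !== false
    && alert_allowed($stampFile, ALERT_INTERVAL, time())) {
    $page = printable($_SERVER['PHP_SELF'] ?? '');
    // Fixed subject; the request-derived page name goes in the body only.
    mail(ALERT_TO, 'Google Alert', 'Googlebot user agent seen on: ' . $page);
}
```

Visits that arrive inside the interval are not mailed, so the access log remains the complete record of Googlebot hits.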