Feedback on News System

Hello Everyone, I’m new here. Recently I just created a pseudo-news system and I am curious if I might get some feedback on what to do better. Thank you for your time. And any suggestions would be greatly appreciated. :)

-Teh Riddler

Form.html:

[code]

Title:
Post:
 
[/code]

MySql Table

$query = ("CREATE TABLE news( id INT(4) NOT NULL AUTO_INCREMENT, datim VARCHAR(255) NOT NULL, title TEXT(65000) NULL, post TEXT(65000) NOT NULL, PRIMARY KEY(id)) ");

Insert.php

[code]<?php

// form fields, taken straight from the request (no validation or escaping)
$date = $_POST['date'];
$title = $_POST['title'];
$post = $_POST['post'];

//date format (date() expects a format string, so the posted value is used as the format)
$date = date($date);

//database insert
$user = "user";
$pass = "pass";
$db = "db";

mysql_connect("localhost",$user,$pass);
@mysql_select_db("$db") or die("Unable to Select Database");

// id is AUTO_INCREMENT, so an empty value is passed for it
$query = "INSERT INTO news VALUES(
'','$date','$title','$post')";

if($result = mysql_query($query)){
echo "Data entered!";
}else{
echo "Mysql Error!".mysql_error();
}

mysql_close();

?>

Back[/code]

Insert2.php

[code]<?php
//database connect
$user = "user";
$pass = "pass";
$db = "db";
$nl = "\n"; // newline appended after each line written to the file

mysql_connect("localhost",$user,$pass);
@mysql_select_db("$db") or die("Unable to Select Database");

// newest items first
$query = ("SELECT * FROM news ORDER BY id DESC");
$result = mysql_query($query);

//open or create news text file (truncates any existing content)
$file = "news.txt";
$fh = fopen("$file", 'w');

//get the number of rows
$num = mysql_num_rows($result);

$i = 0;
while($i < $num){
$date = mysql_result($result,$i,'datim');
$title = mysql_result($result,$i,'title');
$post = mysql_result($result,$i,'post');

// build the markup for one item; values are written as-is, without escaping
$l1 = "

".$nl;
$l2 = "

$date

".$nl;
$l3 = "

$title

".$nl;
$l4 = "

$post

".$nl;
$l5 = "
".$nl.$nl.$nl;

$news = $l1.$l2.$l3.$l4.$l5;

fwrite($fh, $news);

$i++;
}

//dc database
mysql_close();

//close text file
fclose($fh);

?>

Submit another News Item

Return to the Site

View News Items[/code]

Index.php

[code]<?php

// read the generated news file and output it verbatim
function news(){
$file = "news.txt";
$fh = fopen($file, 'r');
$fs = filesize($file);
$fr = ($fs > 0) ? fread($fh, $fs) : ''; // fread() warns on a zero length
fclose($fh);
echo $fr;
}

?>

<?php news(); ?>[/code]

Well, not to be a bastard, but I’m afraid your news system isn’t going to work properly. I haven’t really looked at the functionality and syntax 'n stuff, but for one: there’s no validation whatsoever. Users seem to be free to submit their own news items, including XSS creativity, SQL injections, etc.

A good tip for any (PHP) programmer is to develop with security in mind: who is allowed to do what on this page/in this script? And implement safety precautions, double-checks and other things accordingly.

What would happen if you had this up in a PROD environment, and it has been running for a while, with a nice set of news items, and I would browse to the table.php page?

Thank you Zyppora for your input. And no, you’re not being a ‘[Censored]’. :wink:

-Teh Riddler

Ah, okay, that explains a few things actually. In that case, may I recommend saving the news items in the database? And extracting them and injecting them straight into HTML when the index.php page is requested? That’s the way I’m doing it with my new webscript (which is still in DEV, and probably won’t ever be open-source, but I’ll give out bits 'n pieces of code that I’ve been using in the Code Snippets every once in a while - enough advertising). A database as a backend is much faster than a remote file, and more versatile too.

Yes, that would be the best way to do it for this situation. But, I really just wanted to see if I couldn’t accomplish implementing the writing+calling of the text file. It’s a work in progress. :wink:

-Teh Riddler

Security is quite complex. I’d suggest reading up on the following articles/sections:

PHP Security
PHP & MySQL Security

I think the general undertone is to never trust user input, never expect something from user input (always check and double-check if the value is valid, etc.).

A few tricks that I myself apply:

  • Store the user password as md5 hash in your database (should the db ever get hacked, your passwords are more or less secure). Use a so-called salt to scramble the hashes even more.
  • Always use .php (or another server-parsed extension) for your PHP files, so the code doesn’t get output as-is.
  • Be very careful with remote source connections (database, remote files, FTP streams) or the eval() function. (Unchecked) user input can compromise your system with these.

If you have any more questions, please don’t hesitate to ask :slight_smile:
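The insert and display steps of the news system hardened along the lines of this advice, as an added example that is not code from the thread or from either poster; it assumes PHP 7.4+ with PDO, the `news` table shown above, and placeholder credentials:

```php
<?php
// Added example, not code from the thread: the insert and display steps of
// the news system rewritten so form input never reaches SQL or HTML unescaped.
// Assumes PHP 7.4+ with PDO and the `news` table (id, datim, title, post) from
// the thread; DSN and credentials are placeholders.

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);        // real server-side prepares
    return $pdo;
}

// Validate before use: required fields with length limits; the timestamp is
// generated server-side instead of being taken from the form.
function validateNews(array $in): array {
    $title = trim((string)($in['title'] ?? ''));
    $post  = trim((string)($in['post'] ?? ''));
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('title missing or too long');
    }
    if ($post === '' || strlen($post) > 65000) {
        throw new InvalidArgumentException('post missing or too long');
    }
    return ['title' => $title, 'post' => $post];
}

// Bound parameters: quotes or SQL keywords in the input are stored as text,
// never parsed as part of the statement.
function insertNews(PDO $pdo, array $item): int {
    $stmt = $pdo->prepare('INSERT INTO news (datim, title, post) VALUES (:datim, :title, :post)');
    $stmt->execute([':datim' => date('Y-m-d H:i:s'), ':title' => $item['title'], ':post' => $item['post']]);
    return (int)$pdo->lastInsertId();
}

// Render straight from the database (as Zyppora suggests), escaping every
// field on output so a stored <script> tag is shown as text, not executed.
function renderNews(PDO $pdo): string {
    $esc = fn($s): string => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    $html = '';
    foreach ($pdo->query('SELECT datim, title, post FROM news ORDER BY id DESC') as $row) {
        $html .= '<h2>' . $esc($row['title']) . '</h2>'
               . '<p><em>' . $esc($row['datim']) . '</em></p>'
               . '<p>' . nl2br($esc($row['post'])) . '</p>';
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') { insertNews(connect(), validateNews($_POST)); }
echo renderNews(connect());
```

This replaces the news.txt round trip entirely: the page is built from the database on each request, and the only untrusted values ever reach SQL through placeholders and reach the browser through htmlspecialchars().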
