if file_exists security question


#1

I’m looking for opinions about a file_exists query. For one thing, is a PHP `if (file_exists(...))` request visible in any way to the client? Is there any way to know that such a check is made, with Fiddler? Is this constrained to PHP and the web server?

I am thinking that since HTTP_REFERRER can be spoofed easily with Fiddler, then maybe a secret file on the server can be used between PHP files. Does this even make sense? Has anyone tried this?

I’m not sure if this is a secure method or not. If such a check creates a vulnerability somehow, then it is not a good idea.

Anyone have an opinion?
I am thinking that if the file exists, then the page is on the server. Otherwise, my page is at another location, because the file will not exist on the other server. Then a security message can be displayed.


#2

Nothing in PHP is visible to a client. What is rendered by PHP is visible on the client. The file_exists function is just a function.

What are you trying to secure? Files? Being able to see those files?


#3

I am just curious if a call to check if a file exists is visible in any way via HTTP requests and headers. If you can see the request, then the file to get is known. Thus, this idea is useless.

I am trying to build a subscription-based website for nature. I am not a PHP programmer. I am sick of all of these CSS3 box-after-box, learn-more, buy-now web designs. Gag. Look at Google for example: nothing but a white body with gray boxes. A multi-million dollar company and this is the best they can muster? I hate modern web designs. My HTML and CSS skills are pro level, yet my advanced language skills are novice. PHP is new to me. Database design is new to me. Security is new to me. I cannot afford to pay a company to design security scripts. I am on my own here. Frameworks are too self-absorbed. I am trying to learn PHP, not PHP plus framework-specific PHP. I do not know any programmers that can give me tips. I try to think of ways to deal with problems. I ask here for opinions because I see that members have a lot of PHP and security experience.

I am currently trying to think of ways to stop spammers and bots from abusing my forms. I also want to make hacking difficult for script kiddies and at least annoying to top hackers.

I've never designed a login script or a registration/subscription form. I've only ever designed static HTML/CSS web sites. I am completely new to advanced programming languages except for ASP, which I learned from QBasic in the 90s. ASP is now dependent upon Visual Studio. I cannot find ASP.NET code tutorials that use Notepad instead of Visual Studio. I chose PHP instead.

Anyway, I am trying to secure my forms and thwart bots and spammers. I think that the use of tokens and random form fields will mitigate posts from other servers. Now I want to try to deal with actual users and validation of data. Just for the record, I am not interacting with a database for registration. I will just send an email to avoid SQL injections. The login, however, will require DB connections. I will deal with a login script later. For now, I am attacking the registration process. I have no knowledge of how to do this, but I am trying to think of ways to fight problems.


#4

Also, yes, I want to protect my photos from direct access and unauthenticated viewing. Apache rewrites help, but I still need a login session and better ideas. I am trying to design new ways to deal with hacking, a lot like the way that Facebook disabled the browser console. I’m trying to detect unusual requests and hack attempts. Originally, I realized that I can make a form based upon the Google search form and submit the form to perform a search. I shouldn’t be able to do this! Google should respond with an error complaining that the search did not come from google.com. I want to break my form if the user is not actually at my site using my form. The tokens and random input fields help, but are they really working? I think that maybe a secret referrer file also stops requests that are created at my server.


#5

An aside. You can use, and I know professionals that actually use, Visual Studio Code, which is not the same thing as Visual Studio.

Okay, one: you don’t have to worry about what happens on the server being seen in the client. To prove this, watch the networking tab and open a PHP script doing cURL calls and everything else. You will only see the call to and the response from the server.

The way I have handled your issue in the past is to have all files behind the public root (public_html on CentOS). You then have a script controller that will check if the user is allowed to see the requested file, and if they are, it retrieves it. Now, to make it even more interesting, the file it retrieves is not the same as the file name.

So, in the database you have a file, sams_2016_tax_returns.pdf, as a display name. The name that the file is stored under is actually 345234907101.pdf. When the request is made it grabs the actual file and presents it under the display name. That way, even if someone somehow got into those files, they don’t know what they are without the table saying it.
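The controller pattern described in this post, as an added example that is not code from the thread: a PHP script that takes a numeric file id, checks the session for a logged-in user, resolves the random on-disk name from a table, and streams the file from a directory outside the document root under its display name. The `$catalog` array stands in for the database table; the `PRIVATE_DIR` path, the `user_id` session key and the `id` query parameter are assumptions.

```php
<?php
// Added example (not the poster's code). Serves a stored file only to an
// authenticated user who owns it, mapping the user-facing display name to a
// random stored name. The $catalog array stands in for the database table;
// PRIVATE_DIR, the session key and the query parameter are assumptions.

declare(strict_types=1);

// Assumption: files live outside the web root and are never reachable by URL.
const PRIVATE_DIR = '/home/site/private_files';

// Constructed stand-in for the DB table: id => [display name, stored name, owner].
$catalog = [
    17 => ['display' => 'sams_2016_tax_returns.pdf', 'stored' => '345234907101.pdf', 'owner' => 42],
    18 => ['display' => 'heron_nest_2017.jpg',       'stored' => '882012003941.jpg', 'owner' => 42],
];

/**
 * Return ['path' => absolute path, 'display' => display name] for a file the
 * given user may read, or null if the id is unknown, the user is not logged in
 * or does not own the file, or the stored name would escape PRIVATE_DIR.
 */
function resolve_file(array $catalog, int $fileId, ?int $userId): ?array
{
    if ($userId === null || !isset($catalog[$fileId])) {
        return null;
    }
    $row = $catalog[$fileId];
    if ($row['owner'] !== $userId) {
        return null;                      // authenticated but not authorised
    }
    // basename() drops any directory component; realpath() then proves the
    // result is still inside PRIVATE_DIR even if the table were tampered with.
    $path = realpath(PRIVATE_DIR . '/' . basename($row['stored']));
    $base = realpath(PRIVATE_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return ['path' => $path, 'display' => $row['display']];
}

// ---- request handling: only runs when invoked through the web server ----
if (PHP_SAPI !== 'cli') {
    session_start();
    $fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    $userId = $_SESSION['user_id'] ?? null;   // assumption: set by the login script
    $file = ($fileId === false || $fileId === null)
        ? null
        : resolve_file($catalog, $fileId, $userId);

    if ($file === null) {
        http_response_code(404);              // same answer for "missing" and "not yours"
        exit('Not found');
    }
    // The display name goes out in the header; the random stored name never leaves the server.
    header('Content-Type: ' . (mime_content_type($file['path']) ?: 'application/octet-stream'));
    header('Content-Disposition: inline; filename="' . addcslashes($file['display'], '"\\') . '"');
    header('Content-Length: ' . filesize($file['path']));
    readfile($file['path']);
    exit;
}

// CLI self-check on the constructed table: the refusal paths need no files on disk.
var_dump(resolve_file($catalog, 17, null) === null);  // not logged in
var_dump(resolve_file($catalog, 17, 7) === null);     // logged in, wrong owner
var_dump(resolve_file($catalog, 99, 42) === null);    // unknown id
```

Two details matter beyond the post: the ownership check is done on the server-side row, so the client can only ever pick an id, never a path; and the `realpath` prefix test makes the controller safe even if an attacker got write access to the table and replaced a stored name with `../../etc/passwd`. Returning 404 for both unknown and unauthorised ids avoids confirming which ids exist.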


#6

I am very thankful to you for your comments. You are wonderful! Your post is most helpful to me, especially because the backend programming is new to me. I am nervous and worried. Honestly, I don’t like PHP because it is too powerful. What I mean by that is that PHP can be a powerful tool IF you know how to program PHP. Otherwise, you end up empowering a hacker and really helping them hack you. I am more comfortable with ASP, but I will try my best to master PHP.

The Visual Studio Code tip is fantastic. I didn’t know about this tool. Excellent resource. Thank you.

Revisiting the power of PHP: today I just realized that I am a very bad PHP programmer. I don’t really understand it yet. I just tried to make a honeypot input field with my form. I’ve seen that people say to make an input field, then test !empty. After a few minutes of hacking to test the honeypot, I discovered a hack for empty!

If I type 0 into the box, the honeypot fails me. You get the form. Yikes! I may be in over my head with PHP. I decided to change my test to the following:

```php
$honeypotOn = NULL;
$honeypotTest = NULL;
$honeypotTest = $_SESSION['honeyBuzz'];      // randomised name of the honeypot field
// isset() avoids an "undefined index" notice when the field was not posted at all
if (isset($_POST[$honeypotTest]) && $_POST[$honeypotTest] > NULL) {
    $honeypotOn = 1;
}
```

then

```php
if (/* other fields pass */ && empty($honeypotOn)) {
    // continue form access...
}
```

This seems to work now, but I am not sure if it is correct. Maybe a pro will laugh at me, but testing isset or !empty seems to allow a 0 to bypass the honeypot test. PHP is a powerful tool for a pro PHP programmer, but it can be a very powerful tool to a hacker in the hands of a novice. I am struggling with PHP at times.

Anyway, thank you very much for your help.


#7

The purpose of a honeypot is to see if anything is entered. So, if you have a hidden form field and ANYTHING is there, it means that something other than a user entered the value. When you enter “0” it should trigger that something is wrong and fail, not continue, because that is the value that should always be empty.


#8
// hide this using CSS instead of type="hidden"

PHP processform script:

```php
$honeypotOn = NULL;
if (!empty($_POST['honeypotTest'])) {
    $honeypotOn = 1;
}
```

Now, I am not a bot, so how do I test the honeypot?
I either allow the form to be visible to me with CSS instead of hidden, or I use a value attribute on the input element. For testing:

value="0", or just type zero into the input field.
The form continues, as it accepts 0 as empty.
A space or value="" even works.

If my test is user action, then how do I test a bot response? Is this not correct?

All I know is that my form was revealed with a zero entered via input and also via the value attribute. A good bot may be able to add a value or enter a zero.
I tested for null instead and now it works.

Perhaps I need to read more about honeypots, but most Google search results bring up websites testing isset or !empty, and a zero revealed my form. Maybe I don’t really understand this concept.
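The behaviour discussed in #7 and #8, as an added example that is not code from the thread: the `!empty()` check most tutorials show beside a check that treats any submitted value as a bot signal, run over a few constructed submissions in place of `$_POST`. The field name `website` and the CSS used to hide it are assumptions.

```php
<?php
// Added example (not the poster's code). Shows why empty() lets a "0" through
// the honeypot and what to test instead. $_POST is replaced by constructed
// arrays so the script runs from the CLI. The field name is an assumption.

declare(strict_types=1);

// The check seen in most tutorials. In PHP, empty("0") is true, so a bot that
// fills the field with "0" passes as if it had left it blank.
function honeypot_tripped_naive(array $post, string $field): bool
{
    return !empty($post[$field]);
}

// Hardened check. The honeypot is tripped unless the field is present AND is
// the empty string. "0", whitespace, a URL and an array (field[]=x) all trip it.
// A browser always submits a CSS-hidden text input (as ""), so a missing field
// means the client did not render the form; treating that as a bot is a design
// choice and would have to be relaxed if the field were ever disabled.
function honeypot_tripped(array $post, string $field): bool
{
    if (!array_key_exists($field, $post)) {
        return true;
    }
    $value = $post[$field];
    return !is_string($value) || $value !== '';
}

// Markup side (assumption): hide the field with CSS, not type="hidden", and
// keep it out of the tab order so a real user never reaches it:
// <div style="position:absolute;left:-9999px" aria-hidden="true">
//   <input type="text" name="website" tabindex="-1" autocomplete="off">
// </div>

// Constructed submissions standing in for $_POST.
$cases = [
    'human'         => ['name' => 'Ann', 'website' => ''],
    'bot zero'      => ['name' => 'x',   'website' => '0'],
    'bot url'       => ['name' => 'x',   'website' => 'http://spam.example'],
    'bot space'     => ['name' => 'x',   'website' => ' '],
    'field missing' => ['name' => 'x'],
    'array trick'   => ['name' => 'x',   'website' => ['a']],
];

foreach ($cases as $label => $post) {
    printf("%-14s naive=%-8s hardened=%s\n", $label,
        honeypot_tripped_naive($post, 'website') ? 'blocked' : 'PASSED',
        honeypot_tripped($post, 'website') ? 'blocked' : 'PASSED');
}
```

Run from the command line, the "human" row passes both checks, while "bot zero" and "field missing" pass the naive check and are blocked by the hardened one; the other rows are blocked by both. To test a bot submission without editing the form, post the fields directly with curl, for example `curl -d 'name=x&website=0' https://example.test/processform.php` (URL assumed), which is exactly what a spam bot does.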


#9

http://jennamolby.com/how-to-prevent-form-spam-by-using-the-honeypot-technique/

I know you are not using Drupal, but the testing portion still applies, https://drupal.stackexchange.com/questions/42413/how-to-test-if-honeypot-is-working-on-a-form


#10

Thank you for taking the time to help me out. I appreciate you very much.