
Security HOLE

Help
nik
2006-03-22
2013-06-03
  • nik

    nik - 2006-03-22

    I just recently had the horror of discovering all the form files and jpeg files which had been submitted to my contest site had DISAPPEARED from my host server. In calling my host, we discovered that there is a HUGE SECURITY HOLE that allows anyone to delete the files under my phpform folder. All anyone has to do is go to my partial URL (www.xxx.com/phpform/) and they'll get the phpformgenerator page that says:

    Step 1: number of fields       v2.09
    please enter the number of fields your form is going to have. enter only numeric digits. the number should be between 1 - 99

    You have created the following forms:

        * sampleform ... delete?
        * petstar_entry ... delete?
        * celeb_contest ... delete?
        * sdgf ... delete?

    HOW CAN I prevent this from displaying WITHOUT locking out access by my website visitors to the forms that are UNDER the phpform folder?

     
    • TNTEverett

      TNTEverett - 2006-03-22

      This is absolutely correct and there are simple measures to prevent this. They have been posted previously. I'll repeat them here for your benefit.
      First: Your generator is installed with no security at all. In fact some posts suggest everything should be set to permissions of 777 (very dangerous) even if not done so by the generator.
      Second: Your generator creates forms in a standard directory so that they can be deleted if you so choose. This is the hole you mention that allows anyone to use the generator to create and/or delete your forms.
      Third: You can move your form anywhere you like after it is created, but it is still insecure.

      1: Never use permissions of 777 for anything.  HTML should be 744 or 764.  PHP should be 755 or 775.  Graphics should be 744 or 764. 
      2: Your generator folder should be password protected if you intend to keep the generator.  If you created the form(s) and no longer need the generator then remove it. 
      3: After forms are successfully created and tested they can be moved to another folder as long as you maintain the complete list of files and folders associated with the form you created.  Once the form is moved I do a couple things to protect the forms and admin files. 
      a) Add an index file to all folders that do not have one already.  This prevents ftp or filemanager like browsing of files. 
      b) Push all username and password variables into the config.inc.php file within the admin folder.
      c) Password protect the admin folder. 

      This should cover the majority of security problems.  There are other things you can do but in most cases they are needed only for the most secure environments and are not something the average user can understand or support without assistance. 

       
      • DevonTT

        DevonTT - 2007-10-04

        Can someone explain how to do this:

        b) Push all username and password variables into the config.inc.php file within the admin folder.

         
        • TNTEverett

          TNTEverett - 2007-10-05

          Add variables with appropriate values in the config file.  Replace all instances of these values in the process.php file with the variable name you assigned. 
          Done!

           
    • nik

      nik - 2006-03-22

      THANK YOU!!! I moved the forms folders to a different location and then password-protected the 'phpform' folder. Thank you, again, for your help!

       
    • Sportsman Fishing Adventures

      I just tried to follow your advice and moved all my forms to a new directory, but when I try to delete my old ones from the use directory using ftp or index.php I receive an error message that reads:
      Warning: rmdir(use/FishingAdventures): Permission denied in /home/sportsma/public_html/phpform/copyfunc.php on line 58

      Warning: Cannot modify header information - headers already sent by (output started at /home/sportsma/public_html/phpform/copyfunc.php:58) in /home/sportsma/public_html/phpform/del_form.php on line 12

      Any ideas on what this means or how I delete my use files?

       
      • TNTEverett

        TNTEverett - 2006-05-01

        Your server, however the form generator was installed, has marked files and folders as owned by some ID other than yours. 
        You will have to speak with your host support personnel to have the file and folder permissions set to your ID so you can remove or modify files and folders as you see fit.
        This is an unfortunate result of installation on some hosts (not all users have this problem but it is somewhat common).

         
    • Sportsman Fishing Adventures

      Thanks for your reply, however I can delete file and folders in all other directories on my server except for the phpform/use directory files. It seems unlikely that my host would set file permissions to an other id just for one directory. I do have a support ticket in however to see if they can figure it out.

       
    • Sportsman Fishing Adventures

      I tried to edit my previous post, however I guess there is no way to do it. I changed all my permissions back to 777 from 755 on the form/admin/files and was able to delete the files using index.php.  I am going to remove this program from my server as I feel it has too many bugs to be secure.  Because of my lack of php knowledge I really have no choice. Hopefully if I can learn some more about php, I maybe able to make it work for me in the future.

       
      • TNTEverett

        TNTEverett - 2006-05-01

        Security is left to the user to provide.  I'm not sure if any additional security features are planned for any future release for this reason; it is not very difficult to provide adequate security (no php required) in your own web environment. 
        However the choice is yours.

         
    • Sportsman Fishing Adventures

      I appreciate your reply and I realize the security is my responsibility, however everything I've tried isn't working unless I chmod to 777. This is the only directory on my server that I cannot make work with different permissions.  I even tried moving all my form files including admin and files folders into a forms directory outside of phpformgen directory and cannot get the forms to open in a browser. Keep getting page cannot be found error.  http://www.sportsmanfishing.com/forms/FishingAdventures/form1.php

      I'll keep plugging away to see if I can figure something out, as I have to replace my Dreamweaver generated forms to avoid spam spoofing, which is rampant in my email. I hope my previous comments didn't offend anyone, as I wasn't trying to.

       
      • TNTEverett

        TNTEverett - 2006-05-01

        No offense taken at all.  The issues you have are not uncommon, but are solvable.  I have used the form generator extensively and have made a habit of moving my forms and providing simple security measures. 
        It can work.  If you need more help, don't be shy.

         
    • Sportsman Fishing Adventures

      I guess I need help to figure out how to move my files. I originally created the form and then went to the phpformgen/user/ directory and ftp'd it over to my hard drive. Then I created a new directory named forms under my public_html and ftp'd my newly created formname directory over. I then chmoded everything as per your instructions in a previous post. When I browse to the address I receive a page not found error, yet when I look at my account in ftp I see everything there. I know I must have missed a step, but cannot figure out what it is.

       
      • TNTEverett

        TNTEverett - 2006-05-02

        Assuming your folder tree looks like this:
        http://www.yourdomain.com/phpformgen/use/newformname
        Within /newformname you have /newformname/admin and /newformname/files as subfolders.
        When you move a form you create a new folder and copy everything within /newformname/ and all subfolders.
        You end up with:
        http://www.yourdomain.com/copyfolder
        and within /copyfolder you have /copyfolder/admin
        and /copyfolder/files as subfolders.
        You would then browse to:
        http://www.yourdomain.com/copyfolder/form1.html
        to view your form.
        You should not need to set folder permissions to anything except the default.
        Your php files can be set to 664 in most cases but 775 if your php server requires it.
        Your html files should be 664, graphics 664, data files at 775.
        I password protect my admin and files folders with a .htaccess file. I also add an index.html file to any folder that does not already have one.
        If you think you have done all this and it still does not work, either you've done something incorrectly, or permissions are not set right, or there is some other server issue preventing the form from working.
        I always test my forms on my local PC using a tool called Uniserver. This is a set of web server applications like you would find on your web host server. The applications are bare minimum so the impact on your local PC is minimal. Plus you can turn the server on and off, so when you are not using it, it only takes up a small amount of disk space.
        You set up your form generator and form files and folders just as you would on your web site, except you don't need ftp.
        Let me know how things are going.
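
The hardening steps given in the 2006-03-22 post (password-protect the admin folder, add an index file to every folder, keep credentials out of the form code) and repeated in the 2006-05-02 post above (.htaccess on admin/ and files/, index.html everywhere) can be done once with a small script. The following PHP is an added example written for this page; it is not part of phpFormGenerator and nobody in the thread posted it. It assumes Apache with AllowOverride AuthConfig permitted for the site, Apache 2.4.4 or newer so that the bcrypt hash PHP writes is accepted by mod_authn_file, and placeholder paths and a placeholder user name "formadmin"; it is meant to be run from the host's shell after a form has been copied to its new folder.

```php
<?php
// Added example for this thread, not part of phpFormGenerator.
// Applies the hardening steps from the posts above to a form that has been
// moved out of the generator's use/ folder:
//   a) an index.html in every subfolder that has none (no directory listing),
//   b) the HTTP-auth password file kept OUTSIDE public_html,
//   c) .htaccess Basic authentication on admin/ and files/.
// Assumptions: Apache with AllowOverride AuthConfig permitted for the site,
// and Apache 2.4.4 or newer so the bcrypt ($2y$) hash written here is
// accepted. Paths and the user name below are placeholders.

function writeHtpasswd($passwdFile, $user, $password)
{
    // Store only a bcrypt hash; Apache's `htpasswd -B` produces the same format.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    if (file_put_contents($passwdFile, $user . ':' . $hash . "\n", LOCK_EX) === false) {
        throw new RuntimeException("cannot write $passwdFile");
    }
    // Owner read/write, group (the web server on many hosts) read, world nothing.
    chmod($passwdFile, 0640);
}

function protectFolder($folder, $passwdFile, $realm = 'Form admin')
{
    if (!is_dir($folder)) {
        throw new RuntimeException("$folder is not a directory");
    }
    // AuthUserFile must be an absolute path; Apache does not resolve it
    // relative to the .htaccess file.
    $lines = [
        'AuthType Basic',
        'AuthName "' . $realm . '"',
        'AuthUserFile ' . $passwdFile,
        'Require valid-user',
    ];
    file_put_contents($folder . '/.htaccess', implode("\n", $lines) . "\n", LOCK_EX);
}

function addIndexFiles($root)
{
    // Every directory under $root (and $root itself) that has neither
    // index.html nor index.php gets a blank index.html, so a bare URL to the
    // folder shows nothing instead of a file listing.
    $dirs = [$root];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }
    $created = [];
    foreach ($dirs as $dir) {
        if (!file_exists("$dir/index.html") && !file_exists("$dir/index.php")) {
            file_put_contents("$dir/index.html", "<!DOCTYPE html><title></title>\n");
            $created[] = "$dir/index.html";
        }
    }
    return $created;
}

function hardenMovedForm($formDir, $passwdFile, $user, $password)
{
    writeHtpasswd($passwdFile, $user, $password);
    foreach (['admin', 'files'] as $sub) {
        protectFolder("$formDir/$sub", $passwdFile);
    }
    return addIndexFiles($formDir);
}

// Usage from the host's shell (all four arguments are placeholders):
//   php harden_form.php /home/me/public_html/copyfolder /home/me/.htpasswd-forms formadmin 'ChangeMe-Now'
if (PHP_SAPI === 'cli' && $argc === 5) {
    list(, $formDir, $passwdFile, $user, $password) = $argv;
    foreach (hardenMovedForm($formDir, $passwdFile, $user, $password) as $f) {
        echo "created $f\n";
    }
}
```

After running it, request the admin/ and files/ folders of the moved form in a browser: both should answer with a login prompt rather than a listing of uploads. The password file is placed above public_html on purpose; if it sat inside the site, anyone could download the hashes, and the .htaccess protection would only be as strong as the weakest password in that file.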

         
    • Kelly Godoy

      Kelly Godoy - 2006-05-06

      Forgive me for bothering you. I followed all your information. Only option b, "Push all username and password variables into the config.inc.php file within the admin folder", I didn't do, because I don't know the code to insert my password and username. I opened the "config.inc.php" file and inside it was the code "<?php
      $file_db=1;". How must I proceed now?

      Thank you so much!

       
      • TNTEverett

        TNTEverett - 2006-05-06

        Scan your process.php file for any username, password, or other personal information. Write down the value and replace it with a variable name:
        $username, $password, $personal.
        Add each variable with value into the config.inc.php file. 
        $username="you";
        $password="abc.123";
        $personal="whereilive";

         
        • Kelly Godoy

          Kelly Godoy - 2006-05-06

          It was like this:

          <?php
          $file_db=1;
          $username="mylogin"; 
          $password="mypassword";

          Is this correct?
          Thank you so much!

           
          • TNTEverett

            TNTEverett - 2006-05-07

            Looks OK.

             
    • michacos

      michacos - 2006-07-26

      I have recently generated my form without a problem. After testing, I have taken all of the security measures suggested in this thread and in several others. I have one problem that I cannot figure out. I think I have read most, if not all, of the forum contents, but I don't see anything that addresses the problem I am having.

      When I try to move all of the password/username information into the config.inc.php file in the password protected admin file, I receive error messages. I think that I have set up everything as directed, but I must have made a mistake somewhere. I am not a programmer, so please forgive me if there is an obvious solution to my problem.

      I've taken the following steps...

      In process.php, I have removed the information that is a potential security risk and replaced it with variables. The code is pasted below. (I included a bit of the code before and after the variables. I tried leaving in the ' ' around the variables, but other variables seem not to need them so I removed the single quotes.)

      $message = stripslashes($message);
      mail("publisher@atozpublishing.biz","Form Submitted at your website",$message,"From: phpFormGenerator");

      $link = mysql_connect($hostname,$username,$password);
      mysql_select_db($dbname,$link);
      $query="insert into ebook_listing

      I adjusted the code in config.inc.php as follows:

      <?php
      $file_db=1;

      $hostname="myhost";
      $username="myusername";
      $password="mypassword";
      $dbname="mydatabase";

      I notice that the config.inc.php file does not contain a closing tag (?>). Adding the closing tag did not change anything, so I removed it again.

      The error messages are as follows:

      Warning: mysql_connect(): Access denied for user 'thewsbiz'@'localhost' (using password: NO) in /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php on line 98

      Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php on line 99

      Warning: mysql_query(): Access denied for user 'thewsbiz'@'localhost' (using password: NO) in /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php on line 101

      Warning: mysql_query(): A link to the server could not be established in /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php on line 101

      Warning: Cannot modify header information - headers already sent by (output started at /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php:98) in /home/thewsbiz/public_html/atozpublishing/request_forms/ebook_listing/process.php on line 108

      It seems that I need tell the process.php file to look for the password, etc. in config.inc.php, but I am not sure if I am correct, and if I am correct, I don't know how to accomplish the task.

      Any help would be greatly appreciated!!
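
The recipe in the 2006-05-06 exchange (write the values into config.inc.php, use the variable names in process.php) and the post above both leave out one step: PHP does not see variables defined in another file until that file is included. If process.php never includes admin/config.inc.php, $hostname, $username and $password are undefined there, so the connection is attempted with an empty password, which is exactly what "Access denied for user ... (using password: NO)" reports. The two file fragments below are an added example for this page, not the generator's own code. They assume the admin folder sits next to process.php, that the table ebook_listing has columns named name and email (placeholders), and a placeholder thank-you page; the thread's mysql_connect() is replaced with mysqli because the mysql extension was removed in PHP 7.

```php
<?php
// ===== file: admin/config.inc.php =====================================
// Added example for this thread, not the generator's own file. Keeps the
// database credentials in one place, inside the password-protected admin
// folder. Deliberately no closing ?> tag: anything after it, even a single
// newline, is sent to the browser and causes "headers already sent".
$file_db  = 1;
$hostname = 'localhost';   // placeholders: use the values your host gave you
$username = 'dbuser';
$password = 'dbpassword';
$dbname   = 'mydatabase';

// ===== file: process.php (the part that uses the credentials) ==========
// Added example, not the generator's code. The one line the recipe omits:
// pull the variables in BEFORE they are used. Without it $hostname,
// $username and $password are undefined here, so the driver connects with
// an empty password, exactly "Access denied ... (using password: NO)".
require_once __DIR__ . '/admin/config.inc.php';

// The thread uses mysql_connect(); that extension was removed in PHP 7, so
// mysqli is used here, with a prepared statement so that form input cannot
// alter the SQL. Column names are placeholders; use those of your own table.
$link = mysqli_connect($hostname, $username, $password, $dbname);
if ($link === false) {
    // Fail closed, and log the driver message rather than echo it: it names
    // the DB user and host, which a visitor should never see.
    error_log('form: db connect failed: ' . mysqli_connect_error());
    http_response_code(500);
    exit('Sorry, your submission could not be saved.');
}

$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';

$stmt = mysqli_prepare($link, 'INSERT INTO ebook_listing (name, email) VALUES (?, ?)');
mysqli_stmt_bind_param($stmt, 'ss', $name, $email);
if (!mysqli_stmt_execute($stmt)) {
    error_log('form: insert failed: ' . mysqli_stmt_error($stmt));
    http_response_code(500);
    exit('Sorry, your submission could not be saved.');
}
mysqli_stmt_close($stmt);
mysqli_close($link);

// Redirect only after a successful insert; nothing has been echoed above,
// so the header can still be sent (placeholder page name).
header('Location: thankyou.html');
exit;
```

A quick check that the include is in place: temporarily put a wrong password in config.inc.php and submit the form. The log should then read "using password: YES" (the driver saw a password, just the wrong one); if it still says "NO", process.php is not reading the config file.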

       
    • odin

      odin - 2007-10-20

      I think I have a relatively simple solution to this, but I'm not sure how safe it is.

      1. copy the code from your index.php file in the generator directory.
      2. back up this code offline where you store your site.
      3. create a new index.php with whatever you want, e.g. a mirror of your homepage.
      4. when you want to use the generator again, just reverse the process and copy back the original code to the index.php file.

      again i'm not sure how safe this is, but it seems to work for me.
      regards.

       
      • TNTEverett

        TNTEverett - 2007-10-22

        I prefer to use the htaccess method of password protecting the generator. This way I am the only one to access the generator.

         
