What's up dudes?
I'm looking to set up a secure download token system on our website by tonight for distributing a DVD download. Basically, tonight we will send to all the pre-orders, a download token embedded in a hyperlink that will only allow to download the DVD once. If they need to download it again, then they press a button that generates and emails them a new download token. The goal is to try and minimize sharing of this content until the physical release date in March.
Does anyone know much about this subject, ie do they have packages for this, or will I need to program it from scratch, and if so, which language is most ideal for me to program this in, and (@iago) what steps would I have to take to prevent vulnerabilities?
Hash the (time . email) and use that as a token, then store it along with what email it was sent to. When they download, mark it used.
so I imagine I would store it in an SQL database, using PHP to execute the "if"s and "write"s? and if I were to store this data in its own SQL database, I imagine there wouldn't be anything important they could exploit?
sweet... A little over 8 hours later without leaving the room, I've successfully accomplished my first project in PHP/MySQL.
Thanks for the direction, rabbit. :)
Though I'm still curious about how I should go about preventing anyone from taking advantage of SQL vulnerabilities and gathering the email addresses (most important), and also maliciously changing any table data. Any suggestions would be greatly appreciated. :D
The easiest thing you can do is probably to use something like MDB2 (http://pear.php.net/package/MDB2/redirected) as a database wrapper and use prepared statements (http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php) to prevent SQL injection.
Do that and you'll probably be fairly well off.
If you post the code somewhere - or send it to me - I can probably give you some advice.
I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.
Quote from: iago on February 01, 2012, 11:26:46 AM
If you post the code somewhere - or send it to me - I can probably give you some advice.
I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.
But then hackers don't have anything juicy to get to when they infiltrate your mainframez. :(
Quote from: Sidoh on February 01, 2012, 02:57:43 PM
But then hackers don't have anything juicy to get to when they infiltrate your mainframez. :(
Aha! So that was your plan all along. Never trust a Hawaiian!
Quote from: Sidoh on January 31, 2012, 05:30:56 AM
The easiest thing you can do is probably to use something like MDB2 (http://pear.php.net/package/MDB2/redirected) as a database wrapper and use prepared statements (http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php) to prevent SQL injection.
Do that and you'll probably be fairly well off.
Thank you sir! I will look into this probably tomorrow.
Quote from: iago on February 01, 2012, 11:26:46 AM
If you post the code somewhere - or send it to me - I can probably give you some advice.
I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.
Great advice. I already launched the distribution at midnight last night, so I'll have to migrate the email data.
In the meantime, here is the code I used only once to initially add the users into the database (I deleted the script from the server after running it):
<?php$con = mysql_connect("server_removed","user_removed","password_removed"); //Establishes SQL connectionif (!$con) { die('Could not connect: ' . mysql_error()); //Ends script in case of connection error}$inpEmail = "emails@are.listed here@with.spaces seperating@each.email"; //List of Email Input$arrEmail=(explode(" ",$inpEmail)); //Explodes Email Input into an arraymysql_select_db("database_removed", $con); //selects the databaseforeach ($arrEmail as $email) { //For each email in the array do: $gToken=hash('md5', $email . time()); //Creates token as md5 hash of email . time $sql="INSERT INTO TableRemoved (Email, Token, Used) VALUES ('$email','$gToken','0')"; //Inserts 3 values into the SQL Table: Email, Token, number of uses if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); //Ends script in case of connection error } $DownloadURL="http://www.link.com/removed?email=". $email ."&token=" . $gToken; //Generates download URL $subject="blah blah blah"; $message="blah blah blah" . $DownloadURL . ; $header="From:VAYDEN <contact@vaydenmusic.com>"; mail($email,$subject,$message,$header); //Sends URL to email address echo "1 record added.<br />"; //Success!}mysql_close($con); //Closes SQL connection?>
and here is the code I use for when the user tries to download the file:
<?php$n=0; //Defines "email found" counter$email=$_GET["email"]; //GETs email from URL$token=$_GET["token"]; //GETS token from URL$con = mysql_connect("removed","removed","removed"); //Establishes connection with SQL serverif (!$con) { die('Could not connect: ' . mysql_error()); //Ends script in case of connection error}mysql_select_db("removed", $con); //Selects appropriate databse$result = mysql_query("SELECT * FROM removedWHERE Email='$email'"); //Creates array for the email + all associated datawhile($row = mysql_fetch_array($result)) { ++$n; //Increments "email found" counter -- I use this because there is no 'while {} else {}' if ($row['Token']!=$token) { //If the token does not match, do: $gToken=hash('md5', $email . time()); //Generates new Token mysql_query("UPDATE removed SET Token = '$gToken', Used = '0' WHERE Email = '$email'"); //Adds new token to database, resets uses to '0' $DownloadURL = "removed". $email ."&token=" . $gToken; //Generates new download URL $subject="blah blah blah"; $message = $DownloadURL . "blah blah blah"; $header="From:VAYDEN <contact@vaydenmusic.com>" mail($email,$subject,$message,$header); //Sends new download URL to email address die('blah blah blah'); //Ends script with "token expired" error message } elseif ($row['Used']>='3') { //If the token has been used 3 or more times, do: $gToken=hash('md5', $email . time()); //Generates new Token mysql_query("UPDATE removed SET Token = '$gToken', Used = '0' WHERE Email = '$email'"); //Adds new token to database, resets uses to '0' $DownloadURL = "removed". $email ."&token=" . $gToken; //Generates new download URL $subject="blah blah blah"; $message = $DownloadURL . "blah blah blah"; $header="From:VAYDEN <contact@vaydenmusic.com>" mail($email,$subject,$message,$header); //Sends new download URL to email address die('blah blah blah'); //Ends script with "token expired" error message } elseif ($row['Token']==$token && $row['Used']!='3') { //If token matches and has not been used more than 3 times, do: $incToken=$row['Used']; ++$incToken; //Increments token used variable mysql_query("UPDATE removed SET Used = '$incToken' WHERE Email = '$email'"); //Updates database with number of token uses if ($fd = fopen ($fullPath, "r")) { //Runs this following download script: $path = $_SERVER['DOCUMENT_ROOT']."/hidden/"; $fullPath = $path.$_GET['download_file']; $fsize = filesize($fullPath); $path_parts = pathinfo($fullPath); $ext = strtolower($path_parts["extension"]); switch ($ext) { case "pdf": header("Content-type: application/pdf"); header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); break; case "mp4": header("Content-type: video/mp4"); header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); break; default; header("Content-type: application/octet-stream"); header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\""); } header("Content-length: $fsize"); header("Cache-control: private"); while(!feof($fd)) { $buffer = fread($fd, 2048); echo $buffer; } } fclose ($fd); exit; }}if ($n==0) { //This is my "while {} else {}" solution for if the email is not found die "blah blah blah"; //Ends script with "email not found" error message}?>
I plan to clean this up by having the emails be sent from a separate PHP script, among other things. Also, forgive me for being new to programming. :P
http://en.wikipedia.org/wiki/Indent_style#K.26R_style pls
Sorry, is that better? Also, that article doesn't say anything about empty new lines, even though some examples included them. Is there a time and place for them?
Quote from: rabbit on February 01, 2012, 08:26:22 PM
http://en.wikipedia.org/wiki/Indent_style#K.26R_style pls
I've stopped caring about this kind of stuff. I used to be a total K&R nazi, but I've since worked for enough companies using alternative standards that I've grown accustomed to using whatever style people are comfortable with.
It's not like you can't just paste it into an IDE and press some keys to get it to look exactly how you want it to. :P
Vulnerbilties:
You do not sanitize 'email' on your download page which leads to a SQL injection (http://ca2.php.net/manual/en/function.mysql-real-escape-string.php)
You do not sanitize your "$_GET['download_file']" request on the download page which leads to full web-server-user access to the filesystem. A crafty attacker could make their file '../../../../../../../../../etc/passwd' and access any file that your web server has access to. There are several ways to correct this, you could do a regex filter for just "A-Za-z0-9\." which would only allow alpha-num and periods, or you can filter out slashes. There are several other methods, but I prefer the regex.
Errors:
You set "$fullPath" after you have used it first (logical error)
Your switch at the end uses a semicolon instead of a colon for "default"
You are missing a semicolon in your $header assignments. (I assume this is because you just edited these in quickly at the end)
Die is a function, not a language construct: you must surround paramaters with parenthesis. (The last die in your script should be die("blah blah blah"); instead of die "blah blah blah";)
Suggestions:
You do not sanitize your URLs (http://ca3.php.net/manual/en/function.urlencode.php)
Convert all user-enterable values as a single case when hashing. ie, $gToken = hash('md5', $email . time()); would be $gToken = hash('md5', strtolower($email) . time());
Do not store your downloadable content in a 'hidden' web-accessible folder. If possible, keep the content is a folder below your web accessible folder (ie, if your content was in /var/www/htdocs/, keep your downloadable content in /var/www/downloads/)
Change your 'Used Increment' statement to use the DB value rather than a fetched value. This prevents users from accessing the page all at once quickly and the counter not incrementing properly. (Allows for more than 3 possible downloads). The query would be "UPDATE removed SET Token = Token + 1, Used = '0' WHERE Email = '" . mysql_real_escape_string($email, $con) . "'"
Avoid printing mysql_errors in non-dev environments, and just leave the 'could not connect' message.
While not wrong, I suggest you include your link identifier ($con) in your query and sanitation function calls. It's a good habit to be specific when you can. :)
And that's just a quick scan. It is really easy to make vulnerable code in PHP as you can tell. :)
hahaha shit man. I really opened up a Pandora's box with this ambitious idea. I spent equally as much time today failing to figure out why Internet Explorer times out halfway through the 713MB download (something to do with the download script, or server-side PHP settings [I wish my host would install mod_xsendfile]), as I did figuring out how to write this token script.
Due to this issue, and that of the scope of the vulnerabilities, I temporarily bypassed this system altogether with a direct link to the download. I will re-implement these features after I fix these issues.
When I first started this project on Monday, I took a small 5mg dose of Vyvanse (http://en.wikipedia.org/wiki/Lisdexamfetamine) to help me focus on this logical task. Later that night, shortly after I made the post about 'accomplishing' the project, loud sirens were coming from up and down my neighborhood streets, and some dude evading arrest walked into my apartment, out of my line of sight, and took refuge in my out-of-town roommate's bedroom.
My Vyvanse-strung-out, 3AM logic kicked in, and I asked if anyone was there. "And if anyone is there, it's okay. I'm going to my room," where I subsequently fell asleep. Albeit, a very skiddish sleep, but sleep nonetheless. [spoiler]of course, because of the day's tedious events + Vyvanse intake + lack of sleep, the entire experience was actually a paranoid hallucination.[/spoiler]
In other words, I need to play music for the next couple of days, or I may fall off into the deep end. :)
Many endless thanks for the suggestions, Blaze. I look forward to finishing this up over the next week so I can use it, along the knowledge I gained from this experience, on future releases/projects.
Blaze pointed out the things I noticed, plus a whooooole bunch more.
This is why PHP is dangerous, it's just too darn easy. :)
Yeah, it is farrrrrrrr too easy to make really bad code in PHP.
There are a lot of bad tutorials around which are also vulnerable to these sort of things, which does not help new programmers. People do not treat security as an important part of the learning process, it's more of a "what you'll learn later when you get good!", which leads to bad, bad things happening.
So I need to get a system like this finalized. There's too much money we've been missing out on by not having a way to sell downloads directly from our website, without using a middle man.
Someone pointed me in the direction of the PEAR code repository (http://pear.php.net/). I did a couple searches, but perhaps it was just my search terms that fell short. Any suggestions?
Overall, I plan on having a guest and login shopping cart system + the token system for downloads.
PEAR is pretty pitiful when compared to most modern extension repositories (ruby gems, for example). If you're okay with investing a bit of time learning how to use it, something like CakePHP might be worth a try. Its user-supported content is probably a little more modern:
http://plugins.cakephp.org/
As much as I like to reinvent the wheel myself, I think you would be better off spending some time exploring some of the free open source e-commerce solutions out there already. A quick Google search found me this (http://www.webappers.com/2010/07/09/15-best-free-open-source-ecommerce-platforms/) and this (http://www.developer.com/lang/php/top-10-free-php-shopping-carts-pros-and-cons.html).
I'd do some research on what's already out there that overlaps with your needs and determine how extensible it is (does it offer a custom module system?). Hell, there may even exist a custom module to do what you want for whatever e-commerce/shopping cart solution you end up choosing.
I think in the long run you're going to save yourself time, frustration, and potentially loss of profits if you go with an existing, established e-commerce solution than attempt to roll out your own. You're going to find that a lot of the popular open source e-commerce solutions have administrative and content management features which you won't have to write from scratch yourself.
Quote from: while1 on January 13, 2013, 08:34:25 PM
I think in the long run you're going to save yourself time, frustration, and potentially loss of profits if you go with an existing, established e-commerce solution than attempt to roll out your own. You're going to find that a lot of the popular open source e-commerce solutions have administrative and content management features which you won't have to write from scratch yourself.
Yeah, this is why I started looking into code repositories, just didn't know exactly what I was looking for. But thanks to yours and Sidoh's suggestions, I have somewhere to start. Thanks guys!