Keep Track of Your Services! (Lightweight PHP script)

[KuJoe]

Here's a simple PHP script I put together to help me keep track of my VPSs, web hosting, dedicated servers, and colocated boxes. It's extremely basic for the moment, but it replaced me spreadsheet that I was using. The goal was simplistic (it uses SQLite so it's all file-based).

I'll be adding more functionality in the future but for now it's a nice little script for organizing your services and making it easy to see various specs about them. I highly recommend using .htaccess or some other method of password protecting the folder if you plan on hosting this on a public server. I'll try to add some authentication functions in the future but for this current version, that's all on you.

Here's a link to the GitHub if you want to browse the code or download it: https://github.com/KuJoe/KToYS

Here's a link to a demo I've setup so you can see it in action and play with it before you go through the hassle of downloading all 31KB of it: http://iam.clouded.us/ktoys/

 

[splitice]

 

[KuJoe]

@splitice What's wrong with the code exactly? Should I assume users won't know the difference between text and HTML?

 

[splitice]

It was not me, but from what I gather its lack of HTML escaping.

 

[KuJoe]

It was not me, but from what I gather its lack of HTML escaping.

I don't see a problem with it.

 

[splitice]

I have submitted an example, imagine what mischief I could get up to. Could redirect you to a site that look like your company intranet login for example

 

[KuJoe]

Again, I don't see a problem unless I use the demo site for real usage.

 

[splitice]

Good practice isn't enough? I am not going to argue with you over it.

 

[Wintereise]

Abysmal code, please use prepared statements in the very least.

 

[Zigara]

Abysmal code, please use prepared statements in the very least.

This. I found a SQL injection nearly instantly.

 

[KuJoe]

Good practice isn't enough? I am not going to argue with you over it.

Maybe in the future, honestly I was looking for a script to replace an Excel spreadsheet and it does.

Abysmal code, please use prepared statements in the very least.

I'm not comfortable with this yet, maybe in the future I'll explore that option but for now it's really not needed.

This. I found a SQL injection nearly instantly.

Weird, I thought that SQLite3::escapeString prevented that. Either way, it won't impact the script at all unless the user gives somebody else access to it.

Thanks for the feedback everyone. Feel free to continue providing suggestions (although security related ones are low priority since they are not a real concern for this script yet).

 

[Zigara]

...

Weird, I thought that SQLite3::escapeString prevented that. Either way, it won't impact the script at all unless the user gives somebody else access to it.

...

https://github.com/KuJoe/KToYS/blob/master/functions.php#L95

https://github.com/KuJoe/KToYS/blob/master/admin.php#L54

 

[KuJoe]

https://github.com/KuJoe/KToYS/blob/master/functions.php#L95

https://github.com/KuJoe/KToYS/blob/master/admin.php#L54

Good catch, not a huge issue though but I'll get that fixed in a future update.

 

[Zigara]

It's alarming how lightly you take the security concerns. I don't see anyone taking this project seriously in that case.

 

[KuJoe]

It's alarming how lightly you take the security concerns. I don't see anyone taking this project seriously in that case.

The script is not meant to be hosted on a public webserver or at the very least not publicly accessible. If somebody has access to your internal webserver then you have bigger problems than a script I threw together last night.

I take security seriously but for this script, the only security required is NOT having it accessible to anybody except the person using it. Hell, the SQL injections mean nothing when the admin.php file is accessible to the world.

 

[KuJoe]

Ok, pushed an update so now the worst that somebody can do is edit and delete your whole database. LoL.

 

[lbft]

I'm not comfortable with [prepared statements] yet

WTF. Does this imply that Wyvern doesn't use prepared statements?

 

[splitice]

WTF. Does this imply that Wyvern doesn't use prepared statements?

He could be using an ORM, that's acceptable too.

 

[Zigara]

WTF. Does this imply that Wyvern doesn't use prepared statements?

I would certainly hope he is not the sole developer on that project after reading this code. It doesn't matter if it's 'internal', it's really basic security practices.

 

[KuJoe]

WTF. Does this imply that Wyvern doesn't use prepared statements?

We mostly use WHMCS's MySQL Helpers for Wyvern since they don't support MySQLi yet.

I would certainly hope he is not the sole developer on that project after reading this code. It doesn't matter if it's 'internal', it's really basic security practices.

I am but luckily I invested many months into Wyvern before putting it into production versus this script which I threw together in about an hour and purposely focused on getting it working versus making it secure. If you don't trust my abilities then at least trust vld's auditing skills.

On the plus side I learned what SQLite3 is last night and how to use it somewhat.