PHP - I Need Help With Code To Prevent Sql Injections!
I am having problems with a search feature I am using for a website I am building. Everything was working fine when I was testing on my local machine using EasyPHP 3.0. The issue I am having is that once I uploaded the site to a "live" server and tested it, my search function wouldn't work. The issue resides in the two lines with the magic quotes and the real escape string, for some reason those lines worked fine while testing using EasyPHP 3.0, but now I must delete those lines in order for my search function to work. The problem is that deleting those lines makes me vulnerable to an SQL injection. I have tried deleting just the magic quotes line and everything works properly, but then I am not seeing any kind of strip slashing/sanitizing when I enter in a statement like this into my search: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't.
Any help on this issue would be greatly appreciated! //get data $button = $_GET['submit']; if (get_magic_quotes_gpc() == 0){ $search = mysql_real_escape_string($_GET['search']); // clean up the search string } else { $search = $_GET['search']; $limit = 9; $page = $_GET['page']; if($page) $start = ($page - 1) * $limit; I also tried using the mysql_real_escape_string on my construct, but I get syntax errors because of the | being used before and after the $search_each. That | character must remain in place in order for my search to work the way I want it to. $x++; if ($x==1) $construct .= "keywords LIKE '%".mysql_real_escape_string(|$search_each|)."%'"; else $construct .= "AND keywords LIKE '%|$search_each|%'"; } Similar TutorialsHere is the code that i am using to accept data and display the data. To accept and add it in database i am using : $comment = $_POST['txtcomment']; $comment = @mysql_real_escape_string($comment); To display the data from DB i am using : $comment = $rowscomment['comment']; <?php echo nl2br($comment); ?> Please help me correct it....... I am still learning PHP. I'd like to use a text editor like this one: http://tinymce.moxiecode.com/examples/full.php for my forums. But I am not sure exactly how I would prevent abuse and injects to messed up the page, rather than being contained in the designated area it is meant for. Could some one please help me, I know htmlspecailchars will not work, since some of the code needs to render as html I am trying to protect my guestbook entries from injections such as html, xss, and mysql injections. My php knowledge is very little. If possible, can I have some help please with protecting my entries. I have a few bits and pieces of code to protect my guestbook from injections that I got from some tutorials that I was reading. Code: [Select] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Author: Reality Software Website: http://www.realitysoftware.ca Note: This is a free template released under the Creative Commons Attribution 3.0 license, which means you can use it in any way you want provided you keep the link to the author intact. --> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title></title> <link href="style.css" rel="stylesheet" type="text/css" /></head> <body> <!-- header --> <div id="header"> <div id="logo"><a href="index.html">Header</a></div> <div id="menu"> <ul> <li><a href="index.html">Home</a></li> <li><a href="">Link 1</a></li> <li><a href="">Link 2</a></li> <li><a href="">Link 3</a></li> <li><a href="">Contact</a></li> <li><a href="guestbook.php">Guestbook</a></li> </ul> </div> </div> <div id="icon"><a href="twitter.com/"> <img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /> </a></div> <!--end header --> <!-- main --> <div id="main"> <div id="content"> <div id="text"> <h1><strong>Guestbook</strong></h1> </div> <?php $input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);function sanitizeString($string) { return htmlentities( (string) $string, ENT_COMPAT, "UTF-8" ); } $preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name'); $preparedStatement->execute(array(':name' => $name)); $rows = $preparedStatement->fetchAll(); $mysql_host = "localhost"; $mysql_database = "a7560006_guest"; $mysql_user = "a7560006_host"; $mysql_password = "mypassword"; // Connect to server and select database. mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server"); mysql_select_db("$mysql_database") or die("cannot select DB"); $tbl_name="guestbook"; // Table name $name = ($_POST['name']); $comment = ($_POST['comment']); $comment = stripslashes($comment); $name = stripslashes($name); $comment = str_replace("<","<",$comment); $name = str_replace("<","<",$name); $datetime=date("M-d-Y h:i:s A"); //date time $verif_box = ($_POST['verif_box']); if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> <table width="400" border="0" align="center"> <tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr> </table> </div> <!-- footer --> <div id="footer"> <div id="left_footer">© Copyright 2011<strong> Author </strong></div> <div id="right_footer"> <!-- Please do not change or delete this link. Read the license! Thanks. :-) --> Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> </div> </div> <!-- end footer --> </div> <!-- end main --> </body> </html> <? exit; } if(empty($name) || empty($comment)) { ?> <table width="400" border="0" align="center"> <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr> </table> <? } else { $sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')"; $result=mysql_query($sql); //check if query successful if($result) { ?> <table width="400" border="0" align="center"> <tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr> </table> <? echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page } else { echo "ERROR"; } mysql_close(); } ?> </div> <!-- footer --> <div id="footer"> <div id="left_footer">© Copyright 2011<strong> Author </strong></div> <div id="right_footer"> <!-- Please do not change or delete this link. Read the license! Thanks. :-) --> Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> </div> </div> <!-- end footer --> </div> <!-- end main --> </body> </html> Hi everyone, I have been the victim (at least i think) of SQL injection attacks!? I believe this as my contact us db table is full of 1's. How can i stop this from happening? Here's the contact form: Code: [Select] <form method="get" action="contact-send.php"> Name:<br /> <input type="text" name="name" id="name" size="30" /><br /> Email:<br /> <input type="email" name="email" id="email" size="30" /><br /> Your Question:<br /> <textarea name="question" id="question" rows="10" cols="50"></textarea><br /> <input type="submit" name="submit" value="send" /> </form> And here's the script 'contact-send.php': Code: [Select] <?PHP session_start(); include ('php only scripts/db.php'); if(isset($_POST['submit'])){ $name = $_POST['name']; $email = $_POST['email']; $question = $_POST['question']; //your code to insert variables into db can go here or after the if statement $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')"; $result = mysql_query($query) or die(mysql_error()); echo $name."<br/>".$email."<br/>".$question; } header( 'Location: http://www.removalspace.com/contactconf.php' ); ?> Do i have to have if(isset on EACH variable? like on name, email and question too? Hello, I have been using the preg_match() to throw out invalid form characters and then both mysql_real_escape_string() and stripslashes() to escape data variables before using them with mysql. But how about messages from a text area for example on a contact form. You cant limit the characters for the user. Is escaping variables good enough to eliminate sql injections from user input? htmlspecialchars($str, ENT_QUOTES, 'UTF-8');Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this. I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good). Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server) Thanks! $str = user input. Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text. $text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text ); $text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text ); $text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text ); $text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text ); //Spoiler $text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text ); //Beautiful Colors $text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text ); $text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure. Edited by Monkuar, 10 January 2015 - 06:33 PM. htmlspecialchars($str, ENT_QUOTES, 'UTF-8');Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this. I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good). Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server) Thanks! $str = user input. Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text. $text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text ); $text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text ); $text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text ); $text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text ); //Spoiler $text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text ); //Beautiful Colors $text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text ); $text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure. Edited by Monkuar, 10 January 2015 - 06:33 PM. Basically, I have the following code ($c2 is my connection variable): Code: [Select] $rid = $_GET['id']; $q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error()); $report = mysql_fetch_array($q); $report is used later on to gather more information that is outputted to the user. However, if in the URL, someone were to put id=1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL Injection exploit. How would I go about fixing this, and also preventing SQL Injection? Thanks a bunch, Mark Hello Guys, Iam making a new ad serving script. In that site every publisher can register & they will get a url to serve ads. When a user click on that url the publisher will get earnings. But my problem is someone using something like this <iframe src="http://my-site.com/adserve.php" width = "100" height = "100"></iframe> & it will helps to get earnings without clicking on that url. I want to prevent this type of cheating & how it can be possible ?? I hope a expert will replay for me. Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine. <?php include 'db.php'; error_reporting(E_ALL | E_WARNING | E_NOTICE); ini_set('display_errors', TRUE);  if(isset($_POST['submit']))  {     $username = $_POST['username']; $password =  ($_POST['password']); $sql = "SELECT * FROM customer WHERE username = ?"; $stmt = $connection->prepare($sql); $stmt->bind_param('s', $username); $stmt->execute(); $result = $stmt->get_result(); $count =  $result->num_rows;   if($count == 1)              { while ($row = $result->fetch_assoc())  {   if ($row['status'] == 'blocked')  {  echo'your account is suspended'   session_destroy();   exit();  }  else if($row['status'] == 'active') { if($username !== $row['username'])  { echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>'; } if($password !== $row['password']) {  echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';     } if($username == $row['username'] && $password == $row['password']) { header('Location:cpanel/'); else { } }//if count }//while loop }//submit ?>  Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } Hi is there any way we can prevent suppose <textarea></textarea> when page reload it refresh and set default text i wanted to know is there any way to prevent certain things not to get refreshed is there any method in php which prevent to reload this ! <?php echo "<textarea > Enter your favorite quote!</textarea> \n" ; Code: [Select] if (isset($_GET['edit']) && $_GET['edit'] == 'textupdate'){ } <a href= \"{$_SERVER['PHP_SELF']}?page=1&edit=textupdate \" >Click</a>?> I am loading a link with ajax. When the link pops on the screen and I click it, I get redirected to my 404 page and my lightbox doesn't load. If the link pops in and I refresh my browser, then I click the link my lightbox will show up. How can I do a prevent default on the <a href> in pure JS? No frameworks please. Is this a correct approach to prevent email injection? $to: me@mydomain.com, myPartner@mydomain.com, $emailer; //then the rest of the stuff. $emailCheck = $_POST["emailer"]; if (eregi("(\r|\n)", $emailCheck)) { die("Why ?? "); } mail($to, $subject, "", $headers); As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.
One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included. Proof:
<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "URL"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 10); $response = curl_exec($ch); curl_close($ch); $exploded = explode('type="hidden" name="token" value="', $response); $token = substr($exploded[1], 0, 64); echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571 ?>I would hate to include captcha on all my forms, so how exactly does one prevent CSRF? $_POST['user_name'] = "CLUEL3SS"; $_POST['user_pass'] = "test123"; $_POST['confirm_pass'] = "test123"; $_POST['user_email'] = "user@email.com"; $_POST['confirm_pass'] = 'user@email.com'; function testFunc($inputVars){ foreach($inputVars as $key=>$value){ $escapeData[$key] = mysql_real_escape_string($value); } return $escapeData; } var_dump(testFunc($_POST)); I'm trying to make a user system for my site and I want to make sure its secure enough to void off injection attackers. Any useful advice and and suggestions would be greatly appreciated! Thanks! Hi all, I am trying to make a emailscript with PEAR to send quite some people a personalized messaged. But i thought this could very well cause the script to time out. Now i read http://php.net/manual/en/function.set-time-limit.php, but i thought does maybe someone knows a way to prevent a time out instead of setting the time-limit to a larger amount. Some terms i saw floating around we ob_start, flush, sleep and a few others but i really never worked with these. If someone could point me in the right direction of thinking or maybe knows a tutorial or guide i really would love to hear it. Thank you! I have my template files and some functions in my server which are available for direct reach. like ; my "index.php" file includes "loginpage.php" form which is ok when I enter www.site.com/index.php but also when I enter to www.site.com/loginpage.php it works and shows me just login page. So this is what I dont want. How can I prevent to reach the files directly like this, I want them to work just for other pages of my website, not for directly seeing. By the way can this problem also be solved by hosting settings or mod_rewrite ? I have my script protected against all types of sql injection, XSS injection, cookies and bots. But now i want to know whats the best way of preventing session hijacking? I know nothing can be 100% secured but i want to know how to prevent it And u know it: prevention is better than cure! I have a problem which is why I am here. What I am trying to achieve I am creating a very very basic timetabling system online, using php and sql. I am still in the process of completing it and changing bits from here to there. Although I am fully aware that the current design / implementation needs several changes and amendments, but however it performs most of the basic functionalities from a login system to the ability to add data delete data and also reset the database and recreate. The problem I have a table called tCourse althouogh a full ERD implementation has not taken place, it is still trial and error period. The table consists of the following: - Course - Unit - Course_Code - Year (i.e. Yr1, Yr2, Yr3) - Credits (Value of the unit) - Day - Semester - Start_Time - End_Time - Room - Tutor At the moment the primary keys for the table a - Day - Start_Time - Room_ - Semester This basically prevents a particular day, a semester, a room having been booked at the same time. Which for a very basic one is ok. The only problem is though, if someone books for example: Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (ok) Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (Not ok, which is good, as it is a repeat and prevents double booking) However the problem comes he Monday >> 12:00:00 To 14:00:00 >> 205 >> Sem1 (ok) So this is allowing a booking even though that room will be busy i.e. booked between 13:00 to 14:00 So is there a way I can limit it, so if there is a room booked for that particular period it will not do it. I have done a bit of research and friend's have suggested doind several for loops and quering the database beforehand. I came here, mainly because there are a lot of experienced individuals here whom may have a simpler solution, although I can understand it won't be a one liner . I would appreciate any help, if not, it is still ok. |