PHP Server Side Scripting Forum

security

tr8er8
msg:3580763
 4:17 am on Feb 21, 2008 (gmt 0)

I have this article script and this admin panel where I can post articles and stuff to a database, but I think it can be injected and, like, hacked pretty easily. Is there a way to check? Because I've seen things where people put like &password=123example&login=lolwhut at the end of the URL or something, and then they mess up your site.

Can you tell me if this is secure or not?

[edited by: eelixduppy at 4:36 am (utc) on Feb. 21, 2008]
[edit reason] no URLs, please [/edit]

eelixduppy
msg:3580776
 4:37 am on Feb 21, 2008 (gmt 0)

There are many different ways to secure your applications. The best thing for you to do right now is to read up on different security problems and how to avoid them. Start with the following link: [phpsec.org...]

tr8er8
msg:3580783
 5:07 am on Feb 21, 2008 (gmt 0)

Ok, I read on the SQL injections and the form one, but for the SQL injections it doesn't provide a way to protect against it, except put "" quotes around all your variables and stuff, and also include your login and password and stuff in a separate file in a separate location. Is that all I can do?

eelixduppy
msg:3580785
 5:11 am on Feb 21, 2008 (gmt 0)

If you are using MySQL, you should be escaping those variables with mysql_real_escape_string [php.net] in order to prevent SQL injection. Aside from just escaping input (and by input I mean ANYTHING that can be altered by the user, including the referrer, etc.), you should also make sure that it contains what it is supposed to contain, and not anything else that you wouldn't want to allow.

tr8er8
msg:3580786
 5:13 am on Feb 21, 2008 (gmt 0)

Oh, so like for a name input field, only accept letters? And do you have to include other characters besides letters for an injection?

eelixduppy
msg:3580814
 6:04 am on Feb 21, 2008 (gmt 0)

Injections come in a variety of different ways, so no, they aren't just comprised of letters, if that's what you mean. Escaping your input should be enough to prevent SQL injection; however, validating the input is extra security so that you KNOW you will not get unexpected results somewhere in your application. It doesn't necessarily mean that it will occur with the database, but it could very well be somewhere else. You always just want to know what to expect in a variable, and that is why we check :)

tr8er8
msg:3580824
 6:14 am on Feb 21, 2008 (gmt 0)

By validating you mean that it's a required field, right? And also I found some videos on YouTube about the commands to get past and stuff, and I tried them all on my site, but none of them worked. I made some changes.

eelixduppy
msg:3580828
 6:20 am on Feb 21, 2008 (gmt 0)

>> By validating you mean that it's a required field, right?

Not exactly. First off, by validation I do not mean measures to prevent SQL injection, but general security measures that should be taken. But an example of making sure the input is validated (clean) is, for instance, say you are looking for an integer to be input in a form. You want to check first to see if this is indeed an integer, and if it is not, prompt for it to be submitted again. And then once it is an integer, be safe and still escape it before using it in a query. The reason you want to validate it to make sure it is an integer is so that you don't get unexpected results from functions, etc., when you think you have an integer but in reality, with the validation, you may have a string of other random characters that will cause your application to fail.

tr8er8
msg:3580830
 6:26 am on Feb 21, 2008 (gmt 0)

Yeah, so should I make sure ONLY letters/numbers are included? Because I noticed to do an SQL injection they use the (') a few times, and the (-) and (=) sometimes. Would that be a good means of security, because I'm not sure how to make it not be used in a query or w/e.

eelixduppy
msg:3580846
 6:57 am on Feb 21, 2008 (gmt 0)

What you allow in the field is up to what you actually NEED to allow in the field. If you need to allow characters other than alphanumerics then you can without any further security issues, as long as you escape the data correctly. Here is an example:

#connect to db server, select database (set $db_host, $db_user, $db_pass, $db_name for your server)...
$link = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db($db_name, $link);
$input = isset($_POST['input']) ? $_POST['input'] : '';
#validate input (check it looks like what the field is supposed to contain)...
#escape with the open connection so the escaping matches the connection's character set
$query = "SELECT * FROM `table` WHERE `field` = '" . mysql_real_escape_string($input, $link) . "'";
#etc...

This should sufficiently protect you from SQL injection.
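The two ideas in this thread so far, validate what the field is supposed to contain (the integer check above) and keep the user's value out of the SQL text, shown together as an added example that is not from the thread. It substitutes PDO prepared statements (the modern replacement for mysql_real_escape_string, which no longer exists in PHP 7+) and an in-memory SQLite table so it runs without a MySQL server; the table, column names and inputs are constructed for the demo, and with MySQL only the DSN would change.

```php
<?php
// Added example (not from the thread). PDO + SQLite in memory so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, name TEXT)");  // constructed table
$db->exec("INSERT INTO articles (name) VALUES ('alice'), ('o''brien')"); // constructed rows

// Validation: accept only what the field is supposed to contain, nothing else.
function valid_id($raw) {
    // ctype_digit rejects '', '-1', '1.5' and anything with spaces or operators in it
    return is_string($raw) && ctype_digit($raw) ? (int)$raw : null;
}
function valid_name($raw) {
    // letters, digits, apostrophe, hyphen, space; 1..50 chars (apostrophe allowed on purpose)
    return is_string($raw) && preg_match("/^[A-Za-z0-9' -]{1,50}$/", $raw) ? $raw : null;
}

// Unsafe pattern from the question: the value is pasted straight into the query text.
function lookup_unsafe(PDO $db, $name) {
    return $db->query("SELECT id FROM articles WHERE name = '$name'")->fetchAll(PDO::FETCH_COLUMN);
}
// Safe pattern: a placeholder in the SQL, the value bound separately; the SQL text never changes.
function lookup_safe(PDO $db, $name) {
    $st = $db->prepare("SELECT id FROM articles WHERE name = ?");
    $st->execute(array($name));
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST['name'].
foreach (array("alice", "o'brien", "' OR '1'='1") as $in) {
    $name = valid_name($in);
    if ($name === null) { echo "input [{$in}] rejected by validation\n"; continue; }
    echo "input [{$in}] safe lookup -> ", json_encode(lookup_safe($db, $name)), "\n";
}
// A legitimately allowed apostrophe is enough to break the unsafe query (syntax error)...
try { lookup_unsafe($db, "o'brien"); }
catch (PDOException $e) { echo "unsafe lookup of o'brien: SQL error, query was rewritten by the data\n"; }
// ...and the integer check keeps arithmetic/operators out of numeric fields entirely.
var_dump(valid_id("7"), valid_id("7 OR 1=1"));
```

Note the third input is rejected by validation and, had it reached lookup_safe, would simply have matched no row, because the bound value is compared as data and never parsed as SQL.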

tr8er8
msg:3580855
 7:11 am on Feb 21, 2008 (gmt 0)

Oh, so like this?:

$query = "SELECT * FROM `mahtable` WHERE `name` = '".mysql_real_escape_string($input)."'";

and then input would be the name of the field?

eelixduppy
msg:3580856
 7:13 am on Feb 21, 2008 (gmt 0)

yup

tr8er8
msg:3580868
 7:36 am on Feb 21, 2008 (gmt 0)

Ok, but how do I make it for like a login field? Because my login fields I don't think, like, connect to the database; it connects to my admin panel.
