Query String and Security (php, mysql)

How far do you go?

ukgimp

10:53 am on Jun 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Imagine the scene: you have a search feature to a db. There are obvious ones that you do in the form part, but how far do you go with the query string to stop muppets trying to find an exploit or just break your results page?

For example, if there are 10 pages of results you throw a warning if they change the number to 11 or any non-numeric parameter.

Are there risks with SQL injection, and how do you cover all the angles and prevent naughtiness occurring?

Any online resources that you would recommend?

Cheers

DaveN

11:07 am on Jun 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The main problems occur when you don't trap and exclude '. Most exclude files, for some reason, are !#$%^&*()=+{}[]|\;:/?>,< so there is a vulnerability. Take another piece of forum software, Snitz.

They don't, or at least they didn't, trap for '

Therefore, in the members.asp page, the input (M_NAME) is not checked for.

As a result, you can add an extra SELECT statement to the query with UNION and you can view any data in the forum's database.

Also check for exact matches with an exclude filter !#$%^&*()=+{}[]|\;:/?>,<'

Dave

daisho

2:35 pm on Jun 23, 2003 (gmt 0)

10+ Year Member



Since you are using MySQL, pass _ALL_ user-supplied untrusted params through "mysql_escape_string". This will drop SQL injection in its tracks...

For your number parameters you can use "is_numeric()" to confirm it's a valid number.

daisho.

DrDoc

7:55 pm on Jun 23, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In addition to that, make sure that as much information as possible is kept within the script, or calculated by the script, without requiring user input through the query string.

Also, make sure the search returns some form of "normal" page if any values are invalid. You don't want the user to know that his/her manipulation caused an error. You want them to think that it just returned another valid set of data.
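The checks described in the two posts above (a numeric test on the page parameter, escaping the search text, and quietly returning a normal page when a value is out of range), as an added example that is not from the thread. It uses PDO prepared statements, the current PHP way of keeping user input out of the SQL string, in place of mysql_escape_string(), which was removed from PHP along with the old mysql extension; the table `articles`, its `title` column and the open `$pdo` handle are assumptions.

```php
<?php
// Added example (not from the thread). Validates the two query-string
// parameters of a paged search and sends them to MySQL through PDO
// prepared statements, which bind values separately from the SQL text
// instead of escaping them into it as mysql_escape_string() did.
// Assumptions: a table articles(id, title) and an open PDO handle $pdo.

function searchArticles(PDO $pdo, array $query, int $perPage = 10): array
{
    // Reject arrays (?q[]=x) and surrounding whitespace; never trust the type.
    $term = (isset($query['q']) && is_string($query['q'])) ? trim($query['q']) : '';
    $page = (isset($query['page']) && is_string($query['page'])) ? $query['page'] : '1';

    // Numeric check: ctype_digit() refuses signs, spaces, "1e3" and "0x1A",
    // all of which is_numeric() would let through. Invalid -> page 1, no error.
    $page = ctype_digit($page) ? max(1, (int) $page) : 1;

    // Count matches first so an out-of-range page (the "page 11 of 10" case)
    // is clamped to the last page and still renders a normal results page.
    $count = $pdo->prepare('SELECT COUNT(*) FROM articles WHERE title LIKE :term');
    $count->execute([':term' => '%' . escapeLike($term) . '%']);
    $pages = max(1, (int) ceil(((int) $count->fetchColumn()) / $perPage));
    $page  = min($page, $pages);

    // LIMIT/OFFSET are integers computed by the script, not user strings,
    // so interpolating them is safe; the search term is still bound.
    $offset = ($page - 1) * $perPage;
    $stmt = $pdo->prepare(
        "SELECT id, title FROM articles WHERE title LIKE :term
         ORDER BY id LIMIT $perPage OFFSET $offset"
    );
    $stmt->execute([':term' => '%' . escapeLike($term) . '%']);

    return ['page' => $page, 'pages' => $pages, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Binding stops SQL injection but not LIKE wildcards: a search for "%"
// would match every row. Escape %, _ and the escape character itself
// (MySQL's default LIKE escape character is the backslash).
function escapeLike(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// Usage from a results page: $result = searchArticles($pdo, $_GET);
```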

ukgimp

7:38 am on Jun 24, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks, that's the sort of thing I am thinking of. I had better go and implement your suggestions.

grahamstewart

10:51 am on Jun 24, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My current project involves a lot of the typical 'take the data from this form and store it into the database'.

To handle this I keep magic_quotes turned off (because I don't like them) and instead I run all my text data through this function:

<?php
// Flag bits used by textToHtml() (the original post used them without defining them)
define('TEXTTOHTML_CONVERT_ENTITIES', 1);
define('TEXTTOHTML_IGNORE_NEWLINES', 2);

function textToHtml( $text, $flags=0) {

    $html = $text;

    if ( ($flags & TEXTTOHTML_CONVERT_ENTITIES) > 0 ) {
        // Convert weird characters to entity tags
        $html = htmlentities($html, ENT_QUOTES);

        // Handle euros (byte 0x80 is the euro sign in Windows-1252)
        $html = str_replace( "\x80", '&euro;', $html );
    }

    if ( ($flags & TEXTTOHTML_IGNORE_NEWLINES) == 0 ) {
        // Use \n for newline on all systems
        $html = preg_replace("/(\r\n|\n|\r)/", "\n", $html);

        // Only allow two newlines in a row.
        $html = preg_replace("/\n\n+/", "\n\n", $html);

        // Put <p>..</p> around paragraphs (text separated by a blank line)
        $html = preg_replace('/\n?(.+?)(\n\n|\z)/s', "<p>$1</p>", $html);

        // Convert newlines not preceded by </p> to a <br /> tag
        $html = preg_replace('|(?<!</p>)\s*\n|', "<br />", $html);
    }

    return $html;
}

It's a little basic at the moment (I'm still in the testing stages), but basically it converts plain text into HTML.

If you set the TEXTTOHTML_CONVERT_ENTITIES flag then it will handle all weird characters and quotes for you.

If you don't set TEXTTOHTML_IGNORE_NEWLINES then it will also add <p> around paragraphs (i.e. text separated by a blank line) and <br> for line breaks.

vincevincevince

11:38 pm on Jun 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since you are using MySQL, pass _ALL_ user-supplied untrusted params through "mysql_escape_string".

yes, yes, yes, yes :-)