this quote business is driving me nutz!!!!

I have a form:
i have something like this:


<form action=mainquery.php><select name='TYPE'>
<option value=''>(doesn't matter)</option>
<option value="MAIN.TYPE = 'CFI' AND">CFI</option>
</select>



In the page that the above calles upon (mainquery.php) i have a query.

The query has ends up looking like this at one point:

WHERE $TYPE etc ect...

When people select CFI from the select form, the quesry is suppose to look like this:

WHERE MAIN.TYPE = 'CFI' AND ... etc ect..

But it doesn't. - it looks like HWERE MAIN.TYPE =\'CFI\' AND ...


I tried everything:
Which way should i arrange these quotes?
<option value="MAIN.TYPE = 'CFI' AND">CFI</option>


Thanks
Noam

Some istallations of PHP add slashes to incoming data. I think that's where the slashes come from in your query. This can be turned off by various methods, you can start reading here: http://ca2.php.net/manual/en/functio...quotes-gpc.php

Also, I suggest you don't put parts of your query directly in the form. A malicious user could do bad things to your system that way.

really, how do most people accomplish having dynamic queries wihtout putting variable from a FORM inside the query line...

It's a SELECT query which if i understand correctly is not able to delete or change data...

thanks
Noam

One way to do this would be to have an array
An in the form put the 0
Then in the query

noam, have a look at this article, it may help you some --

The "any" option in dynamic search SQL


rudy

I read that article. What i do is give an empty value to a <select>.

for example:
<select name="TYPE">
<option value="">Any</option>
<option value="MAIN.DATE='12/12/1999'">12/12/1999</option>
</select>

The sql code would go like:
..... WHERE $TYPE AND MAIN.PER_ID=$username.......


If the user selects Any, it would just skip the $TYPE since $TYPE = nothing.

I'm only a beginner so i don't know if it's the best way but it seems simple.

If i understand Dylan Leblanc correctly i need to do this instead:

<select name="TYPE">
<option value="">Any</option>
<option value="1">12/12/1999</option>
</select>

And in another page -> $1=MAIN.DATE='12/12/1999';

and the SQL-> ..... WHERE $1AND MAIN.PER_ID=$username.......

Is this more secure?

no, if $TYPE= nothing then you have WHERE AND which gives a syntax error

you will probably have "AND" problems if you do not use the WHERE 1=1 trick

rudy

my bad
I see where you are coming from but in my case it would work.
I messed up on my last post


...WHERE $TYPE $TYPE2 $TYP3 PER_ID='$username'......



Now look at the values of TYPE1 /2 and 3

TYPE value="MAIN.DATE='12/12/1999' AND"

TYPE2 value="MAIN.DATE='12/12/2000' AND"

TYPE3 value="MAIN.DATE='12/12/2001' AND"

On my previouse post I forgot to add the "AND" to the end of the value...

I don't see how this could result in an error in the syntax...
Thanks for your replies
Noam

okay, i can see how you wouldn't get a syntax error

but you wouldn't get any rows, either

you have

... WHERE X=1 AND X=2 AND X=3 AND PER_ID='$username

what you probably want is

... WHERE (X=1 OR X=2 OR X=3) AND PER_ID='$username

Don't use something like

<option value="MAIN.DATE='12/12/1999'">12/12/1999</option>

in your form. I could just copy your form, change the value to "MAIN.DATE='12/12/1999';DROP TABLE MAIN" and all your data would be gone

Instead write:
....
<option value="any">any</option>
<option value="12/12/1999">12/12/1999</option>

in your php script write:

When the value is any or nothing, no filter is used.

your freaking me out!!!!!!!!! That's good though i need to start thinking about security.

I tried what you have said.
This resulted in this query


SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.DATE='12/12/1999';DROP TABLE MAIN AND MAIN.PER_ID='542458257'

This query returned me an error and my table called MAIN was never erased.

Any other ideas on how to erase my tables?

(need to learn to be a hacker, to keep hackers out )
Noam

Try this:

value = "MAIN.DATE='12/12/1999';DROP TABLE MAIN;#"


result:
SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.DATE='12/12/1999';DROP TABLE MAIN;# AND MAIN.PER_ID='542458257'


Another example:

login form
check routine
Input:
user = xyz
pass = "xx' OR user='administrator"

results in:
SELECT id, user, permissions FROM users WHERE user='xyz' AND password='xx' OR user='administrator'

The user xyz does not exist, so the first result of this query is the user administrator and this would give me full permissions.

to prevent this:

To make these "hacks" work, it's a little more work, because the quotes and special chars must be escaped, e.g. %22 (`"'), %23 (`#') and %27 (`'')

didn't work
i even had the page echo the query....
I got error when trying what you said:
"
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 20

Warning: extract(): First argument should be an array in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 21

Notice: Undefined variable: TOTALTIME in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 22
Your total night time is: hours.

SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.TYPE='CFI' ;DROP TABLE MAIN;# MAIN.PER_ID='542458257'
"
My MAIN table is still there... na di didn't even set priviliges yet! Username is root and password is empty.

But i see what you are saying.

The user would copy the form code locally, change the connection from localhost to the domain in which the SQL server is at correct?
Then the hacker would change the values.

But how would the hacker retreive the mysql username and password to connect? The username and password are stored as variables and are retreived from a page that's not in the wwwroot folder.

Also, this wouldn't work if the user tries to connect to the MYSQL server via the doamin name since th port to connect to mysql is closed. Only thing that is open is port 80...

Am i making sense?

Check the syntax, i want this to work:
SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.TYPE='CFI' ;DROP TABLE MAIN;# MAIN.PER_ID='542458257'


thanks again
Noam

I tried a similar query with phpMyAdmin and it worked.

But with the form:
It's just HTML code. The line
<form action=mainquery.php>
tells the browser to send all entered data to the "mainquery.php" script. It's your script which connects to the database not the user who fills out the form. Your script has the permission to access the database and this can be abused, if you blindly trust the user's inputs. That's all what I wanted to point out. There are several ways to do that and a lot of websites don't pay attention to this, and they are vulnerable.
Ask google for "php security" and you will find a lot of information.


PS: I hope my English is understandable

you are 100% correct.
I see now.
They can copy my html code, change it to drop a table and in the form action instead of doing:

<form action="query.php">

they would do:
<form action="http://mydomain.com/query.php">

A user can also add "WHERE PER_ID='another person' and edit and delete other people's entries!!!!

This is very volerable!
I don't like it.
I need to write a script that will exit you out unless your session is valid...

How about this:
when a user logs in, they have "session_registers"
I'll add their username and password as registers.
Then every single page will have an authentication



$sql = mysql_query("SELECT * FROM PERSON WHERE PER_ID='$username' AND PASSWORD='$password'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}

else{echo "You could not be logged in! Please check your user name and password and try again!<br />
Please try again!<br />";
include 'index.html';
}

Will this work? Then i can add a thing that will make sure that there is a current session or else it forwards them back to index.html

This will solve the problem of a user editing/viewing/deleting other person's entries right?
Then, on my connection to the sql, i'll have it as a restriced user that cannot add/drop tables...

Will this work?
Noam