  1. #1
    Join Date
    Mar 2006
    Posts
    41

    Unanswered: Need some help with PHP security

    Hi,

    I've recently completed a website for my brother's band which is backed by a MySQL database and uses PHP to allow users to add comments, sign the guest book, add messages to the forum etc.

    What I need is a safeguard against people running malicious scripts or executing SQL commands which may affect the way the website looks and/or operates or delete things from the MySQL database.

    If someone could take a look at the website (here) and tell me which bits might need a bit of work doing.

    Thanks

  2. #2
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    Your main issue with any comment form is going to be someone trying to hijack the site or inject some dodgy SQL.

    So first off I'd be wanting to make sure the user cannot issue any SQL directly or via the comments they leave. Perhaps you may care to do a Google on PHP security & SQL injection.
    I'd rather be riding on the Tiger 800 or the Norton

  3. #3
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    Rule # 1 : escape ALL user input.

    If you follow the above rule you are ridding yourself of 99% of the attempted hacks.

  4. #4
    Join Date
    Mar 2006
    Posts
    41
    Thanks for the replies.

    Would mysql_real_escape_string() do the trick for escaping user input?

  5. #5
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Provided Answers: 59
    Quote Originally Posted by uraknai
    Thanks for the replies.

    Would mysql_real_escape_string() do the trick for escaping user input?

    Having read the PHP manual / PHP site, what do you think?
    I'd rather be riding on the Tiger 800 or the Norton

  6. #6
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    mysql_real_escape_string will be sufficient if you are attempting to escape MySQL input ONLY. What you want to do is sanitize ALL your input from a user.

    So for a SQL string :
    Code:
    $sql = "select uid 
              from users
              where username='".mysql_real_escape_string($_POST['username'])."' 
              AND password ='".mysql_real_escape_string($_POST['password'])."' ";
    However, you could also use a regex and sanitize the username and password POST variables before that. You probably want usernames (for registration) without _!@^% in them. So before you even get to your SQL statement, make sure your inputs conform to your expectations.
    e.g.
    Code:
    $username = "badly ! formed * name";
    
    if(preg_match('/[_@"*!%^\'-]/',$username)){
        die("failed to provide a valid username");
    }
    n.b. in the above statement the ' (single inverted comma) has to be escaped in the preg expression.

    For things like dropdown boxes you should sanitize them by comparing them against an expected set of results.
    e.g.
    Code:
    $arr_of_vals = array('apple','pear','orange');
    if(in_array($_POST['dropdown_val'],$arr_of_vals)){
       // carry on
    } else {
       die("you did not provide a valid input");
    }
    It's best that you don't use die in your scripts and instead correctly handle incorrect data, but I'm using a simple example to demonstrate my point.

    n.b. Just providing a dropdown box does not stop XSS (cross site scripting) and thus you are in fact not limiting the input that can be provided by a user. Always sanitize on the server side (as well as client side).

    Basically EVERYTHING that is given by a user is ALWAYS corrupt until you sanitize it. No input data can be trusted.
    Last edited by aschk; 05-11-07 at 07:27.
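As an added, runnable example (not code posted in the thread and not the band site's own code), the advice in the post above assembled into one form handler: an allowlist pattern for the username (describing what is permitted rather than listing forbidden characters, so it also rejects `;`, `<`, `>` and anything else the denylist regex did not name), `in_array` in strict mode for the dropdown value, a separate HTML-escaping step for display (the XSS half of the problem), and a mysqli prepared statement in place of string concatenation with `mysql_real_escape_string`; the old `mysql_*` extension was removed in PHP 7, and a bound parameter never becomes part of the SQL text, so there is no quoting step to get wrong. The table `comments`, the field names `username`, `section` and `comment`, and the sample submissions are all made up for the demo.

```php
<?php
// Added example for this thread (not code posted by aschk or uraknai).
// Assumptions: the table `comments(section, username, body)` and the $_POST
// field names `username`, `section`, `comment` are invented for the demo.

// Allowlist of values the "section" dropdown may legitimately send (constructed).
const ALLOWED_SECTIONS = ['guestbook', 'forum', 'comments'];

// Rule: accept only what matches the expected shape (allowlist), rather than
// rejecting the characters you happened to think of (denylist).
function validate_username(string $name): bool
{
    // 3-20 ASCII letters, digits or underscore. \A and \z anchor the whole
    // string, so "bob\n' OR 1=1" fails even though its first line is fine.
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1;
}

function validate_section(string $section): bool
{
    // Third argument `true` forces strict comparison, so loose-comparison
    // surprises such as "0" matching a string value cannot occur.
    return in_array($section, ALLOWED_SECTIONS, true);
}

function validate_comment(string $text): bool
{
    // Must be valid UTF-8 (the /u modifier makes preg_match fail on malformed
    // input) and between 1 and 2000 bytes long.
    if (preg_match('//u', $text) !== 1) {
        return false;
    }
    $len = strlen($text);
    return $len >= 1 && $len <= 2000;
}

// Returns a list of error messages; an empty list means the form is acceptable.
function validate_post(array $post): array
{
    $errors = [];
    if (!validate_username((string) ($post['username'] ?? ''))) {
        $errors[] = 'username: 3-20 letters, digits or underscore';
    }
    if (!validate_section((string) ($post['section'] ?? ''))) {
        $errors[] = 'section: not one of the allowed values';
    }
    if (!validate_comment((string) ($post['comment'] ?? ''))) {
        $errors[] = 'comment: empty, too long or not UTF-8';
    }
    return $errors;
}

// Escaping is per output context. This one is for HTML and does nothing for
// SQL, just as mysql_real_escape_string did nothing for HTML.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For the database, a prepared statement keeps the data out of the SQL text
// entirely. Shown with mysqli (the replacement for the removed mysql_* API);
// not called in this demo because it needs a live connection.
function insert_comment(mysqli $db, string $section, string $username, string $text): bool
{
    $stmt = $db->prepare('INSERT INTO comments (section, username, body) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $section, $username, $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['username' => 'bob',      'section' => 'guestbook',                  'comment' => 'Great gig!'],
    ['username' => "admin'--", 'section' => 'guestbook',                  'comment' => 'x'],
    ['username' => 'eve',      'section' => 'users; DROP TABLE comments', 'comment' => 'x'],
    ['username' => 'mallory',  'section' => 'forum',                      'comment' => '<script>alert(1)</script>'],
];

foreach ($samples as $i => $post) {
    $errors = validate_post($post);
    echo "sample $i: ", $errors ? implode('; ', $errors) : 'ok', "\n";
    if (!$errors) {
        // Validation passed, but the comment is only safe to *display* after
        // HTML-escaping; input validation alone does not stop XSS.
        echo '  display as: ', html_escape($post['comment']), "\n";
    }
}
```

Run it with `php handler.php`: samples 1 and 2 are rejected by validation alone, and sample 3 shows why the post's last point matters, since `mallory` passes every input check and the `<script>` tag is only neutralised by the output-encoding step.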