Page 1 of 2 12 LastLast
Results 1 to 15 of 16
  1. #1
    Join Date
    Dec 2003
    Posts
    61

    Unanswered: need help with quotes " " " " " ' ' ' '

    this quote business is driving me nutz!!!!

    I have a form:
    i have something like this:


    <form action=mainquery.php><select name='TYPE'>
    <option value=''>(doesn't matter)</option>
    <option value="MAIN.TYPE = 'CFI' AND">CFI</option>
    </select>



    In the page that the above calles upon (mainquery.php) i have a query.

    The query has ends up looking like this at one point:

    WHERE $TYPE etc ect...

    When people select CFI from the select form, the quesry is suppose to look like this:

    WHERE MAIN.TYPE = 'CFI' AND ... etc ect..

    But it doesn't. - it looks like HWERE MAIN.TYPE =\'CFI\' AND ...


    I tried everything:
    Which way should i arrange these quotes?
    <option value="MAIN.TYPE = 'CFI' AND">CFI</option>


    Thanks
    Noam

  2. #2
    Join Date
    May 2002
    Location
    Vancouver Canada
    Posts
    26
    Some istallations of PHP add slashes to incoming data. I think that's where the slashes come from in your query. This can be turned off by various methods, you can start reading here: http://ca2.php.net/manual/en/functio...quotes-gpc.php

    Also, I suggest you don't put parts of your query directly in the form. A malicious user could do bad things to your system that way.

  3. #3
    Join Date
    Dec 2003
    Posts
    61
    really, how do most people accomplish having dynamic queries wihtout putting variable from a FORM inside the query line...

    It's a SELECT query which if i understand correctly is not able to delete or change data...

    thanks
    Noam

  4. #4
    Join Date
    May 2002
    Location
    Vancouver Canada
    Posts
    26
    One way to do this would be to have an array
    PHP Code:
    $where = array(
        
    => "MAIN.TYPE = 'CFI' AND"

    An in the form put the 0
    PHP Code:
    <option value="0">CFI</option
    Then in the query
    PHP Code:
    SELECT FROM table WHERE {$where[$_POST['type']]} 

  5. #5
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    noam, have a look at this article, it may help you some --

    The "any" option in dynamic search SQL


    rudy

  6. #6
    Join Date
    Dec 2003
    Posts
    61
    I read that article. What i do is give an empty value to a <select>.

    for example:
    <select name="TYPE">
    <option value="">Any</option>
    <option value="MAIN.DATE='12/12/1999'">12/12/1999</option>
    </select>

    The sql code would go like:
    ..... WHERE $TYPE AND MAIN.PER_ID=$username.......


    If the user selects Any, it would just skip the $TYPE since $TYPE = nothing.

    I'm only a beginner so i don't know if it's the best way but it seems simple.

    If i understand Dylan Leblanc correctly i need to do this instead:

    <select name="TYPE">
    <option value="">Any</option>
    <option value="1">12/12/1999</option>
    </select>

    And in another page -> $1=MAIN.DATE='12/12/1999';

    and the SQL-> ..... WHERE $1AND MAIN.PER_ID=$username.......

    Is this more secure?

  7. #7
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    Originally posted by noamkrief
    The sql code would go like:
    ..... WHERE $TYPE AND MAIN.PER_ID=$username.......

    If the user selects Any, it would just skip the $TYPE since $TYPE = nothing.
    no, if $TYPE= nothing then you have WHERE AND which gives a syntax error

    you will probably have "AND" problems if you do not use the WHERE 1=1 trick

    rudy

  8. #8
    Join Date
    Dec 2003
    Posts
    61
    my bad
    I see where you are coming from but in my case it would work.
    I messed up on my last post


    ...WHERE $TYPE $TYPE2 $TYP3 PER_ID='$username'......



    Now look at the values of TYPE1 /2 and 3

    TYPE value="MAIN.DATE='12/12/1999' AND"

    TYPE2 value="MAIN.DATE='12/12/2000' AND"

    TYPE3 value="MAIN.DATE='12/12/2001' AND"

    On my previouse post I forgot to add the "AND" to the end of the value...

    I don't see how this could result in an error in the syntax...
    Thanks for your replies
    Noam

  9. #9
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    okay, i can see how you wouldn't get a syntax error

    but you wouldn't get any rows, either

    you have

    ... WHERE X=1 AND X=2 AND X=3 AND PER_ID='$username

    what you probably want is

    ... WHERE (X=1 OR X=2 OR X=3) AND PER_ID='$username


  10. #10
    Join Date
    Jan 2004
    Location
    Germany
    Posts
    17
    Don't use something like

    <option value="MAIN.DATE='12/12/1999'">12/12/1999</option>

    in your form. I could just copy your form, change the value to "MAIN.DATE='12/12/1999';DROP TABLE MAIN" and all your data would be gone

    Instead write:
    ....
    <option value="any">any</option>
    <option value="12/12/1999">12/12/1999</option>

    in your php script write:

    PHP Code:
    $condition "MAIN.PER_ID=$username";

    // check if there is some input
    if(isset($_POST['TYPE']) && $_POST['TYPE'] != 'any') {

        if(
    is_array($_POST['TYPE'])) { // -> multiple choice?
            
    $allvalues = array();
            foreach(
    $_POST['TYPE'] as $value) {
                
    $allvalues[] = "MAIN.DATE = '".date('Y-m-d'strtotime($value))."'";
            }

            
    $condition "(".join(' OR '$allvalues).") AND MAIN.PER_ID=$username"// put together

        
    else {
            
    $value "MAIN.DATE = '".date('Y-m-d'strtotime($value))."'";
            
    $condition "$value AND MAIN.PER_ID=$username";

        }
    }

    $sql_query "SELECT * FROM $table WHERE $condition"
    When the value is any or nothing, no filter is used.

  11. #11
    Join Date
    Dec 2003
    Posts
    61
    your freaking me out!!!!!!!!! That's good though i need to start thinking about security.

    I tried what you have said.
    This resulted in this query


    SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.DATE='12/12/1999';DROP TABLE MAIN AND MAIN.PER_ID='542458257'

    This query returned me an error and my table called MAIN was never erased.

    Any other ideas on how to erase my tables?

    (need to learn to be a hacker, to keep hackers out )
    Noam

  12. #12
    Join Date
    Jan 2004
    Location
    Germany
    Posts
    17
    Try this:

    value = "MAIN.DATE='12/12/1999';DROP TABLE MAIN;#"


    result:
    SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.DATE='12/12/1999';DROP TABLE MAIN;# AND MAIN.PER_ID='542458257'


    Another example:

    login form
    PHP Code:
    <input type="text" name="user">
    <
    input type="password" name="pass"
    check routine
    PHP Code:
    ...
    mysql_query("SELECT id, user, permissions FROM users WHERE user='$user' AND password='$pass' "); 
    Input:
    user = xyz
    pass = "xx' OR user='administrator"

    results in:
    SELECT id, user, permissions FROM users WHERE user='xyz' AND password='xx' OR user='administrator'

    The user xyz does not exist, so the first result of this query is the user administrator and this would give me full permissions.

    to prevent this:
    PHP Code:
    ...
    // security
    if(!preg_match("^[0-9a-zA-Z_]+$"$user)) { // [0-9a-zA-Z_] -> allowed characters
         
    die("unknown user!");
    }

    if(!
    preg_match("^[0-9a-zA-Z_]+$"$pass)) {
         die(
    "wrong password!");
    }

    ...

    mysql_query("SELECT id, user, permissions FROM users WHERE user='$user' AND password='$pass' "); 

    To make these "hacks" work, it's a little more work, because the quotes and special chars must be escaped, e.g. %22 (`"'), %23 (`#') and %27 (`'')

  13. #13
    Join Date
    Dec 2003
    Posts
    61
    didn't work
    i even had the page echo the query....
    I got error when trying what you said:
    "
    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 20

    Warning: extract(): First argument should be an array in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 21

    Notice: Undefined variable: TOTALTIME in C:\Documents and Settings\Noamkrief\Desktop\logbookphp\mainquery.ph p on line 22
    Your total night time is: hours.

    SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.TYPE='CFI' ;DROP TABLE MAIN;# MAIN.PER_ID='542458257'
    "
    My MAIN table is still there... na di didn't even set priviliges yet! Username is root and password is empty.

    But i see what you are saying.

    The user would copy the form code locally, change the connection from localhost to the domain in which the SQL server is at correct?
    Then the hacker would change the values.

    But how would the hacker retreive the mysql username and password to connect? The username and password are stored as variables and are retreived from a page that's not in the wwwroot folder.

    Also, this wouldn't work if the user tries to connect to the MYSQL server via the doamin name since th port to connect to mysql is closed. Only thing that is open is port 80...

    Am i making sense?

    Check the syntax, i want this to work:
    SELECT Sum(DAY+NIGHT) AS TOTALTIME FROM MODEL LEFT JOIN MAIN ON MODEL.MODEL_ID = MAIN.MODEL_ID WHERE MAIN.TYPE='CFI' ;DROP TABLE MAIN;# MAIN.PER_ID='542458257'


    thanks again
    Noam

  14. #14
    Join Date
    Jan 2004
    Location
    Germany
    Posts
    17
    I tried a similar query with phpMyAdmin and it worked.

    But with the form:
    It's just HTML code. The line
    <form action=mainquery.php>
    tells the browser to send all entered data to the "mainquery.php" script. It's your script which connects to the database not the user who fills out the form. Your script has the permission to access the database and this can be abused, if you blindly trust the user's inputs. That's all what I wanted to point out. There are several ways to do that and a lot of websites don't pay attention to this, and they are vulnerable.
    Ask google for "php security" and you will find a lot of information.


    PS: I hope my English is understandable

  15. #15
    Join Date
    Dec 2003
    Posts
    61
    you are 100% correct.
    I see now.
    They can copy my html code, change it to drop a table and in the form action instead of doing:

    <form action="query.php">

    they would do:
    <form action="http://mydomain.com/query.php">

    A user can also add "WHERE PER_ID='another person' and edit and delete other people's entries!!!!

    This is very volerable!
    I don't like it.
    I need to write a script that will exit you out unless your session is valid...

    How about this:
    when a user logs in, they have "session_registers"
    I'll add their username and password as registers.
    Then every single page will have an authentication



    $sql = mysql_query("SELECT * FROM PERSON WHERE PER_ID='$username' AND PASSWORD='$password'");
    $login_check = mysql_num_rows($sql);

    if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $key => $val ){
    $$key = stripslashes( $val );
    }

    else{echo "You could not be logged in! Please check your user name and password and try again!<br />
    Please try again!<br />";
    include 'index.html';
    }

    Will this work? Then i can add a thing that will make sure that there is a current session or else it forwards them back to index.html

    This will solve the problem of a user editing/viewing/deleting other person's entries right?
    Then, on my connection to the sql, i'll have it as a restriced user that cannot add/drop tables...

    Will this work?
    Noam

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •