on 3/5/02 5:35 AM, Andy at [EMAIL PROTECTED] appended the following bits
to my mbox:

> No, I was reading in a MySQL book that chars like ' are bad for the db.
> PHP provides the function addslashes. Is this the way to check for bad
> entries a user provides? What happens
> if a hacker tries to delete my db entries with an input like 'delete ...

addslashes() is a good function to use on data before inputting it into a
database.  It is also good practice to pass every value as quoted.  Further,
you should use regular expressions to see if text values are really text,
and number values are really numbers, etc.

Most of the security problems I've seen with PHP and MySQL come down to
something like this, both of which can be avoided with addslashes() and
quoting:

You have a "user table" that has some integer values to determine something,
say, whether to save cookies or not.  So save_cookies should have a value of
0 or 1, depending on a checkbox on a web form.  You also have a field in the
db for user_type that should be "normal" or "admin".

Let's say the query code on your page is:

$query = 'INSERT INTO my_table
SET username="' . $username . '",
save_cookies=' . $save_cookies;

If it goes as expected the query is:

'INSERT INTO my_table SET username="burney", save_cookies=1';

If a malicious user is familiar with your table structure, though, they
could pass the value of {0, user_type='admin'} for the save_cookies variable,
giving:

'INSERT INTO my_table SET username="burney", save_cookies=1,
user_type="admin"';

And now their user has admin access to the application.  There was a problem
like this with the phpBB discussion board last year.

Similar problems exist with select queries if a user can get the query:

SELECT * FROM my_table WHERE visible="yes" AND some_field LIKE "keyword";

to turn into:

SELECT * FROM my_table WHERE visible="yes" AND some_field LIKE "keyword" OR
1="1";

If keyword is a user defined field, and the value {keyword" OR 1="1} is
passed to it, the above query will result and the user will see all data in
the table.

As you can see, if you addslashes, quote all values in queries, and/or use a
regular expression to remove quotes, these types of problems don't occur.

People always say that "they can pass a query including a semicolon and then
a delete statement" and delete your entire database.  With PHP and MySQL
(not sure about other RDBMS), only one command can be processed per call so
that particular attack won't work, but as you can see, the above ones could.

> Are there any good articles on the web about checking user input, securing
> webapps against hackers?

Security Focus <http://securityfocus.com/> runs something called Web App
Security that you might find interesting.

HTH.

Paul

<?php
    while ($self != "asleep") {
        $sheep_count++;
    }
?>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
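The two query rewrites Paul describes, worked through in PHP as an added example (this is not code from the original message; the table, column names and the username policy in the regular expression are constructed for illustration). The unsafe builders reproduce the message's string concatenation; the hardened builders apply the three rules Paul gives: check the shape of each value with a regular expression, quote every value, and escape quote characters with addslashes(). No database is contacted; each function returns the SQL text so the effect of the input can be inspected.

```php
<?php
// Added example, not part of the original post. The builders below return the
// SQL text they would send so that benign and hostile input can be compared.

function insert_query_unsafe($username, $save_cookies)
{
    // Integer column left unquoted: whatever the client sends is spliced in verbatim.
    return 'INSERT INTO my_table SET username="' . $username
         . '", save_cookies=' . $save_cookies;
}

function search_query_unsafe($keyword)
{
    // The keyword is quoted, but a quote inside the value closes the literal early.
    return 'SELECT * FROM my_table WHERE visible="yes" AND some_field LIKE "'
         . $keyword . '"';
}

// Hardened builders. A failed check returns null so the caller can refuse the
// request instead of sending a statement built from unexpected input.
function insert_query_safe($username, $save_cookies)
{
    // save_cookies comes from a checkbox, so only the strings "0" and "1" are acceptable.
    if (!preg_match('/^[01]$/', (string) $save_cookies)) {
        return null;
    }
    // Constructed username policy: letters, digits and underscore, 1 to 32 characters.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return null;
    }
    // Every value is quoted, including the integer, and quotes are escaped.
    return 'INSERT INTO my_table SET username="' . addslashes($username)
         . '", save_cookies="' . addslashes($save_cookies) . '"';
}

function search_query_safe($keyword)
{
    // Free text: escape ' " \ and NUL, then quote, so the value cannot end the literal.
    return 'SELECT * FROM my_table WHERE visible="yes" AND some_field LIKE "'
         . addslashes($keyword) . '"';
}

// Constructed inputs: the benign case, then the two payloads from the message.
$insert_cases = array(
    array('burney', '1'),
    array('burney', '0, user_type="admin"'),
);
foreach ($insert_cases as $case) {
    list($user, $flag) = $case;
    echo "unsafe: " . insert_query_unsafe($user, $flag) . "\n";
    $safe = insert_query_safe($user, $flag);
    echo "safe:   " . ($safe === null ? 'rejected: save_cookies must be 0 or 1' : $safe) . "\n\n";
}

$search_cases = array('keyword', 'keyword" OR 1="1');
foreach ($search_cases as $kw) {
    echo "unsafe: " . search_query_unsafe($kw) . "\n";
    echo "safe:   " . search_query_safe($kw) . "\n\n";
}
```

With the second insert case the unsafe builder emits `save_cookies=0, user_type="admin"` as live SQL, while the safe builder rejects the value before any statement exists. With the second search case the unsafe builder emits `LIKE "keyword" OR 1="1"`, whereas the safe builder emits `LIKE "keyword\" OR 1=\"1"`, a single harmless string literal. One caveat for readers of this old thread: addslashes() knows nothing about the connection's character set, and later PHP releases provide mysqli_real_escape_string() and, better, prepared statements with bound parameters, which make the quoting and escaping rules above unnecessary because the value never becomes part of the SQL text at all.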