[PHP-DB] php_mssql - 'space' instead of empty string
I've found that since PHP 4.3.4 many people had problems with MSSQL extension. PHP developers are saying that is problem with MS libraries, and there is no possibility to fix it in PHP:

http://bugs.php.net/bug.php?id=29292&edit=1
http://bugs.php.net/bug.php?id=26315&edit=1

Right now I'm using PHP 4.4.0, and still have problem with it.

I understand that php_mssql binaries are compiled using ntwdblib.lib, and that very library is causing trouble, am I right?

Is it possible to recompile php_mssql with old version of ntwdblib.lib (used in PHP 4.3.3) without negative consequences (memory leaks, instability, whatever)? Or using old PHP 4.3.3 is the only solution?

--
Bartosz Jakubiak

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] SQL Injection attack
Greetings all:

Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).

I've got a ton of forms that use the $_POST variable to send information into the database, and I'm worried about injection attacks.

My server has magic_quotes enabled, which I thought would handle most things, but am wondering now if I need to use mysql_escape_string on everything, which would mean, of course, a lot of find-and-replace and rewriting.

Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user when the site is live.

Any suggestions on how to tighten up the form security, or does magic_quotes help enough?

For what it's worth, I've tried to enter things like pw='' and other simulated attacks using the $_GET method, but haven't been able to crack the site. But I'm a noob at that kind of thing, so I try not to get too carried away with myself.

Thanks,
V
Re: [PHP-DB] SQL Injection attack
I'm pretty amateur at this too, but have done a little reading on the subject. Here's some nuggets to ponder while the real experts write their responses: :)

1. Magic quotes + mysql_escape_string = double escaped stuff. I think the general opinion is the magic quotes is evil, but I'm sure some people like it. I prefer to use mysql_escape_string() since it escapes things more specific to MySQL than magic quotes does. Using mysql_escape_string should be good enough by itself.

2. Check data type. If an item is supposed to be an integer, use intval() before inserting into the database.

3. Watch your SQL statements for variables that can turn your statement into a WHERE 1 = 1 situation that will always return TRUE.

Here's something I've been playing with.. a generic function to sanitize data before inserting into the database. You pass it the data and the type of data and it'll clean it up. Nice thing about this is I designed it so if you say type = phone and you process it the same as type = numeric.. then later you decide you want to process phone and numeric types separately, you only have to check this function, not all your lines of code.

If someone has better ways of doing this, I'm all for hearing it. Please opine or criticize what I've posted above too. I want to learn as well.

-TG

Code:

<?php
/**
 *~DBSanitizeData() prepares data for inserting/updating into or selecting from
 * MySQL by making sure that string data is properly escaped so as not to allow
 * 'SQL injection' type security issues from happening. No direct $_POST or $_GET
 * data should ever be used in a SQL string.
 *
 * Returns sanitized copy of data sent to it.
 *
 * Current sanitization only performs a mysql_escape_string() function but could do
 * more later.
 *
 * Example: $result = mysql_query('INSERT INTO TableName (SomeColumn) VALUES ("' . DBSanitizeData($_POST['somevar']) . '")');
 *
 * <pre>
 * Modification Log:
 * --
 * Created: ~~Trevor Gryffyn - 03/28/2005
 *
 * </pre>
 *
 * @author Trevor Gryffyn [EMAIL PROTECTED]
 * @category Database Functions
 *
 */
function DBSanitizeData($dbdata, $datatype = "alpha") {
  switch ($datatype) {
    case "binary":
    case "truefalse":
      // Anything not listed in $trues is stored as "N"; $falses is not consulted
      $trues = array("YES", "Y", "1", "ON", "TRUE", "T");
      $falses = array("NO", "N", "0", "OFF", "FALSE", "F");
      if (in_array(trim(strtoupper($dbdata)), $trues)) {
        $dbdata = "Y";
      } else {
        $dbdata = "N";
      }
      break;
    case "phone":
    case "numeric":
    case "ssn":
      // Keep digits only
      $dbdata = preg_replace ('/[^\d]+/s', '', $dbdata);
      break;
    case "float":
    case "money":
    case "percent":
      // TODO: Should this be handled with floatval() or something else?
      // Yes.. it probably should. Maybe this is better.
      if (strstr($dbdata, ".") AND trim($dbdata) != "") {
        #$dbdata = (preg_replace ('/[^\d]+/s', '', $dbdata) / 100) . ".00";
        $dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata) / 100);
      } else {
        #$dbdata = preg_replace ('/[^\d]+/s', '', $dbdata) . ".00";
        $dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata));
      }
      break;
    case "name":
    case "address":
      $dbdata = ucwords($dbdata);
      break;
    case "state":
      $dbdata = strtoupper($dbdata);
      break;
    case "date":
      $dbdata = date("Y-m-d", strtotime($dbdata));
      // An unparseable date comes back as 1969-12-31; store it as empty
      if ($dbdata == "1969-12-31") $dbdata = "";
      break;
    case "alpha":
    default:
      // Nothing special, just jump down to the trim/escape
      break;
  }
  return trim(mysql_escape_string($dbdata));
}
?>
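Points 1 and 2 of the reply above, as an added example that is not part of the original thread: escaping on top of magic quotes, and what escaping does (and does not do) for a numeric value. The table name items, the sample input and the helpers rawValue() and wholeNumberOrNull() are hypothetical; addslashes() stands in for the MySQL escape function so the script runs without a database.

```php
<?php
// Added example, not code from the thread. addslashes() is what
// magic_quotes_gpc applied to request data; here it also stands in for the
// MySQL escape function so the script runs without a database connection.

// Constructed sample input, as a form would submit it.
$submitted = array('name' => "O'Reilly", 'id' => "7 OR 1=1");

// What the script receives when magic_quotes_gpc is on.
$received = array_map('addslashes', $submitted);

// Hypothetical helper: strip the slashes magic quotes added, so the value
// can be escaped exactly once right before it goes into the query.
function rawValue($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Hypothetical helper: accept only an unsigned whole number, otherwise null.
function wholeNumberOrNull($value)
{
    return ctype_digit((string) $value) ? (int) $value : null;
}

// Point 1: escaping on top of magic quotes leaves a backslash in the stored
// value; undoing magic quotes first avoids it.
$doubleEscaped = addslashes($received['name']);
$escapedOnce   = addslashes(rawValue($received['name'], true));

// Point 2: escaping changes nothing in a value that contains no quote, so in
// an unquoted numeric position it does not stop the "WHERE 1 = 1" case.
// intval() coerces the value to a number; validation rejects it outright.
$id = rawValue($received['id'], true);
$sqlEscapedOnly = "SELECT * FROM items WHERE id = " . addslashes($id);
$sqlIntval      = "SELECT * FROM items WHERE id = " . intval($id);
$validated      = wholeNumberOrNull($id);

echo "double escaped : $doubleEscaped\n";
echo "escaped once   : $escapedOnce\n";
echo "escape only    : $sqlEscapedOnly\n";
echo "intval()       : $sqlIntval\n";
echo "validated id   : " . var_export($validated, true) . "\n";
```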
Re: [PHP-DB] SQL Injection attack
NOTE: http://www.php.net/mysql_escape_string

Version: 4.3.0
Description: This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

Jordan

On Aug 25, 2005, at 2:15 PM, [EMAIL PROTECTED] tg- [EMAIL PROTECTED] wrote:

> Using mysql_escape_string should be good enough by itself.
Re: [PHP-DB] SQL Injection attack
Haha.. what the hell? Ok, I know this is an older copy of the script I wrote because I know I took out the "All this does is escape the data" comment and I KNOW I saw the thing about mysql_escape_string() being deprecated... don't know why it's still in there. Hah

Thanks for pointing that out. Now off to find my newer version and make sure I changed it there too.

-TG

= = = Original message = = =

no !!!

mysql_real_escape_string()

anyhow.. good luck with your security endeavors!

On 8/25/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I'm pretty amateur at this too, but have done a little reading on the subject. [...]
Re: [PHP-DB] SQL Injection attack
Dear veditio,

you wrote:

> I've got a ton of forms that use the $_POST variable to send information into the database [...] Any suggestions on how to tighten up the form security, or does magic_quotes help enough?

I'm not a security expert but after some attacks I have implemented this simple thing. Until today it works for me.

You can put it before you connect to your database. I have only one script to connect to my database, placed outside the /public_html. It is requested by means of one include() in every php script. In this way, this security works in the whole site.

<?
$req = $_SERVER['REQUEST_URI'];
$cadena = explode("?", $req);
$mi_url = $cadena[0];
// the query string is empty when the URL carries no "?"
$resto = isset($cadena[1]) ? $cadena[1] : "";

// here you can put your suspicious strings at will. Just be careful with
// the names of the variables you pass in your URLs
$inyecc='/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i'; // ...etc

// detecting
if (preg_match($inyecc, $resto)) {
    // do something, for example send an e-mail alert
    $ip = $HTTP_SERVER_VARS["HTTP_CLIENT_IP"];
    $forwarded = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];
    $remoteaddress = $HTTP_SERVER_VARS["REMOTE_ADDR"];
    $message = "attack injection in $mi_url \n\nchain: $resto \n\n from: (ip-forw-RA):- $ip - $forwarded - $remoteaddress\n\n - end ";
    mail([EMAIL PROTECTED], "Attack injection", $message, From: [EMAIL PROTECTED]'SERVER_NAME']}, [EMAIL PROTECTED]'SERVER_NAME']});
    // kill execution
    echo 'illegal url';
    die();
}

// DB connection
$connection=mysql_connect(...etc.
?>

If you can, encode this script with Zend Encoder or a similar thing. It will be an additional measure to avoid the reading of this file.

hope it can be useful,

Vicente,
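What the keyword pattern above does to ordinary requests, as an added example that is not part of the original message. The pattern is the one from the message; every request URI is constructed sample data and blockedBy() is a hypothetical helper. The last entry shows that a form submitted with POST, as in the original question, carries no query string for the check to look at, so escaping at the query is still needed.

```php
<?php
// Added example, not code from the thread. The pattern is the one from the
// message above; every request URI below is constructed sample data.
$inyecc = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

// Hypothetical helper: returns the text that tripped the filter, or null
// when the request passes. Only the part after "?" is inspected, as in the
// original script.
function blockedBy($pattern, $requestUri)
{
    $parts = explode('?', $requestUri, 2);
    $query = isset($parts[1]) ? $parts[1] : '';
    return preg_match($pattern, $query, $m) ? $m[0] : null;
}

$requests = array(
    '/shop.php?q=handmade+candles',     // "AND" inside "handmade"
    '/news.php?title=software-update',  // "UPDATE" as an ordinary word
    '/go.php?ref=http://www.php.net/',  // any link passed as a parameter
    '/list.php?cat=description',        // "script" inside "description"
    '/list.php?page=2',                 // nothing on the list
    '/form.php',                        // POST submission: no query string
);

foreach ($requests as $uri) {
    $hit = blockedBy($inyecc, $uri);
    $verdict = ($hit === null) ? 'allowed' : 'blocked on "' . $hit . '"';
    printf("%-34s %s\n", $uri, $verdict);
}
```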
Re: [PHP-DB] php_mssql - 'space' instead of empty string
I don't think this is an issue with an old vs new ntwdblib.lib. The reason is because I don't believe there is a new ntwdblib.lib. Microsoft has not made any changes to this library since SQL Server 6.5. Therefore, the problem lies in the PHP 4.4.0 source code for the mssql extension.

-- bob

On Thu, 25 Aug 2005, Bartosz Jakubiak wrote:

> I've found that since PHP 4.3.4 many people had problems with MSSQL extension. PHP developers are saying that is problem with MS libraries, and there is no possibility to fix it in PHP:
> http://bugs.php.net/bug.php?id=29292&edit=1
> http://bugs.php.net/bug.php?id=26315&edit=1
> Right now I'm using PHP 4.4.0, and still have problem with it. I understand that php_mssql binaries are compiled using ntwdblib.lib, and that very library is causing trouble, am I right? Is it possible to recompile php_mssql with old version of ntwdblib.lib (used in PHP 4.3.3) without negative consequences (memory leaks, instability, whatever)? Or using old PHP 4.3.3 is the only solution?
> --
> Bartosz Jakubiak
Re: [PHP-DB] php_mssql - 'space' instead of empty string
All versions of ntwdblib.lib have this problem. The problem was introduced when it was decided to fix another problem where a char column with value 'aaa ' would be reduced to 'aaa' by the php extension.

I have not tested this issue with the FreeTDS version of this extension (so far only available under php5) but the problem could be fixed there. Just replace php_mssql.dll with php_dblib.dll. You can download a copy from my site (http://kromann.info/php.php).

- Frank
[PHP-DB] session confusion| can anyone help?
here is the code for accesscontrol.php which controls the access to protected page, the server gives an error as of

Notice: Undefined index: uid in E:\www\signup\accesscontrol.php on line 7
Notice: Undefined index: pwd in E:\www\signup\accesscontrol.php on line 8

I tried input username and password and it will give the error as:

Access Denied
Your user ID or password is incorrect, or you are not a registered user on this site. To try logging in again, click here. To register for instant access, click here.

code
//
<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_start();

$suid = isset($_POST['suid']) ? $_POST['suid'] : $_SESSION['suid']; //line 7
$spwd = isset($_POST['spwd']) ? $_POST['spwd'] : $_SESSION['spwd']; //line 8

if(!isset($suid)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are not a registered user, <a href="signup.php">click here</a> to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="suid" size="8" /><br />
    Password: <input type="password" name="spwd" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

// the user ID and the password as submitted are both kept in the session
$_SESSION['suid'] = $suid;
$_SESSION['spwd'] = $spwd;

dbConnect("cartoon");
// $suid and $spwd are placed in the SQL string exactly as received
$sql = "SELECT * FROM userinfo WHERE uid = '$suid' AND pwd = PASSWORD('$spwd')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact [EMAIL PROTECTED]');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['suid']);
  unset($_SESSION['spwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a registered user on this site. To try logging in again, click <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'unick');
echo $username;
?>
//

Thanks.
Re: [PHP-DB] session confusion| can anyone help?
session_start() should be given at the starting of the file, before others. You can include anything after the session_start() function only.

On Fri, 26 Aug 2005, bo wrote:

> here is the code for accesscontrol.php which control the access to protected page, the server gives an error as of [...]

--
* You wouldn't know an OS if it hit you in the face ... Linux Baby ! *