Re: [PHP] Re: Protecting MySQL Injection from PHP form
Jared Farrish wrote:
> Also, you should be checking against type (expecting a number? a boolean value? a string?) and then checking against expected length requirements (such as firstname can only be 80 characters long max, so maybe check for
>
> <code>
> if (strlen($var) > 80) { do something; }
> </code>
>
> In unit testing, you build your objects first against types and perform object checks using type verification and expected element attributes (such as length, non-null values, etc...).

check this, check that. granted the OP posted quite a bit of irrelevant code with regard to SQL injection protection. BUT his use of parameterized queries should protect against injection because MySQL knows what to do with the data (i.e. escape it), which only leaves the question as to whether the character encoding is correctly set up so that nothing funky can get through (although I believe an article by Chris Shiflett pointed out a situation where even if you got everything right it was possible to do SQL injection in some edge cases by submitting specific 'broken' strings).

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Protecting MySQL Injection from PHP form
On May 25, 2007, at 8:47 AM, Jochem Maas wrote:

> check this, check that. granted the OP posted quite a bit of irrelevant code with regard to SQL injection protection. BUT his use of parameterized queries should protect against injection because MySQL knows what to do with the data (i.e. escape it), which only leaves the question as to whether the character encoding is correctly set up so that nothing funky can get through (although I believe an article by Chris Shiflett pointed out a situation where even if you got everything right it was possible to do SQL injection in some edge cases by submitting specific 'broken' strings).

I apologize for posting the entire add script, but I wasn't sure what was needed to check if I was doing it right or not. I figured in this case it was better to give too much info rather than not enough. My big main goal is to make this bit of software as secure/safe as possible.

I will double check the character encoding, which would be done on the database, correct?

Now if only I could get a check box to show up so I can delete multiple people at one time :) But I'm still learning about that.

Thanks for looking! I really appreciate it!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Protecting MySQL Injection from PHP form
On 5/25/07, Jason Pruim [EMAIL PROTECTED] wrote:
> I apologize for posting the entire add script, but I wasn't sure what was needed to check if I was doing it right or not. I figured in this case it was better to give too much info rather than not enough. My big main goal is to make this bit of software as secure/safe as possible.

No apology necessary. As long as you're not posting 90 lines for a one-line question, you're ok. Regardless of what one person or another thinks, I find that it's often useful to see how other people approach problems and get around them. For instance, checking for character encoding is something I really have never done. I happen to think it's a useful best practice to use unit testing techniques to verify posted data, but some people (obviously) view this as overkill. To each his own.

> Now if only I could get a check box to show up so I can delete multiple people at one time :) But I'm still learning about that.

I sure hope you're testing on test data, and not live data...

-- 
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: If the only tool you have is a hammer, you tend to see every problem as a nail. $$
[PHP] Re: Protecting MySQL Injection from PHP form
Jared Farrish wrote:
> On 5/25/07, Jason Pruim [EMAIL PROTECTED] wrote:
>> I apologize for posting the entire add script, but I wasn't sure what was needed to check if I was doing it right or not. I figured in this case it was better to give too much info rather than not enough. My big main goal is to make this bit of software as secure/safe as possible.
>
> No apology necessary. As long as you're not posting 90 lines for a one-line question, you're ok. Regardless of what one person or another thinks, I find that it's often useful to see how other people approach problems and get around them. For instance, checking for character encoding is something I really have never done. I happen to think it's a useful best practice to use unit testing techniques to verify posted data, but some people (obviously) view this as overkill. To each his own.
>
>> Now if only I could get a check box to show up so I can delete multiple people at one time :) But I'm still learning about that.
>
> I sure hope you're testing on test data, and not live data...

Brings back bad memories :(

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Protecting MySQL Injection from PHP form
On May 25, 2007, at 10:44 AM, Darren Whitlen wrote:
> Jared Farrish wrote:
>> On 5/25/07, Jason Pruim [EMAIL PROTECTED] wrote:
>>> I apologize for posting the entire add script, but I wasn't sure what was needed to check if I was doing it right or not. I figured in this case it was better to give too much info rather than not enough. My big main goal is to make this bit of software as secure/safe as possible.
>>
>> No apology necessary. As long as you're not posting 90 lines for a one-line question, you're ok. Regardless of what one person or another thinks, I find that it's often useful to see how other people approach problems and get around them. For instance, checking for character encoding is something I really have never done. I happen to think it's a useful best practice to use unit testing techniques to verify posted data, but some people (obviously) view this as overkill. To each his own.
>>
>>> Now if only I could get a check box to show up so I can delete multiple people at one time :) But I'm still learning about that.
>>
>> I sure hope you're testing on test data, and not live data...
>
> Brings back bad memories :(

No... No live data, just a little web application I'm working on to give my customers another option for their mailing lists. I've done too much on live data before and I don't like it... Too many issues happen :)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Protecting MySQL Injection from PHP form
I'm not sure exactly what kind of sanitization you think you're doing, but if all you do is check to see if it's empty (empty() implements isset(), empty() checks to see if it's set, then if it evaluates to an empty variable), that's not much sanitization.

What you need to do is check for SQL injections, which means you need to sanitize GPC (GET, POST, COOKIES) to prevent the following (only a demonstration):

    SELECT `colname` FROM `tablename` WHERE id='$variable' LIMIT 0,10

What happens if $variable is equal to:

    $variable = $_POST['somedata'];

And $_POST['somedata'] ~ 'INSERT INTO users VALUES('name','password','AdminGroup')' ;

This is an example of a possible SQL injection (which means unknown SQL code is running through your script access). The way to prevent this is to escape single quotes before insert/select, and also turn all html entities into escaped values (so that someone cannot put a <script></script> block into the signature for their user, for example).

The good thing is, there are numerous help sites online that describe how to do this. Generally, you're better off wrapping your SQL commands into a class or at least a series of functions, so that you can implement your sanitization once and use it for all database interactions.

Google: http://www.google.com/search?q=php+sanitize+sql+statement
PHP.net: http://www.php.net/manual/en/security.database.sql-injection.php

-- 
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: If the only tool you have is a hammer, you tend to see every problem as a nail. $$
[PHP] Re: Protecting MySQL Injection from PHP form
Jason Pruim wrote:
> Hi Everyone,
>
> I think I have found a way to prevent SQL code injection into my database and just wanted to get everyone's comments on my method.
>
> <?PHP
> include 'defaults.php';
>
> // Setting error message variable to nothing
> $errmsg = "";
>
> // Check form info
> if (!isset($_POST['FName']) || empty($_POST['FName']))
>     $errmsg .= "<P>Please enter your first name</P>";
> if (!isset($_POST['LName']) || empty($_POST['LName']))
>     $errmsg .= "<P>Please enter your last name</P>";
> if (!isset($_POST['Add1']) || empty($_POST['Add1']))
>     $errmsg .= "<P>Please enter your address</P>";
> if (!isset($_POST['City']) || empty($_POST['City']))
>     $errmsg .= "<P>Please enter your city</P>";
> if (!isset($_POST['State']) || empty($_POST['State']))
>     $errmsg .= "<P>Please enter your state</P>";
> if (!isset($_POST['Zip']) || empty($_POST['Zip']))
>     $errmsg .= "<P>Please enter your zip code</P>";
> if (!isset($_POST['subName']) || empty($_POST['subName']))
>     $errmsg .= "<P>Please enter your submitter name</P>";
>
> // Tell script what to do if there is an error message
> if ($errmsg != "") {
>     echo $errmsg;
>     echo "<a href=\"javascript:history.back();\">Please go back and fill out the missing fields</a>";
>     exit;
> } else {
>     echo "<p>success: all fields were filled out</p>";
> }
>
> $FName = $_POST['FName'];
> $LName = $_POST['LName'];
> $Add1 = $_POST['Add1'];
> $Add2 = $_POST['Add2'];
> $City = $_POST['City'];
> $State = $_POST['State'];
> $Zip = $_POST['Zip'];
> $Date = $_SERVER['REQUEST_TIME'];
> $Record = "\t";
> $subName = $_POST['subName'];
> $subEmail = $_POST['subEmail'];
> $subPhone = $_POST['subPhone'];
> $chkMember = serialize($_POST['chkMember']);
> $chkAdd = serialize($_POST['chkAdd']);
> $chkDel = serialize($_POST['chkDel']);
>
> echo "$FName First Name<BR>";
>
> $link = mysqli_connect($server, $username, $password, $database)
>     or die('Could not connect: ' . mysqli_connect_error());
> echo 'Connected successfully <BR>';
> //mysqli_select_db($link, 'legion') or die('Could not select database: ' . mysqli_error($link));
> echo 'DB selected <BR>';
>
> //Create the statement
> $stmt = mysqli_prepare($link, "INSERT INTO current VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
> // one type character per placeholder: 15 placeholders, 15 's'
> mysqli_stmt_bind_param($stmt, 'sssssssssssssss', $FName, $LName, $Add1, $Add2, $City, $State, $Zip, $Date, $Record, $subName, $subEmail, $subPhone, $chkMember, $chkAdd, $chkDel);
>
> //Add the record
> mysqli_stmt_execute($stmt);
> printf("%d Row Inserted.\n", mysqli_stmt_affected_rows($stmt));
>
> //Close the statement
> mysqli_stmt_close($stmt);
> ?>
>
> The reason I am echoing $FName just above the link was a debugging tool to make sure that it was filling at least SOME of the fields properly before inserting them into the database.
>
> Also, just for planning purposes, I do plan on adding authentication to the form (which I think I can do and track with sessions) but I have a lot more reading to do before I can get that right.
>
> One other thing... What I did to test it was in the $FName field I typed: Jason; SELECT * FROM table; and it inserted the value, but didn't execute the code. Am I correct in thinking that I'm fairly safe from the bad people and the stupid users?

I cannot see any sql-injection protection in your code anywhere? Seems as you're using mysqli, take a look at the mysqli_real_escape_string() function. You need to run each _POST variable through it.

    $FName = mysqli_real_escape_string($link, $_POST['FName']);

Or if your post data only contains data to be entered into the database, you might consider running everything through the function to make things easier:

    foreach ($_POST as $k => $v) $_POST[$k] = mysqli_real_escape_string($link, $v);

Darren

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
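The following is an added example, not the OP's script and not code from anyone in this thread. It is a hardened version of the same insert that ties together the points raised above: it keeps the prepared statement (which, as Jochem notes, is what actually separates data from SQL), sets the connection character set explicitly through mysqli so the client and server agree on where multibyte characters begin and end, binds one type character per placeholder (the posted 'sss' for 15 placeholders would make bind_param fail), and HTML-escapes anything it echoes back to the browser, which is the <script> problem Jared raises. Assumptions: $server, $username, $password and $database come from defaults.php as in the OP's code; the table `current` has 15 columns in the order bound below; the table is stored as utf8mb4 (substitute the charset the table is actually declared with).

```php
<?php
// Added example, not the OP's script: hardened insert with mysqli prepared
// statements, explicit connection charset and one bind type per placeholder.
// Assumes $server, $username, $password, $database from defaults.php and a
// 15-column table `current` stored as utf8mb4.
include 'defaults.php';

$link = mysqli_connect($server, $username, $password, $database);
if (!$link) {
    die('Could not connect: ' . mysqli_connect_error());
}

// Set the charset through the API, not a raw "SET NAMES" query, so the client
// library's own escaping and the server use the same encoding.
if (!mysqli_set_charset($link, 'utf8mb4')) {
    die('Could not set charset: ' . mysqli_error($link));
}

// Unchecked checkbox groups are absent from $_POST, so default them to an
// empty array before serializing instead of serializing an undefined index.
$FName     = $_POST['FName'];
$LName     = $_POST['LName'];
$Add1      = $_POST['Add1'];
$Add2      = $_POST['Add2'];
$City      = $_POST['City'];
$State     = $_POST['State'];
$Zip       = $_POST['Zip'];
$Date      = $_SERVER['REQUEST_TIME'];   // integer timestamp, bound as 'i'
$Record    = "\t";
$subName   = $_POST['subName'];
$subEmail  = $_POST['subEmail'];
$subPhone  = $_POST['subPhone'];
$chkMember = serialize(isset($_POST['chkMember']) ? $_POST['chkMember'] : array());
$chkAdd    = serialize(isset($_POST['chkAdd'])    ? $_POST['chkAdd']    : array());
$chkDel    = serialize(isset($_POST['chkDel'])    ? $_POST['chkDel']    : array());

// Never echo raw user input into the page; escape it for HTML first.
echo htmlspecialchars($FName, ENT_QUOTES, 'UTF-8') . " First Name<br>\n";

// Same statement shape as the OP's. Listing the column names explicitly
// would make a schema change fail loudly instead of shifting values, but the
// column names are not known here, so the positional form is kept.
$sql  = 'INSERT INTO current VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)';
$stmt = mysqli_prepare($link, $sql);
if (!$stmt) {
    die('Prepare failed: ' . mysqli_error($link));
}

// 15 placeholders, 15 type characters: 7 strings, 1 integer, 7 strings.
$types = 'sssssss' . 'i' . 'sssssss';
mysqli_stmt_bind_param($stmt, $types,
    $FName, $LName, $Add1, $Add2, $City, $State, $Zip,
    $Date, $Record,
    $subName, $subEmail, $subPhone, $chkMember, $chkAdd, $chkDel);

// The values travel to the server as bound parameters, so a name such as
// "Jason; SELECT * FROM table" is stored as a string and never parsed as SQL.
if (!mysqli_stmt_execute($stmt)) {
    die('Insert failed: ' . mysqli_stmt_error($stmt));
}
printf("%d row inserted.\n", mysqli_stmt_affected_rows($stmt));

mysqli_stmt_close($stmt);
mysqli_close($link);
```

With parameters bound this way, mysqli_real_escape_string() is not needed for the insert itself; escaping is what you reach for when a value has to be spliced into SQL text, and even then it is only correct once the connection charset has been set as above. Checking execute()'s return value matters too: a bind or execute failure that is silently ignored leaves the script reporting "0 Row Inserted" with no explanation.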
[PHP] Re: Protecting MySQL Injection from PHP form
Also, you should be checking against type (expecting a number? a boolean value? a string?) and then checking against expected length requirements (such as firstname can only be 80 characters long max, so maybe check for

<code>
if (strlen($var) > 80) { do something; }
</code>

In unit testing, you build your objects first against types and perform object checks using type verification and expected element attributes (such as length, non-null values, etc...). If someone is posting a string of 8000 letters into a field that is supposed to contain a number two letters long, before it is stored, maybe you manage that...

On 5/24/07, Jared Farrish [EMAIL PROTECTED] wrote:
> I'm not sure exactly what kind of sanitization you think you're doing, but if all you do is check to see if it's empty (empty() implements isset(), empty() checks to see if it's set, then if it evaluates to an empty variable), that's not much sanitization.
>
> What you need to do is check for SQL injections, which means you need to sanitize GPC (GET, POST, COOKIES) to prevent the following (only a demonstration):
>
>     SELECT `colname` FROM `tablename` WHERE id='$variable' LIMIT 0,10
>
> What happens if $variable is equal to:
>
>     $variable = $_POST['somedata'];
>
> And $_POST['somedata'] ~ 'INSERT INTO users VALUES('name','password','AdminGroup')' ;
>
> This is an example of a possible SQL injection (which means unknown SQL code is running through your script access). The way to prevent this is to escape single quotes before insert/select, and also turn all html entities into escaped values (so that someone cannot put a <script></script> block into the signature for their user, for example).
>
> The good thing is, there are numerous help sites online that describe how to do this. Generally, you're better off wrapping your SQL commands into a class or at least a series of functions, so that you can implement your sanitization once and use it for all database interactions.
>
> Google: http://www.google.com/search?q=php+sanitize+sql+statement
> PHP.net: http://www.php.net/manual/en/security.database.sql-injection.php
>
> --
> Jared Farrish
> Intermediate Web Developer
> Denton, Tx
>
> Abraham Maslow: If the only tool you have is a hammer, you tend to see every problem as a nail. $$

-- 
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: If the only tool you have is a hammer, you tend to see every problem as a nail. $$
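As an added example (not code from Jared or anyone else in the thread), here is the kind of validation layer Jared describes: every posted field is checked against an expected type and a maximum length before any of it reaches the database, and the caller gets back a list of errors plus a cleaned copy of the input. The field names follow the OP's form; the per-field limits, the type rules and the function name validateRecord are assumptions made for this example. It goes beyond the single strlen() check in the message by treating the whole form as a table of rules, so the 8000-letter string aimed at a two-letter state field is rejected before it is stored.

```php
<?php
// Added example, not code from the thread. Field names follow the OP's form;
// limits and type rules are assumptions chosen for illustration.

/**
 * Validate a posted record against per-field type and length rules.
 * Returns array($errors, $clean): $errors maps field => reason,
 * $clean holds only the values that passed every check.
 */
function validateRecord(array $post)
{
    // field => array(type, max length in bytes, required)
    $rules = array(
        'FName'    => array('string', 80,  true),
        'LName'    => array('string', 80,  true),
        'Add1'     => array('string', 120, true),
        'Add2'     => array('string', 120, false),
        'City'     => array('string', 80,  true),
        'State'    => array('state',  2,   true),
        'Zip'      => array('zip',    10,  true),
        'subName'  => array('string', 80,  true),
        'subEmail' => array('email',  254, false),
        'subPhone' => array('phone',  20,  false),
    );
    $errors = array();
    $clean  = array();

    foreach ($rules as $field => $rule) {
        list($type, $max, $required) = $rule;
        $value = isset($post[$field]) ? $post[$field] : '';

        // A field submitted as field[]=... arrives as an array; reject it
        // rather than letting it reach strlen() or the database.
        if (!is_string($value)) {
            $errors[$field] = 'unexpected type';
            continue;
        }
        $value = trim($value);

        if ($value === '') {
            if ($required) {
                $errors[$field] = 'required';
            } else {
                $clean[$field] = '';
            }
            continue;
        }

        // strlen() counts bytes; use mb_strlen() if your limits are in characters.
        if (strlen($value) > $max) {
            $errors[$field] = "longer than $max bytes";
            continue;
        }

        $ok = true;
        switch ($type) {
            case 'state':  $ok = (bool) preg_match('/^[A-Z]{2}$/', $value); break;
            case 'zip':    $ok = (bool) preg_match('/^\d{5}(-\d{4})?$/', $value); break;
            case 'email':  $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false; break;
            case 'phone':  $ok = (bool) preg_match('/^[0-9()\-. +]{7,20}$/', $value); break;
            case 'string': $ok = !preg_match('/[\x00-\x1F\x7F]/', $value); break; // no control chars
        }
        if (!$ok) {
            $errors[$field] = "not a valid $type";
            continue;
        }
        $clean[$field] = $value;
    }
    return array($errors, $clean);
}

// Usage with constructed sample input (normally $_POST).
list($errors, $clean) = validateRecord(array(
    'FName'   => 'Jason',
    'LName'   => str_repeat('x', 200),   // over the 80-byte limit
    'Add1'    => '1 Main St',
    'City'    => 'Denton',
    'State'   => 'tx',                   // lowercase: fails the state rule
    'Zip'     => '76201',
    'subName' => 'Jared',
));
// $errors is array('LName' => 'longer than 80 bytes', 'State' => 'not a valid state')
foreach ($errors as $field => $why) {
    echo '<p>' . htmlspecialchars("$field: $why", ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

The rule table is the point: once the checks live in one place, the insert script only ever sees $clean, and adding a field means adding a row rather than another hand-written if. Validation like this complements, rather than replaces, parameterized queries: the prepared statement stops a value from being parsed as SQL, while the type and length rules stop a value that is well-formed SQL-wise but still nonsense for the column.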