Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-12 Thread Gerald A
Hi Bruce,

On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce bruceb...@gmail.com wrote:


> I have my html/php file set so that the input field only takes 3 digit 3
> digit 4 digit (NPA, NXX, Block) so your proposal of: '201,0); drop
> database YOUR_DATABASE'; would fail due to big length and also I tested
> with inputting letters and my IF function caught it and exited.
>
> Furthermore, everything else (other than phone input fields) is drop down
> boxes with specific numbers or letters inserted in them. I should be 100%
> safe with those right?


Another moment of trepidation should be triggered when you use the words
"input field" as related to forms.

While most people will use an ordinary web browser and whatever fields you
provide, hackers aren't most people. Anyone wanting to break your site isn't
going to be nice and follow the nice rules and use the forms which might
have validation.

Even beginner not-nicers can put together a simple form with your POST as
their target and whatever field lengths and values they want.

You have to treat all input as hostile, since it all can be. It's the only
way you can be safe.

Thanks,
Gerald
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-11 Thread Matthew J. Roth
Bruce, 

These two links may be helpful to you: 

  PHP: SQL Injection - Manual 
http://www.php.net/manual/en/security.database.sql-injection.php 

  PHP: mysql_real_escape_string - Manual 
http://www.php.net/manual/en/function.mysql-real-escape-string.php 

Regards, 

Matthew Roth 
InterMedia Marketing Solutions 
Software Engineer and Systems Developer 



Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread Zeeshan Zakaria
It's not wise to haste in posting for help without first spending some time
thinking yourself. Your mysql syntax is not right, you can clearly see the
missing single quotes starting from 'ext-local. I would also suggest to use
a different syntax for this mysql statement, i.e. using SET instead of
VALUES, which makes the syntax much clearer, i.e. INSERT INTO `table` SET
`col1` = 'value1', `col2` = 'val2' and so on.

Zeeshan A Zakaria

--
www.ilovetovoip.com


Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread bruce bruce
Thank you for the amazing reply. First few lines of your e-mail was EXACTLY
getting me to where I made a mistake. I guess I didn't take the () and ' '
at their face value and was looking somewhere else for the problem.

For sanitizing you mean checking the numbers to make sure they are valid
numbers and not alphabet or other characters? or, are you pointing the fact
that I am keeping mysql root password in plain .php file? I have done an
include of a php file which has mysql root password and that is inserted as an
#include in the html file. So, if someone checks source for html can't see
mysql root password. Even though root is user on mysql is to accept only
from localhost.

I would really appreciate it if you can weigh in on it a bit.

Thanks,
Bruce

On Sat, Jul 10, 2010 at 7:42 AM, Gerald A geraldabli...@gmail.com wrote:

> Hi Bruce,
>
> First, your problem isn't PHP, it seems to be SQL and I'm guessing MySQL at
> that.
>
> Next, you seem to be accepting user input and not sanitizing it. DANGER
> WILL ROBINSON!!!
> This is bad, because it leaves you open to something known as a SQL
> injection attack.
>
> Now, as to syntax:
>
> On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce bruceb...@gmail.com wrote:
>
> > I am making another module for Voicemail. I have three fields in a POST
> > form that have to be connected together to make it a single 10 digit number
> > but there is something wrong in my syntax probably.
> >
> > $npaa = "('$_POST[anpa]')";
> > $nxxa = "('$_POST[anxx]')";
> > $blocka = "('$_POST[ablock]')";
> >
> > $grplist = $npaa.$nxxa.$blocka;
>
> Ok, so suppose arpa=111, anxx=222 and ablock=.
> grplist would then be ('111')('333')('').
>
> > $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre,
> > grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id,
> > ringing, pre_ring)
> > VALUES
> > ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
> >
> > It seems that $grplist is the problem. Can someone please point what is
> > wrong?
> >
> > Error:
> > Error: You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax to use near
> > '('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
> > line 3
>
> Look closely, grasshopper. See it? (Does the hint above help?) Hmmm, ok.
>
> Let's write the line as SQL:
> INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
> annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing,
> pre_ring)
> VALUES
> ('0','ringall','0','0',('111')('333')(''),'0','0','','','0','0','Ring','0');
>
> Clear now? You are trying to insert the raw value --
> ('111')('333')('') -- into your database. This can't make any sense
> except as string, and this isn't one.
>
> I think what you might have meant is to quote the _whole thing_ as a
> string, and not the individual pieces. Then:
> $grplist = '(.$npaa.$nxxa.$blocka.)';
> and
> $blocka = ($_POST[ablock]);  # and for all of them above
>
> This would make the value '(111)(333)()', which should work fine.
>
> Now, if you really meant to add in the quotes, you'll have to quote the
> quotes, which can be hard to do in good times.
>
> Hope this helps,
> Gerald.


Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread bruce bruce
Further to my last post, I added this to sanitize. I also created a new mysql
user with access to only findmefollow portion of the asterisk table for
limited access and assigned only two simultaneous connections with only 10
changes queries per hour (as I know that no more queries will be put through
probably)

if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)

Should that suffice against SQL injections? The if condition changes the
string to number so it removes the chance of people adding
other characters and it also sticks to format NPAN or 2XX2.

Thanks


Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread Gerald A
Hi Bruce,

On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce bruceb...@gmail.com wrote:

> Further to my last post, I added this to sanitize. I also created a new
> mysql user with access to only findmefollow portion of the asterisk table
> for limited access and assigned only two simultaneous connections with only
> 10 changes queries per hour (as I know that no more queries will be put
> through probably)
>
> if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
>
> Should that suffice against SQL injections? The if condition changes the
> string to number so it removes the chance of people adding
> other characters and it also sticks to format NPAN or 2XX2.


There are two things -- the first is, who calls this script? If it's
something you control 100%, you can mitigate the risk a bit. I don't really
like this tact, because if the script gets repurposed, you end up with
something that could be very dangerous.

The second thing is simple -- most people think small here, but you have to
think big and know a bit about how PHP works. PHP strings are pretty amazing
things, and one of the pesky things is that you can put all kinds of things
in it. Now, if that string variable is created as a result of a form input,
then that string can be anything. For a moment, think about if it $npaa =
'201,0); drop database YOUR_DATABASE'; Now, that is pretty nasty, and it
would muck up further SQL injections, but now you get the idea. You should
always check to make sure the data you are getting is what you are
expecting, and exclude what you aren't.

So, are your tests sufficient? I can't remember off the top of my head if
the string -> integer only considers the first number, or it considers the
whole string. (PHP usually errs on the side of ease of use, so I think my
snippet above would still pass your test). If you're expecting only numbers,
I'd write a function that ensures that only numbers are parts of the input.
(And not just for the 3 above variables).
Really, you should never see $_POST(var) (or any PHP CGI variable) that
derives directly from user input.

It takes a few minutes extra, but it'll save hours of sorting later if you
get hit by a SQL injection.

Hope this helps,
Gerald

Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread bruce bruce
Thanks again. Apparently all POST variables come through as strings. The
function you pointed out is I think already built in php as
is_numeric(): http://www.php.net/manual/en/function.is-numeric.php

http://php.net/manual/en/function.is-int.php

If that runs TRUE and if I keep my >=200 and !=911 or !900 I should be safe
from SQL injections. And along with dial-out routes rules, I think I can make
this stronger.

I have my html/php file set so that the input field only takes 3 digit 3
digit 4 digit (NPA, NXX, Block) so your proposal of: '201,0); drop database
YOUR_DATABASE'; would fail due to big length and also I tested with
inputting letters and my IF function caught it and exited.

Furthermore, everything else (other than phone input fields) is drop down
boxes with specific numbers or letters inserted in them. I should be 100%
safe with those right?

By using form POST there should be no other loop holes left opened right?
It's not like php $_GET so people can't try typing to the browser in this
format:

http://www.w3schools.com/welcome.php?fname=Peter&age=37

Thanks a lot,
Bruce


Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread bruce bruce
Here is the steel strong sanitizer:

$npaa = $_POST["anpa"];
$nxxa = $_POST["anxx"];
$blocka = $_POST["ablock"];

# Sanitize
$blocka_san = strspn($blocka, "0123456789");

if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) &&
    is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 &&
    $npaa!=911)
  {

  echo "Number passed sanitization";

  }

What do you think? :-)

-Bruce

Re: [asterisk-users] PHP can't insert - Can someone please help

2010-07-10 Thread Steve Edwards

On Sat, 10 Jul 2010, bruce bruce wrote:


> Here is the steel strong sanitizer:
> $npaa = $_POST["anpa"];
> $nxxa = $_POST["anxx"];
> $blocka = $_POST["ablock"];
>
> # Sanitize
> $blocka_san = strspn($blocka, "0123456789");
>
> if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) &&
>     is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 &&
>     $npaa!=911)
>
>               {
>   echo "Number passed sanitization";
>               }
>
> What do you think? :-)

Yuk.

> On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce bruceb...@gmail.com
> wrote:
>
> > Thanks again. Apparently all POST variables come through as strings.

You may want to read the relevant RFCs. Look for ENCTYPE.

> > The function you pointed out is I think already built in php
> > as is_numeric().
> >
> > http://www.php.net/manual/en/function.is-numeric.php

You may want to read the function definition again. It allows plus,
exponential notation and hexadecimal notation as well.

> > I have my html/php file set so that the input field only takes 3 digit 3
> > digit 4 digit (NPA, NXX, Block) so your proposal of: '201,0); drop
> > database YOUR_DATABASE'; would fail due to big length and also I tested
> > with inputting letters and my IF function caught it and exited.
> >
> > Furthermore, everything else (other than phone input fields) is drop
> > down boxes with specific numbers or letters inserted in them. I should
> > be 100% safe with those right?
> >
> > By using form POST there should be no other loop holes left opened
> > right? It's not like php $_GET so people can't try typing to the browser
> > in this format:

You may want to read the man pages for curl and wget -- both can submit
POST requests.


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000
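
A server-side version of the checks discussed in this thread, as an added example that is not code from any poster: exact-length digit matching in place of is_numeric(), followed by a parameterized INSERT. The helper names, the reduced column list, the 4-digit grpnum and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example, not code from the thread. The field names (anpa, anxx, ablock)
// and the findmefollow table are from the posts; helper names, the reduced column
// list, the 4-digit grpnum and the in-memory SQLite database are assumptions.

// Return $value only if it is a string of exactly $len ASCII digits.
function digits_or_null($value, int $len): ?string
{
    // A $_POST entry can be an array (anpa[]=...), so check the type first.
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (!is_string($value) || preg_match('/\A[0-9]{' . $len . '}\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Validate the three phone fields; return the 10-digit number or null.
function build_grplist(array $post): ?string
{
    $npa   = digits_or_null($post['anpa'] ?? null, 3);
    $nxx   = digits_or_null($post['anxx'] ?? null, 3);
    $block = digits_or_null($post['ablock'] ?? null, 4);
    if ($npa === null || $nxx === null || $block === null) {
        return null;
    }
    // Range rules from the thread: NPA and NXX >= 200, NPA not 900 or 911.
    if ((int) $npa < 200 || (int) $nxx < 200 || $npa === '900' || $npa === '911') {
        return null;
    }
    return $npa . $nxx . $block;
}

// Stand-in for MySQL so the example runs offline (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE findmefollow (grpnum TEXT, strategy TEXT, grplist TEXT)');

// Placeholders keep every value out of the SQL text, validated or not.
$insert = $db->prepare(
    'INSERT INTO findmefollow (grpnum, strategy, grplist)
     VALUES (:grpnum, :strategy, :grplist)'
);

// Constructed request bodies. None of them depends on the HTML form: maxlength
// and drop-down choices are not enforced on what a client actually sends.
$requests = [
    ['grpnum' => '2000', 'anpa' => '201', 'anxx' => '555', 'ablock' => '0123'],
    ['grpnum' => '2000', 'anpa' => '2e2', 'anxx' => '555', 'ablock' => '0123'],
    ['grpnum' => '2000', 'anpa' => '201', 'anxx' => '555', 'ablock' => '1234.5'],
    ['grpnum' => '2000', 'anpa' => '911', 'anxx' => '555', 'ablock' => '0123'],
    ['grpnum' => '2000', 'anpa' => ['201'], 'anxx' => '555', 'ablock' => '0123'],
    ['grpnum' => '2000', 'anpa' => '201,0); drop database YOUR_DATABASE',
     'anxx' => '555', 'ablock' => '0123'],
];

foreach ($requests as $post) {
    $grpnum  = digits_or_null($post['grpnum'] ?? null, 4);
    $grplist = build_grplist($post);
    // For comparison only: is_numeric() accepts "2e2" and "1234.5" as numbers.
    $loose = (is_numeric($post['anpa']) && is_numeric($post['ablock'])) ? 'true' : 'false';
    $shown = is_string($post['anpa']) ? $post['anpa'] : gettype($post['anpa']);
    if ($grpnum === null || $grplist === null) {
        printf("rejected anpa=%s ablock=%s is_numeric=%s\n", $shown, $post['ablock'], $loose);
        continue;
    }
    $insert->execute([':grpnum' => $grpnum, ':strategy' => 'ringall', ':grplist' => $grplist]);
    printf("inserted grplist=%s is_numeric=%s\n", $grplist, $loose);
}

// Count the rows that were actually stored.
printf("%d row(s) stored\n", $db->query('SELECT COUNT(*) FROM findmefollow')->fetchColumn());
```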

[asterisk-users] PHP can't insert - Can someone please help

2010-07-09 Thread bruce bruce
Hi Guys,

I am making another module for Voicemail. I have three fields in a POST form
that have to be connected together to make it a single 10 digit number but
there is something wrong in my syntax probably.


$npaa = "('$_POST[anpa]')";
$nxxa = "('$_POST[anxx]')";
$blocka = "('$_POST[ablock]')";

$grplist = $npaa.$nxxa.$blocka;

$sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist,
annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing,
pre_ring)
VALUES
('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";


It seems that $grplist is the problem. Can someone please point what is
wrong?

Error:
Error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at
line 3

Thanks,
Bruce