Re: [asterisk-users] PHP can't insert - Can someone please help
Hi Bruce,

On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce bruceb...@gmail.com wrote:

> I have my html/php file set so that the input field only takes 3 digits, 3 digits, 4 digits (NPA, NXX, Block), so your proposal of:
>
>     '201,0); drop database YOUR_DATABASE';
>
> would fail due to the big length, and I also tested with inputting letters and my IF function caught it and exited. Furthermore, everything else (other than the phone input fields) is drop-down boxes with specific numbers or letters inserted in them. I should be 100% safe with those, right?

Another moment of trepidation should be triggered when you use the words "input field" as related to forms. While most people will use an ordinary web browser and whatever fields you provide, hackers aren't most people. Anyone wanting to break your site isn't going to be nice and follow the nice rules and use the forms which might have validation. Even beginner not-nicers can put together a simple form with your POST as their target and whatever field lengths and values they want.

You have to treat all input as hostile, since it all can be. It's the only way you can be safe.

Thanks,
Gerald

--
Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] PHP can't insert - Can someone please help
Bruce,

These two links may be helpful to you:

PHP: SQL Injection - Manual
http://www.php.net/manual/en/security.database.sql-injection.php

PHP: mysql_real_escape_string - Manual
http://www.php.net/manual/en/function.mysql-real-escape-string.php

Regards,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
Re: [asterisk-users] PHP can't insert - Can someone please help
It's not wise to rush into posting for help without first spending some time thinking yourself. Your MySQL syntax is not right; you can clearly see the missing single quotes starting from 'ext-local. I would also suggest using a different syntax for this MySQL statement, i.e. using SET instead of VALUES, which makes the syntax much clearer, i.e.

    INSERT INTO `table` SET `col1` = 'value1', `col2` = 'val2'

and so on.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-07-10 12:13 AM, bruce bruce bruceb...@gmail.com wrote:

> Hi Guys,
>
> I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10-digit number, but there is something wrong in my syntax probably.
>
>     $npaa = "('$_POST[anpa]')";
>     $nxxa = "('$_POST[anxx]')";
>     $blocka = "('$_POST[ablock]')";
>     $grplist = $npaa.$nxxa.$blocka;
>
>     $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
>
> It seems that $grplist is the problem. Can someone please point out what is wrong?
>
> Error:
>
>     Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3
>
> Thanks,
> Bruce
Re: [asterisk-users] PHP can't insert - Can someone please help
Thank you for the amazing reply. The first few lines of your e-mail were EXACTLY getting me to where I made a mistake. I guess I didn't take the () and ' ' at their face value and was looking somewhere else for the problem.

For sanitizing, do you mean checking the numbers to make sure they are valid numbers and not alphabet or other characters? Or are you pointing to the fact that I am keeping the MySQL root password in a plain .php file? I have done an include of a php file which has the MySQL root password, and that is inserted as an #include in the html file. So, if someone checks the source for the html they can't see the MySQL root password. Even though root is a user on MySQL that is set to accept only from localhost.

I would really appreciate it if you could weigh in on it a bit.

Thanks,
Bruce

On Sat, Jul 10, 2010 at 7:42 AM, Gerald A geraldabli...@gmail.com wrote:

> Hi Bruce,
>
> First, your problem isn't PHP, it seems to be SQL, and I'm guessing MySQL at that.
>
> Next, you seem to be accepting user input and not sanitizing it. DANGER WILL ROBINSON!!! This is bad, because it leaves you open to something known as a SQL injection attack.
>
> Now, as to syntax:
>
> On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce bruceb...@gmail.com wrote:
>
> > I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10-digit number, but there is something wrong in my syntax probably.
> >
> >     $npaa = "('$_POST[anpa]')";
> >     $nxxa = "('$_POST[anxx]')";
> >     $blocka = "('$_POST[ablock]')";
> >     $grplist = $npaa.$nxxa.$blocka;
>
> Ok, so suppose anpa=111, anxx=222 and ablock=. grplist would then be ('111')('333')('').
>
> >     $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
> >
> > It seems that $grplist is the problem. Can someone please point out what is wrong?
> >
> > Error:
> >
> >     Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3
>
> Look closely, grasshopper. See it? (Does the hint above help?)
>
> Hmmm, ok. Let's write the line as SQL:
>
>     INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('0','ringall','0','0',('111')('333')(''),'0','0','','','0','0','Ring','0');
>
> Clear now? You are trying to insert the raw value -- ('111')('333')('') -- into your database. This can't make any sense except as a string, and this isn't one.
>
> I think what you might have meant is to quote the _whole thing_ as a string, and not the individual pieces. Then:
>
>     $grplist = "'(".$npaa.$nxxa.$blocka.")'";
>
> and
>
>     $blocka = "($_POST[ablock])"; # and for all of them above
>
> This would make the value '(111)(333)()', which should work fine.
>
> Now, if you really meant to add in the quotes, you'll have to quote the quotes, which can be hard to do in good times.
>
> Hope this helps,
> Gerald.
Re: [asterisk-users] PHP can't insert - Can someone please help
Further to my last post, I added this to sanitize. I also created a new MySQL user with access to only the findmefollow portion of the asterisk table for limited access, and assigned only two simultaneous connections with only 10 change queries per hour (as I know that no more queries will be put through, probably).

    if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)

Should that suffice against SQL injections? The if condition changes the string to a number, so it removes the chance of people adding other characters, and it also sticks to the format NPAN or 2XX2.

Thanks

On Sat, Jul 10, 2010 at 10:21 AM, bruce bruce bruceb...@gmail.com wrote:

> Thank you for the amazing reply. The first few lines of your e-mail were EXACTLY getting me to where I made a mistake. I guess I didn't take the () and ' ' at their face value and was looking somewhere else for the problem.
>
> For sanitizing, do you mean checking the numbers to make sure they are valid numbers and not alphabet or other characters? Or are you pointing to the fact that I am keeping the MySQL root password in a plain .php file? I have done an include of a php file which has the MySQL root password, and that is inserted as an #include in the html file. So, if someone checks the source for the html they can't see the MySQL root password. Even though root is a user on MySQL that is set to accept only from localhost.
>
> I would really appreciate it if you could weigh in on it a bit.
>
> Thanks,
> Bruce
>
> On Sat, Jul 10, 2010 at 7:42 AM, Gerald A geraldabli...@gmail.com wrote:
>
> > Hi Bruce,
> >
> > First, your problem isn't PHP, it seems to be SQL, and I'm guessing MySQL at that.
> >
> > Next, you seem to be accepting user input and not sanitizing it. DANGER WILL ROBINSON!!! This is bad, because it leaves you open to something known as a SQL injection attack.
> >
> > Now, as to syntax:
> >
> > On Sat, Jul 10, 2010 at 12:07 AM, bruce bruce bruceb...@gmail.com wrote:
> >
> > > I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10-digit number, but there is something wrong in my syntax probably.
> > >
> > >     $npaa = "('$_POST[anpa]')";
> > >     $nxxa = "('$_POST[anxx]')";
> > >     $blocka = "('$_POST[ablock]')";
> > >     $grplist = $npaa.$nxxa.$blocka;
> >
> > Ok, so suppose anpa=111, anxx=222 and ablock=. grplist would then be ('111')('333')('').
> >
> > >     $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";
> > >
> > > It seems that $grplist is the problem. Can someone please point out what is wrong?
> > >
> > > Error:
> > >
> > >     Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3
> >
> > Look closely, grasshopper. See it? (Does the hint above help?)
> >
> > Hmmm, ok. Let's write the line as SQL:
> >
> >     INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('0','ringall','0','0',('111')('333')(''),'0','0','','','0','0','Ring','0');
> >
> > Clear now? You are trying to insert the raw value -- ('111')('333')('') -- into your database. This can't make any sense except as a string, and this isn't one.
> >
> > I think what you might have meant is to quote the _whole thing_ as a string, and not the individual pieces. Then:
> >
> >     $grplist = "'(".$npaa.$nxxa.$blocka.")'";
> >
> > and
> >
> >     $blocka = "($_POST[ablock])"; # and for all of them above
> >
> > This would make the value '(111)(333)()', which should work fine.
> >
> > Now, if you really meant to add in the quotes, you'll have to quote the quotes, which can be hard to do in good times.
> >
> > Hope this helps,
> > Gerald.
Re: [asterisk-users] PHP can't insert - Can someone please help
Hi Bruce,

On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce bruceb...@gmail.com wrote:

> Further to my last post, I added this to sanitize. I also created a new MySQL user with access to only the findmefollow portion of the asterisk table for limited access, and assigned only two simultaneous connections with only 10 change queries per hour (as I know that no more queries will be put through, probably).
>
>     if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
>
> Should that suffice against SQL injections? The if condition changes the string to a number, so it removes the chance of people adding other characters, and it also sticks to the format NPAN or 2XX2.

There are two things -- the first is, who calls this script? If it's something you control 100%, you can mitigate the risk a bit. I don't really like this tack, because if the script gets repurposed, you end up with something that could be very dangerous.

The second thing is simple -- most people think small here, but you have to think big and know a bit about how PHP works. PHP strings are pretty amazing things, and one of the pesky things is that you can put all kinds of things in them. Now, if that string variable is created as a result of a form input, then that string can be anything. For a moment, think about it if

    $npaa = '201,0); drop database YOUR_DATABASE';

Now, that is pretty nasty, and it would muck up further SQL injections, but now you get the idea. You should always check to make sure the data you are getting is what you are expecting, and exclude what you aren't.

So, are your tests sufficient? I can't remember off the top of my head if the string -> integer only considers the first number, or it considers the whole string. (PHP usually errs on the side of ease of use, so I think my snippet above would still pass your test). If you're expecting only numbers, I'd write a function that ensures that only numbers are parts of the input. (And not just for the 3 above variables).

Really, you should never see $_POST(var) (or any PHP CGI variable) that derives directly from user input. It takes a few minutes extra, but it'll save hours of sorting later if you get hit by a SQL injection.

Hope this helps,
Gerald
Re: [asterisk-users] PHP can't insert - Can someone please help
Thanks again. Apparently all POST variables come through as strings. The function you pointed out is, I think, already built into PHP as is_numeric():

http://www.php.net/manual/en/function.is-numeric.php
http://php.net/manual/en/function.is-int.php

If that runs TRUE and if I keep my >=200 and !=911 or !=900 I should be safe from SQL injections. And along with dial-out route rules, I think I can make this stronger.

I have my html/php file set so that the input field only takes 3 digits, 3 digits, 4 digits (NPA, NXX, Block), so your proposal of:

    '201,0); drop database YOUR_DATABASE';

would fail due to the big length, and I also tested with inputting letters and my IF function caught it and exited. Furthermore, everything else (other than the phone input fields) is drop-down boxes with specific numbers or letters inserted in them. I should be 100% safe with those, right?

By using form POST there should be no other loopholes left open, right? It's not like PHP $_GET, so people can't try typing into the browser in this format: http://www.w3schools.com/welcome.php?fname=Peter&age=37

Thanks a lot,
Bruce

On Sat, Jul 10, 2010 at 1:41 PM, Gerald A geraldabli...@gmail.com wrote:

> Hi Bruce,
>
> On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce bruceb...@gmail.com wrote:
>
> > Further to my last post, I added this to sanitize. I also created a new MySQL user with access to only the findmefollow portion of the asterisk table for limited access, and assigned only two simultaneous connections with only 10 change queries per hour (as I know that no more queries will be put through, probably).
> >
> >     if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
> >
> > Should that suffice against SQL injections? The if condition changes the string to a number, so it removes the chance of people adding other characters, and it also sticks to the format NPAN or 2XX2.
>
> There are two things -- the first is, who calls this script? If it's something you control 100%, you can mitigate the risk a bit. I don't really like this tack, because if the script gets repurposed, you end up with something that could be very dangerous.
>
> The second thing is simple -- most people think small here, but you have to think big and know a bit about how PHP works. PHP strings are pretty amazing things, and one of the pesky things is that you can put all kinds of things in them. Now, if that string variable is created as a result of a form input, then that string can be anything. For a moment, think about it if
>
>     $npaa = '201,0); drop database YOUR_DATABASE';
>
> Now, that is pretty nasty, and it would muck up further SQL injections, but now you get the idea. You should always check to make sure the data you are getting is what you are expecting, and exclude what you aren't.
>
> So, are your tests sufficient? I can't remember off the top of my head if the string -> integer only considers the first number, or it considers the whole string. (PHP usually errs on the side of ease of use, so I think my snippet above would still pass your test). If you're expecting only numbers, I'd write a function that ensures that only numbers are parts of the input. (And not just for the 3 above variables).
>
> Really, you should never see $_POST(var) (or any PHP CGI variable) that derives directly from user input. It takes a few minutes extra, but it'll save hours of sorting later if you get hit by a SQL injection.
>
> Hope this helps,
> Gerald
Re: [asterisk-users] PHP can't insert - Can someone please help
Here is the steel strong sanitizer:

    $npaa = $_POST[anpa];
    $nxxa = $_POST[anxx];
    $blocka = $_POST[ablock];

    # Sanitize
    $blocka_san = strspn($blocka, "0123456789");

    if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) && is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
    {
        echo "Number passed sanitization";
    }

What do you think? :-)

-Bruce

On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce bruceb...@gmail.com wrote:

> Thanks again. Apparently all POST variables come through as strings. The function you pointed out is, I think, already built into PHP as is_numeric():
>
> http://www.php.net/manual/en/function.is-numeric.php
> http://php.net/manual/en/function.is-int.php
>
> If that runs TRUE and if I keep my >=200 and !=911 or !=900 I should be safe from SQL injections. And along with dial-out route rules, I think I can make this stronger.
>
> I have my html/php file set so that the input field only takes 3 digits, 3 digits, 4 digits (NPA, NXX, Block), so your proposal of:
>
>     '201,0); drop database YOUR_DATABASE';
>
> would fail due to the big length, and I also tested with inputting letters and my IF function caught it and exited. Furthermore, everything else (other than the phone input fields) is drop-down boxes with specific numbers or letters inserted in them. I should be 100% safe with those, right?
>
> By using form POST there should be no other loopholes left open, right? It's not like PHP $_GET, so people can't try typing into the browser in this format: http://www.w3schools.com/welcome.php?fname=Peter&age=37
>
> Thanks a lot,
> Bruce
>
> On Sat, Jul 10, 2010 at 1:41 PM, Gerald A geraldabli...@gmail.com wrote:
>
> > Hi Bruce,
> >
> > On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce bruceb...@gmail.com wrote:
> >
> > > Further to my last post, I added this to sanitize. I also created a new MySQL user with access to only the findmefollow portion of the asterisk table for limited access, and assigned only two simultaneous connections with only 10 change queries per hour (as I know that no more queries will be put through, probably).
> > >
> > >     if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
> > >
> > > Should that suffice against SQL injections? The if condition changes the string to a number, so it removes the chance of people adding other characters, and it also sticks to the format NPAN or 2XX2.
> >
> > There are two things -- the first is, who calls this script? If it's something you control 100%, you can mitigate the risk a bit. I don't really like this tack, because if the script gets repurposed, you end up with something that could be very dangerous.
> >
> > The second thing is simple -- most people think small here, but you have to think big and know a bit about how PHP works. PHP strings are pretty amazing things, and one of the pesky things is that you can put all kinds of things in them. Now, if that string variable is created as a result of a form input, then that string can be anything. For a moment, think about it if
> >
> >     $npaa = '201,0); drop database YOUR_DATABASE';
> >
> > Now, that is pretty nasty, and it would muck up further SQL injections, but now you get the idea. You should always check to make sure the data you are getting is what you are expecting, and exclude what you aren't.
> >
> > So, are your tests sufficient? I can't remember off the top of my head if the string -> integer only considers the first number, or it considers the whole string. (PHP usually errs on the side of ease of use, so I think my snippet above would still pass your test). If you're expecting only numbers, I'd write a function that ensures that only numbers are parts of the input. (And not just for the 3 above variables).
> >
> > Really, you should never see $_POST(var) (or any PHP CGI variable) that derives directly from user input. It takes a few minutes extra, but it'll save hours of sorting later if you get hit by a SQL injection.
> >
> > Hope this helps,
> > Gerald
Re: [asterisk-users] PHP can't insert - Can someone please help
On Sat, 10 Jul 2010, bruce bruce wrote:

> Here is the steel strong sanitizer:
>
>     $npaa = $_POST[anpa];
>     $nxxa = $_POST[anxx];
>     $blocka = $_POST[ablock];
>
>     # Sanitize
>     $blocka_san = strspn($blocka, "0123456789");
>
>     if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) && is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)
>     {
>         echo "Number passed sanitization";
>     }
>
> What do you think? :-)

Yuk.

> On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce bruceb...@gmail.com wrote:
>
> > Thanks again. Apparently all POST variables come through as strings.

You may want to read the relevant RFCs. Look for ENCTYPE.

> > The function you pointed out is, I think, already built into PHP as is_numeric(). http://www.php.net/manual/en/function.is-numeric.php

You may want to read the function definition again. It allows plus, exponential notation and hexadecimal notation as well.

> > I have my html/php file set so that the input field only takes 3 digits, 3 digits, 4 digits (NPA, NXX, Block), so your proposal of:
> >
> >     '201,0); drop database YOUR_DATABASE';
> >
> > would fail due to the big length, and I also tested with inputting letters and my IF function caught it and exited. Furthermore, everything else (other than the phone input fields) is drop-down boxes with specific numbers or letters inserted in them. I should be 100% safe with those, right?
> >
> > By using form POST there should be no other loopholes left open, right? It's not like PHP $_GET, so people can't try typing into the browser in this format:

You may want to read the man pages for curl and wget -- both can submit POST requests.

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com
Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
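One way to put Gerald's advice (whitelist every input, never use $_POST values directly) and Steve's is_numeric() caveat into practice, as an added example that is not code from the thread: it shows the comparison-only check posted above accepting the hostile string from Gerald's message, a strict digit whitelist rejecting it, and the thread's INSERT redone with a PDO prepared statement. PDO with an in-memory SQLite table, the constructed POST arrays and PHP 7.1 or later are assumptions so it runs offline; the column names are the thread's.

```php
<?php
// Added example, not code from the thread. It contrasts the comparison-only
// check posted in the thread with a strict digit whitelist, then performs the
// thread's INSERT through a PDO prepared statement so user input can never be
// interpreted as SQL. PDO, the in-memory SQLite table and the sample POST
// arrays are assumptions so the script runs offline.

// The check as posted. PHP compares a leading-numeric string such as
// "201,0); drop database YOUR_DATABASE" as 201 (PHP 7) or, on PHP 8, as a
// string that still sorts above "200", so this returns true for it.
function loose_check(string $npa, string $nxx): bool
{
    return $npa >= 200 && $nxx >= 200 && $npa != 900 && $npa != 911;
}

// Strict whitelist: exactly $len ASCII digits and nothing else. is_numeric()
// is too loose here (it also accepts "+201", " 201" and "2e2"); the /D
// modifier stops "$" from matching before a trailing newline.
function digits_only(string $value, int $len): bool
{
    return preg_match('/^[0-9]{' . $len . '}$/D', $value) === 1;
}

// Returns the 10-digit NPA+NXX+block string, or null if any part fails.
function validate_grplist(string $npa, string $nxx, string $block): ?string
{
    if (!digits_only($npa, 3) || !digits_only($nxx, 3) || !digits_only($block, 4)) {
        return null;
    }
    // Range rules from the thread: NPA and NXX >= 200, no 900 or 911 NPA.
    $n = (int) $npa;
    if ($n < 200 || $n === 900 || $n === 911 || (int) $nxx < 200) {
        return null;
    }
    return $npa . $nxx . $block;
}

// Every column value is bound as a parameter, including the drop-down fields,
// so quotes or semicolons in $post stay data. Returns false if validation fails.
function insert_findmefollow(PDO $db, array $post): bool
{
    $grplist = validate_grplist($post['anpa'] ?? '', $post['anxx'] ?? '', $post['ablock'] ?? '');
    if ($grplist === null) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO findmefollow (grpnum, strategy, grptime, grppre, grplist, annmsg_id,'
        . ' postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)'
        . ' VALUES (:grpnum, :strategy, :grptime, :grppre, :grplist, :annmsg_id,'
        . ' :postdest, :dring, :needsconf, :remotealert_id, :toolate_id, :ringing, :pre_ring)'
    );
    return $stmt->execute([
        ':grpnum' => $post['grpnum'] ?? '', ':strategy' => 'ringall',
        ':grptime' => $post['grptime'] ?? '', ':grppre' => $post['grppre'] ?? '',
        ':grplist' => $grplist, ':annmsg_id' => '0',
        ':postdest' => $post['postdest'] ?? '', ':dring' => '', ':needsconf' => '',
        ':remotealert_id' => '0', ':toolate_id' => '0', ':ringing' => 'Ring',
        ':pre_ring' => $post['pre_ring'] ?? '',
    ]);
}

// Offline demonstration against a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE findmefollow (grpnum, strategy, grptime, grppre, grplist, annmsg_id,'
    . ' postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring)');

// Constructed hostile request: the posted check lets it through, the validator does not.
$hostile = ['anpa' => "201,0); drop database YOUR_DATABASE", 'anxx' => '555', 'ablock' => '1234'];
var_dump(loose_check($hostile['anpa'], $hostile['anxx']));
var_dump(insert_findmefollow($db, $hostile));

// Constructed well-formed request: inserted, and grplist is stored as the 10 digits.
$good = ['anpa' => '201', 'anxx' => '555', 'ablock' => '1234', 'grpnum' => '2000',
         'grptime' => '20', 'grppre' => '', 'postdest' => 'ext-local,vmb2000,1', 'pre_ring' => '0'];
var_dump(insert_findmefollow($db, $good));
var_dump($db->query('SELECT grplist FROM findmefollow')->fetchColumn());
```

Against MySQL the same functions apply unchanged with a mysql: DSN; the prepared statement replaces the manual mysql_real_escape_string() quoting linked earlier in the thread.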
[asterisk-users] PHP can't insert - Can someone please help
Hi Guys,

I am making another module for Voicemail. I have three fields in a POST form that have to be connected together to make it a single 10-digit number, but there is something wrong in my syntax probably.

    $npaa = "('$_POST[anpa]')";
    $nxxa = "('$_POST[anxx]')";
    $blocka = "('$_POST[ablock]')";
    $grplist = $npaa.$nxxa.$blocka;

    $sql="INSERT INTO findmefollow(grpnum, strategy, grptime, grppre, grplist, annmsg_id, postdest, dring, needsconf, remotealert_id, toolate_id, ringing, pre_ring) VALUES ('$_POST[grpnum]','ringall','$_POST[grptime]','$_POST[grppre]',$grplist,'0','$_POST[postdest]','','','0','0','Ring','$_POST[pre_ring]')";

It seems that $grplist is the problem. Can someone please point out what is wrong?

Error:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('333')(''),'0','ext-local,vmb2000,1','','','0','0','Ring','0')' at line 3

Thanks,
Bruce