[EMAIL PROTECTED] wrote:

The question is, actually multiple related questions:

First, how did that bad guy "execute" the query without hitting the
submit button or entering the captcha code, and how did it bypass the
check function? It seems like the query was sent directly to the
database through the registration.php program, but I have no clue how
that could have happened. I need to plug this hole but don't have any
idea where to start looking for it.

First, and easiest, thing I'd do is rename registration.php. I assume it took about 3 1/2 guesses to find that out. Does the form include the action to be registration.php? If yes, you may want to pipe everything through a dummy file, or a not so dummy file. You could check the input from the text field and see if there is
- a semicolon (separates SQL commands)
- any of the common SQL keywords (SELECT, INSERT, UPDATE, DROP, DELETE), and based on that reject the entry
- use the prepared statement or an equivalent mechanism, as discussed on this list in the past days
- write the input to a text file outside the file system accessible through the server, maybe even encrypt it, and use some naming scheme that contains a time string, session ID, or such
- have your renamed registration script read only from that file on the local system and ignore anything that comes in via POST, GET (should not use that in this case anyway), or SESSION
- before you start writing to the db, do the content checks again

The only disadvantage that I see is that one isn't allowed to be called me';DROP TABLE 'Users'; or something like that.

I have tried running the query like registration.php?query but that
didn't work.

That is good.


Any ideas about how I can reproduce this problem would be greatly
appreciated, and any suggestions about how to fix it would be even more
greatly appreciated. 8-)

Thanks for your attention.

I am sure there are other, better solutions to this. I think my approach would make it at least more difficult.


David
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
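The mechanism the question describes, as an added example that is not from the original thread: whatever runs in the browser (the form's submit button, a JavaScript check function, a captcha page) is not part of the request the server sees, so an attacker can POST straight to registration.php, and if the script builds its INSERT by string concatenation the submitted text changes the shape of the statement. Python with sqlite3 stands in for the PHP script and its database; the three-column users table with a hard-coded role, the field names and the sample POST data are assumptions for illustration, and the odd name from the reply above is included to show that a parameterized query needs no keyword blacklist.

```python
import sqlite3

# Constructed sample inputs: each dict stands in for the $_POST array that
# registration.php receives. An attacker produces the second one with a
# hand-crafted POST (curl, a proxy), so nothing that ran in the browser
# first, the form's check function or a captcha step, is guaranteed to have run.
HONEST_POST = {"username": "alice", "email": "alice@example.invalid"}
ATTACKER_POST = {
    # Closes the attacker's own row with role 'admin', then opens a second,
    # throwaway row so the rest of the hard-coded query still parses.
    "username": "mallory', 'mallory@example.invalid', 'admin'), ('",
    "email": "junk@example.invalid",
}
# The name joked about in the reply: harmless once the query is parameterized.
ODD_NAME_POST = {"username": "me';DROP TABLE 'Users';",
                 "email": "me@example.invalid"}


def new_db():
    """In-memory stand-in for the site's database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    return con


def register_vulnerable(con, post):
    """Builds the INSERT by concatenation: the submitted text becomes part
    of the SQL, so a quote in the username ends the literal early and the
    attacker writes the remainder of the statement."""
    sql = ("INSERT INTO users VALUES ('" + post["username"] + "', '"
           + post["email"] + "', 'user')")
    con.execute(sql)
    con.commit()


def register_safe(con, post):
    """Parameterized INSERT: the SQL text is fixed and the values are bound
    separately, so quotes, commas and semicolons in a name stay data."""
    con.execute("INSERT INTO users VALUES (?, ?, 'user')",
                (post["username"], post["email"]))
    con.commit()


def rows(con):
    """(username, role) pairs in insertion order."""
    return con.execute(
        "SELECT username, role FROM users ORDER BY rowid").fetchall()


def demo():
    """Run the same POSTs through both handlers and return what each stored."""
    vuln = new_db()
    for post in (HONEST_POST, ATTACKER_POST):
        register_vulnerable(vuln, post)

    safe = new_db()
    for post in (HONEST_POST, ATTACKER_POST, ODD_NAME_POST):
        register_safe(safe, post)

    return {"vulnerable": rows(vuln), "safe": rows(safe)}


if __name__ == "__main__":
    for label, stored in demo().items():
        print(label)
        for username, role in stored:
            print("   %-55r %s" % (username, role))
```

Through the concatenating handler the attacker ends up with an 'admin' row plus a junk row; through the parameterized one the whole payload is stored verbatim as a username with role 'user', and so is the DROP TABLE name. With a driver that accepts stacked statements (mysqli_multi_query in PHP, for instance) the same concatenation would also let a semicolon start a second statement, which is the case the reply's joke refers to; binding the values is what closes both variants, and no rejection of SQL keywords or semicolons is needed for it.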
