#1 | Junior Member (Devshed Newbie, 0-499 posts) | Joined Aug 2000 | New Mexico | 2 posts
    I have programmed a noticeboard for a client recently using PHP and MySQL. However, I am concerned about its security. Because the noticeboard accepts data from the user and submits that data to MySQL, is it possible for someone to include malicious commands in the form that might do something like erase the database contents? If this is possible, how can I foil this? One idea I had was to use a regex function to run through all the inputs before they are passed to the database and strip all the semicolons out.

    I was worried that someone might do this in a field:

    none; MYSQL_QUERY(delete from noticeboard);

    thus erasing the database. I want to avoid this, or it's my *** if something unforetold happens!

    Please, someone respond to this so I can resolve the security issues.


    Don Sanchez (don_sanchez@hotmail.com)
#2 | Contributing User (Devshed Newbie, 0-499 posts) | Joined Aug 2000 | Washington, USA | 52 posts
    Hi Don

    Great question. You can and should check the form input to make sure it is what you intend it to be and nothing malicious. Here are a couple of steps you can take to make your form input more secure:

    1) Make sure the form being submitted is coming from only the domain(s) authorized to submit the form data. This way people can't make up their own forms with extra <SELECT> options and things and submit them to your script. A basic regular expression compared to the domain will work here. If it is bad, redirect them elsewhere; if it is good, process the form. An example of the code for this and further explanation is available here: http://www.php-scripts.com/php_diary/122299.php3

    2) You can and should strip out malicious form input. I.e., if you are taking a phone number from a text box, then by all means it should LOOK like a phone number. The PHP function strlen() will be helpful in checking the length of a string. Also, let's say you have the following SQL update command:

    UPDATE members set phone='$variable1'

    If someone tries to make $variable1 be "DELETE from members" in your form input, and you did nothing to look for this in the form input, there would be an error since this query is invalid. However, if you let people directly enter MySQL queries into a form without checking at all ... well, the data is ripe for the picking by malicious users.



    ------------------
    - TD Scripts
    - Script School
    - php-scripts
#3 | Junior Member (Devshed Newbie, 0-499 posts) | Joined Aug 2000 | New Mexico | 2 posts
    Thanks TDavid,

    I don't have a field that allows people to run their own SQL queries, as that would be a bit thick.

    The only fields I have are ones to enter the body of the message and the title of the message: these are inserted into the database with a pre-defined INSERT query.

    Good idea about the HTTP_REFERER - I didn't think of that. But there doesn't seem much point in the user adding extra <SELECT> commands, as these need to be defined and picked up by the script, don't they? With the HTTP_REFERER I am planning on defining it as a constant at the start of the script. If we later have two versions (mirrors?) of the site set up in case one goes down, do I just add the other domain name next to the other one in the constant definition, separated by a comma, like:

    <?php

    // Comma-separated list of hosts allowed to submit the form
    define ("REFERER", "www.domain1.com, www.domain2.com");

    ?>

    (our server doesn't support wildcard DNS settings so there would be no domain.com just www.domain.com)

    Is this valid?

    Thanks very much for your help, TDavid.

    Don Sanchez (don_sanchez@hotmail.com)

    [This message has been edited by Don Sanchez (edited August 26, 2000).]
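Added example (not code from this thread): the pre-defined INSERT of a notice title and body that Don describes, built the way TDavid's UPDATE example builds its query (string concatenation) and then with a prepared statement. It shows why stripping semicolons is the wrong fix: one constructed attack string needs no semicolon at all, and an ordinary apostrophe in a user's text breaks the concatenated query. The column names `title` and `body` are assumed; only the table name `noticeboard` comes from the thread. The PHP of 2000 had no prepared statements (code of that era escapes each value with mysql_real_escape_string() instead); this example uses PDO, which is the current answer, and an in-memory SQLite database so it runs offline. The same PDO calls work against MySQL with a `mysql:host=...;dbname=...` DSN. Note also that the HTTP_REFERER check discussed above is sent by the client and is trivial to forge, so it cannot be the control the INSERT relies on.

```php
<?php
// Added example, not from the thread. Demonstrates SQL injection into a
// concatenated INSERT and the prepared-statement fix. Table name from the
// thread; column names title/body are assumed.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE noticeboard (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
    $db->exec("INSERT INTO noticeboard (title, body) VALUES ('Welcome', 'First notice')");
    return $db;
}

// VULNERABLE: the form fields become part of the SQL text itself, exactly
// like UPDATE members set phone='$variable1' in the reply above.
function insertNoticeUnsafe(PDO $db, string $title, string $body): void
{
    $db->exec("INSERT INTO noticeboard (title, body) VALUES ('$title', '$body')");
}

// SAFE: bound parameters. The values travel separately from the query text
// and can never change its structure, whatever characters they contain.
function insertNoticeSafe(PDO $db, string $title, string $body): void
{
    $stmt = $db->prepare('INSERT INTO noticeboard (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
}

function countNotices(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM noticeboard')->fetchColumn();
}

// Constructed attacker inputs (not from the thread).
// 1) Closes the string, ends the INSERT and appends a DELETE. This one does
//    need a semicolon (and the old mysql_query() refused multiple statements).
$withSemicolon = "x'); DELETE FROM noticeboard; -- ";
// 2) No semicolon: closes the first row of the VALUES list and adds a second,
//    attacker-controlled row. Stripping semicolons does nothing against it.
$noSemicolon = "x'), ('Injected title', 'Injected body";
// 3) Ordinary user text that the unsafe version cannot even store.
$legit = "O'Brien says hello";

$db = openDb();
insertNoticeUnsafe($db, 'Test', $withSemicolon);
printf("attack 1, unsafe: %d rows left\n", countNotices($db));            // 0, table emptied

$db = openDb();
insertNoticeUnsafe($db, 'Test', str_replace(';', '', $noSemicolon));
printf("attack 2, unsafe, semicolons stripped: %d rows\n", countNotices($db)); // 3, extra row injected

$db = openDb();
try {
    insertNoticeUnsafe($db, 'Test', $legit);
} catch (PDOException $e) {
    echo "legit apostrophe, unsafe: syntax error, notice lost\n";
}

$db = openDb();
foreach ([$withSemicolon, $noSemicolon, $legit] as $body) {
    insertNoticeSafe($db, 'Test', $body);   // every string is stored literally
}
printf("all three inputs, safe: %d rows\n", countNotices($db));          // 4, nothing executed
```

Run it with `php example.php`. The unsafe function is kept only to show the failure; the fix is to use `insertNoticeSafe` for every query that carries user data, with validation (length, allowed characters) as a second layer rather than the only one.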
