Topic awaiting preservation: PHP injection security? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28059" title="Pages that link to Topic awaiting preservation: PHP injection security? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: PHP injection security? <span class="small">(Page 1 of 1)</span>\$

H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-09-2006 06:26 Hi all... Just wondering, ive turned magic quotes off on my server as it causes all amounts of problems! Obviously now I have to manually addslashes to my $_POST and $_GET variables which i am using, before I use them in my mysql Query. To do this I am using mysql_real_escape_string... this part is all fine. The question I have: is there a vulnerability in using these variables around a php script before they have slasshes added. E.g Say i have a simple POST form, with an input field called myVar. So in php to use this i do code: $myVar = $_POST['myVar']; I then use $myVar around the script, check it for characters I want to allow and that sort of thing. If it contains invalid characters i will do somethign like code: print $myVar . 'contains invalid characters, please try again'; So ... can someone enter something into the input field with some php code, to break out and enter any php they want? Like could they do "'somavar'; <?php insert some bad php here ?> Basically can they use the $_POST variable to break out of my code and enter there own in the current script?
H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-09-2006 06:29 Or is it only a security issue if you use eval() ?
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 06-09-2006 10:26 That would only be an issue if you were using eval(), but, you're always open to cross site scripting if you don't php->htmlentity() everything you output (preferably: When you output it). Eval() is very very rarely used. In all truth, the only time I've found it usefully and sensible was in factory methods, since PHP apperantly doesn't like code: $obj = new $var ( ... ); so you had to do it like code: $obj = eval('return new '. get_class($this). '();'); so long, ->Tyberius Prime
H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-09-2006 11:00 Thanks TP, yeh ive just set it up a bit better, a few scripts for error handling, sql injection preventing, anti magic quotes and htmlentitying everything before I output it.. Is there a way that you can do that on a larger level, as far as i can tell it has to be done for each variable you are about to output. Cant do it on all of your html because it will just print code!
H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-12-2006 15:29 So just to clarify... I prevent SQL injection by doing adding slasshes to my variables before they go in the sql I prevent some other strange stuff by htmlentities on any variables just before I output them I have register globals off and always declare my variables before I use them. I never use eval, so even though the variables are unprotected, unslashed and may contain harmful code, they shouldnt be able to do anything Apart from dealing with email injection, is that really all I need to protect against? Am i missing anything?
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 06-12-2006 17:21 Globals overwrite - in case your code ever runs under a system with register globals on. on the same node - unregistering autogloabls if register_globals is on.
H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-13-2006 01:40 Cool thanks, yeh I turn register globals off in htaccess, but i have never actually used registered globals anyway. I do use $_SERVER a bit, I wonder if these can be hacked and set in the same way as globals? I think they are superglobals, not sure at what point they are set etc though. The other thing i need to do is start using strong passwords, I want to make sure my database is secure so strong passwords is a must i guess! On a side note, i don't use PEAR for anything, is it just a set of common functions to do things or is there something special about it?
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 06-15-2006 19:51 TP I was just wondering why you suggest doing htmlentities() on output rather then doing it before you store the input in question? - Butcher -
H][RO Bipolar (III) Inmate From: Australia Insane since: Oct 2002	posted 06-16-2006 01:57 Actually i can't remember what I was reading but they said you shouldn't store htmlentitied data in your database. Its meant to be used for the html you are about to output, purely so that certain characters (say quotes ") show up. You are better off storing the raw data in your database, that way you always have the option of changing how you output it and what you do to it.
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 06-16-2006 10:07 because one of these day, you might wish to do something else with the data in your database - and then the entitites are going to be a hazzle. Nevertheless, this very forum does just that - it's not a general no no, you can easily get by with a smart unhtmlentities() routine, but, conceptually, you are wrapping the text for a special kind of output, so do it when you do that special output.
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 06-17-2006 01:32 Makes sense. Thanks guys. - Butcher -

Topic awaiting preservation: PHP injection security? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28059" title="Pages that link to Topic awaiting preservation: PHP injection security? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: PHP injection security? <span class="small">(Page 1 of 1)</span>\$

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-09-2006 06:26

Hi all...

Just wondering, ive turned magic quotes off on my server as it causes all amounts of problems! Obviously now I have to manually addslashes to my $_POST and $_GET variables which i am using, before I use them in my mysql Query.

To do this I am using mysql_real_escape_string... this part is all fine.

The question I have: is there a vulnerability in using these variables around a php script before they have slasshes added.

E.g

Say i have a simple POST form, with an input field called myVar.

So in php to use this i do

code:

$myVar = $_POST['myVar'];

I then use $myVar around the script, check it for characters I want to allow and that sort of thing. If it contains invalid characters i will do somethign like

code:

print $myVar . 'contains invalid characters, please try again';

So ... can someone enter something into the input field with some php code, to break out and enter any php they want? Like could they do "'somavar'; <?php insert some bad php here ?>

Basically can they use the $_POST variable to break out of my code and enter there own in the current script?

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-09-2006 06:29

Or is it only a security issue if you use eval() ?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-09-2006 10:26

That would only be an issue if you were using eval(), but, you're always open to cross site scripting if you don't php->htmlentity() everything you output (preferably: When you output it).

Eval() is very very rarely used. In all truth, the only time I've found it usefully and sensible was in factory methods, since PHP apperantly doesn't like

code:

$obj = new $var ( ... );

so you had to do it like

code:

$obj = eval('return new '. get_class($this). '();');

so long,

->Tyberius Prime

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-09-2006 11:00

Thanks TP,

yeh ive just set it up a bit better, a few scripts for error handling, sql injection preventing, anti magic quotes and htmlentitying everything before I output it..

Is there a way that you can do that on a larger level, as far as i can tell it has to be done for each variable you are about to output. Cant do it on all of your html because it will just print code!

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-12-2006 15:29

So just to clarify...

I prevent SQL injection by doing adding slasshes to my variables before they go in the sql

I prevent some other strange stuff by htmlentities on any variables just before I output them

I have register globals off and always declare my variables before I use them.

I never use eval, so even though the variables are unprotected, unslashed and may contain harmful code, they shouldnt be able to do anything

Apart from dealing with email injection, is that really all I need to protect against? Am i missing anything?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-12-2006 17:21

Globals overwrite - in case your code ever runs under a system with register globals on.

on the same node - unregistering autogloabls if register_globals is on.

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-13-2006 01:40

Cool thanks, yeh I turn register globals off in htaccess, but i have never actually used registered globals anyway.

I do use $_SERVER a bit, I wonder if these can be hacked and set in the same way as globals? I think they are superglobals, not sure at what point they are set etc though.

The other thing i need to do is start using strong passwords, I want to make sure my database is secure so strong passwords is a must i guess!

On a side note, i don't use PEAR for anything, is it just a set of common functions to do things or is there something special about it?

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 06-15-2006 19:51

TP

I was just wondering why you suggest doing htmlentities() on output rather then doing it before you store the input in question?

- Butcher -

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 06-16-2006 01:57

Actually i can't remember what I was reading but they said you shouldn't store htmlentitied data in your database. Its meant to be used for the html you are about to output, purely so that certain characters (say quotes ") show up.

You are better off storing the raw data in your database, that way you always have the option of changing how you output it and what you do to it.

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-16-2006 10:07

because one of these day, you might wish to do something else with the data in your database - and then the entitites are going to be a hazzle.

Nevertheless, this very forum does just that - it's not a general no no, you can easily get by with a smart unhtmlentities() routine, but, conceptually, you are wrapping the text for a special kind of output, so do it when you do that special output.

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 06-17-2006 01:32

Makes sense.

Thanks guys.

- Butcher -