DETECTING injection by comparing POST vars to an array?


deadonarrival


I'm intending to do some sanitising of user input, and also logging of certain contents of text boxes.

 

Essentially I want to take the $_POST array, walk through the variables and see if they contain certain keywords, such as JAVASCRIPT:, <script>, UPDATE, INSERT, SELECT, DROP or any of a dozen other SQL/XSS-related keywords.

 

Could anyone suggest a decent way of seeing if each word is in the variable, without using a dozen preg_match or similar functions for each variable?

 

Or rather, how would you go about it?

 

(Also, if anyone has any suggestions for words to check for, that'd be great)


They aren't; I'm retrofitting this sanitisation/logging over someone else's script.

 

I'll pseudo what I think my method will be, though.

 

badwords = array(-some bad words such as update, select, javascript, session)

foreach(post variable as key->value)
{
    key = sanitise(value)
    if(the variable contains any of the bad words)
    {
        insert the username, ip, script, field and value into the log table
    }
}

 

I really just need to work out how to check if the variable contains any of the forbidden words in the array.


Something like:

<?php
$badwords = array("f***","b******");
$string = "hello f*** you b******";
$parts = explode(" ",$string);   // split the string on spaces

foreach($parts as $k => $v)
{
    if(in_array($v,$badwords))   // exact match of a whole word against the list
    {
        echo "bad word detected: " . $v . "<br />";
    }
}
?>

But there are much more complex examples out there.


I thought of exploding it, but the problem is that there's nothing to say they'll leave the convenient spaces in...

 

Javascript, for example, can work with virtually no white space, and I've not tested it but I'd imagine SQL allows UPDATE`table`SET`key`='val`WHERE`key`='val'. Is the best thing to do a preg_match?


I'm not entirely sure what you're wanting to do.

Are you trying to prevent SQL injections?

If so, then you don't need to filter out words; all you have to do is have a good level of checking.

Why would someone use javascript?

All you have to do is use mysql_real_escape_string($str)


No, I know how to prevent SQL injection, what I want to do is log attempts at it.

 

I'm helping a fella out with a website which was poorly coded to start with, and has been the victim of some SQL injection. I'm in the process of finishing sanitising all user input, but he'd really like to find out who is doing it.

 

Simply, I want to check each submitted variable and see if it contains any of the keywords likely to be used during injection attacks - then log the information if it does. Then an admin can trawl through and see if any were actual directed attacks.

 

All I need is something to check if a given value contains one or more of an array of words.

 

Walk through the POST array, and see if any contain one of the bad things. If they do, store the username, IP etc to a log table in mysql. But it has to do it without worrying about the exact layout. I'm just looking for, for example, the word "UPDATE" anywhere within a string.

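The substring check the poster asks for, written as an added example (not code from the thread): the keyword list is turned into one case-insensitive regex with preg_quote and implode, so each POST field costs a single preg_match_all rather than a dozen calls, and "UPDATE`table`SET" with no spaces is still caught. The keyword list, the sample submission and the logging comment are assumptions; sanitising and the actual log INSERT stay in the site's own code.

```php
<?php
// Added example: scan submitted fields for injection-style keywords and report
// which keywords hit in which field, so the caller can log them for review.

// Assumed/illustrative keyword list; tune it for the site in question.
$badwords = ['update', 'insert', 'select', 'drop', 'union', 'javascript:', '<script'];

// Build ONE pattern from the list. preg_quote escapes "<", "." and other
// regex metacharacters so the keywords are matched literally; /i ignores case.
function buildPattern(array $words): string {
    $escaped = array_map(fn($w) => preg_quote($w, '/'), $words);
    return '/' . implode('|', $escaped) . '/i';
}

// Return the distinct keywords found anywhere in $value (empty array if clean).
// It is a plain substring match: no spaces or word boundaries are required.
function findBadwords(string $value, string $pattern): array {
    if (preg_match_all($pattern, $value, $m) === 0) {
        return [];
    }
    return array_values(array_unique(array_map('strtolower', $m[0])));
}

// Walk the submitted fields; return [field => [keywords]] for fields worth logging.
function scanPost(array $post, array $words): array {
    $pattern = buildPattern($words);
    $hits = [];
    foreach ($post as $field => $value) {
        if (!is_string($value)) {   // skip array fields such as checkbox groups
            continue;
        }
        $found = findBadwords($value, $pattern);
        if ($found) {
            $hits[$field] = $found;
        }
    }
    return $hits;
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'amount'  => '42.50',
    'comment' => "x' UNION SELECT 1--",
    'name'    => "Bob<script>alert(1)</script>",
];
foreach (scanPost($sample, $badwords) as $field => $found) {
    // In the real script this is where the username, IP, script name, field and
    // value would be INSERTed into the log table (with a parameterised query).
    echo $field . ': ' . implode(',', $found) . "\n";
}
```

Because it is a substring match, innocent text such as "selected" will also be logged; that is acceptable for this purpose, since the thread's plan is for an admin to read through the log by hand.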

No, they can say it...

 

All I'm doing is making sure that they can't actually inject SQL, and logging any instances where people do use one of those terms. If valid, the variable will be used as normal, but admins will hopefully be able to catch the people doing it, and find out where exactly they're targeting.

 

A quick glance down the list of logs will quickly show up any SQL statements. The fields aren't personal information such as personal messages, so there's no invasion of privacy. It's usually monetary values or short strings.


Use mysql_real_escape_string and store the data as usual. Log user IDs beside the data they enter in the table.

 

Run a cron job twice a day searching through your database for query-like strings, or xss attacks. Email the results, and verify manually. You now know who dun it.
