[SOLVED] Is _POST vulnerable? my website index keeps vanishing


newbtophp

I'm using $_POST on forms on nearly every page of my site, and my index page keeps being removed.

This has never happened before; I've only experienced it today. When I replace the index with a file, after ten minutes or so it's disappeared and my whole directory is viewable.

Like someone is hacking me?!

Can someone reply with an example of how to secure forms/scripts which use $_POST?

I'm not sure if it's to do with $_POST, but I was recommended quite a while ago on another forum to improve the security.

Below is the base of nearly every page of my site (it's a web tool site):

 

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" enctype="multipart/form-data">
<input type="file" name="Upload" />
<input type="submit" name="submit" value="Upload" />
<br />
</form>

<?php
// Only run when the form was submitted and PHP reports the upload itself succeeded.
// ($PHP_SELF on its own only exists with register_globals, which is long gone; the
// $_SERVER value is escaped because it can carry client-supplied path info.)
if (isset($_FILES['Upload']) && $_FILES['Upload']['error'] === UPLOAD_ERR_OK) {
    $file   = file_get_contents($_FILES['Upload']['tmp_name']);
    $submit = isset($_POST['submit']) ? $_POST['submit'] : '';
    if ($file !== '' && $submit === 'Upload') {
        // The uploaded bytes are echoed into the page unescaped: a file that
        // contains "</textarea>" closes the element and the rest is rendered as HTML.
        echo "<textarea style=\"width:100%; height:300px;\">$file</textarea>\n";
    }
}
?>

 


You should never use the values contained in $_POST directly in your code without first sanitizing them.

 

You need to make sure that you strip all bad characters from the values or escape them.

 

Functions you can use to escape bad characters: htmlspecialchars(), htmlentities(), filter_var(), mysql_real_escape_string()
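The textarea in the posted form is the concrete HTML-injection point the reply above is warning about: the uploaded bytes are echoed straight into the page, so a file containing `</textarea>` ends the element and whatever follows is parsed as markup. The following is an added example, not code from the thread; the function names and the sample "upload" are mine.

```php
<?php
// Added example: HTML-context escaping for the file-viewer form in this thread.
// render_unsafe(), render_safe() and form_action() are my own names, not from the post.

// Vulnerable: mirrors the posted code, the file body lands in the page unescaped.
function render_unsafe($bytes)
{
    return "<textarea style=\"width:100%; height:300px;\">$bytes</textarea>\n";
}

// Hardened: every byte that has meaning in HTML becomes an entity, so the browser
// shows the file as text instead of parsing it. ENT_SUBSTITUTE keeps output for
// files that are not valid UTF-8 (without it htmlspecialchars returns "").
function render_safe($bytes)
{
    $escaped = htmlspecialchars($bytes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<textarea style=\"width:100%; height:300px;\">$escaped</textarea>\n";
}

// The form action has the same problem: PHP_SELF includes any path info the client
// appended to the URL (/index.php/"><script>...), so it is escaped before printing.
function form_action()
{
    $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : 'index.php';
    return htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
}

// Constructed sample upload: an attacker-controlled file that closes the textarea
// and then opens a new one so the page still looks normal to the victim.
$payload = "hello\n</textarea><script>alert(document.cookie)</script><textarea>";

echo "Unsafe output:\n" . render_unsafe($payload) . "\n";
echo "Safe output:\n"   . render_safe($payload)   . "\n";
echo "Form action:\n"   . form_action()           . "\n";
```

Run it from the command line to see the two renderings side by side: in the unsafe one the `<script>` element is live HTML, in the safe one it is `&lt;script&gt;` inside the textarea. Escaping is done at the moment the value is written into HTML, not when it is read from the upload, so the same bytes can still be handed to a database or a file with different (or no) escaping.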

You should never use the values contained in $_POST directly in your code without first sanitizing them.

 

You need to make sure that you strip all bad characters from the values or escape them.

 

Functions you can use to escape bad characters: htmlspecialchars(), htmlentities(), filter_var(), mysql_real_escape_string()

 

So, for example, how would I apply the above on:

 

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" enctype="multipart/form-data">
<input type="file" name="Upload" />
<input type="submit" name="submit" value="Upload" />
<br />
</form>

<?php
// Only run when the form was submitted and PHP reports the upload itself succeeded.
// ($PHP_SELF on its own only exists with register_globals, which is long gone; the
// $_SERVER value is escaped because it can carry client-supplied path info.)
if (isset($_FILES['Upload']) && $_FILES['Upload']['error'] === UPLOAD_ERR_OK) {
    $file   = file_get_contents($_FILES['Upload']['tmp_name']);
    $submit = isset($_POST['submit']) ? $_POST['submit'] : '';
    if ($file !== '' && $submit === 'Upload') {
        // The uploaded bytes are echoed into the page unescaped: a file that
        // contains "</textarea>" closes the element and the rest is rendered as HTML.
        echo "<textarea style=\"width:100%; height:300px;\">$file</textarea>\n";
    }
}
?>


That form won't be directly responsible for making your website disappear, since you're not storing the files anywhere, or executing any commands or file includes based on the $_POST values.

 

I'm willing to bet that you're using $_POST values somewhere else as well.

 

Something like this would more or less sanitize your inputs. It assumes you have a mysql database connection open for mysql_real_escape_string().

 

Depending on how you use your data, using another method instead of mysql_real_escape_string() may be better.

 

function sanitize($array)
{
    if (is_array($array)) {
        // Recurse into nested arrays; start from an empty array so an empty
        // input returns array() instead of an undefined variable.
        $clean = array();
        foreach ($array as $key => $val) {
            $clean[$key] = sanitize($val);
        }
    } else {
        // Undo magic_quotes (deprecated in PHP 7.4, removed in 8.0) so the value
        // is not escaped twice.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $array = stripslashes($array);
        }
        // Needs an open connection from the legacy mysql extension (removed in PHP 7).
        $clean = mysql_real_escape_string($array);
    }
    return $clean;
}
// sanitize() returns the cleaned copy; the result has to be stored to take effect.
$_POST = sanitize($_POST);

 

 

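The reply above already hedges that mysql_real_escape_string() is only right "depending on how you use your data": it escapes for one database's quoted string literals and nothing else, and running it over all of $_POST up front means the same value is wrongly escaped when it later goes into HTML, a file name or a shell command. The practitioner's alternative is to keep the raw value and bind it at the point of use. The block below is an added example, not from the thread; it uses PDO with an in-memory SQLite database so it runs without a MySQL server (the pdo_sqlite extension is assumed), and the table, column and function names are mine.

```php
<?php
// Added example, not from the thread: parameter binding at the point of use instead
// of a global sanitize() pass over $_POST. Assumes pdo_sqlite; schema is made up.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)");
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// Constructed "form input": a tautology payload. In a quoted literal the quote
// ends the string and "--" comments out the closing quote the code appends.
$name = "x' OR 1=1 --";

// Vulnerable: the query is assembled as text from the raw POST value, so the
// value's quote and comment characters become SQL.
function lookup_unsafe(PDO $db, $name)
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL,
// so no escaping step (and no magic_quotes juggling) is needed, and the same
// raw value can still be HTML-escaped separately when it is displayed.
function lookup_safe(PDO $db, $name)
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(lookup_unsafe($db, $name)); // both rows: the WHERE clause became a tautology
print_r(lookup_safe($db, $name));   // empty: no user is literally named "x' OR 1=1 --"
```

Binding only covers values; table and column names, ORDER BY directions and LIMIT counts still have to come from an allow-list in the code, never from the request.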

OK, thanks.

How would I only allow certain file types/extensions to be uploaded, and if it's not one of the defined file extensions, there'd be an error?

 

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" enctype="multipart/form-data">
<input type="file" name="Upload" />
<input type="submit" name="submit" value="Upload" />
<br />
</form>

<?php
// Only run when the form was submitted and PHP reports the upload itself succeeded.
// ($PHP_SELF on its own only exists with register_globals, which is long gone; the
// $_SERVER value is escaped because it can carry client-supplied path info.)
if (isset($_FILES['Upload']) && $_FILES['Upload']['error'] === UPLOAD_ERR_OK) {
    $file   = file_get_contents($_FILES['Upload']['tmp_name']);
    $submit = isset($_POST['submit']) ? $_POST['submit'] : '';
    if ($file !== '' && $submit === 'Upload') {
        // The uploaded bytes are echoed into the page unescaped: a file that
        // contains "</textarea>" closes the element and the rest is rendered as HTML.
        echo "<textarea style=\"width:100%; height:300px;\">$file</textarea>\n";
    }
}
?>

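The last post asks for an extension check and the thread never answers it. The following is an added example, not code from the thread or its participants: it accepts the upload only when PHP reports success, the size is within a limit, the extension from the client-supplied name is on an allow-list, and the bytes on disk actually look like text, since the name alone is attacker-controlled. check_upload(), upload_error_message(), the allow-list and the size limit are my assumptions.

```php
<?php
// Added example, not from the thread: allow-listing upload extensions for the
// text-viewer form. Function names, the allow-list and the 1 MiB limit are assumptions.

// Map PHP's upload error codes to a readable reason.
function upload_error_message($code)
{
    switch ($code) {
        case UPLOAD_ERR_OK:         return '';
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:  return 'file too large';
        case UPLOAD_ERR_PARTIAL:    return 'file only partially uploaded';
        case UPLOAD_ERR_NO_FILE:    return 'no file was uploaded';
        default:                    return 'upload failed (code ' . (int) $code . ')';
    }
}

// Returns '' when the upload is acceptable, otherwise an error string for the user.
function check_upload(array $upload, array $allowed, $max_bytes = 1048576)
{
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        return upload_error_message(isset($upload['error']) ? $upload['error'] : -1);
    }
    // Refuse anything that did not arrive through this request's multipart body.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return 'not a real upload';
    }
    if ($upload['size'] > $max_bytes) {
        return 'file too large';
    }
    // Extension from the client-supplied name, lower-cased so "TXT" and "txt"
    // match alike; a name with no extension is rejected rather than passed.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return 'file type not allowed: .' . $ext;
    }
    // The name proves nothing about the content, so also sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    if (strpos($mime, 'text/') !== 0) {
        return 'file content is not text (' . $mime . ')';
    }
    return '';
}

$allowed = array('txt', 'csv', 'log');   // assumption: what the tool should accept

if (isset($_FILES['Upload'])) {
    $problem = check_upload($_FILES['Upload'], $allowed);
    if ($problem !== '') {
        echo '<p>Error: ' . htmlspecialchars($problem, ENT_QUOTES, 'UTF-8') . "</p>\n";
    } else {
        $file = file_get_contents($_FILES['Upload']['tmp_name']);
        echo '<textarea style="width:100%; height:300px;">'
           . htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
           . "</textarea>\n";
    }
}
```

Because this tool only displays the file and never writes it under the web root, the extension check is a usability filter more than a security boundary; the checks that actually matter here are the error code, the size limit and escaping the content on output. If the site ever starts saving uploads, they should go to a directory outside the document root under a server-generated name, never under the name the client sent.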
