Blaze97 Posted April 29, 2011

Hey,

Some of you may have noticed me posting this morning about needing help creating a comment system and securing down my PHP. I have been hard at work and have nearly finished my comment system; all I need to do now is the post form and insert script, and I have been looking into the various suggestions for securing my PHP from injection attacks and the like. However, I am really, really not getting it: how these attacks work, what they do or how to prevent them. I could really use some advice, and not just a link to an article on the matter; I have read about 15 of them and it still doesn't make sense to me. Can anyone give me some advice or an explanation? If someone could secure this page here for me then I should be able to work out the rest. If you need my config.php file just shout.

<?php
include("config/config.php");

$data = mysql_query("SELECT * FROM blog WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error());

while($row = mysql_fetch_array($data)) {
    echo "<table class='main'>
        <tr><td>
        <a href='/news.php?articleid=" . $row['articleid'] . "' class='article_title'>" . $row['title'] . "</a>
        <p>" . $row['introduction'] . "</p></td></tr>
        <tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr>
        </table>";
}
?>

COMMENTS:

<?php
$data = mysql_query("SELECT * FROM comments WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error());

while($row = mysql_fetch_array($data)) {
    echo "<table class='main'><tr><td>
        <p>" . $row['comment'] . "</p></td></tr>
        <tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr>
        </table>";
}
?>

Thanks
Blaze
fugix Posted April 29, 2011

Basically, what an SQL injection is... is when a user injects SQL code through a form into your script, making it do various things that you don't want it to do.
Blaze97 Posted April 29, 2011 Author

Okay, I get that, but...

1) I currently have no forms, so do I need to worry?
2) What can they accomplish using an injection attack?
3) How do I secure my site?
4) I heard of other attacks like XSS and more; how do I protect from them?
fugix Posted April 29, 2011

I will answer number 2: if they SQL-inject a username/password form, they can grant themselves access without actually having a valid username or password.
Fadion Posted April 29, 2011

To answer your questions.

Q: I currently have no forms so do I need to worry?
A: An SQL Injection attack can be performed anywhere there is an input that is used in a SQL query. It can be a GET, POST or COOKIE (although quite rarely) variable. The rule of thumb is to never trust input from users and consider everything an attack. If you want to try if an input breaks a query, just put a single quote in the string (ex: index.php?page=about').

Q: What can they accomplish using an Injection attack?
A: An SQL Injection vulnerability gives the attacker the possibility to exploit your SQL tables. They can get sensitive user data, add new rows or even delete tables if appropriate permissions haven't been set.

To respond to the other 2 questions, I'll give more theory and code examples than the simple answers above.

Most SQL Injection vulnerabilities occur when input hasn't been sanitized. Sanitizing means removing all characters that can break a query or let attackers extend it. Let's see some examples with GET variables, but the same applies to POST or COOKIE.

URL: index.php?title=phpfreaks

//not sanitized - SQL Injection prone
$results = mysql_query("SELECT content FROM pages WHERE title='" . $_GET['title'] . "'");

//sanitized - SQL Injection free
$title = mysql_real_escape_string($_GET['title']);
$results = mysql_query("SELECT content FROM pages WHERE title='$title'");

In the example above, I used the vendor-specific function for sanitizing a string: mysql_real_escape_string(). Basically, you have to run every input through that function.

XSS works in basically the same way, just that it involves the use of arbitrary data in input; mostly HTML and Javascript. A scenario could be a form where visitors can post comments on an article. If the visitor posts HTML or Javascript data, everything will be visible to other users. Those data could be redirects to scam sites, cookie stealing and whatever can be accomplished with the aforementioned languages. Fortunately, it can be sanitized using just a simple function.

//not sanitized - XSS prone
$title = $_POST['title'];
$comment = $_POST['comment'];
$results = mysql_query("INSERT INTO comments (title, comment) VALUES ('$title', '$comment')");

//sanitized - XSS free
$title = htmlentities($_POST['title'], ENT_QUOTES);
$comment = htmlentities($_POST['comment'], ENT_QUOTES);
$results = mysql_query("INSERT INTO comments (title, comment) VALUES ('$title', '$comment')");

htmlentities() will convert most characters to HTML Entities, thus eliminating the possibility to enter arbitrary data.

What I wrote here is just a short roundup of how to prevent SQL Injections and XSS. This isn't brain surgery, but there is more to security than a post on a forum. There are plenty of resources online and books too (this one is straight to the point), but the most important part is how you code. If you get the basic principle of not trusting input, you've got every typical security hole covered.
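As an added illustration (not code from Fadion or Blaze97), here is the article/comment page from the first post rewritten with the two controls the thread discusses, expressed the way a current PHP codebase would do it: the article id is validated as a positive integer and every query uses a PDO prepared statement with bound parameters, so no request value is ever spliced into SQL text; and HTML escaping is done at output time with htmlspecialchars(), so the database keeps the raw comment and the page cannot render it as markup. The table and column names (blog, comments, articleid, title, introduction, author, date, comment) come from Blaze97's post; the functions, the in-memory SQLite database used so the file runs stand-alone, and the sample rows are assumptions of this example. In production the DSN would point at MySQL with real credentials instead.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 7+ with PDO
// (pdo_sqlite for the stand-alone demo, pdo_mysql in production).
declare(strict_types=1);

// Escape a value for HTML output. Called when rendering, never before storage.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The article id must be a positive integer; anything else (including the
// single-quote probe mentioned above) is rejected before it reaches SQL.
function articleIdFromRequest(array $get): ?int
{
    $id = filter_var($get['articleid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id travels as a bound parameter, so the SQL text is fixed regardless
// of what the client sent.
function fetchArticle(PDO $pdo, int $articleId): ?array
{
    $stmt = $pdo->prepare('SELECT articleid, title, introduction, author, date FROM blog WHERE articleid = ?');
    $stmt->execute([$articleId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetchComments(PDO $pdo, int $articleId): array
{
    $stmt = $pdo->prepare('SELECT comment, author, date FROM comments WHERE articleid = ? ORDER BY date ASC');
    $stmt->execute([$articleId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Store the comment exactly as typed. Quotes and tags are plain data here;
// they are neutralised by e() when the page is rendered.
function insertComment(PDO $pdo, int $articleId, string $author, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (articleid, author, comment, date) VALUES (?, ?, ?, ?)');
    $stmt->execute([$articleId, $author, $comment, date('Y-m-d H:i:s')]);
}

// Same markup as the original page, with every database value escaped.
function renderComments(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= "<table class='main'><tr><td><p>" . e($c['comment']) . "</p></td></tr>"
               . "<tr><td align='right' class='small'>Posted by: " . e($c['author'])
               . ", on " . e($c['date']) . "</td></tr></table>\n";
    }
    return $html;
}

// --- Stand-alone demo on constructed data (in-memory SQLite) ---
// Production would use e.g. new PDO('mysql:host=...;dbname=...', $user, $pass, [...]).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE blog (articleid INTEGER PRIMARY KEY, title TEXT, introduction TEXT, author TEXT, date TEXT)');
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, articleid INTEGER, author TEXT, comment TEXT, date TEXT)');
$pdo->exec("INSERT INTO blog VALUES (1, 'Hello', 'First post', 'blaze', '2011-04-29')");

// A comment with an apostrophe and a script tag is stored verbatim by the
// prepared statement and comes back out as inert, visible text.
insertComment($pdo, 1, "O'Brien", "<script>alert('xss')</script> nice post");
echo renderComments(fetchComments($pdo, 1));

// A tampered articleid is rejected instead of being spliced into the query;
// a well-formed one passes and can be handed to fetchArticle().
var_dump(articleIdFromRequest(['articleid' => "1'"]));
var_dump(fetchArticle($pdo, articleIdFromRequest(['articleid' => '1']) ?? 0));
```

Two design points worth noting. Escaping on output rather than before INSERT means the stored text stays reusable (for a plain-text feed, a JSON API, a search index) and the escaping is applied for exactly the context it is needed in; the prepared statement, not escaping, is what protects the query. And validating articleid as an integer is a separate, cheaper check than escaping: a numeric column compared against a quoted, escaped string is still a bug in a MySQL query, whereas a rejected non-integer never becomes a query at all.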