chadrt Posted November 4, 2012 I have a very simple database query that uses a single entry text box to look up something, but I don't want anyone using it to hijack my website. What can be done to prevent that? I hesitate with the amount of information I give out here so that someone doesn't see this post and target my site for hacking. It is a text box that in all actuality should never contain more than 6 characters. Someone told me once that it would be possible to put PHP code into that text box and execute commands on my system. Is that true or am I being paranoid here?
Psycho Posted November 4, 2012 Can't really answer since you have not posted any code. But, you should definitely do a couple of things:
1. Update the code to properly validate/escape the content before running it in a query.
2. You could set up a very simple password check. Just hard code it into the page. Set a session value once the password check is done. Then only display/execute the form if that value is set.
PFMaBiSmAd Posted November 4, 2012 (edited) "Is that true ..." In the case of PHP code being entered in the form field, there would only be a danger if you were causing the content from the form field to be executed as PHP code, either by eval'ing it at some point or saving it to a file as valid PHP code with <?php ?> tags around it and including it back into a .php script. I trust you are not doing either of these things without fully validating what was entered in the form before using it. In the case of SQL being entered in the form field, see Psycho's post above. Posting your logic that is processing the form data before putting it into the query statement would be the best way for anyone to determine if it has any security holes. Edited November 4, 2012 by PFMaBiSmAd
chadrt Posted November 14, 2012 (Author, edited) Ok here goes... The script in question here is a callsign lookup script I built while I was just learning PHP (still have only limited knowledge) and it is not laid out logically. Things are very redundant and I know it could be improved a whole lot. The crazy notes were not so much for others to be able to follow what was happening but more for my own benefit so I could go back and remember why I did those things. I don't really know PHP; I just hacked a BUNCH of commands together to accomplish the lookup. It was a painful process that took me a long time. The page is located at www.allstarnode.com and the lookup is the top left of the page. You can use "KI4MVI" as a test lookup if you like. The data from there is POSTed to a PHP page callsign.php which is a basic page. I keep carrying the data from one page to another, passing it to a different variable name. You will see this when you look at the pages. callsign-switch.php is included in the callsign_body.php page and because of that the variable for the callsign to be looked up is carried to it. The switch file determines what commands are going to be performed and what scripts will do what. The "list" and "details" pages are where the magic really happens. The details page was the first PHP page ever written by me; I knew nothing about joining tables so it is very sloppy, forgive me. I will attach a zip of all the PHP pages I have written for this project! Edited November 14, 2012 by chadrt
chadrt Posted November 14, 2012 (Author, edited) Oh and here is the code that is in the overall_header.html to form the lookup box that is displayed on the top of every page.

<font size="3"><form method="post" action="callsign.php"><input type="text" size="8" maxlength="8" name="cs"><input type="submit" value="Callsign Lookup"></form></font>

I think I may have answered my own question here. The fact that I am using a maxlength=8 option in my text box would most likely keep anything malicious from ever happening? Edited November 14, 2012 by chadrt
Zane Posted November 14, 2012 "The fact that I am using a maxlength=8 option in my text box would most likely keep anything malicious from ever happening?" HTML is not security, nor is Javascript. They are both client side languages, meaning they can be changed by the user as they see fit. There are plugins out there to do just that; they are also used as debugging tools. An example is Firebug for Firefox. With it, anyone can see where the data is going, which PHP files are being included; they can change the HTML in a live fashion; they can execute Javascript commands live as well. Do not fret though and consider Firebug a threat. It is a very, very useful tool in web development. Psycho answered your question the best... though he didn't exactly elaborate on it the best, it is indeed the answer to your question: sanitize, filter, escape, sanitize, etcetera. YOU are in complete control of what goes into your database, the same way as you are in complete control of what foods you ingest. The key here is knowledge. If you want to make sure nothing bad gets into your system, you will have to code on the side of your system... known as server-side... AKA PHP. Here are a few PHP functions to start you off: http://www.php.net/mysql_real_escape_string http://www.php.net/trim http://www.php.net/filter_var IMO, you're pretty safe with just mysql_real_escape_string. It is the only function that actually sanitizes the input for database entry. The other two are simply a way to reject unwanted things... like extra spaces... or a malformed email address.
chadrt Posted November 14, 2012 (Author) Wow, I have read the page http://www.php.net/mysql_real_escape_string twice now and I can't say I understood a thing it was saying. I will take your information and try to find some explanations on the internet and see if I can research the usage and meanings that don't look like gibberish.
Muddy_Funster Posted November 14, 2012 Nothing on that page is gibberish, it's just jargon. Maybe this will help you. Usage:

mysql_real_escape_string($rawString, $resourceLink)

This takes $rawString and runs a sanitization process on it, making it safe to send to the database that is defined in $resourceLink. A resource link is what is returned by performing mysql_connect('server','user','pass'), so if you have

$con = mysql_connect('localhost','root','');

then $con is your resource link. So taking $rawString as the user input form value by doing

$rawString = $_POST['textField'];

you would get a safe sanitized string, which for argument's sake I'll call $safeString, by putting it all together to get

$con = mysql_connect('localhost','root','');
$rawString = $_POST['textField'];
$safeString = mysql_real_escape_string($rawString, $con);

This gives you a safe string that you can now use in a query against the database, a la:

$sql = "SELECT dataField FROM tableName WHERE checkField = '$safeString'";
$result = mysql_query($sql) or die(mysql_error());
Manixat Posted November 14, 2012 (edited) Simply use mysql_real_escape_string every time before you use user input in a query and say "game over" to MySQL hijackers. Edited November 14, 2012 by Manixat
Muddy_Funster Posted November 14, 2012 "Simply use mysql_real_escape_string every time before you use user input in a query and say game over to MySQL hijackers" ...Probably the most pointless post I've seen all week. You restate the same function again that someone else already gave and do nothing whatsoever to validate your statement (I wonder if you code like that too....)
PFMaBiSmAd Posted November 14, 2012 So, it sounds like your callsign value is being used to determine what happens in your code, rather than being used in a database query? In which case using any mysql_ function on the data won't actually prevent anything. P.S. Your code attachment didn't actually work in your post above. You should actually post your code in the thread as most people won't visit links or download files found in posts.
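The advice in this thread (validate on the server because maxlength is not security, escape or parameterise before the query, and validate the value before it drives any switch/include logic) put together as one added example. This is not code from the thread or from the allstarnode.com site; it uses mysqli prepared statements in place of the mysql_* functions discussed above (the mysql_ extension was removed in PHP 7), and the table name, column names, database name and credentials are assumptions for illustration.

```php
<?php
// Added example, not the thread's code. Server-side handling for the
// callsign lookup form (field name "cs" as in the posted HTML).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Whitelist validation. Callsigns are letters and digits only; the cap of 8
// matches the form's maxlength, but it is enforced here because the HTML
// attribute can be removed in the browser. Returns null on anything else.
function validate_callsign(string $raw): ?string
{
    $cs = strtoupper(trim($raw));
    if (preg_match('/^[A-Z0-9]{3,8}$/', $cs) !== 1) {
        return null;
    }
    return $cs;
}

// Parameterised query: the value travels separately from the SQL text, so
// the driver handles quoting and no escaping of $cs is needed. The table
// and columns (callsigns.callsign, callsigns.name) are assumed names.
function lookup_callsign(mysqli $db, string $cs): ?array
{
    $stmt = $db->prepare('SELECT callsign, name FROM callsigns WHERE callsign = ?');
    $stmt->bind_param('s', $cs);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Only the validated value is allowed to reach either the query or any
// switch/include logic downstream; the raw $_POST value is never reused.
$cs = validate_callsign($_POST['cs'] ?? '');
if ($cs === null) {
    http_response_code(400);
    exit('Invalid callsign.');
}

// Connection details are placeholders (assumed), not the site's real ones.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'hamdb');
$db->set_charset('utf8mb4');

$row = lookup_callsign($db, $cs);
if ($row === null) {
    echo 'No record for ' . htmlspecialchars($cs, ENT_QUOTES, 'UTF-8');
} else {
    // Escape on output as well, so stored data cannot inject HTML into the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}
```

If the site stays on the legacy mysql_ extension for now, the same validate_callsign() check still applies before the escaped value is placed in the query, and the escaped value must sit inside quotes in the SQL ('$safeString'), as in Muddy_Funster's corrected example; escaping a value that is not quoted does not protect the query.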