Sorry - Another Security Question - Drop down menus

gazalec · January 26, 2007

i was just wondering if a drop down menu is secure against SQL injection attacks? i was wondering because i was thinking about using this method rather than user input

Cep · January 26, 2007

Its not really more secure, anything client side isn't secure because people can view your source, rip it and then send what they like back to your script. However drop downs are a good way or helping to validate user input for the general user who for example may type in an address line differently to someone else.

Orio · January 26, 2007

Nothing is perfect. Let's take this example:

Lets there's a form with a drop-down at www.random-domain-name.com/form.htm
[code]<form action="process.php" method="POST">
<select name="dropdown">
<option value="index.htm">main page</option>
<option value="forum.php">forum</option>
</select>
<input type="submit" value="go!">
</form>[/code]
This is a regular form, nothing special about it.

Let's say process.php looks like this:
[code]<?php
include($_POST['dropdown']);
?>[/code]

What can a hacker do?
Make a regular html page on [b]his[/b] PC that looks like this:
[code]<form action="www.random-domain-name.com/process.php">
<input type="text" name="dropdown">
<input type="submit">
</form>[/code]
The hacker now enters the page he made himself, and submits the value of http://www.hackers-domain.com/virus.exe
In this case, the virus the hacker sent to the server will execute and I believe there's no need of further explanations of the consequences.

So my suggestion- make heavy validation on everything that comes. You dont want anyone to make any harm to you. Never trust your users.
Of course this example was drastic, but it's just for you to understand my point.

Orio.

gazalec · January 26, 2007

how do u mean rip it. it'll tell u my situation and see if it makes it clearer. I have customer login and on the login screen there is a drop down menu with all the customers and the customer chooses their name this takes them to the next php page which uses the drop down choice to search the database for the record with that name i.e

[code]select * from login where cust_name = "'.$name."'";[/code]

this then start a new form with their customer number in a read-only box they then insert their password and that takes them to their section of the website.

P.S this isn't for online purchasing, the company i work for wants to hold a customers previous orders, so the customers can look back on them or print them off

Orio · January 26, 2007

Read up my example. The hacker can also enter strings that will inject your database and will cause many problems.
In this case, the solution is rather simple- use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.

Orio.

gazalec · January 26, 2007

ok thnks, so how does someone go about validating input by using the sql_real_escape_string() function or some other one.... sorry i'm quite new to this

Cep · January 26, 2007

[quote author=gazalec link=topic=124116.msg513849#msg513849 date=1169812123]
how do u mean rip it.
[/quote]

Well for example just go to your site and in your net browser right click the page and view source, now you have the HTML framework and any client side script. Copy the code to a new document and alter one of the dropdown options with a fake client name. Now use the form in a webserver and now you have "ripped" your work.

Orio's example is a good one.

gazalec · January 26, 2007

but i dont use it to insert data like for e.g. say the drop down'n name is 'cust_name' i would use

[code]$cust_name=$_POST{'cust_name'];

Access database //

select * from login where cust_name = '".$cust_name."'";
[/code]

Cep · January 26, 2007

Ok well I could do this if on your cust_name input I wrote,

[code=php:0]
"" OR cust_name = "Barney"
[/code]

I have just sucessfully SQL injected your script by adding an OR statement to your sql

as now your script would be

[code=php:0]
$cust_name=$_POST{'cust_name'];

Access database //

select * from login where cust_name = "" OR cust_name = "Barney"'";
[/code]

gazalec · January 26, 2007

So Wot Do I Do To Stop This?

Orio · January 26, 2007

I believed I answered your question already...

[quote author=Orio link=topic=124116.msg513851#msg513851 date=1169812327]In this case, the solution is rather simple- use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.[/quote]

Read here about [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url] & [url=http://www.php.net/manual/en/security.database.sql-injection.php]database security[/url].

Orio.

gazalec · January 26, 2007

in fact i just realised this part doesn't matter because all that select * from function does is selects all the data for the row that has the cust_name, whatever the drop down menu select is, this then transfers them to a new page where their cust_no is displayed in a Readonly text box and they must enter their password

[code] select * from login where cust_no='".$cust_no."'">

/assign each field a variable //

then if($pass != $password || $cust_no != $cust){

//Send Back To Login

exit:
}[/code]
the only place vulnrable to injection is the password field and i dont know how to make it more secure

Orio · January 26, 2007

And that's where you are wrong...
If an attacker enters (in the way I had shown) the following string, you won't be very happy:
[code]x'; DROP TABLE login; --[/code]

That's why you [b]have to use[/b] mysql_real_escape_string() (more info in my previous post).

Orio.

Cep · January 26, 2007

You would need to write validation on your inputs and I mean ANY input be it a textbox, dropdown, checkbox, radio button or even Hidden types!

Validation is not a one stop shop you have to work on figuring what you want from the user but at the same time prevent them from accidently breaking your script or deliberatly hacking it.

For your example above you could do the following simple validations,

[code=php:0]
$cust_name=$_POST{'cust_name'];

// Remove OR from the string to cause a deliberate sql crash so any attack cannot be carried through.
$cust_name = str_replace(" OR ", "", $cust_name);

// I've spaced this one out as its hard to see the single apostrophe ' mark but names like O'brian cause sql errors
$cust_name = str_replace (" ' ", "", $cust_name);

//Access database

select * from login where cust_name = '".$cust_name."'";
[/code]

mysql_real_escape_string() will only work on a MySQL database (as far as I am aware) and your example shows an access database.

Orio · January 26, 2007

@Cep-
You dont need to replace stuff, you just need to escape. Something like this:
[code]$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslahses($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);[/code]

Or a more clear way:
[code]$cust_name = $_POST['cust_name'];
if(get_magic_quotes_gpc())
$cust_name = stripslahses($cust_name);
$cust_name = mysql_real_escape_string($cust_name);[/code]

Orio.

Cep · January 26, 2007

Hehe just quick examples really but Orio is right there are ways to prevent damaging inputs you just need as I said earlier figure out what you want and don't want the user to input.

gazalec · January 26, 2007

ok so do i use

[code]
$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslahses($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);
[/code]

everytime i use the $cust_name variable or just when assigning it?

gazalec · January 26, 2007

so do i use

[code]
$cust_name = $_POST['cust_name'];
if(get_magic_quotes_gpc())
$cust_name = stripslahses($cust_name);
$cust_name = mysql_real_escape_string($cust_name);
[/code]
everytime i use the $cust_name variable or just when assigning it?

Cep · January 26, 2007

Not when your using the variable just when your assinging $_POST, $_GET, $_REQUEST data to a variable do you need to check its validity.

gazalec · January 26, 2007

ok Thanks Alot guys phew! knowing me though i'll be back on in a few hours asking more questions lol

Orio · January 26, 2007

Both pieces of code I provided do the same job. It doesnt matter which one you choose.
You need to use it only once, before the query runs.
Are you running a MySQL database?

Orio.

Cep · January 26, 2007

He mentioned Access in his example which is why I wasnt sure mysql functions would work.

Orio · January 26, 2007

He just wrote "access database" as in "The following line accesses the database".

Orio.

gazalec · January 26, 2007

no i'm using MySQL ??? and i'm just wondering can you use this function with sessions?

Sign In

Sorry - Another Security Question - Drop down menus

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information