Sorry - Another Security Question - Drop down menus


gazalec

It's not really more secure; anything client side isn't secure because people can view your source, rip it and then send what they like back to your script. However, drop downs are a good way of helping to validate user input for the general user who, for example, may type in an address line differently to someone else.
Nothing is perfect. Let's take this example:


Let's say there's a form with a drop-down at www.random-domain-name.com/form.htm
[code]<form action="process.php" method="POST">
<select name="dropdown">
<option value="index.htm">main page</option>
<option value="forum.php">forum</option>
</select>
<input type="submit" value="go!">
</form>[/code]
This is a regular form, nothing special about it.

Let's say process.php looks like this:
[code]<?php
include($_POST['dropdown']);
?>[/code]


What can a hacker do?
Make a regular HTML page on [b]his[/b] PC that looks like this:
[code]<form action="http://www.random-domain-name.com/process.php" method="POST">
<input type="text" name="dropdown">
<input type="submit">
</form>[/code]
The hacker now enters the page he made himself, and submits the value of http://www.hackers-domain.com/virus.exe
In this case, the virus the hacker sent to the server will execute and I believe there's no need of further explanations of the consequences.


So my suggestion: make heavy validation on everything that comes in. You don't want anyone to do any harm to you. Never trust your users.
Of course this example was drastic, but it's just for you to understand my point.

Orio.
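Added example (not Orio's code, and not from the thread): one way to close the hole in the process.php above. The submitted value is only ever used as a key into a fixed allow-list, so a forged form that submits a URL or an arbitrary path never reaches include(). The two page locations are assumed.

```php
<?php
// Added example, not the thread's code. The dropdown value is only a key into
// a fixed allow-list; whatever the client sends, include() sees one of these
// two paths at most (hypothetical locations for the two pages in Orio's form).
const ALLOWED_PAGES = [
    'index.htm' => __DIR__ . '/pages/index.htm',
    'forum.php' => __DIR__ . '/pages/forum.php',
];

// Returns the local path for a known page, or null for anything else.
// A forged form can submit any string, including a remote URL, so the
// lookup is an exact match and nothing is derived from the input itself.
function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

// process.php rewritten around the allow-list.
function process(array $post): void
{
    $path = resolve_page((string) ($post['dropdown'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Offline check with constructed inputs: only the two real option values resolve.
$samples = ['index.htm', 'forum.php', 'http://www.hackers-domain.com/virus.exe', ''];
foreach ($samples as $s) {
    printf("%-42s => %s\n", var_export($s, true), resolve_page($s) ?? 'REJECTED');
}
```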
How do you mean, rip it? I'll tell you my situation and see if it makes it clearer. I have customer login, and on the login screen there is a drop down menu with all the customers; the customer chooses their name and this takes them to the next PHP page, which uses the drop down choice to search the database for the record with that name, i.e.

[code]$sql = 'select * from login where cust_name = "' . $name . '"';[/code]

This then starts a new form with their customer number in a read-only box; they then insert their password and that takes them to their section of the website.

P.S. This isn't for online purchasing; the company I work for wants to hold a customer's previous orders, so the customers can look back on them or print them off.
Read my example above. The hacker can also enter strings that will inject your database and will cause many problems.
In this case, the solution is rather simple: use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.

Orio.
[quote author=gazalec link=topic=124116.msg513849#msg513849 date=1169812123]
how do u mean rip it.
[/quote]

Well, for example, just go to your site and in your web browser right-click the page and view source; now you have the HTML framework and any client-side script. Copy the code to a new document and alter one of the dropdown options with a fake client name. Now use the form on a webserver and you have "ripped" your work.

Orio's example is a good one.
Ok well I could do this if on your cust_name input I wrote,

[code=php:0]
"" OR cust_name = "Barney"
[/code]

I have just successfully SQL injected your script by adding an OR statement to your SQL,

as now your script would be

[code=php:0]
$cust_name = $_POST['cust_name'];

// Access database

select * from login where cust_name = "" OR cust_name = "Barney"'";
[/code]
I believed I answered your question already...

[quote author=Orio link=topic=124116.msg513851#msg513851 date=1169812327]In this case, the solution is rather simple- use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.[/quote]

Read here about [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url] & [url=http://www.php.net/manual/en/security.database.sql-injection.php]database security[/url].

Orio.
In fact, I just realised this part doesn't matter, because all that select * from does is select all the data for the row that has the cust_name, whatever the drop down menu selection is. This then transfers them to a new page where their cust_no is displayed in a read-only text box and they must enter their password:

[code]$sql = "select * from login where cust_no='".$cust_no."'";

// assign each field a variable

if($pass != $password || $cust_no != $cust){

    // Send back to login

    exit;
}[/code]

The only place vulnerable to injection is the password field and I don't know how to make it more secure.
And that's where you are wrong...
If an attacker enters (in the way I had shown) the following string, you won't be very happy:
[code]x'; DROP TABLE login; --[/code]

That's why you [b]have to use[/b] mysql_real_escape_string() (more info in my previous post).

Orio.
You would need to write validation on your inputs, and I mean ANY input, be it a textbox, dropdown, checkbox, radio button or even hidden types!

Validation is not a one-stop shop; you have to work on figuring out what you want from the user but at the same time prevent them from accidentally breaking your script or deliberately hacking it.

For your example above you could do the following simple validations,

[code=php:0]
$cust_name = $_POST['cust_name'];

// Remove OR from the string to cause a deliberate sql crash so any attack cannot be carried through.
$cust_name = str_replace(" OR ", "", $cust_name);

// I've spaced this one out as its hard to see the single apostrophe ' mark but names like O'brian cause sql errors
$cust_name = str_replace (" ' ", "", $cust_name);

// Access database

$sql = "select * from login where cust_name = '".$cust_name."'";
[/code]

mysql_real_escape_string()  will only work on a MySQL database (as far as I am aware) and your example shows an access database.
@Cep-
You don't need to replace stuff, you just need to escape. Something like this:
[code]$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);[/code]

Or a more clear way:
[code]$cust_name = $_POST['cust_name'];
if(get_magic_quotes_gpc())
    $cust_name = stripslashes($cust_name);
$cust_name = mysql_real_escape_string($cust_name);[/code]

Orio.
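Added example (not Orio's or Cep's code, and not from the thread): the customer lookup from this thread built three ways, run against a constructed in-memory SQLite table so it needs no MySQL server. PDO::quote() is the driver-aware equivalent of the mysql_real_escape_string() Orio recommends; the prepared statement is the swapped-in technique that avoids building SQL from strings at all. Table, rows and the test input are constructed for the demo.

```php
<?php
// Added example, not the thread's code. Constructed in-memory table standing in
// for the thread's MySQL "login" table; the same three functions work unchanged
// with a MySQL DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (cust_no INTEGER, cust_name TEXT, password TEXT)');
$db->exec("INSERT INTO login VALUES (1, 'Barney', 'secret1'), (2, 'Wilma', 'secret2')");

// The thread's query as written: the value is pasted into the SQL text, so a
// quote in the input ends the literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $name): array
{
    $sql = "select * from login where cust_name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Orio's advice in PDO terms: quote() escapes and wraps the value using the
// driver's own rules, the role mysql_real_escape_string() played for MySQL.
function lookup_escaped(PDO $db, string $name): array
{
    $sql = 'select * from login where cust_name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred: a prepared statement. The value is bound as data and is never
// parsed as SQL, so there is nothing to escape and no magic_quotes to undo.
function lookup_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('select * from login where cust_name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input in the spirit of Cep's post: no customer has this name,
// yet the concatenated query matches Barney's row while the other two match none.
$input = "' OR cust_name = 'Barney";
printf("concat:   %d row(s)\n", count(lookup_concat($db, $input)));
printf("escaped:  %d row(s)\n", count(lookup_escaped($db, $input)));
printf("prepared: %d row(s)\n", count(lookup_prepared($db, $input)));
printf("honest:   %d row(s)\n", count(lookup_prepared($db, 'Barney')));
```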
OK, so do I use

[code]
$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);
[/code]

every time I use the $cust_name variable, or just when assigning it?
So do I use

[code]
$cust_name = $_POST['cust_name'];
if(get_magic_quotes_gpc())
    $cust_name = stripslashes($cust_name);
$cust_name = mysql_real_escape_string($cust_name);
[/code]

every time I use the $cust_name variable, or just when assigning it?
