gazalec Posted January 26, 2007

I was just wondering if a drop-down menu is secure against SQL injection attacks? I was wondering because I was thinking about using this method rather than user input.
Cep Posted January 26, 2007

It's not really more secure; anything client side isn't secure because people can view your source, rip it and then send what they like back to your script. However, drop-downs are a good way of helping to validate user input for the general user, who for example may type in an address line differently to someone else.
Orio Posted January 26, 2007

Nothing is perfect. Let's take this example: let's say there's a form with a drop-down at www.random-domain-name.com/form.htm

[code]
<form action="process.php" method="POST">
<select name="dropdown">
<option value="index.htm">main page</option>
<option value="forum.php">forum</option>
</select>
<input type="submit" value="go!">
</form>
[/code]

This is a regular form, nothing special about it. Let's say process.php looks like this:

[code]
<?php
include($_POST['dropdown']);
?>
[/code]

What can a hacker do? Make a regular HTML page on [b]his[/b] PC that looks like this:

[code]
<form action="www.random-domain-name.com/process.php">
<input type="text" name="dropdown">
<input type="submit">
</form>
[/code]

The hacker now opens the page he made himself, and submits the value http://www.hackers-domain.com/virus.exe. In this case, the virus the hacker sent to the server will execute, and I believe there's no need of further explanation of the consequences.

So my suggestion: make heavy validation on everything that comes in. You don't want anyone to do any harm to you. Never trust your users. Of course this example was drastic, but it's just for you to understand my point.

Orio.
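As an added illustration (not code from Orio or anyone else in the thread), here is how process.php from the post above can be written so that the submitted drop-down value never reaches include() as a path. The form's option values become short keys ('main', 'forum') and the server maps them to its own filenames; the 400 response and the PHP 7 `??` operator are my assumptions.

```php
<?php
// Added example, not from the thread: process.php with a server-side allowlist.
// The client only ever submits a key; the filename comes from this map, so a
// tampered form cannot point include() at a URL or an arbitrary local file.
$pages = [
    'main'  => 'index.htm',   // same target pages as the form in the post
    'forum' => 'forum.php',
];

// Untrusted input: the browser (or a hand-made form) can send any string here.
$choice = $_POST['dropdown'] ?? '';

// Strict membership test; do not fall back to a "nearest match".
if (!is_string($choice) || !array_key_exists($choice, $pages)) {
    http_response_code(400);       // assumed error handling
    exit('Invalid selection.');
}

// $pages[$choice] is one of our own fixed filenames, never user-controlled.
include __DIR__ . '/' . $pages[$choice];
```

The form's `<option>` elements would carry `value="main"` and `value="forum"`; everything else the original post describes (someone rewriting the form on their own machine) still results in the 400 branch, because a value that is not a key in `$pages` is rejected before include() runs.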
gazalec (Author) Posted January 26, 2007

How do you mean "rip it"? I'll tell you my situation and see if it makes it clearer. I have a customer login, and on the login screen there is a drop-down menu with all the customers. The customer chooses their name, and this takes them to the next PHP page, which uses the drop-down choice to search the database for the record with that name, i.e.

[code]
select * from login where cust_name = '".$name."'";
[/code]

This then starts a new form with their customer number in a read-only box; they then insert their password and that takes them to their section of the website.

P.S. This isn't for online purchasing; the company I work for wants to hold a customer's previous orders, so the customers can look back on them or print them off.
Orio Posted January 26, 2007

Read up on my example. The hacker can also enter strings that will inject your database and will cause many problems. In this case, the solution is rather simple: use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.

Orio.
gazalec (Author) Posted January 26, 2007

OK, thanks. So how does someone go about validating input by using the mysql_real_escape_string() function or some other one? Sorry, I'm quite new to this.
Cep Posted January 26, 2007

[quote author=gazalec link=topic=124116.msg513849#msg513849 date=1169812123]how do u mean rip it.[/quote]

Well, for example, just go to your site and in your web browser right-click the page and view source; now you have the HTML framework and any client-side script. Copy the code to a new document and alter one of the drop-down options with a fake client name. Now use the form on a web server, and you have "ripped" your work. Orio's example is a good one.
gazalec (Author) Posted January 26, 2007

But I don't use it to insert data. For example, say the drop-down's name is 'cust_name'; I would use

[code]
$cust_name = $_POST['cust_name'];
// Access database
select * from login where cust_name = '".$cust_name."'";
[/code]
Cep Posted January 26, 2007

OK, well, I could do this if on your cust_name input I wrote

[code=php:0]
"" OR cust_name = "Barney"
[/code]

I have just successfully SQL injected your script by adding an OR statement to your SQL, as now your script would be

[code=php:0]
$cust_name = $_POST['cust_name'];
// Access database
select * from login where cust_name = "" OR cust_name = "Barney"'";
[/code]
gazalec (Author) Posted January 26, 2007

So what do I do to stop this?
Orio Posted January 26, 2007

I believe I answered your question already...

[quote author=Orio link=topic=124116.msg513851#msg513851 date=1169812327]In this case, the solution is rather simple- use mysql_real_escape_string() on everything that comes into the database. Just don't forget to use stripslashes() if magic_quotes_gpc is set before using this function.[/quote]

Read here about [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url] & [url=http://www.php.net/manual/en/security.database.sql-injection.php]database security[/url].

Orio.
gazalec (Author) Posted January 26, 2007

In fact, I just realised this part doesn't matter, because all that select * from does is select all the data for the row that has the cust_name, whatever the drop-down menu selection is. This then transfers them to a new page where their cust_no is displayed in a read-only text box and they must enter their password:

[code]
select * from login where cust_no = '".$cust_no."'"
// assign each field a variable
// then
if ($pass != $password || $cust_no != $cust) {
    // Send back to login
    exit;
}
[/code]

The only place vulnerable to injection is the password field, and I don't know how to make it more secure.
Orio Posted January 26, 2007

And that's where you are wrong... If an attacker enters (in the way I had shown) the following string, you won't be very happy:

[code]
x'; DROP TABLE login; --
[/code]

That's why you [b]have to use[/b] mysql_real_escape_string() (more info in my previous post).

Orio.
Cep Posted January 26, 2007

You would need to write validation on your inputs, and I mean ANY input, be it a textbox, drop-down, checkbox, radio button or even hidden types! Validation is not a one-stop shop; you have to work on figuring out what you want from the user, but at the same time prevent them from accidentally breaking your script or deliberately hacking it.

For your example above you could do the following simple validations:

[code=php:0]
$cust_name = $_POST['cust_name'];

// Remove OR from the string to cause a deliberate SQL crash so any attack cannot be carried through.
$cust_name = str_replace(" OR ", "", $cust_name);

// I've spaced this one out as it's hard to see the single apostrophe ' mark, but names like O'brian cause SQL errors
$cust_name = str_replace(" ' ", "", $cust_name);

// Access database
select * from login where cust_name = '".$cust_name."'";
[/code]

mysql_real_escape_string() will only work on a MySQL database (as far as I am aware), and your example shows an Access database.
Orio Posted January 26, 2007

@Cep: You don't need to replace stuff, you just need to escape. Something like this:

[code]
$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);
[/code]

Or a clearer way:

[code]
$cust_name = $_POST['cust_name'];
if (get_magic_quotes_gpc()) $cust_name = stripslashes($cust_name);
$cust_name = mysql_real_escape_string($cust_name);
[/code]

Orio.
Cep Posted January 26, 2007

Hehe, just quick examples really, but Orio is right: there are ways to prevent damaging inputs; you just need, as I said earlier, to figure out what you want and don't want the user to input.
gazalec (Author) Posted January 26, 2007

OK, so do I use

[code]
$cust_name = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_POST['cust_name'])) : mysql_real_escape_string($_POST['cust_name']);
[/code]

every time I use the $cust_name variable, or just when assigning it?
gazalec (Author) Posted January 26, 2007

So do I use

[code]
$cust_name = $_POST['cust_name'];
if (get_magic_quotes_gpc()) $cust_name = stripslashes($cust_name);
$cust_name = mysql_real_escape_string($cust_name);
[/code]

every time I use the $cust_name variable, or just when assigning it?
Cep Posted January 26, 2007

Not when you're using the variable; just when you're assigning $_POST, $_GET or $_REQUEST data to a variable do you need to check its validity.
gazalec (Author) Posted January 26, 2007

OK, thanks a lot guys, phew! Knowing me though, I'll be back on in a few hours asking more questions, lol.
Orio Posted January 26, 2007

Both pieces of code I provided do the same job. It doesn't matter which one you choose. You need to use it only once, before the query runs.

Are you running a MySQL database?

Orio.
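The thread settles on escaping with mysql_real_escape_string() (Orio's snippets above) rather than stripping substrings (Cep's str_replace() version), applied once when the request value is assigned. The mysql_* extension those snippets rely on was removed in PHP 7, so as an added example, not code from any poster, here is the same customer lookup written with a mysqli prepared statement. The value is bound as a parameter and never becomes part of the SQL text, which makes the magic_quotes_gpc juggling unnecessary. The connection credentials, the `cust_no` column name and the error responses are my assumptions.

```php
<?php
// Added example, not from the thread: the login-page lookup using a prepared
// statement instead of string concatenation.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');   // assumed credentials
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable.');
}
$db->set_charset('utf8mb4');   // keep escaping rules and connection charset in step

// Untrusted input: a drop-down value is still just a POST field and can be
// anything the client chooses to send (see Cep's "rip it" explanation).
$custName = $_POST['cust_name'] ?? '';

// Structural validation first: the drop-down only ever offers plain names,
// so empty, non-string or overlong values are rejected outright.
if (!is_string($custName) || $custName === '' || strlen($custName) > 100) {
    http_response_code(400);
    exit('Invalid customer name.');
}

// The vulnerable form from the thread, shown for contrast (do not run):
//   $sql = "select * from login where cust_name = '" . $custName . "'";
// A name containing a quote, such as O'Brian, breaks this query just as an
// injected string would; the fix below handles both the same way.

// Safe form: a placeholder in the SQL, the value bound separately. MySQL
// receives the name as data, so quotes or SQL keywords inside it are inert.
$stmt = $db->prepare('SELECT cust_no FROM login WHERE cust_name = ?');
$stmt->bind_param('s', $custName);   // 's' binds the value as a string
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($row === null) {
    exit('No such customer.');
}

// Output encoding for the read-only box on the next form; the same bind-
// the-value rule applies to the password field on that page.
echo 'Customer number: ' . htmlspecialchars((string) $row['cust_no'], ENT_QUOTES, 'UTF-8');
```

Binding does the escaping job the thread describes, once per query, at the database boundary; there is nothing to apply "every time the variable is used", which answers the question gazalec asked about when to escape. Note that `get_result()` needs the mysqlnd driver that ships with PHP by default.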
Cep Posted January 26, 2007

He mentioned Access in his example, which is why I wasn't sure MySQL functions would work.
Orio Posted January 26, 2007

He just wrote "access database" as in "the following line accesses the database".

Orio.
gazalec (Author) Posted January 26, 2007

No, I'm using MySQL ??? And I'm just wondering, can you use this function with sessions?