Jump to content

Can someone help secure this?

groundwar

By groundwar
in PHP Coding Help

Recommended Posts

groundwar Newbie

groundwar

Posted
Posted

Okay, so I want to automate form creation, which on the surface is probably got a lot of holes. This is my script which essentially creates a token for security, creates an operation such as inserting into a table, as well as some random functions for JS oncomplete. I'm worried that by specifying the operation in the form field I'm opening myself up, which I am, however I'm sure there's a way I can lock this down? Thoughts?

 

 

INSERT("MYTABLE","dosomething");

 

//-------------------------------------------------------------------------------//

//

// 23. CREATES INSERT FIELDS FOR FORMS

//

//-------------------------------------------------------------------------------//

function INSERT( $criteria,$handler=NULL,$on_success=NULL,$on_failure=NULL ){

 

// Create our form tokens for security if they havn't been created

if( !isset($_SESSION[TOKEN]) ){

$token = md5(uniqid(rand(), TRUE));

$_SESSION[TOKEN] = $token;

}

 

//Create this once

if( !isset($GLOBALS["FORMCREATED"]) ){

 

$GLOBALS["FORMCREATED"] = true;

 

// Create our token field

echo "<input type=\"hidden\" name=\"" . TOKEN . "\" value=\"" . $_SESSION[TOKEN]. "\">\r\n";

 

// Create our handler

if( isset($handler) && $handler != ""){

echo "<input type=\"hidden\" name=\"" . HANDLER . "\" value=\"" . $handler . "\">\r\n";

}

 

echo "<input type=\"hidden\" name=\"ajax_log\" id=\"ajax_log\" value=\"\" />\r\n";

 

}

 

//Output the form field

  echo "<input type=\"hidden\" name=\"" . OPERATION . "[]\" value=\"INSERT." . $criteria . "\">\r\n";

 

//Check if we're writing the on success redirect page

if( isset($on_success) ){

echo "<input type=\"hidden\" name=\"on_success\" id=\"redirect_on_success\" value=\"" . $on_success . "\" />\r\n";

}

 

//Check if we're writing the on success redirect page

if( isset($on_failure) ){

echo "<input type=\"hidden\" name=\"on_failure\" id=\"redirect_on_failure\" value=\"" . $on_failure . "\" />\r\n";

}

 

// function

}

 

//-------------------------------------------------------------------------------//

//

// 22. PARSES POST DATA AND PASSES IT TO THE _table_update()/_table_insert/_table_delete() for processing RUNS EVERYTIME

//

//-------------------------------------------------------------------------------//

function SUBMIT(){

 

//Start the session if need be

if( session_id() == "" ){

session_start();

}

 

// Get the global variables

global $db_connection;

 

// Check if we came from the same domain

if( isset($_SERVER["HTTP_REFERER"]) ){

$ref_array = explode("/",$_SERVER["HTTP_REFERER"]);

} else { $ref_array = array(NULL,NULL,NULL); }

 

// Let's check our referer and the token generated

if( ($ref_array[2]==$_SERVER["SERVER_NAME"]) && ( isset($_POST[TOKEN]) && isset($_SESSION[TOKEN]) && ($_POST[TOKEN] == $_SESSION[TOKEN]) ) ){

 

// --------------------------------------------------------------------------------------

// Open the database connection if it's not already opened

if( !isset($db_connection) ){_db_connection();}

// --------------------------------------------------------------------------------------

 

//Parse through to check what operations the form is fulfilling

foreach($_POST[OPERATION] as $operation => $value) {

 

//Split into a Table and an operation.

$to = explode(".",$value);

 

$operation = $to[0];

$table = $to[1];

 

// We don't need criteria for insert statements

if( isset($to[2]) ){

$criteria = $to[1] . "." . $to[2];

}

 

$field_list = _field_list( $table );

 

//Loop though the forms

foreach( $_POST as $field => $value ){

 

// Check if this is a table field

if( strstr($field, "|") ){

$tmp_table = explode("|", $field);

}

 

if( (isset($tmp_table)) && (is_array($tmp_table)) && ($tmp_table[0] == $table) && (in_array( $tmp_table[1],$field_list )) ){

$tmp_array[ str_replace($table . "|","",$field) ] = $value;

}

 

// Unset the array for security

unset($tmp_table);

 

}

 

// Check if we're doing and insert query

if( strtoupper($operation)=="SELECT" ){

 

//Send information to the insert function which inserts into table

$response = _table_selection( $table,$tmp_array );

 

}

 

// Check if we're doing and insert query

if( strtoupper($operation)=="INSERT" ){

 

//Send information to the insert function which inserts into table

$response = _table_insert( $table,$tmp_array );

 

}

 

// Check if we're doing an update query

if( strtoupper($operation)=="UPDATE" ){

 

//Send information to the insert table

$response = _table_update( $table,$tmp_array,$criteria );

 

}

 

// Check if we're removing a record

if( strtoupper($operation)=="DELETE"){

 

//Send information to the delete function which removes from the table

$response = _table_delete( $table,$criteria );

 

}

 

// Let's check to see what our handler is

if( isset($_POST[HANDLER]) ){

 

// Remove brackets if need be

$tmp_handler = str_replace( "(","",$_POST[HANDLER] );

$tmp_handler = str_replace( ")","",$tmp_handler );

$tmp_handler = str_replace( ";","",$tmp_handler );

 

// Check if the function exists

if( function_exists($tmp_handler) ){

 

// Now run the handler

call_user_func_array($tmp_handler, array( $response,$_POST ) );

 

}

 

// if

}

 

// Unset the array for security

unset($tmp_array);

 

//foreach

}

 

 

//if

}

 

//function

} if( isset($_POST) && is_array($_POST) && count($_POST>0) ){ SUBMIT(); }

//-------------------------------------------------------------------------------//

 

 

//-------------------------------------------------------------------------------//

//

//    19. INSERTS A RECORD INTO A TABLE WITH A CRITERIA STRING CONTAINING THE FIELDS, VALUE, AND CRITERIA

//

//-------------------------------------------------------------------------------//

function _table_insert( $table,$values ){

 

//Create SQL Statement

$sql = "INSERT INTO " . $table . " ";

$sql_fields = ""; $sql_values = "";

 

//Run through the fields and values

foreach($values as $field => $value) {

 

// Check if we're encrypting a password

if(DB_ENCRYPT_PWD){

if( stristr($field, "password") ){

$value = _encrypt_password( $value );

}

}

 

$sql_fields .= $field . ", ";

$sql_values .= _format_field_value( $value ) . ", ";

 

}

 

//Remove trailing , from $sql

$sql_fields = substr_replace($sql_fields,"",-2);

$sql_values = substr_replace($sql_values,"",-2);

 

$sql .= "(" . $sql_fields . ") VALUES (" . $sql_values . ");";

 

// Output SQL statements if $test_mode_output_sql

if(TEST_MODE_O_SQL){

echo "<h5>Executed SQL Statement</h5>";

echo $sql . "<br>";

}

 

// Query the database and update records

$query = mysql_query( $sql )or die(mysql_error());

$tmp_last_id = mysql_insert_id();

 

// Return if it was successful

if($query) {

 

//return successful

echo "true"; // This is for AJAX response

 

return $tmp_last_id;

 

} else {

 

//return successful

echo "false"; // This is for AJAX response

 

return false;

 

}

 

// function

}

//-------------------------------------------------------------------------------//

 

dosomething( $db,$form );

  print_r($db);

  print_r($form);

}

Link to comment
https://forums.phpfreaks.com/topic/63245-can-someone-help-secure-this/
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.