Jump to content

Security Holes

groundwar

By groundwar
in Beta Test Your Stuff!

 Share

Recommended Posts

groundwar Newbie

groundwar

Posted
Posted

Okay, so I want to automate form creation, which on the surface is probably got a lot of holes. This is my script which essentially creates a token for security, creates an operation such as inserting into a table, as well as some random functions for JS oncomplete. I'm worried that by specifying the operation in the form field I'm opening myself up, which I am, however I'm sure there's a way I can lock this down? Thoughts?

 

 

INSERT("MYTABLE","dosomething");

 

//-------------------------------------------------------------------------------//

//

//  23. CREATES INSERT FIELDS FOR FORMS

//

//-------------------------------------------------------------------------------//

function INSERT( $criteria,$handler=NULL,$on_success=NULL,$on_failure=NULL ){

 

  // Create our form tokens for security if they havn't been created

  if( !isset($_SESSION[TOKEN]) ){

      $token = md5(uniqid(rand(), TRUE));

      $_SESSION[TOKEN] = $token;

  }

 

  //Create this once

  if( !isset($GLOBALS["FORMCREATED"]) ){

 

      $GLOBALS["FORMCREATED"] = true;

 

      // Create our token field

      echo "<input type=\"hidden\" name=\"" . TOKEN . "\" value=\"" . $_SESSION[TOKEN]. "\">\r\n";

 

      // Create our handler

      if( isset($handler) && $handler != ""){

        echo "<input type=\"hidden\" name=\"" . HANDLER . "\" value=\"" . $handler . "\">\r\n";

      }

 

      echo "<input type=\"hidden\" name=\"ajax_log\" id=\"ajax_log\" value=\"\" />\r\n";

 

  }

 

  //Output the form field

    echo "<input type=\"hidden\" name=\"" . OPERATION . "[]\" value=\"INSERT." . $criteria . "\">\r\n";

 

  //Check if we're writing the on success redirect page

  if( isset($on_success) ){

      echo "<input type=\"hidden\" name=\"on_success\" id=\"redirect_on_success\" value=\"" . $on_success . "\" />\r\n";

  }

 

  //Check if we're writing the on success redirect page

  if( isset($on_failure) ){

      echo "<input type=\"hidden\" name=\"on_failure\" id=\"redirect_on_failure\" value=\"" . $on_failure . "\" />\r\n";

  }

 

// function

}

 

//-------------------------------------------------------------------------------//

//

//  22. PARSES POST DATA AND PASSES IT TO THE _table_update()/_table_insert/_table_delete() for processing RUNS EVERYTIME

//

//-------------------------------------------------------------------------------//

function SUBMIT(){

 

  //Start the session if need be

  if( session_id() == "" ){

      session_start();

  }

 

  // Get the global variables

  global $db_connection;

 

  // Check if we came from the same domain

  if( isset($_SERVER["HTTP_REFERER"]) ){

      $ref_array = explode("/",$_SERVER["HTTP_REFERER"]);

      } else { $ref_array = array(NULL,NULL,NULL); }

 

  // Let's check our referer and the token generated

  if( ($ref_array[2]==$_SERVER["SERVER_NAME"]) && ( isset($_POST[TOKEN]) && isset($_SESSION[TOKEN]) && ($_POST[TOKEN] == $_SESSION[TOKEN]) ) ){

 

      // --------------------------------------------------------------------------------------

      // Open the database connection if it's not already opened

      if( !isset($db_connection) ){_db_connection();}

      // --------------------------------------------------------------------------------------

     

        //Parse through to check what operations the form is fulfilling

        foreach($_POST[OPERATION] as $operation => $value) {

       

            //Split into a Table and an operation.

            $to = explode(".",$value);

           

            $operation = $to[0];

            $table = $to[1];

           

            // We don't need criteria for insert statements

            if(  isset($to[2]) ){

              $criteria = $to[1] . "." . $to[2];

              }

           

            $field_list = _field_list( $table );

           

            //Loop though the forms

            foreach( $_POST as $field => $value ){

           

              // Check if this is a table field

              if( strstr($field, "|") ){

                  $tmp_table = explode("|", $field);

              }

           

              if( (isset($tmp_table)) && (is_array($tmp_table)) && ($tmp_table[0] == $table) && (in_array( $tmp_table[1],$field_list )) ){

                  $tmp_array[ str_replace($table . "|","",$field) ] = $value;

                  }

                 

              // Unset the array for security

              unset($tmp_table);

           

            }

 

            // Check if we're doing and insert query

            if( strtoupper($operation)=="SELECT" ){

           

              //Send information to the insert function which inserts into table

              $response = _table_selection( $table,$tmp_array );

       

            }

 

            // Check if we're doing and insert query

            if( strtoupper($operation)=="INSERT" ){

           

              //Send information to the insert function which inserts into table

              $response = _table_insert( $table,$tmp_array );

       

            }

       

            // Check if we're doing an update query

            if( strtoupper($operation)=="UPDATE" ){

                 

              //Send information to the insert table

              $response = _table_update( $table,$tmp_array,$criteria );

             

            }

           

            // Check if we're removing a record

            if( strtoupper($operation)=="DELETE"){

             

              //Send information to the delete function which removes from the table

              $response = _table_delete( $table,$criteria );

       

            }

           

            // Let's check to see what our handler is

            if( isset($_POST[HANDLER]) ){

           

              // Remove brackets if need be

              $tmp_handler = str_replace( "(","",$_POST[HANDLER] );

              $tmp_handler = str_replace( ")","",$tmp_handler );

              $tmp_handler = str_replace( ";","",$tmp_handler );

             

              // Check if the function exists

              if( function_exists($tmp_handler) ){

             

                  // Now run the handler

                  call_user_func_array($tmp_handler, array( $response,$_POST ) );

                 

              }

           

            // if

            }

       

        // Unset the array for security

        unset($tmp_array);

       

        //foreach

        }

       

 

  //if

  }

 

//function 

} if( isset($_POST) && is_array($_POST) && count($_POST>0) ){ SUBMIT(); }

//-------------------------------------------------------------------------------//

 

 

//-------------------------------------------------------------------------------//

//

//    19. INSERTS A RECORD INTO A TABLE WITH A CRITERIA STRING CONTAINING THE FIELDS, VALUE, AND CRITERIA

//

//-------------------------------------------------------------------------------// 

function _table_insert( $table,$values ){

 

        //Create SQL Statement

        $sql = "INSERT INTO " . $table . " ";

        $sql_fields = ""; $sql_values = "";

       

        //Run through the fields and values

        foreach($values as $field => $value) {

 

              // Check if we're encrypting a password

              if(DB_ENCRYPT_PWD){

                  if( stristr($field, "password") ){

                    $value = _encrypt_password( $value );

                  }

              }

             

              $sql_fields .= $field . ", ";

              $sql_values .= _format_field_value( $value ) . ", ";

             

        }

       

        //Remove trailing , from $sql

        $sql_fields = substr_replace($sql_fields,"",-2);

        $sql_values = substr_replace($sql_values,"",-2);

     

        $sql .= "(" . $sql_fields . ") VALUES (" . $sql_values . ");";

 

      // Output SQL statements if $test_mode_output_sql

      if(TEST_MODE_O_SQL){

        echo "<h5>Executed SQL Statement</h5>";

        echo $sql . "

";

        }

 

      // Query the database and update records

      $query = mysql_query( $sql )or die(mysql_error());

      $tmp_last_id = mysql_insert_id();

     

      // Return if it was successful

      if($query) {

     

            //return successful

            echo "true"; // This is for AJAX response

           

            return $tmp_last_id;

       

      } else {

     

            //return successful

            echo "false"; // This is for AJAX response

           

            return false;

     

      }

 

// function

}

//-------------------------------------------------------------------------------//

 

dosomething( $db,$form );

  print_r($db);

  print_r($form);

}

Link to comment
https://forums.phpfreaks.com/topic/63903-security-holes/
Share on other sites
  • 2 weeks later...
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.