[Security Question] XSRF possible in this page?

Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

[Security Question] XSRF possible in this page?

Post by Aristona »

Hi,

Let me tell you the page first.
http://www.celik-ticaret.net/?page=projects (A trash website I use to test my codes)

As you can see, it contains a form with an option like:

Code:

<select name="year">
    <option value="1">Any year</option>
    <option value="2000">2000</option>
    <option value="2001">2001</option>
    ...
</select>

<select name="city">
    <option value="any">Any city</option>
    <option value="cityA">City A</option>
    <option value="cityB">City B</option>
    ...
</select>
Basically, users are generating a SQL query here, such as:

Code:

function clrInput($input)
{
    // SQL injection prevention (body omitted in the original post)
    return $input;
}

$city = clrInput($_POST['city']);
$year = intval(clrInput($_POST['year']));

/* NO OTHER CONTROLS HERE --- THAT'S WHAT I AM ASKING */

// Prepare our query -- looks very vulnerable!
// $city goes into the SQL text without surrounding quotes.
query("SELECT * FROM TABLE_NAME
       WHERE City = $city AND
             Year = $year");

Okay. All is good so far and it's working properly, but what if I edit my form like this:

Code:

<select name="city">
    <option value="UNION DROP TABLE TABLE_NAME">Any year</option>
</select>
Then the query will be like:

Code:

SELECT * FROM TABLE_NAME
WHERE City = NULL
UNION
DROP TABLE TABLE_NAME
and the table will be dropped. (The SQL query may be wrong, but you get the idea.)

What kind of protection should I use on such pages? Double-check every option input against an array and die if it doesn't match?

Open for ideas.
incubi
Forum Contributor
Posts: 119
Joined: Mon Dec 07, 2009 1:47 pm

Re: [Security Question] XSRF possible in this page?

Post by incubi »

Hi Aristona,

SQL injection isn't my strong suit, but I do know you need to validate the data, so in your example make sure "city" is truly the name of a city.

http://www.learnphponline.com/security/ ... -mysql-php


Lee
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: [Security Question] XSRF possible in this page?

Post by Aristona »

incubi wrote:Hi Aristona,

SQL injection isn't my strong suit, but I do know you need to validate the data, so in your example make sure "city" is truly the name of a city.

http://www.learnphponline.com/security/ ... -mysql-php


Lee
Hi,

Thanks for your reply.

I am not sure if it's SQL injection. I usually manage to get SQL injection issues solved with PHP functions, but this one doesn't contain any special characters like ' or ;.
It looks like a different technique to me. I am not sure what it is called. (I referred to XSRF since we abuse a different form. It could be something entirely different.)

Yes, double-checking is something I mentioned. Something like:

Code:

$allowedCities = array('City1', 'City2', 'City3');
if (!in_array($_POST['city'], $allowedCities, true)) { // strict comparison
    die();
}
// else, continue

would solve the issue. Then again, it would require me to make my form.tpl dynamic, which means it should get the option values from the PHP file dynamically.
I believe it would lower website performance. I am trying to minimise PHP parsing for maximum efficiency.

Any other ideas about solving the issue?
incubi
Forum Contributor
Posts: 119
Joined: Mon Dec 07, 2009 1:47 pm

Re: [Security Question] XSRF possible in this page?

Post by incubi »

If you "edited your page" :) with the drop query, perhaps it is just injection, but as for cross-site issues the only thing I know is to test where the request came from, maybe with $_SESSION['HTTP_REFERER'].

Also, you should use POST as much as you can and be sure to use session timeouts.

That's about all I know on it. :)


Lee
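The request-origin check incubi describes, as an added example that is not code from the thread. It is written in Python so it runs stand-alone (the thread's site is PHP; the same logic maps onto $_SERVER['HTTP_ORIGIN'], $_SERVER['HTTP_REFERER'] and $_SESSION). The per-session token alongside it goes beyond what the post mentions; it is the standard companion to an origin check. The header dict, the session dict, the form dict and the host name www.celik-ticaret.net (taken from the OP's link) are assumptions of the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host of the page the OP linked; requests must claim to come from here.
SITE_HOST = "www.celik-ticaret.net"


def same_origin(headers, site_host=SITE_HOST):
    """The check incubi suggests: does the browser say the request came from
    one of our own pages? Origin is checked first (browsers send it on POST
    requests), Referer as a fallback. The whole host name is compared, so
    www.celik-ticaret.net.attacker.example does not pass, and a missing or
    unparseable header is a reject, not an accept. `headers` is assumed to be
    a dict keyed by canonical header names (an assumption of this example)."""
    origin = headers.get("Origin")
    if origin is not None:
        return urlsplit(origin).hostname == site_host
    referer = headers.get("Referer")
    if referer is not None:
        return urlsplit(referer).hostname == site_host
    return False


def issue_token(session):
    """Store a fresh random token in the server-side session and return it so
    the form can carry it in a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def token_valid(session, form):
    """Constant-time comparison of the submitted token with the session's copy.
    Missing on either side means reject."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(str(expected).encode(), str(supplied).encode())


def accept_post(headers, session, form):
    """A state-changing POST is handled only if both checks pass."""
    return same_origin(headers) and token_valid(session, form)


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    good = {"Origin": "http://www.celik-ticaret.net"}
    lookalike = {"Referer": "http://www.celik-ticaret.net.attacker.example/"}
    print(accept_post(good, session, {"csrf_token": token}))       # True
    print(accept_post(lookalike, session, {"csrf_token": token}))  # False
    print(accept_post(good, session, {}))                          # False
```

The Referer header is easy to suppress (browser privacy settings, meta referrer policies) and is absent on many legitimate requests, which is why a missing header is treated as a reject and why the token check is the one to rely on; the origin check is a cheap extra layer, not a replacement.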
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: [Security Question] XSRF possible in this page?

Post by Aristona »

Thanks Lee. :)

I am also looking for more information about this issue, if possible.
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: [Security Question] XSRF possible in this page?

Post by Aristona »

Bumpidy bump.
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: [Security Question] XSRF possible in this page?

Post by tr0gd0rr »

A rule of thumb is to always use prepared queries or call mysql_real_escape_string() on every string that gets put into a query (if you are using MySQL). Using that function diligently will prevent SQL injection.
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: [Security Question] XSRF possible in this page?

Post by Aristona »

I am already sanitizing all inputs to prevent SQL injection, but this one sounds a little different to me.

What I am asking about is something different. If they change the values on the form (e.g. New York -> UNION DROP TABLE TABLE_NAME; notice that no magic characters are used), it will get past the sanitize function.
Also, ' and SPACE should be allowed. There is not much use for mysql_real_escape_string() here.
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: [Security Question] XSRF possible in this page?

Post by tr0gd0rr »

It won't get past the sanitize function if the value is enclosed in quotes:

SELECT * FROM TABLE_NAME WHERE City = 'NULL UNION DROP TABLE TABLE_NAME'

You must use quotes.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: [Security Question] XSRF possible in this page?

Post by flying_circus »

tr0gd0rr wrote:You must use quotes.
Quoting this for emphasis!


My question to the OP would be, what if you were using your database to store code examples (like this website does)? NULL UNION DROP TABLE TABLE_NAME would be perfectly valid data.

Do as Tr0gd0rr says, use quotes and escape your data. Prepared statements will also work well.
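The whole thread in runnable form, as an added example that is not code from any of the posts. It is written in Python against an in-memory SQLite database standing in for the PHP/MySQL page, because the lesson is about what the database parses rather than about PHP; the table name projects, its columns, the three rows and the payload string are all constructed for the example. run_unquoted is the OP's pattern (the select's value pasted into the SQL text without quotes), run_quoted is tr0gd0rr's fix (quote and escape; sql_quote plays the part of mysql_real_escape_string plus quotes, using SQLite's quoting rule), and search combines Aristona's allowlist idea with the prepared-statement route flying_circus mentions. The payload contains no quote and no semicolon, which is exactly the case Aristona was worried about.

```python
import sqlite3

# Constructed sample table standing in for the thread's TABLE_NAME; the real
# schema is not shown on the page, so these columns and rows are an assumption.
ROWS = [
    ("Tower A", "cityA", 2000),
    ("Bridge B", "cityB", 2001),
    ("Secret C", "cityC", 2005),
]

# The select's option values from the thread; "any" and 1 mean "no filter".
ALLOWED_CITIES = {"any", "cityA", "cityB", "cityC"}

# Attacker-edited option value, constructed for the example: no quote and no
# semicolon, only words, digits, spaces and "=", so character escaping
# leaves it unchanged.
PAYLOAD = "NULL UNION SELECT name FROM projects WHERE 1=1 OR 1"


def fresh_db():
    """In-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (name TEXT, city TEXT, year INTEGER)")
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)", ROWS)
    return conn


def names(rows):
    return [row[0] for row in rows]


def run_unquoted(city, year):
    """The OP's pattern: the city value is pasted into the SQL text without
    quotes. A bare word such as cityA is then parsed as a column name (SQLite
    and MySQL both raise an unknown-column error), and the payload is parsed
    as SQL: its UNION branch returns every row of the table."""
    sql = f"SELECT name FROM projects WHERE city = {city} AND year = {int(year)}"
    return names(fresh_db().execute(sql))


def sql_quote(value):
    """Wrap a value in single quotes, doubling any embedded quote (SQLite's
    rule; mysql_real_escape_string() plus surrounding quotes is the MySQL
    equivalent). Escaping only helps because the result sits inside quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def run_quoted(city, year):
    """tr0gd0rr's fix: quote and escape. The payload becomes a string literal
    compared against the city column and matches nothing."""
    sql = f"SELECT name FROM projects WHERE city = {sql_quote(city)} AND year = {int(year)}"
    return names(fresh_db().execute(sql))


def search(city, year):
    """Hardened form: check the city against the form's own option values
    (Aristona's allowlist), coerce the year to an integer, and bind both as
    parameters (the prepared-statement route flying_circus mentions).
    'any' and 1 drop the corresponding filter, as the form's labels imply."""
    if city not in ALLOWED_CITIES:
        raise ValueError(f"city is not one of the form's options: {city!r}")
    year = int(year)  # ValueError for anything that is not an integer
    conditions, params = [], []
    if city != "any":
        conditions.append("city = ?")
        params.append(city)
    if year != 1:
        conditions.append("year = ?")
        params.append(year)
    sql = "SELECT name FROM projects"
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    return names(fresh_db().execute(sql, params))


if __name__ == "__main__":
    print("unquoted, payload:", sorted(run_unquoted(PAYLOAD, 1)))  # all three names
    print("quoted, payload:  ", run_quoted(PAYLOAD, 1))            # []
    print("quoted, cityA:    ", run_quoted("cityA", 2000))         # ['Tower A']
    print("search cityB/any: ", search("cityB", 1))                # ['Bridge B']
    try:
        search(PAYLOAD, 1)
    except ValueError as err:
        print("search, payload:   rejected:", err)
```

Only the unquoted version is changed by the payload: once the value is quoted, or bound as a parameter, it is compared against the column and matches nothing, and the allowlist rejects it before any SQL is built. The allowlist is also what answers flying_circus's point about storing code examples: a value like NULL UNION DROP TABLE TABLE_NAME is perfectly good data for a free-text column handled by a parameter, but a select box only ever has a fixed set of legitimate values, so anything else is a tampered form and can be refused outright.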