php security question

lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

php security question

Post by lazy_yogi »

I had a job application for a PHP programmer and one of the questions was as follows:
Why is this section of PHP script insecure? How would you "fix" it?

<?
mysql_query("SELECT headline, body FROM article WHERE articleid=$_POST[articleid]");
?>
I assumed that it should check against valid articleids, but I'm just wondering what exactly the problem was and how to actually fix it.
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

maybe because the user can alter it in the location bar???

.php?articleid=2

meh?!
lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

Post by lazy_yogi »

no that's not it ... it's $_POST not $_GET
But you can easily modify it anyway by writing a simple script with the action going to that page with the field articleid set as they want

cheers anyway

Anyone else know for sure what the security prob is?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

The $_POST variable hasn't been validated before you plug it straight into the query - you have no idea what the user is trying to use in the query.

Mac
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

only e.g. (not a hacker tutorial so I chose something quite harmless)
make $_POST[articleid] 0 OR 1=1 and the query contains

Code: Select all

SELECT headline, body FROM article WHERE articleid=0 OR 1=1
that's true for all records.
Since the value is not quoted one can assume articleid is a numerical field. If there are no other constraints (e.g. user privileges) I'd implicitly cast the id like

Code: Select all

mysql_query('SELECT headline, body FROM article WHERE articleid='.(int)$_POST['articleid']);
CONFIQ
Forum Commoner
Posts: 32
Joined: Fri Oct 18, 2002 3:39 pm
Location: Israel - Raanana

Post by CONFIQ »

If magic_quotes_gpc is off then it's dangerous

Hacker can locally modify:
<input type=hidden name=articleid value="1';new mysql_query HERE" />
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

I would do something like this, assuming the var will never be zero (assuming magic_quotes_gpc is on)

Code: Select all

<?php
  // cast to int first; 0 (which a non-numeric string also casts to) is treated as an error
  if (!$clean_int = (int) stripslashes($_POST['intvar'])) { /* do some error message */ }
  mysql_query('SELECT col1,col2 FROM tabl WHERE tabl_id =\''.$clean_int.'\'');

  # or if it is a string and it may be fairly complex

  // undo magic_quotes_gpc, then escape for the quoted SQL literal
  mysql_query('SELECT col1,col2 FROM tabl WHERE colstr =\''.mysql_escape_string(stripslashes($_POST['strvar'])).'\'');
?>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

hm. even with magic_quotes_gpc off and <input type=hidden name=articleid value="1';new mysql_query HERE" /> (int)$_POST['articleid'] will be 1, or did I forget something?
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

yeah if the submitted value is 1, but if the submitted value is 'beer' the result can be different, probably 0, e.g. many SQL engines don't allow use of quotes when testing or setting data, so the var use results in 0 or a nullstring when something odd is inputted. You may want to filter that before giving it to a query.
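Worked example covering the points made in this thread, added here and not taken from any of the posts above: it prints the SQL text the original snippet would build for the "0 OR 1=1" and "1';..." inputs, shows what volka's (int) cast turns them into, applies the stricter "reject 0 and non-numeric" check Stoker is getting at, and then runs the lookup as a parameterised query, which goes beyond the thread's mysql_query() fixes but is the standard answer to the interview question today. The article table, its rows and the sample inputs are constructed; the code assumes PHP 7.1+ with the PDO SQLite driver so it runs with no MySQL server.

```php
<?php
// Added example (not code from the thread). The article table, rows and
// inputs below are constructed sample data; SQLite in memory stands in
// for the MySQL server the thread's mysql_query() calls would talk to.

// 1. The pattern from the job question: the POST value is pasted verbatim
//    into the SQL text, so the text of the query depends on the user.
function unsafe_query(string $articleid): string {
    return "SELECT headline, body FROM article WHERE articleid=$articleid";
}

// 2. volka's fix: the cast keeps only the leading integer, so
//    "0 OR 1=1" becomes 0 and "1';..." becomes 1. No SQL from the user
//    survives, but bad input silently turns into articleid=0.
function cast_query(string $articleid): string {
    return 'SELECT headline, body FROM article WHERE articleid=' . (int)$articleid;
}

// 3. Stoker's point: 'beer' also casts to 0. Rejecting anything that is
//    not a positive integer separates "bad input" from "article 0".
//    Returns null for rejected input.
function validate_articleid(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 4. Parameterised query: the value is bound as an integer and never
//    becomes part of the SQL text at all.
function fetch_article(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT headline, body FROM article WHERE articleid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (articleid INTEGER PRIMARY KEY, headline TEXT, body TEXT)');
$db->exec("INSERT INTO article VALUES (1, 'First', 'public'), (2, 'Second', 'draft')");

// Constructed inputs: a normal id, the two values quoted in the thread,
// and Stoker's 'beer'.
$inputs = ['2', '0 OR 1=1', "1';new mysql_query HERE", 'beer'];

foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  raw SQL : " . unsafe_query($in) . "\n";   // what the original snippet sends
    echo "  cast SQL: " . cast_query($in) . "\n";     // what the (int) version sends
    $id = validate_articleid($in);
    if ($id === null) {
        echo "  validated: rejected\n";
        continue;
    }
    $row = fetch_article($db, $id);
    echo "  validated: id=$id -> " . ($row ? $row['headline'] : 'no such article') . "\n";
}
```

Of the four inputs only '2' passes validate_articleid(); the other three are rejected before any query runs, whereas the cast version would quietly query articleid=0 for "0 OR 1=1" and 'beer' and articleid=1 for the "1';..." input. The bindValue(PDO::PARAM_INT) step is what makes the final query safe regardless of validation; the validation is there so that malformed ids produce an error the application can report instead of an empty result.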