form security after injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

thinkingforward
Forum Newbie
Posts: 5
Joined: Fri Oct 09, 2009 5:11 pm

form security after injection

Post by thinkingforward »

Hi,

My sendquote form has recently been used in an injection attack to gain access to my webserver. I had this coded by a 3rd party for me and was after a second opinion on whether it's secure or needs securing.

The code is as follows:

<?php
include('./class.quote.php');
$quote = new quote();

//POST ITEMS
$type = mysql_real_escape_string($_POST['granite']);
$shape = $_POST['shape'];

if(is_numeric($_POST['1'])){ $size1 = $_POST['1']; }else{ $error[] = 'Size 1 Input must be Numeric';}
if(is_numeric($_POST['2'])){ $size2 = $_POST['2']; }else{ $error[] = 'Size 2 Input must be Numeric';}

$size3 = $_POST['3'];
$size4 = $_POST['4'];
$size5 = $_POST['5'];
$size6 = $_POST['6'];

if(is_numeric($_POST['polcut'])){ $polcut = $_POST['polcut']; }else{ $error[]='Polished Cut Out Input must be Numeric';}
if(is_numeric($_POST['unpolcut'])){ $unpolcut = $_POST['unpolcut']; }else{ $error[]='UnPolished Cut Out Input must be Numeric';}
if(is_numeric($_POST['drainer'])){ $drainer = $_POST['drainer']; }else{ $error[]='Drainer Input must be Numeric';}
if(is_numeric($_POST['taphole'])){ $taphole = $_POST['taphole']; }else{ $error[]='Taphole Input must be Numeric';}
if(is_numeric($_POST['hobcut'])){ $hobcut = $_POST['hobcut']; }else{ $error[]='Hobcut Input must be Numeric';}
if(is_numeric($_POST['radius'])){ $radius = $_POST['radius']; }else{ $error[]='Radius Input must be Numeric';}
if(is_numeric($_POST['fullarch'])){ $fullarch = $_POST['fullarch']; }else{ $error[]='Fullarch Input must be Numeric';}

if(is_numeric($_POST['upstands'])){ $upstands = $_POST['upstands']; }else{ $error[]='Upstands Input must be Numeric';}
if(is_numeric($_POST['bevel'])){ $bevel = $_POST['bevel']; }else{ $error[]='Bevel Input must be Numeric';}
if(is_numeric($_POST['pencil'])){ $pencil = $_POST['pencil']; }else{ $error[]='Pencil Input must be Numeric';}
if(is_numeric($_POST['bullnose'])){ $bullnose = $_POST['bullnose']; }else{ $error[]='Bullnose Input must be Numeric';}
if(is_numeric($_POST['builtup'])){ $builtup = $_POST['builtup']; }else{ $error[] = 'Builtup Input must be Numeric';}
if(is_numeric($_POST['ogee'])){ $ogee = $_POST['ogee']; }else{ $error[] = 'Ogee Input must be Numeric';}
if($_POST['installation'] == 'on'){ $install = 1; }

if(!empty($_POST['firstname'])){ $firstname = $_POST['firstname'];}else{ $error[] = 'Name Must be set'; }
if(!empty($_POST['lastname'])){ $lastname = $_POST['lastname'];}else{ $error[] = 'Last Name Must be set'; }
if(!empty($_POST['email'])){ $email = $_POST['email'];}else{ $error[] = 'Email Must be set'; }
if(!empty($_POST['phone'])){ $phone = $_POST['phone'];}else{ $error[] = 'Phone Must be set'; }
$address = $_POST['address'];
$postcode = $_POST['postcode'];
$message = $_POST['message'];

$submit = $_POST['submit'];
//END POST ITEMS

if(isset($submit)){

        $quote->SetGranite($type);
        $quote->SetSizes($shape, $size1, $size2, $size3, $size4, $size5, $size6);
        $quote->CalculateM2();
        $quote->CalculatePrice();
        $quote->AddItem('35', $upstands);
        $quote->AddItem('29', $polcut);
        $quote->AddItem('31', $unpolcut);
        $quote->AddItem('30', $drainer);
        $quote->AddItem('32', $taphole);
        $quote->AddItem('33', $radius);
        $quote->AddItem('30', $drainer);
        $quote->AddItem('34', $fullarch);
        $quote->AddItem('24', $bevel);
        $quote->AddItem('30', $drainer);
        $quote->AddItem('25', $pencil);
        $quote->AddItem('26', $bullnose);
        $quote->AddItem('28', $builtup);
        $quote->AddItem('38', $hobcut);
        $quote->AddItem('27', $ogee);
        $quote->AddItem('39', $install);

        if(empty($error)){

        if($install == 1){ $install = 'yes'; }
        $headers  = 'MIME-Version: 1.0' . "\r\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        $headers .= 'To: Website Enquiry <emailhere>' . "\r\n";
        $headers .= 'From: Website Enquiry <emailhere>' . "\r\n";

        $q = mysql_query("SELECT * FROM pricelist WHERE code = '" . $type . "'");
        while($row = mysql_fetch_array($q)){
                $type = $row['description'];
        }

        $msg = 'Selected Granite - ' . $type . '<br/>';
        $msg .= 'Selected Shape - ' . $shape . '<br/>';
        $msg .= 'Size 1 - ' . $size1 . '<br/>';
        $msg .= 'Size 2 - ' . $size2 . '<br/>';
        $msg .= 'Size 3 - ' . $size3 . '<br/>';
        $msg .= 'Size 4 - ' . $size4 . '<br/>';
        $msg .= 'Size 5 - ' . $size5 . '<br/>';
        $msg .= 'Size 6 - ' . $size6 . '<br/>';

        if($shape == 'l'){
                $size1 = $size1 / 1000;
                $size2 = $size2 / 1000;
                $size3 = $size3 / 1000;
                $size4 = $size4 / 1000;
                $msg .= 'Section A - ' . $size1 * $size2 . 'm2<br/>';
                $msg .= 'Section B - ' . $size3 * $size4 . 'm2<br/>';
        }

        if($shape == 'u'){
                $size1 = $size1 / 1000;
                $size2 = $size2 / 1000;
                $size3 = $size3 / 1000;
                $size4 = $size4 / 1000;
                $size5 = $size5 / 1000;
                $size6 = $size6 / 1000;
                $msg .= 'Section A - ' . $size1 * $size2 . 'm2<br/>';
                $msg .= 'Section B - ' . $size3 * $size4 . 'm2<br/>';
                $msg .= 'Section C - ' . $size5 * $size6 . 'm2<br/>';
        }

        //$msg .= 'Total:' . $quote->m2 . 'm2<br/><br/>';

        $msg .= 'Polished Cut Outs - ' . $polcut . '<br/>';
        $msg .= 'Unpolished Cut Outs - ' . $unpolcut . '<br/>';
        $msg .= 'Drainer - ' . $drainer . '<br/>';
        $msg .= 'Tapholes - ' . $taphole . '<br/>';
        $msg .= 'Hob Cut Outs - ' . $hobcut . '<br/>';
        $msg .= 'Radius Ends - ' . $radius . '<br/>';
        $msg .= 'Full Arch - ' . $fullarch . '<br/>';
        $msg .= 'Upstands - ' . $upstands . '<br/>';
        $msg .= 'Bevel - ' . $bevel . '<br/>';
        $msg .= 'Pencil - ' . $pencil . '<br/>';
        $msg .= 'Bullnose - ' . $bullnose . '<br/>';
        $msg .= 'Builtup - ' . $builtup . '<br/>';
        $msg .= 'Ogee - ' . $ogee . '<br/>';
        $msg .= 'Installation - ' . $install . '<br/>';
        $msg .= 'First Name - ' . $firstname . '<br/>';
        $msg .= 'Last Name - ' . $lastname . '<br/>';
        $msg .= 'Email - ' . $email . '<br/>';
        $msg .= 'Phone - ' . $phone . '<br/>';
        $msg .= 'Address - ' . $address . '<br/>';
        $msg .= 'Postcode - ' . $postcode . '<br/>';
        $msg .= 'Message - ' . $message . '<br/><br/><br/>';
        $msg .= 'Estimated Price - &pound;' . number_format($quote->price,2) . '<br/>';

        if(mail('emailhere', 'Quote for Granite Worktop', $msg, $headers)){
                echo 'Success, We have received your enquiry!';
        }

        }else{
                echo '<p>Sorry, you had errors in your form submission, please go back and try again.</p>';
                foreach($error as $key=>$value){
                        echo $value . '<br/>';
                }
                echo '<p><A HREF="javascript&#058;history.go(-1)">Click Here</A> To Go Back</p>';
        }
}
?>
Thank you!
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: form security after injection

Post by Robert07 »

Wow, I can see several $_POST parameters which are not being escaped before being used in sql (depending on the contents of the included class from quote.php which you did not share), and if there are DB errors they are being shown to the end user! I wouldn't run that code if I were you...
thinkingforward
Forum Newbie
Posts: 5
Joined: Fri Oct 09, 2009 5:11 pm

Re: form security after injection

Post by thinkingforward »

Here is the code from quote.php
<?php

mysql_connect("localhost", "") or die(mysql_error());
mysql_select_db("nrylgbf_granite") or die(mysql_error());

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<link href="stylesheetform.css" rel="stylesheet" type="text/css" />
<style type="text/css">
#numbers { margin:0; padding:0; list-style:none; padding:10px; clear:both; }
#numbers li { float:left; width:16%; }
#numbers li input { width:45px; display:inline;}
#sizes { list-style:none; margin:0; padding:0; clear:both; }
#sizes li { float:left; width:33%; text-align:center; }
#sizes li input { margin-lefT:auto; margin-right:auto;}
body { font-size:11px; font-family:Arial; color:#999999; }
input, label { display:block; }
optgroup { font-family:Arial; }
.third { width:30%; margin-left:10px; margin-right:10px; float:left; margin-bottom:5px; border:1px solid #666666; }
input, textarea { border:1px solid #666666; margin-bottom:5px; padding:3px; font-size:10px; }
fieldset { padding:0px 15px 15px 15px; margin-bottom:17px; display:block; background-color:white; }
legend { padding-left:5px; padding-right:5px; margin-bottom:10px; }
#installation { display:inline; border:none; margin-bottom:-2px;}
.half { width:50%; float:left; }
.half input { width:45px; clear:right; float:left; }
.half label { width:170px; float:left; }
.lhalf { width:50%; float:left; }
#pricing p { font-size:22px; text-align:center; margin:0; padding-top:10px;}
#price { color:green; font-weight:bold; width:200px;}
.lhalf input { width:270px; }
#submit { float:right; }
.shape { border:none; }
#image { width:170px; height:170px; border:1px solid #666666; float:right; }
#pricing { width:100%; height:50px; background-image:url(./images/noteback.png); margin-bottom:20px; border:1px solid #666666; }
#container { width:770px; margin-left:auto; margin-right:auto; margin-bottom:20px; }
#sizes input { border:none; }
#form { margin-bottom:200px; width:750px; margin-left:10px; margin-right:auto; color:#999999; font-size:10px;}
a:link {
text-decoration: none;
}
a:visited {
text-decoration: none;
}
a:hover {
text-decoration: none;
}
a:active {
text-decoration: none;
}
</style>
<script src="http://ajax.googleapis.com/ajax/libs/jq ... ery.min.js" type="text/javascript" charset="utf-8"></script>
<title>Granite</title>


<script type="text/javascript">
jQuery(document).ready(function() {

$('#calc').click(function() {

$('#price').fadeOut("fast").empty();

var one = $('#1').val();
var two = $('#2').val();
var three = $('#3').val();
var four = $('#4').val();
var five = $('#5').val();
var six = $('#6').val();
var shape = $("[name='shape']:checked").val();
var granite = $("#granite :selected").val();
var submit = $('#submit').val();
var upstands = $('#upstands').val();
var polcut = $('#polcut').val();
var unpolcut = $('#unpolcut').val();
var drainer = $('#drainer').val();
var taphole = $('#taphole').val();
var hobcut = $('#hobcut').val();
var radius = $('#radius').val();
var fullarch = $('#fullarch').val();
var bevel = $('#bevel').val();
var pencil = $('#pencil').val();
var ogee = $('#ogee').val();
var bullnose = $('#bullnose').val();
var builtup = $('#builtup').val();
var install = $('#installation:checked').val();

$.ajax({
url: 'processor.php',
type: 'POST',
data: 'installation=' + install + '&6=' + six + '&1=' + one + '&2=' + two + '&3=' + three + '&4=' + four + '&5=' + five + '&shape=' + shape + '&granite=' + granite + '&submit=' + submit + '&upstands=' + upstands + '&polcut=' + polcut + '&unpolcut=' + unpolcut + '&drainer=' + drainer + '&taphole=' + taphole + '&hobcut=' + hobcut + '&radius=' + radius + '&fullarch=' + fullarch + '&bevel=' + bevel + '&pencil=' + pencil + '&ogee=' + ogee + '&bullnose=' + bullnose + '&builtup=' + builtup,

success: function(result) {

$('#price').append(result).fadeIn(400);

}

});

return false;
});


$("#granite").change(function(){
var c = $('select#granite:checked').val();

var title = $("#granite :selected").val();
$('#img').attr('src', './images/' + title + '.jpg');
$("#calc").click();
});




$(".pricing").change(function() {
$("#calc").click();
});

});
</script>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /></head>

<body link="#000000">
<div id="content">
<div id="heading"><img src="header.jpg" width="775" height="250" alt="Granite" /></div>
<div id="home">
<div align="center"><a href="index.html" target="_self">Home</a></div>
</div>
<div id="services">
<div align="center"><a href="services.html" target="_self">Services</a></div>
</div>
<div id="prices">
<div align="center"><a href="prices.html" target="_self">Prices</a></div>
</div>
<div id="Quote">
<div align="center"><a href="quote.html" target="_self">Quote</a></div>
</div>
<div id="repairs">
<div align="center"><a href="http://www.graniterepairs.co.uk" target="_blank">Repairs</a></div>
</div>
<div id="gallery">
<div align="center"><a href="samplepics.html" target="_self">Sample Pics</a></div>
</div>
<div id="contact">
<div align="center"><a href="mailto:info@">Contact us</a></div>
</div>
<div id="quotebody">
<form id="form" action="./sendquote.php" method="POST">

<?php
$query1 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite1'");
$query2 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite2'");
$query3 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite3'");
$query4 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite4'");
$query5 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite5'");
$query6 = mysql_query("SELECT * FROM pricelist WHERE `group` = 'granite6'");
?>

<fieldset>
<legend>Granite Type</legend>
<select class="third" id="granite" name="granite" class="pricing" ><option title="select" id="select" value="select">Select Worktop</option><optgroup label="Group One"><?php while($row = mysql_fetch_array($query1)){ echo '<option value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
<optgroup label="Group Two"><?php while($row = mysql_fetch_array($query2)){ echo '<option title="' . $row['code'] . '" value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
<optgroup label="Group Three"><?php while($row = mysql_fetch_array($query3)){ echo '<option title="' . $row['code'] . '" value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
<optgroup label="Group Four"><?php while($row = mysql_fetch_array($query4)){ echo '<option title="' . $row['code'] . '" value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
<optgroup label="Group Five"><?php while($row = mysql_fetch_array($query5)){ echo '<option title="' . $row['code'] . '" value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
<optgroup label="Group Six"><?php while($row = mysql_fetch_array($query6)){ echo '<option value="' . $row['code'] . '">' . $row['description'] . '</option>';} ?></optgroup>
</select>

<div id="image"><img src="./images/1.jpg" id="img" /></div>
</fieldset>

<fieldset>
<legend>Sizes Required</legend>
<font color="#000000">Please select your desired layout using the buttons below. If you require more than 1 layout, please send each layout as a separate quote. Alternatively, you can email us a drawing by clicking <a href="mailto:info@">here</a></font>.
<ul id="sizes">
<li><img src="./images/smallstraight.png" /></li>
<li><img src="./images/smallu.png" /></li>
<li><img src="./images/smalll.png" /></li>
<li><input class="pricing" type="radio" name="shape" value="straight"></li>
<li><input class="pricing" type="radio" name="shape" value="u" ></li>
<li><input class="pricing" type="radio" name="shape" value="l" ></li>
</ul>

<ul id="numbers">
<li><b>1:</b> <input class="pricing" type="text" id="1" name="1"/> (mm)</li>
<li><b>2:</b> <input class="pricing" type="text" id="2" name="2"/> (mm)</li>
<li><b>3:</b> <input class="pricing" type="text" id="3" name="3"/> (mm)</li>
<li><b>4:</b> <input class="pricing" type="text" id="4" name="4"/> (mm)</li>
<li><b>5:</b> <input class="pricing" type="text" id="5" name="5"/> (mm)</li>
<li><b>6:</b> <input class="pricing" type="text" id="6" name="6"/> (mm)</li>
</ul>
</fieldset>

<fieldset>
<legend>Polished Cutouts Required</legend>
<div class="half">
<label class="inline" for="radius">No of Polished Cut Outs:</label><input class="pricing" type="text" name="polcut" value="0" id="polcut" />
<label class="inline" for="radius">No of Unpolished Cut Outs:</label><input class="pricing" type="text" name="unpolcut" value="0" id="unpolcut" />
<label class="inline" for="radius">Set of 5 Drainer Grooves:</label><input class="pricing" type="text" name="drainer" value="0" id="drainer" />
<label class="inline" for="taphole">No of Tap Holes:</label><input class="pricing" type="text" name="taphole" value="0" id="taphole" />
</div><div class="half">
<label class="inline" for="hobcut">No of Hob Cut Outs:</label><input class="pricing" type="text" name="hobcut" value="0" id="hobcut" />
<label class="inline" for="radius">No of Radius Ends:</label><input class="pricing" type="text" name="radius" value="0" id="radius" />
<label class="inline" for="radius">No of Full Archs:</label><input class="pricing" type="text" name="fullarch" value="0" id="fullarch" />
</div>
</fieldset>

<fieldset>
<legend>Fabrication Work Required (charged per linear metre)</legend>
<div class="half">
<label class="inline" for="upstands">Upstands Required (100mm):</label><input class="pricing" type="text" value="0" name="upstands" id="upstands" />
<label class="inline" for="bevel">Standard (Bevel) Polish</label><input class="pricing" type="text" value="0" name="bevel" id="bevel" />
<label class="inline" for="pencil">Pencil Round Polish</label><input class="pricing" type="text" value="0" name="pencil" id="pencil" />
</div><div class="half">
<label class="inline" for="ogee">Ogee</label><input type="text" class="pricing" name="ogee" value="0" id="ogee" />
<label class="inline" for="bullnose">Bullnose Polish</label><input class="pricing" type="text" value="0" name="bullnose" id="bullnose" />
<label class="inline" for="builtup">Built-up Edge 150mm</label><input class="pricing" type="text" value="0" name="builtup" id="builtup" />
</div>
</fieldset>

<fieldset>
<legend>Installation & Template</legend>

<input type="checkbox" id="installation" class="pricing" name="installation" /> Yes, I would like you to template and install this for me<br/>
</fieldset>
<div id="pricing"><p>Your Estimate for this Worktop is: <span id="price">&#163;</span> Ex VAT<span id="calc">.</span></p></div>
<fieldset>
<legend>About You</legend>
<div class="fields">
<div class="lhalf">
<label for="firstname">First Name:</label><input type="text" name="firstname" id="firstname" />
<label for="lastname">Last Name:</label><input type="text" name="lastname" id="lastname" />
<label for="email">Email Address:</label><input type="text" name="email" id="email" />
<label for="phone">Telephone:</label><input type="text" name="phone" id="phone" />
</div>
<div class="lhalf">
<label for="address">Address:</label><input type="text" name="address" id="address" />
<label for="postcode">Postcode:</label><input type="text" name="postcode" id="postcode" />
<label for="message">Message:</label><textarea rows="3" cols="31" name="message" id="message"></textarea>
</div>
</div>
</fieldset>
<div style="clear:both;"></div>
<input type="submit" name="submit" id="submit" value="Make Enquiry" />
</form><div style="clear:both;"></div>
</div><div style="clear:both;"></div>
</div><div style="clear:both;"></div>


</body>
</html>
Thank you!
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: form security after injection

Post by Robert07 »

Oops, I meant class.quote.php not quote.php:
include('./class.quote.php');
thinkingforward
Forum Newbie
Posts: 5
Joined: Fri Oct 09, 2009 5:11 pm

Re: form security after injection

Post by thinkingforward »

He has made a couple of amendments, so I'll post the code of both. Thanks! :)

sendquote.php:

<?php
session_start();
echo $_SESSION['security_code'];
echo $_POST['security_code'];
 
if(is_numeric($_POST['granite'])){ $type = $_POST['granite']; }else{ $error[] = 'Invalid Type Input'; }
 
$shape = array("straight", "u", "l");
if(in_array($_POST['shape'], $shape)){ $shape = $_POST['shape']; }else{ $error[] = 'Invalid Shape Input'; }
 
if(is_numeric($_POST['1'])){ $size1 = $_POST['1']; }else{ $error[] = 'Size 1 Input must be Numeric';}
if(is_numeric($_POST['2'])){ $size2 = $_POST['2']; }else{ $error[] = 'Size 2 Input must be Numeric';}
if(!empty($_POST['3'])){ if(is_numeric($_POST['3'])){ $size3 = $_POST['3']; }else{ $error[] = 'Size 3 Input must be Numeric'; }}
if(!empty($_POST['4'])){ if(is_numeric($_POST['4'])){ $size4 = $_POST['4']; }else{ $error[] = 'Size 4 Input must be Numeric'; }}
if(!empty($_POST['5'])){ if(is_numeric($_POST['5'])){ $size5 = $_POST['5']; }else{ $error[] = 'Size 5 Input must be Numeric'; }}
if(!empty($_POST['6'])){ if(is_numeric($_POST['6'])){ $size6 = $_POST['6']; }else{ $error[] = 'Size 6 Input must be Numeric'; }}
 
if(is_numeric($_POST['polcut'])){ $polcut = $_POST['polcut']; }else{ $error[]='Polished Cut Out Input must be Numeric';}
if(is_numeric($_POST['unpolcut'])){ $unpolcut = $_POST['unpolcut']; }else{ $error[]='UnPolished Cut Out Input must be Numeric';}
if(is_numeric($_POST['drainer'])){ $drainer = $_POST['drainer']; }else{ $error[]='Drainer Input must be Numeric';}
if(is_numeric($_POST['taphole'])){ $taphole = $_POST['taphole']; }else{ $error[]='Taphole Input must be Numeric';}
if(is_numeric($_POST['hobcut'])){ $hobcut = $_POST['hobcut']; }else{ $error[]='Hobcut Input must be Numeric';}
if(is_numeric($_POST['radius'])){ $radius = $_POST['radius']; }else{ $error[]='Radius Input must be Numeric';}
if(is_numeric($_POST['fullarch'])){ $fullarch = $_POST['fullarch']; }else{ $error[]='Fullarch Input must be Numeric';}
if(is_numeric($_POST['upstands'])){ $upstands = $_POST['upstands']; }else{ $error[]='Upstands Input must be Numeric';}
if(is_numeric($_POST['bevel'])){ $bevel = $_POST['bevel']; }else{ $error[]='Bevel Input must be Numeric';}
if(is_numeric($_POST['pencil'])){ $pencil = $_POST['pencil']; }else{ $error[]='Pencil Input must be Numeric';}
if(is_numeric($_POST['bullnose'])){ $bullnose = $_POST['bullnose']; }else{ $error[]='Bullnose Input must be Numeric';}
if(is_numeric($_POST['builtup'])){ $builtup = $_POST['builtup']; }else{ $error[] = 'Builtup Input must be Numeric';}
if(is_numeric($_POST['ogee'])){ $ogee = $_POST['ogee']; }else{ $error[] = 'Ogee Input must be Numeric';}
if($_POST['installation'] == 'on'){ $install = 1; }
 
if(!empty($_POST['firstname'])){ $firstname = $_POST['firstname'];}else{ $error[] = 'Name Must be set'; }
if(!empty($_POST['lastname'])){ $lastname = $_POST['lastname'];}else{ $error[] = 'Last Name Must be set'; }
if(!empty($_POST['email'])){ if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST['email'])) {
        $email = $_POST['email'];}else{ $error[] = "invalid email";     }       
}else{ $error[] = 'Email Must be set'; }
 
if(!empty($_POST['phone'])){ if(is_numeric($_POST['phone'])){ $phone = $_POST['phone']; }else{ $error[] = 'Invalid Phone';} }else{ $error[] = 'Phone Must be set'; }
if(ctype_alnum($_POST['address'])){ $address = $_POST['address']; }else{ $error[] = 'Invalid Address'; }
if(strlen($_POST['postcode']) < 8){ $postcode = $_POST['postcode']; }else{ $error[] = 'Invalid Postcode'; }
$message = preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['message']);
$submit = $_POST['submit'];
 
//END POST ITEMS
 
if(isset($submit)){
 
 
if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
unset($_SESSION['security_code']);} else {$error[] = 'Sorry, you have provided an invalid security code';}
 
    if(empty($error)){
    include('./class.quote.php');
    $quote = new quote();
    
    
    $quote->SetGranite($type);
    $quote->SetSizes($shape, $size1, $size2, $size3, $size4, $size5, $size6);
    $quote->CalculateM2();
    $quote->CalculatePrice();
    $quote->AddItem('35', $upstands);
    $quote->AddItem('29', $polcut);
    $quote->AddItem('31', $unpolcut);
    $quote->AddItem('30', $drainer);
    $quote->AddItem('32', $taphole);
    $quote->AddItem('33', $radius);
    $quote->AddItem('30', $drainer);
    $quote->AddItem('34', $fullarch);
    $quote->AddItem('24', $bevel);
    $quote->AddItem('30', $drainer);
    $quote->AddItem('25', $pencil);
    $quote->AddItem('26', $bullnose);
    $quote->AddItem('28', $builtup);
    $quote->AddItem('38', $hobcut);
    $quote->AddItem('27', $ogee);
    $quote->AddItem('39', $install);
 
    if($install == 1){ $install = 'yes'; }
    $headers  = 'MIME-Version: 1.0' . "\r\n";
    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
    $headers .= 'To: Website Enquiry <info@>' . "\r\n";
    $headers .= 'From: Website Enquiry <info@>' . "\r\n";   
 
    $q = mysql_query("SELECT * FROM pricelist WHERE code = '" . $type . "'");
 
    while($row = mysql_fetch_array($q)){$type = $row['description'];}
    
    $msg = 'Selected Granite - ' . $type . '<br/>';
    $msg .= 'Selected Shape - ' . $shape . '<br/>';
    $msg .= 'Size 1 - ' . $size1 . '<br/>';
    $msg .= 'Size 2 - ' . $size2 . '<br/>';
    $msg .= 'Size 3 - ' . $size3 . '<br/>';
    $msg .= 'Size 4 - ' . $size4 . '<br/>';
    $msg .= 'Size 5 - ' . $size5 . '<br/>';
    $msg .= 'Size 6 - ' . $size6 . '<br/>';     
 
    if($shape == 'l'){
    $size1 = $size1 / 1000; 
    $size2 = $size2 / 1000; 
    $size3 = $size3 / 1000; 
    $size4 = $size4 / 1000;             
    $msg .= 'Section A - ' . $size1 * $size2 . 'm2<br/>';
    $msg .= 'Section B - ' . $size3 * $size4 . 'm2<br/>';
    }
 
    if($shape == 'u'){
    $size1 = $size1 / 1000; 
    $size2 = $size2 / 1000; 
    $size3 = $size3 / 1000; 
    $size4 = $size4 / 1000; 
    $size5 = $size5 / 1000; 
    $size6 = $size6 / 1000; 
    $msg .= 'Section A - ' . $size1 * $size2 . 'm2<br/>';
    $msg .= 'Section B - ' . $size3 * $size4 . 'm2<br/>';
    $msg .= 'Section C - ' . $size5 * $size6 . 'm2<br/>';
    }
 
    //$msg .= 'Total:' . $quote->m2 . 'm2<br/><br/>';
 
    $msg .= 'Polished Cut Outs - ' . $polcut . '<br/>';
    $msg .= 'Unpolished Cut Outs - ' . $unpolcut . '<br/>';
    $msg .= 'Drainer - ' . $drainer . '<br/>';
    $msg .= 'Tapholes - ' . $taphole . '<br/>';
    $msg .= 'Hob Cut Outs - ' . $hobcut . '<br/>';
    $msg .= 'Radius Ends - ' . $radius . '<br/>';
    $msg .= 'Full Arch - ' . $fullarch . '<br/>';
    $msg .= 'Upstands - ' . $upstands . '<br/>';
    $msg .= 'Bevel - ' . $bevel . '<br/>';
    $msg .= 'Pencil - ' . $pencil . '<br/>';
    $msg .= 'Bullnose - ' . $bullnose . '<br/>';
    $msg .= 'Builtup - ' . $builtup . '<br/>';
    $msg .= 'Ogee - ' . $ogee . '<br/>';
    $msg .= 'Installation - ' . $install . '<br/>';
    $msg .= 'First Name - ' . $firstname . '<br/>';
    $msg .= 'Last Name - ' . $lastname . '<br/>';
    $msg .= 'Email - ' . $email . '<br/>';
    $msg .= 'Phone - ' . $phone . '<br/>';
    $msg .= 'Address - ' . $address . '<br/>';
    $msg .= 'Postcode - ' . $postcode . '<br/>';
    $msg .= 'Message - ' . $message . '<br/><br/><br/>';
    $msg .= 'Estimated Price - &pound;' . number_format($quote->price,2) . '<br/>'; 
 
    if(mail('mjo1989@gmail.com', 'Quote for Granite Worktop', $msg, $headers)){echo 'Success, We have received your enquiry!';};
    }else{
    echo '<p>Sorry, you had errors in your form submission, please go back and try again.</p>';
        foreach($error as $key=>$value){
                        echo $value . '<br/>';
                }       
        echo '<p><A HREF="javascript&#058;history.go(-1)">Click Here</A> To Go Back</p>';
        
    }
    }
?>
and class.quote.php

<?php
mysql_connect("localhost", "", "") or die(mysql_error());
mysql_select_db("nrylgbf_granite") or die(mysql_error());

class quote {

    var $size1;
    var $size2;
    var $size3;
    var $size4;
    var $size5;
    var $size6;
    var $shape;
    var $m2;
    var $price;

    function SetGranite($type){
        $this->type = $type;
    }

    function SetSizes($shape, $size1, $size2, $size3 = 0, $size4 = 0, $size5 = 0, $size6 = 0){
        $this->size1 = $size1;
        $this->size2 = $size2;
        $this->shape = $shape;
        $this->size3 = $size3;
        $this->size4 = $size4;
        $this->size5 = $size5;
        $this->size6 = $size6;
    }

    function CalculateM2(){
        $size1 = $this->size1 / 1000;
        $size2 = $this->size2 / 1000;
        $size3 = $this->size3 / 1000;
        $size4 = $this->size4 / 1000;
        $size5 = $this->size5 / 1000;
        $size6 = $this->size6 / 1000;

        if($this->shape == 'straight'){ $this->m2 = ($size1 * $size2);}
        if($this->shape == 'l'){ $this->m2 = ($size1 * $size2) + ($size3 * $size4); }
        if($this->shape == 'u'){ $this->m2 = (($size1 * $size2) + ($size3 * $size4)) + ($size5 * $size6);}
    }

    function AddItem($code, $n){
        if($n != 0){
            $query = mysql_query("SELECT * FROM `pricelist` WHERE code = '" . $code . "'");
            while($row = mysql_fetch_array($query)){
                $price = $row['price'] * $n;
            }
            $price = $this->price + $price;
            $this->price = $price;
        }
    }

    function CalculatePrice(){
        if(is_numeric($this->type)){ $type = $this->type; }else{ die(); }
        $query = mysql_query("SELECT * FROM `pricelist` WHERE code = '" . $type . "'");
        while($row = mysql_fetch_array($query)){
            $price = $row['price'] * $this->m2;
        }
        $this->price = $this->price + $price;
    }

}
?>
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: form security after injection

Post by Robert07 »

Yes, the quote class does nothing to escape the data, as I suspected, so my initial comments remain. Although it appears that the only variable used in a query is $type, which is validated as an integer, there are other variables that are transferred "as is" to the mail function. I haven't heard of a mail function being used by an attacker, but it's possible.
Regards,
Robert
thinkingforward
Forum Newbie
Posts: 5
Joined: Fri Oct 09, 2009 5:11 pm

Re: form security after injection

Post by thinkingforward »

Thanks for your feedback!:)

This is what my developer said "The only post variable interfacing with the database is granite type and that is escaped. It does have some extra validation in the new one to make sure. The rest don't go near the database or email headers as every query + mail header is hard coded to prevent injection. The unescaped items are used in calculation only. Simply put, the inputs don't get anywhere near the database or mail header."

Do you think I need to take any further action on the Form? I have just introduced Captcha to stop any bots.
My developer seems to know what he is talking about.
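The two points raised in this thread (Robert07's note that form values reach the SQL string and the mail body unescaped, and the developer's reply that only the granite code touches the database) can both be closed off in code rather than by argument. The following is an added example, not code from the thread or from the developer: it validates every field against the rules the form itself implies, binds the pricelist lookup as a prepared-statement parameter, and escapes each value before it enters the text/html mail body. Table and column names (pricelist, code, description, price) are the ones shown in the posts; the DSN, credentials and addresses are placeholders, and PHP 7.4+ with PDO is assumed.

```php
<?php
// Added example (not from the thread or the developer's code): a hardened
// version of the sendquote processing. Placeholders: DSN, USER, PASS,
// RECIPIENT, SENDER. Assumes PHP 7.4+ with the PDO MySQL driver.

// 1. Validate every field against an explicit rule. Malformed input is
//    rejected rather than "cleaned", so nothing ambiguous reaches SQL or mail.
function validateQuoteInput(array $post): array
{
    $errors = []; $clean = [];

    // granite is a pricelist code; the form only ever submits integer codes
    $granite = filter_var($post['granite'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($granite === false) { $errors[] = 'Invalid granite type'; }
    $clean['granite'] = $granite;

    // shape must be one of the three radio-button values
    $shape = $post['shape'] ?? '';
    if (!in_array($shape, ['straight', 'u', 'l'], true)) { $errors[] = 'Invalid shape'; }
    $clean['shape'] = $shape;

    // sizes 1-6 in mm: whole numbers, optional sizes default to 0
    for ($i = 1; $i <= 6; $i++) {
        $raw = trim((string) ($post[$i] ?? ''));
        if ($raw === '') { $clean["size$i"] = 0; continue; }
        $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 20000]]);
        if ($v === false) { $errors[] = "Size $i must be a whole number of mm"; }
        $clean["size$i"] = (int) $v;
    }

    // counts of extras: small non-negative integers (the form defaults them to 0)
    foreach (['polcut', 'unpolcut', 'drainer', 'taphole', 'hobcut', 'radius', 'fullarch',
              'upstands', 'bevel', 'pencil', 'bullnose', 'builtup', 'ogee'] as $f) {
        $v = filter_var($post[$f] ?? '0', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 1000]]);
        if ($v === false) { $errors[] = "$f must be a whole number"; }
        $clean[$f] = (int) $v;
    }
    $clean['install'] = (($post['installation'] ?? '') === 'on');

    // contact details: required and length-bounded; email via the built-in validator
    foreach (['firstname' => 60, 'lastname' => 60, 'phone' => 30, 'address' => 200, 'postcode' => 10] as $f => $max) {
        $v = trim((string) ($post[$f] ?? ''));
        if ($v === '' || strlen($v) > $max) { $errors[] = "$f missing or too long"; }
        $clean[$f] = $v;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'Invalid email'; }
    $clean['email'] = (string) $email;
    $clean['message'] = substr(trim((string) ($post['message'] ?? '')), 0, 2000);

    return [$errors, $clean];
}

// 2. Pricelist lookup as a prepared statement: the code is bound as a
//    parameter, never concatenated into the SQL string.
function lookupPricelist(PDO $pdo, int $code): ?array
{
    $stmt = $pdo->prepare('SELECT description, price FROM pricelist WHERE code = :code');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Mail body with every user-supplied value escaped. The thread's code sends
//    Content-type text/html, so unescaped input there is HTML injection into
//    whatever mail client reads the enquiry.
function buildMailBody(array $clean, string $graniteDescription, float $price): string
{
    $h = static fn($v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    $lines = ['Selected Granite - ' . $h($graniteDescription), 'Selected Shape - ' . $h($clean['shape'])];
    for ($i = 1; $i <= 6; $i++) { $lines[] = "Size $i - " . $clean["size$i"]; }
    foreach (['polcut', 'unpolcut', 'drainer', 'taphole', 'hobcut', 'radius', 'fullarch',
              'upstands', 'bevel', 'pencil', 'bullnose', 'builtup', 'ogee'] as $f) {
        $lines[] = ucfirst($f) . ' - ' . $clean[$f];   // already validated integers
    }
    $lines[] = 'Installation - ' . ($clean['install'] ? 'yes' : 'no');
    foreach (['firstname', 'lastname', 'email', 'phone', 'address', 'postcode', 'message'] as $f) {
        $lines[] = ucfirst($f) . ' - ' . $h($clean[$f]);
    }
    $lines[] = 'Estimated Price - &pound;' . number_format($price, 2);
    return implode('<br/>', $lines);
}

// Headers stay fully hard-coded: no request data is ever placed in a mail
// header, which is what rules out CRLF header injection through mail().
function mailHeaders(string $from): string
{
    return "MIME-Version: 1.0\r\nContent-type: text/html; charset=UTF-8\r\nFrom: Website Enquiry <$from>\r\n";
}

// Usage (placeholders): emulated prepares off so the driver binds server-side.
// $pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'USER', 'PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// [$errors, $clean] = validateQuoteInput($_POST);
// if (!$errors && ($row = lookupPricelist($pdo, $clean['granite']))) {
//     mail('RECIPIENT', 'Quote for Granite Worktop', buildMailBody($clean, $row['description'], (float) $row['price']), mailHeaders('SENDER'));
// }
```

With validation done up front and the only query parameterised, the developer's claim that "inputs don't get anywhere near the database or mail header" becomes something the code enforces rather than something it happens to be true of; the CAPTCHA check from the second sendquote.php slots in before validateQuoteInput() unchanged.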