So what protects PHP from "PHP injection attacks"?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Glowing Face Man
Forum Newbie
Posts: 7
Joined: Fri Oct 16, 2009 3:56 pm

So what protects PHP from "PHP injection attacks"?

Post by Glowing Face Man »

Hi everyone, new to the boards.

I was just wondering, why isn't php injection a danger like SQL injection is?

We all know, if you put in a line like

Code:

$query=mysql_query("SELECT * FROM list WHERE name='".$_GET["name"]."'");
then people can screw you up by sending, say,
'; DELETE FROM list
as the "name" :|

But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php

Why wouldn't that also screw you up?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: So what protects PHP from "PHP injection attacks"?

Post by John Cartwright »

mysql_query() can only run one query at a time; this is a design feature. However, you always want to pass your input through mysql_real_escape_string() or cast to an integer.
But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php
It will not evaluate PHP, it is only sending an SQL string to mysql.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: So what protects PHP from "PHP injection attacks"?

Post by Eric! »

It is vulnerable like SQL. But it's called cross site scripting (XSS).

Here's a quick example

Say you have an echo like this on your page
echo $_SERVER['PHP_SELF']; // no filtering of the user data

And someone goes to your page with
http://example.com/testpage.php?%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

They get to run their stuff on your server. (In this example a harmless <script>alert('xss')</script> ) But they can steal session data or do other nasty things.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: So what protects PHP from "PHP injection attacks"?

Post by Christopher »

First, you should at minimum do:

Code:

$query=mysql_query("SELECT * FROM list WHERE name='".mysql_real_escape_string($_GET["name"])."'");
No variable should go into SQL without being escaped. That gets rid of people trying to close a quote and inject SQL.
Glowing Face Man wrote: But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php

Why wouldn't that also screw you up?
That would not be a valid variable name. HTTP and PHP would change it. The other big injection problem is user-submitted values that contain HTML -- especially JavaScript.
(#10850)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: So what protects PHP from "PHP injection attacks"?

Post by kaisellgren »

By "PHP Injection Attacks", you are probably referring to RCE (i.e., Remote Code Execution). That can't happen in the code you have shown us. Try it yourself if you don't believe me. However, something like this would be obviously vulnerable to RCE attacks:

Code:

<?php
 
exec($_GET['e']);
Usually situations are not this simple when RCE vulnerabilities are found. Search Google for "php remote code execution vulnerability" if you would like to see where these problems often occur.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: So what protects PHP from "PHP injection attacks"?

Post by Mordred »

A small "visualization" aid in the matter:
(Unescaped) user input in a function that executes SQL queries --> SQL injection
(Unescaped) user input in a function that outputs html --> XSS
(Unescaped) user input in a function that executes PHP code --> Code execution
(etc)
TheOnly92
Forum Newbie
Posts: 19
Joined: Thu Jan 15, 2009 6:05 am

Re: So what protects PHP from "PHP injection attacks"?

Post by TheOnly92 »

Well, basically you don't take the user's input and execute it as PHP code, so you won't have to worry about "PHP injections". Unless you do something like eval($_POST['blabla']), and now that could be dangerous.
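
Added example, not part of the thread or any poster's code: the strings quoted in the posts above, passed through each kind of sink in Mordred's list with the handling that sink needs. The table layout, the sample row and the helper name countByName are assumptions made for the illustration, and it needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Illustration only: constructed table and sample row, in-memory SQLite.

// Hypothetical helper: look up a name through a bound parameter.
function countByName(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM list WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE list (name TEXT)');
$db->exec("INSERT INTO list (name) VALUES ('alice')");

// The two "name" values from the original question.
$phpLooking = '\'"); unlink("index.php';
$sqlLooking = "'; DELETE FROM list";

// 1. Building a PHP string: concatenation copies bytes and never re-parses
//    them as PHP, so unlink() is not called. Only the SQL text is altered.
$concatenated = "SELECT * FROM list WHERE name='" . $phpLooking . "'";
echo "SQL text that concatenation would send:\n  ", $concatenated, "\n";

// 2. SQL sink: a bound parameter keeps the value out of the SQL grammar,
//    so both strings are compared as plain names and match nothing.
echo 'Matches for the PHP-looking value: ', countByName($db, $phpLooking), "\n";
echo 'Matches for the SQL-looking value: ', countByName($db, $sqlLooking), "\n";
$rows = (int) $db->query('SELECT COUNT(*) FROM list')->fetchColumn();
echo 'Rows still in the table: ', $rows, "\n";

// 3. HTML sink: encode for the output context before echoing.
$markup = "<script>alert('xss')</script>";
echo htmlspecialchars($markup, ENT_QUOTES, 'UTF-8'), "\n";

// 4. Code sink: eval(), exec() and friends are where a request value would
//    become PHP code or a shell command. Nothing in this script calls them.
```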