What is protecting my code against injection?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

hoffhoff
Forum Newbie
Posts: 4
Joined: Wed Oct 21, 2009 2:43 pm

What is protecting my code against injection?

Post by hoffhoff »

Hello,
I am a newbie on PHP, but I know the concepts of SQL injection, header injection and many other injection techniques.

Well, I wrote this simple script:

<body>
<?php
// Reads the 'nome' query parameter and prints it back unmodified (no escaping).
$nome = $_GET['nome'];
print $nome;
?>
</body>
Then when I called the URL:

http://myserver/index.php?nome=test'test

The result was:

test\'test

I didn't apply any filter, but something was putting that "\" before the quotation mark.
It also cut off the <script> tag when I tried to insert it.
What is applying this protection? PHP? Apache?

I am running WAMP 1.7.4, with PHP version 5.2.3 and Apache 2.2.4.

Thanks!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: What is protecting my code against injection?

Post by John Cartwright »

It's called magic quotes. They are evil and deprecated.
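As an added example (not code from the thread), the guard below detects magic_quotes_gpc at runtime and undoes it, so a script sees the raw request data whether or not the setting is on. It assumes only the standard PHP functions named in it; on PHP without magic quotes (5.4 and later) the guard simply does nothing. The real fix is still to switch the setting off in php.ini (`magic_quotes_gpc = Off`) or, for Apache with mod_php, in .htaccess (`php_flag magic_quotes_gpc Off`).

```php
<?php
// Added example: detect magic quotes and strip the backslashes they add to
// $_GET, $_POST and $_COOKIE so the rest of the script works on raw input.

function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8.0, so test for it first;
    // the @ silences the deprecation notice PHP 7.4 emits.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Recursively reverse addslashes() on a scalar or a nested array of values.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

if (magic_quotes_active()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Demonstration on a constructed value, independent of the actual request.
$raw    = "test'test";
$quoted = addslashes($raw);             // what magic quotes would have produced: test\'test
var_dump(strip_magic_quotes($quoted) === $raw); // bool(true)
```

Stripping the slashes restores the data; it does not make the data safe. Escaping still has to happen at the point of use, with the escaper for that context (the database driver's for SQL, htmlspecialchars() for HTML).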
hoffhoff
Forum Newbie
Posts: 4
Joined: Wed Oct 21, 2009 2:43 pm

Re: What is protecting my code against injection?

Post by hoffhoff »

Oh, so this is the infamous magic quotes.
I once read an article by Chris Shiflett on how to hack it for injection.

So it is better to turn it off then.

Is addslashes secure?

I've read this article:
http://shiflett.org/blog/2006/jan/addsl ... ape-string

I was able to inject SQL in an example on the web using addslashes, but I tried it on my server and it didn't work.

Did they fix the addslashes problem in the newer versions of PHP? (Actually my version is not "new", but anyway...)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: What is protecting my code against injection?

Post by John Cartwright »

As far as preventing SQL injections, you simply need to use mysql_real_escape_string(), as quotes are not the only thing you have to worry about (which is explained in the manual).

So no, as far as preventing SQL injection addslashes() is not ideal.
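The following added example (not code from the thread) makes John's point concrete: addslashes() is a generic string function, while escaping rules belong to the database driver, and a prepared statement removes the need to escape at all. It assumes PDO with the SQLite driver is available and uses an in-memory database, so it runs without a MySQL server; the table and the input values are constructed for the demo. PDO::quote() stands in for mysql_real_escape_string() as the driver-aware escaper.

```php
<?php
// Added example: four ways of putting "O'Brien" into a query, against an
// in-memory SQLite database via PDO (constructed schema and data).

function attempt(PDO $pdo, $label, $sql, array $params = array())
{
    try {
        $stmt = $pdo->prepare($sql);   // syntax errors surface here as exceptions
        $stmt->execute($params);
        return "$label: ok";
    } catch (PDOException $e) {
        return "$label: rejected (" . $e->getMessage() . ")";
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE work (worker TEXT, description TEXT)");

$worker = "O'Brien";        // constructed input containing a quote
$desc   = "data entry";

// 1. Raw interpolation: the quote ends the literal early and the statement
//    fails; a crafted value would instead change what the query does.
echo attempt($pdo, 'interpolated', "INSERT INTO work VALUES ('$worker', '$desc')"), "\n";

// 2. addslashes() yields O\'Brien. MySQL happens to accept \' as an escaped
//    quote, but SQLite (like standard SQL) does not, so this is still a syntax
//    error. The escaping rule is the database's, not the string function's.
$w = addslashes($worker);
echo attempt($pdo, 'addslashes', "INSERT INTO work VALUES ('$w', '$desc')"), "\n";

// 3. Driver-aware quoting: PDO::quote() knows this connection's rules
//    (it doubles the quote for SQLite), as mysql_real_escape_string() does for MySQL.
$sql = "INSERT INTO work VALUES (" . $pdo->quote($worker) . ", " . $pdo->quote($desc) . ")";
echo attempt($pdo, 'PDO::quote', $sql), "\n";

// 4. Prepared statement: the data never becomes part of the SQL text, so there
//    is nothing to escape and no charset trick can reopen the quote.
echo attempt($pdo, 'prepared', "INSERT INTO work VALUES (?, ?)", array($worker, $desc)), "\n";

// The two successful inserts stored the name intact, quote included.
$rows = $pdo->query("SELECT worker FROM work")->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === array("O'Brien", "O'Brien")); // bool(true)
```

Cases 3 and 4 both succeed here; the difference is that case 3 still depends on the escaper knowing the connection's character set (the weakness Shiflett's article is about), whereas case 4 does not.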
hoffhoff
Forum Newbie
Posts: 4
Joined: Wed Oct 21, 2009 2:43 pm

Re: What is protecting my code against injection?

Post by hoffhoff »

Ok, thank you very much John!
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: What is protecting my code against injection?

Post by Eric! »

hoffhoff wrote: I am a newbie on PHP, but I know the concepts of SQL injection, header injection and many other injection techniques.

Your script is wide open to cross-site scripting attacks. Google XSS and PHP, especially if you plan on echoing or printing user input directly to the browser. Header injection is used to send emails directly from your server, but unless your script passes user data to the mail() function, header injection isn't an issue.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: What is protecting my code against injection?

Post by Christopher »

Use htmlspecialchars() to escape output going to the browser.
hoffhoff
Forum Newbie
Posts: 4
Joined: Wed Oct 21, 2009 2:43 pm

Re: What is protecting my code against injection?

Post by hoffhoff »

Yeah, I tried some XSS. The <script> tag is blocked, but it is easily bypassed by substituting the "s" with its hex value ¬¬

The script whose security I am testing is very simple. It runs inside my company's network, and it was made to track what each worker is working on. So it just records the name and the description of the work in the database. The problem is that this page can be accessed from the internet, and I was afraid that someone from outside could find a way into our network.
All the fields saved in the database are strings, so I couldn't really find a way to bypass the quotation mark to make a SQL injection. Anyway, I will apply htmlspecialchars() and mysql_real_escape_string() and disable PHP magic quotes to avoid problems in the future.

Thanks to everyone for the information.
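Added example (not code from the thread) for Christopher's htmlspecialchars() advice and for the blacklist bypass hoffhoff describes: an output-encoding helper that encodes every character able to start a tag or end an attribute, so the spelling of the tag name no longer matters. The helper name h() and the sample inputs are constructed for the demo.

```php
<?php
// Added example: encode user data for the HTML body and attribute contexts.

function h($value)
{
    // ENT_QUOTES encodes single quotes too, which matters inside attribute
    // values; an explicit charset keeps multibyte input from confusing the encoder.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render the same value in both contexts the original script could use.
function render_name($name)
{
    return '<p>Name: ' . h($name) . "</p>\n"
         . '<input type="text" name="nome" value="' . h($name) . "\">\n";
}

// Constructed samples: the quote from the thread, a plain script tag, and a
// value that would close the attribute and add a new one if left unencoded.
$samples = array(
    "test'test",
    "<script>alert(1)</script>",
    "\" title=\"injected",
);

foreach ($samples as $s) {
    $encoded = h($s);
    echo $encoded, "\n";   // e.g. &lt;script&gt;alert(1)&lt;/script&gt;
    // No raw <, >, " or ' survives, so nothing can open a tag or leave the attribute,
    // regardless of how the tag name was spelled or obfuscated.
    var_dump(strpbrk($encoded, '<>"\'') === false); // bool(true)
    echo render_name($s);
}
```

htmlspecialchars() is the right escaper for HTML text and quoted attribute values only; data placed inside a script block, a URL or a CSS value needs the encoder for that context instead.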