What is protecting my code against injection?
Posted: Wed Oct 21, 2009 3:09 pm
by hoffhoff
Hello,
I am a newbie to PHP, but I know the concepts of SQL Injection, Header Injection and many other kinds of injection.
Well, I wrote this simple script:
<body>
<?php
// The GET parameter is printed exactly as received, with no escaping.
$nome = $_GET['nome'];
print $nome;
?>
</body>
Then when I called the URL:
http://myserver/index.php?nome=test'test
The result was:
test\'test
I didn't apply any filter, but something was putting that "\" before the quotation mark.
It also cut off the <script> tag when I tried to insert it.
What is applying this protection? PHP? Apache?
I am running WAMP 1.7.4, with PHP version 5.2.3 and Apache 2.2.4.
Thanks!
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 3:27 pm
by John Cartwright
It's called magic quotes. They are evil and deprecated.
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 3:42 pm
by hoffhoff
Oh, so this is the infamous magic quotes.
I once read an article by Chris Shiflett on how to hack it for injection.
So it is better to turn it off then.
Is addslashes secure?
I've read this article:
http://shiflett.org/blog/2006/jan/addsl ... ape-string
I was able to inject SQL in an example on the web using addslashes, but I tried it on my server and it didn't work.
Did they fix the addslashes problem in the newer versions of PHP? (actually my version is not "new", but anyways... )
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 3:48 pm
by John Cartwright
As far as preventing SQL injections, you simply need to use mysql_real_escape_string(), as quotes are not the only thing you have to worry about (which is explained in the manual).
So no, as far as preventing SQL injection addslashes() is not ideal.
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 4:17 pm
by hoffhoff
Ok, thank you very much John!
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 5:20 pm
by Eric!
hoffhoff wrote: I am a newbie to PHP, but I know the concepts of SQL Injection, Header Injection and many other kinds of injection.
Your script is wide open to cross-site scripting hacks. Google XSS and PHP, especially if you plan on echoing or printing user input directly to the browser. Header injection is done to send emails directly from your server, but unless your script passes user data to the mail() function, header injection isn't an issue.
Re: What is protecting my code against injection?
Posted: Wed Oct 21, 2009 6:17 pm
by Christopher
Use htmlspecialchars() to escape output going to the browser.
Re: What is protecting my code against injection?
Posted: Thu Oct 22, 2009 5:47 am
by hoffhoff
Yeah, I tried some XSS. The <script tag is blocked, but it is easily bypassed by substituting the "s" with its hex value ¬¬
The script whose security I am testing is very simple. It runs inside my company's network, and it was made to keep track of what each worker is working on. So it just records the name and the description of the work in the database. The problem is that this page can be accessed from the internet, and I was afraid that someone from outside could find a way into our network.
All the fields saved in the database are strings, so I couldn't really find a way to bypass the quotation mark to make a SQL Injection. Anyway, I will apply htmlspecialchars() and mysql_real_escape_string() and disable PHP magic quotes to avoid problems in the future.
Thanks to everyone for the information.
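The three measures hoffhoff lists in the last post, worked through in PHP as an added example (not code from the thread): undoing magic quotes, escaping output with htmlspecialchars(), and keeping the input out of the SQL text. It swaps in a PDO prepared statement for the mysql_real_escape_string() the thread recommends and assumes the pdo_sqlite extension is available so it runs offline.

```php
<?php
// Added example, not hoffhoff's script or anyone's code from the thread:
// the three measures the last post lists (undo magic quotes, escape output,
// keep input out of the SQL), applied to a "name + description" record.
declare(strict_types=1);

// 1. Magic quotes: on PHP < 5.4 with magic_quotes_gpc=On, every GET/POST
//    value already carries backslashes (the "test\'test" the OP saw).
//    Strip them so later escaping is not doubled; on PHP 8 the function
//    no longer exists, hence the guard.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Output escaping (Christopher's advice): ENT_QUOTES also encodes the
//    single quote, and the explicit charset avoids encoding mismatches.
//    Since '<' and '>' themselves are encoded, no tag survives however
//    its name is spelled.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 3. SQL: the thread recommends mysql_real_escape_string(), which needs a
//    live MySQL connection and is gone since PHP 7. This example uses a PDO
//    prepared statement instead (a swapped-in technique, not from the
//    thread): the value is bound, never spliced into the SQL text.
//    Assumes the pdo_sqlite extension so it runs offline.
function store_work(PDO $db, string $name, string $description): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS work (name TEXT, description TEXT)');
    $stmt = $db->prepare('INSERT INTO work (name, description) VALUES (:n, :d)');
    $stmt->execute([':n' => $name, ':d' => $description]);
    // Return what was actually stored, to show the quote and tag are intact.
    $row = $db->query('SELECT name FROM work ORDER BY rowid DESC LIMIT 1');
    return (string) $row->fetchColumn();
}

// Constructed input standing in for $_GET['nome'] in the OP's URL.
$raw = undo_magic_quotes("test'test<script>alert(1)</script>");
$db  = new PDO('sqlite::memory:');
echo 'stored : ', store_work($db, $raw, 'demo'), PHP_EOL;
echo 'browser: ', html_escape($raw), PHP_EOL;
```

The stored value keeps the raw quote and tag (escaping is an output concern, not a storage one), while the browser line shows them neutralised as entities.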