Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
i have been using this simple search form script for a long time. no problems.... yet. just want to ask if its secure enough from php/sql injections or any malicious input? any suggestion to make it safer/secure? thanks.
<?
$country = $_POST["country"];
// if page is not submitted to itself echo the form
if (!isset($_POST['submit'])) {
?>
<form method="POST" action="<? echo $PHP_SELF; ?>">
<p><b>SEARCH</b> a City or Country <input type="text" name="country" size="32"><p>
<p><br>
<!--[if IE]><input type="text" style="display: none;" disabled="disabled" size="1" /><![endif]-->
<input type="submit" value="submit" name="submit"><input type="reset" value="Reset" name="B2"></p>
</form>
<?
} else {
?>
<? if($_POST['country'] == "")
{
header("location: myscript.php?error=1");
exit;
}
$db_host = '';
$db_user = '';
$db_pass = '';
$db_name = '';
$db_table = '';
$conn = mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db($db_name,$conn);
$result = mysql_query ("SELECT * FROM houses
INNER JOIN houses2
ON houses2.JurisCode = houses.juris_code
WHERE country_en LIKE '%$country%'
AND endofhouse = ' '
OR city LIKE '%$country%'
ORDER BY JurisCode ASC, city ASC",$conn);
$totalrows = mysql_num_rows($result);
if ($row = mysql_fetch_array($result)) {
do {
// prints the output of the search
XSS. The variable is submitted by the client. You don't need to supply the "action" attribute, or at least sanitize it with basename(), or use something like __FILE__ or "#".
$result = mysql_query ("SELECT * FROM houses
INNER JOIN houses2
ON houses2.JurisCode = houses.juris_code
WHERE country_en LIKE '%$country%'
AND endofhouse = ' '
OR city LIKE '%$country%'
ORDER BY JurisCode ASC, city ASC",$conn);
SQL injection. You need to escape any data that goes to your database. Use mysql_real_escape_string().
I am afraid that your register_globals is on. Normaly the $PHP_SELF is auto-created when register_globals is on. If it is on then it is a security risk. You better turn it off and follow kaisellgren suggestions.
That would fix the SQL injection. Note though, if you wish to be able to match the literate _ or %, they will be treated as meta-characters inside the LIKE unless you escape them. Addclashes() can be used to escape them:
will that solve the xss issue? by the way, the code ONLY will run inside a joomla website, the user will never see the filename.php (the php script) since what they see is a basic joomla web add, something like: http://mydomain.org/index.php?option=co ... &Itemid=98
will that make it safer? and even if they guess the filename like http://mydomain.org/filename.php (the php script), the user will only see a page with RESTRICTED ACCESS. what do you think?
it is included via a joomla plugin called Includephp. i just put the filename.php in a folder (even outside my joomla installation, which only myself knows the folder name). in joomla i just create a normal article then inlude my php file like this:
{phpfile}/path/to/php/filename.php{/phpfile}
when the user clicks the link to that page, they will never see the path to it even with page source.