Page 1 of 1

is this code safe from injection attack

Posted: Sat Oct 24, 2009 1:41 am
by sirTemplar
i have been using this simple search form script for a long time. no problems.... yet. just want to ask if its secure enough from php/sql injections or any malicious input? any suggestion to make it safer/secure? thanks.

Code: Select all

 
<?
$country = $_POST["country"];
 
 
// if page is not submitted to itself echo the form
if (!isset($_POST['submit'])) {
    
?>
 
<form method="POST" action="<? echo $PHP_SELF; ?>">
    <p><b>SEARCH</b> a City or Country <input type="text" name="country" size="32"><p>
    <p><br>
    <!--[if IE]><input type="text" style="display: none;" disabled="disabled" size="1" /><![endif]-->
    <input type="submit" value="submit" name="submit"><input type="reset" value="Reset" name="B2"></p>
 
</form>
 
<?
    } else {
?>
<? if($_POST['country'] == "")
{
header("location: myscript.php?error=1");
exit;
}
 
 
$db_host  = ''; 
$db_user  = ''; 
$db_pass  = ''; 
$db_name  = '';
$db_table = ''; 
$conn = mysql_connect($db_host,$db_user,$db_pass); 
mysql_select_db($db_name,$conn);  
 
 
 
 
$result = mysql_query ("SELECT * FROM houses 
    INNER JOIN houses2 
    ON houses2.JurisCode = houses.juris_code
    WHERE country_en LIKE '%$country%'
    AND endofhouse = ' '
    OR city LIKE '%$country%'   
    ORDER BY JurisCode ASC, city ASC",$conn);    
 
$totalrows = mysql_num_rows($result);
 
if ($row = mysql_fetch_array($result)) {  
 
do {  
// prints the output of the search
 

Re: is this code safe from injection attack

Posted: Sat Oct 24, 2009 5:33 am
by kaisellgren
sirTemplar wrote:

Code: Select all

<form method="POST" action="<? echo $PHP_SELF; ?>">
XSS. The variable is submitted by the client. You don't need to supply the "action" attribute, or at least sanitize it with basename(), or use something like __FILE__ or "#".
sirTemplar wrote:

Code: Select all

$result = mysql_query ("SELECT * FROM houses 
    INNER JOIN houses2 
    ON houses2.JurisCode = houses.juris_code
    WHERE country_en LIKE '%$country%'
    AND endofhouse = ' '
    OR city LIKE '%$country%'   
    ORDER BY JurisCode ASC, city ASC",$conn);    
SQL injection. You need to escape any data that goes to your database. Use mysql_real_escape_string().

Re: is this code safe from injection attack

Posted: Sat Oct 24, 2009 6:42 pm
by leonel.machava

Code: Select all

<form method="POST" action="<? echo $PHP_SELF; ?>">
I am afraid that your register_globals is on. Normaly the $PHP_SELF is auto-created when register_globals is on. If it is on then it is a security risk. You better turn it off and follow kaisellgren suggestions.

Re: is this code safe from injection attack

Posted: Mon Oct 26, 2009 3:47 am
by sirTemplar
what if i put:

Code: Select all

$country = mysql_real_escape_string ($_POST["country"]);

Re: is this code safe from injection attack

Posted: Tue Oct 27, 2009 5:45 am
by kaisellgren
sirTemplar wrote:what if i put:

Code: Select all

$country = mysql_real_escape_string ($_POST["country"]);
That would fix the SQL injection. Note though, if you wish to be able to match the literate _ or %, they will be treated as meta-characters inside the LIKE unless you escape them. Addclashes() can be used to escape them:

Code: Select all

$a = '%_';
echo addcslashes('%_',$a);

Re: is this code safe from injection attack

Posted: Tue Oct 27, 2009 8:51 am
by sirTemplar
i don't think i need this anyway. i just want them to input a country name or city here. so basic a-z letters will do.

i now have

Code: Select all

action="#">
will that solve the xss issue? by the way, the code ONLY will run inside a joomla website, the user will never see the filename.php (the php script) since what they see is a basic joomla web add, something like:
http://mydomain.org/index.php?option=co ... &Itemid=98

will that make it safer? and even if they guess the filename like http://mydomain.org/filename.php (the php script), the user will only see a page with RESTRICTED ACCESS. what do you think?

Re: is this code safe from injection attack

Posted: Tue Oct 27, 2009 9:15 am
by kaisellgren
sirTemplar wrote:i now have

Code: Select all

action="#">
will that solve the xss issue?
Yes, it's XSS free.

Is the "filename.php" included?

Re: is this code safe from injection attack

Posted: Tue Oct 27, 2009 9:33 am
by sirTemplar
it is included via a joomla plugin called Includephp. i just put the filename.php in a folder (even outside my joomla installation, which only myself knows the folder name). in joomla i just create a normal article then inlude my php file like this:

{phpfile}/path/to/php/filename.php{/phpfile}

when the user clicks the link to that page, they will never see the path to it even with page source.