PHP Security Help (New to PHP)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Fosco999
Forum Newbie
Posts: 1
Joined: Wed Apr 21, 2010 2:19 pm

PHP Security Help (New to PHP)

Post by Fosco999 »

I was reading the security section of my PHP book where it talks about security, and my book doesn't explain how malicious users exploit the code they talk about, so I have some questions. On my site I have code like what they talk about here:

<form action="process.php" method="POST">
Color:
<select name="color">
<option value="red">red</option>
</select>
<input type="submit" />
</form>

It says that if I don't filter this input that it is vulnerable to attack (under certain circumstances I'm guessing). How can this be exploited?

Fosco

(The book I am using is the O'Reilly Programming PHP 2nd Ed.)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Security Help (New to PHP)

Post by Christopher »

The problem depends on what you do with the value for color. If you use it in SQL or display it in an HTML page then SQL or XSS injection can happen. You should 1) filter input variables so they are the type and contain only the characters you allow, and 2) properly escape them when using them. Databases have their own database-specific escaping functions.
(#10850)
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: PHP Security Help (New to PHP)

Post by mecha_godzilla »

You should also read up on XSRF (cross-site request forgery) as this is related to XSS exploits and is potentially(?) more dangerous.

Going back to XSS, the following site gives a good example of how a form can be abused if you don't validate your input properly:

http://www.acunetix.com/websitesecurity/xss.htm

You could also try Googling 'xss examples' for more code - most of the examples I've heard about exploit the image tag in web forums (loading JavaScript where the image file reference should be as a way to steal cookies or 'read' the page) though this might now be well-known enough to be of historic interest only. As a general rule, you should always assume that the user (or their browser, or whoever's hijacked their account) cannot be trusted under any circumstances and therefore that your server scripts are all that stands between them and a site compromise. If you haven't already done so, look at how PHP functions like preg_replace, strip_tags and addslashes can help validate user input then post some code up on this forum to get feedback from other users - exploit that natural desire that everybody has to tell you what you've done wrong to your own advantage!

HTH,

Mecha Godzilla
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Security Help (New to PHP)

Post by kaisellgren »

Listen to Christopher: the type of problems occurring from your code depends on what you do afterward with your "color". Passing the color value into an SQL query without escaping leads to an SQL injection. Outputting it directly to a user makes you vulnerable to XSS attacks. Placing it within email headers makes you vulnerable to header injections. Using the color as part of some shell command makes you vulnerable to command injections.
mecha_godzilla wrote: You should also read up on XSRF (cross-site request forgery) as this is related to XSS exploits
XSRF, or CSRF, is almost the opposite of XSS. Rather than exploiting the site's trust in the client software, the attacker (and possibly his malicious page) exploits the trust a user has for a particular site.
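
The two steps from the replies above (filter the input, then escape it for the place it is used), applied to the color form, as an added example that is not code from the book or from any poster in this thread. It assumes PHP 8 with the pdo_sqlite extension; the names filter_color, html, save_color, ALLOWED_COLORS, the choices table and the extra colors are hypothetical, and it uses bound parameters in place of the database-specific escaping functions mentioned above.

```php
<?php
declare(strict_types=1);

// Assumed option list; the form on this page only shows "red".
const ALLOWED_COLORS = ['red', 'green', 'blue'];

/** Step 1, input filtering: accept only values the <select> could legitimately send. */
function filter_color(mixed $raw): ?string
{
    // A request can carry color[]=x, which PHP delivers as an array, so check the type first.
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_COLORS, true) ? $raw : null;
}

/** Step 2, output escaping for an HTML context (element content or a quoted attribute). */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Step 2 for the SQL sink: the value travels as a bound parameter, never as query text. */
function save_color(PDO $db, string $color): void
{
    $stmt = $db->prepare('INSERT INTO choices (color) VALUES (:color)');
    $stmt->execute([':color' => $color]);
}

// Constructed sample values standing in for $_POST['color']; the browser's
// <select> does not constrain what a hand-built request can send.
$samples = ['red', 'purple', '<script>alert(1)</script>', "x' OR '1'='1", ['red']];

$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE choices (color TEXT NOT NULL)');

foreach ($samples as $raw) {
    $color = filter_color($raw);
    if ($color === null) {
        // Rejected input is still escaped before being echoed back.
        echo 'rejected: ' . html(is_string($raw) ? $raw : '(non-string value)') . "\n";
        continue;
    }
    save_color($db, $color);
    echo 'stored:   ' . html($color) . "\n";
}
echo 'rows: ' . $db->query('SELECT COUNT(*) FROM choices')->fetchColumn() . "\n";
```

The allow-list does not replace the escaping: a value that passes the filter today is still escaped at each sink, so adding a new allowed value later cannot reopen the hole.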