PHP Security Help (New to PHP)

Posted: Wed Apr 21, 2010 2:32 pm
by Fosco999
I was reading the security section of my PHP book where it talks about security, and my book doesn't explain how malicious users exploit the code they talk about, so I have some questions. On my site I have code like what they talk about here:

<form action="process.php" method="POST">
Color:
<select name="color">
<option value="red">red</option>
</select>
<input type="submit" />
</form>

It says that if I don't filter this input that it is vulnerable to attack (under certain circumstances I'm guessing). How can this be exploited?

Fosco

(The book I am using is the O'Reilly Programming PHP 2nd Ed.)

Re: PHP Security Help (New to PHP)

Posted: Wed Apr 21, 2010 3:40 pm
by Christopher
The problem depends on what you do with the value for color. If you use it in SQL or display it in an HTML page then SQL or XSS injection can happen. You should 1) filter input variables so they are the type and contain only the characters you allow, and 2) properly escape them when using them. Databases have their own database-specific escaping functions.

Re: PHP Security Help (New to PHP)

Posted: Wed Apr 21, 2010 5:10 pm
by mecha_godzilla
You should also read up on XSRF (cross-site request forgery) as this is related to XSS exploits and is potentially(?) more dangerous.

Going back to XSS, the following site gives a good example of how a form can be abused if you don't validate your input properly:

http://www.acunetix.com/websitesecurity/xss.htm

You could also try Googling 'xss examples' for more code - most of the examples I've heard about exploit the image tag in web forums (loading JavaScript where the image file reference should be as a way to steal cookies or 'read' the page) though this might now be well-known enough to be of historic interest only. As a general rule, you should always assume that the user (or their browser, or whoever's hijacked their account) cannot be trusted under any circumstances and therefore that your server scripts are all that stands between them and a site compromise. If you haven't already done so, look at how PHP functions like preg_replace, strip_tags and addslashes can help validate user input then post some code up on this forum to get feedback from other users - exploit that natural desire that everybody has to tell you what you've done wrong to your own advantage!

HTH,

Mecha Godzilla

Re: PHP Security Help (New to PHP)

Posted: Thu Apr 22, 2010 10:01 am
by kaisellgren
Listen to Christopher: the type of problems occurring from your code depends on what you do afterward with your "color". Passing the color value into an SQL query without escaping leads to an SQL injection. Outputting it directly to a user makes you vulnerable to XSS attacks. Placing it within email headers makes you vulnerable to header injections. Using the color as part of some shell command makes you vulnerable to command injections.

mecha_godzilla wrote: You should also read up on XSRF (cross-site request forgery) as this is related to XSS exploits

XSRF, or CSRF, is almost the opposite of XSS. Rather than exploiting the site's trust in the client software, the attacker (and possibly his malicious page) exploits the trust a user has for a particular site.
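
Added example (not code from any poster in this thread or from the book): a sketch of how process.php could apply the filter-then-escape approach that Christopher and kaisellgren describe to the color field. The allowed values, the function names, the sample inputs and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example; ALLOWED_COLORS, validate_color() and the prefs table are assumptions.
const ALLOWED_COLORS = ['red', 'green', 'blue'];

// Filter: accept only a string that exactly matches a value the form offers.
function validate_color($raw): ?string
{
    if (!is_string($raw)) {   // a request can send color[]=x, which arrives as an array
        return null;
    }
    return in_array($raw, ALLOWED_COLORS, true) ? $raw : null;
}

// Escape for the HTML context at the moment of output.
function html($value): string
{
    return htmlspecialchars(is_string($value) ? $value : gettype($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs. In process.php the value would be $_POST['color'] ?? null;
// a <select> only limits what a browser offers, not what a request can contain.
$samples = ['red', '<b>red</b>', "red' --", "red\r\nX-Test: 1", ['red']];

$pdo = new PDO('sqlite::memory:');   // assumption: the pdo_sqlite extension is loaded
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prefs (color TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO prefs (color) VALUES (:color)');

foreach ($samples as $raw) {
    $color = validate_color($raw);
    if ($color === null) {
        echo 'rejected: ', html($raw), "\n";
        continue;
    }
    $insert->execute([':color' => $color]);   // SQL context: bound parameter
    echo 'stored: ', html($color), "\n";      // HTML context: escaped on output
    // Shell context would use escapeshellarg($color); for e-mail headers, the
    // allow-list has already excluded CR and LF.
}

echo 'rows stored: ', $pdo->query('SELECT COUNT(*) FROM prefs')->fetchColumn(), "\n";
```

Run from the command line with php; only the first sample passes the allow-list, so a single row is stored.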