n00b at security, need help securing script

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


adamb10
Forum Commoner
Posts: 91
Joined: Sat Jun 24, 2006 7:44 pm


Post by adamb10 »

Hello. :)

I'm not that good with security, first and foremost. Typically I let everything submitted go straight to the database without any trimming or any of the fancy security stuff...

Example...


if (session_is_registered('ub2')) {

    // Vulnerable original: every variable is spliced straight into the SQL
    // text with nothing but the surrounding single quotes around it.
    mysql_query("UPDATE colors SET `bodybg`='".$bodybknd."', `bodybgimage`='".$bodybgimage."', `fontfamily`='".$bodyfontfamily."', `fontsize`='".$bodyfontsize."', `font`='".$bodyfontcolor."',"
        . " `link`='".$link."', `visitedlink`='".$visitedlink."', `activelink`='".$activelink."', `hoverlink`='".$hoverlink."',"
        . " `titlebg`='".$titlebg."', `titlebgimage`='".$titlebgimage."', `titlefont`='".$titlefont."', `titlefontsize`='".$titlefontsize."', `titlefontfamily`='".$titlefontfamily."',"
        . " `windowbg`='".$windowbg."', `windowbgimage`='".$windowbgimage."', `windowfontfamily`='".$windowfontfamily."', `windowfontsize`='".$windowfontsize."', `windowfont`='".$windowfont."',"
        . " `window2bg`='".$window2bg."', `window2bgimage`='".$window2bgimage."', `window2fontfamily`='".$window2fontfamily."', `window2fontsize`='".$window2fontsize."', `window2font`='".$window2font."',"
        . " `border`='".$border."'") or print(mysql_error());

    success('Colors saved Successfully!  Click <a href="?action=admin">here</a> to return to the admin area.');
} else {
    error('You do not have permission to view this page because:<br>
    <b>You are not logged in</b>');
}
Obviously the code is screaming "hack me", so I want to prevent that. I know about trim() and mysql_real_escape_string() (though I'm not sure how to use it), but I want to employ more security measures that won't bog the script down like trim() and mysql_real_escape_string() can.

Thanks!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

At the very least, encapsulate every one of your variables in the query with..


mysql_real_escape_string();
adamb10
Forum Commoner
Posts: 91
Joined: Sat Jun 24, 2006 7:44 pm

Post by adamb10 »

Hmmm, so I'd have to input every variable in the function?
Do I do this before the data is written to the DB?</stupid question>

And Yes I have read the manual on this function on php.net.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »


<?php
// Every value is escaped immediately before it is spliced into the SQL text,
// and each escaped value sits between single quotes: mysql_real_escape_string()
// only protects a quoted string literal. It also needs an open mysql_connect()
// link, so call it after connecting.
if (session_is_registered('ub2'))
{
    mysql_query("UPDATE colors SET `bodybg`='" . mysql_real_escape_string($bodybknd)
                ."', `bodybgimage`='" . mysql_real_escape_string($bodybgimage)
                ."', `fontfamily`='" . mysql_real_escape_string($bodyfontfamily)
                ."', `fontsize`='" . mysql_real_escape_string($bodyfontsize)
                ."', `font`='" . mysql_real_escape_string($bodyfontcolor)
                ."', `link`='". mysql_real_escape_string($link)
                ."', `visitedlink`='" . mysql_real_escape_string($visitedlink)
                ."', `activelink`='" . mysql_real_escape_string($activelink)
                ."', `hoverlink`='" . mysql_real_escape_string($hoverlink)
                ."', `titlebg`='" . mysql_real_escape_string($titlebg)
                ."', `titlebgimage`='" . mysql_real_escape_string($titlebgimage)
                ."', `titlefont`='" . mysql_real_escape_string($titlefont)
                ."', `titlefontsize`='" . mysql_real_escape_string($titlefontsize)
                ."', `titlefontfamily`='" . mysql_real_escape_string($titlefontfamily)
                ."', `windowbg`='" . mysql_real_escape_string($windowbg)
                ."', `windowbgimage`='" . mysql_real_escape_string($windowbgimage)
                ."', `windowfontfamily`='" . mysql_real_escape_string($windowfontfamily)
                ."', `windowfontsize`='" . mysql_real_escape_string($windowfontsize)
                ."', `windowfont`='" . mysql_real_escape_string($windowfont)
                ."', `window2bg`='" . mysql_real_escape_string($window2bg)
                ."', `window2bgimage`='" . mysql_real_escape_string($window2bgimage)
                ."', `window2fontfamily`='" . mysql_real_escape_string($window2fontfamily)
                ."', `window2fontsize`='" . mysql_real_escape_string($window2fontsize)
                ."', `window2font`='" . mysql_real_escape_string($window2font)
                ."', `border`='" . mysql_real_escape_string($border)
                ."'") or print(mysql_error());
   
    success('Colors saved Successfully!  Click <a href="?action=admin">here</a> to return to the admin area.');
} else {
    error('You do not have permission to view this page because:<br /><b>You are not logged in</b>');
} 
?>
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

You could use a for loop, or a foreach if you put the values in an array or something.
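Putting Benjamin's and daedalus__'s suggestions together, here is an added example (not code from the thread) that rebuilds adamb10's UPDATE from a fixed whitelist of column names and escapes every value in one loop. It assumes a mysql_connect() link is already open (mysql_real_escape_string() needs it to know the connection's character set), that the form posts each value under the column's own name, that $_SESSION['ub2'] marks a logged-in admin, and that success() and error() are the poster's own output helpers. Note that session_is_registered() was removed in PHP 5.4 and the whole mysql_* extension in PHP 7.0, so this only runs on PHP 5.

```php
<?php
// Added example; not code from the thread. It rebuilds adamb10's UPDATE so that
// the column list is a fixed whitelist and every value is escaped in one loop.
// Assumptions: a mysql_connect() link is already open (mysql_real_escape_string()
// needs it to know the connection's character set), the form posts each value
// under the column's own name, $_SESSION['ub2'] marks a logged-in admin, and
// success() and error() are the poster's own output helpers.

// Only these columns can ever be written. The column names never come from
// the request, so the identifier side of the query cannot be injected.
$color_columns = array(
    'bodybg', 'bodybgimage', 'fontfamily', 'fontsize', 'font',
    'link', 'visitedlink', 'activelink', 'hoverlink',
    'titlebg', 'titlebgimage', 'titlefont', 'titlefontsize', 'titlefontfamily',
    'windowbg', 'windowbgimage', 'windowfontfamily', 'windowfontsize', 'windowfont',
    'window2bg', 'window2bgimage', 'window2fontfamily', 'window2fontsize', 'window2font',
    'border',
);

// Returns the UPDATE statement, or false if none of the whitelisted fields
// was submitted (so we never run "UPDATE colors SET" with an empty list).
function build_color_update(array $columns, array $input)
{
    $set = array();
    foreach ($columns as $column) {
        if (!isset($input[$column]) || is_array($input[$column])) {
            continue;                       // missing or malformed field: skip it
        }
        $value = trim($input[$column]);     // trim first, escape last
        // The single quotes are not optional: mysql_real_escape_string() only
        // protects a value that sits inside a quoted string literal.
        $set[] = '`' . $column . "`='" . mysql_real_escape_string($value) . "'";
    }
    if (empty($set)) {
        return false;
    }
    return 'UPDATE colors SET ' . implode(', ', $set);
}

session_start();
if (!isset($_SESSION['ub2'])) {
    error('You do not have permission to view this page because:<br /><b>You are not logged in</b>');
} else {
    $sql = build_color_update($color_columns, $_POST);
    if ($sql !== false && mysql_query($sql)) {
        success('Colors saved successfully! Click <a href="?action=admin">here</a> to return to the admin area.');
    } else {
        // Keep mysql_error() in the server log. Echoing it to the browser, as
        // "or print(mysql_error())" does, hands an attacker your table and
        // column names.
        error_log('colors update failed: ' . mysql_error());
        error('Colors could not be saved.');
    }
}
```

Two things worth checking in your own copy: the original code calls success() even when the query fails, because `or print(mysql_error())` only prints and does not stop the script, and it sends the database error text to the browser. The loop above fails closed and logs the error instead.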
adamb10
Forum Commoner
Posts: 91
Joined: Sat Jun 24, 2006 7:44 pm

Post by adamb10 »

Thanks, now that I know that's all I have to do I'll incorporate it into everything. :)
adamb10
Forum Commoner
Posts: 91
Joined: Sat Jun 24, 2006 7:44 pm

Post by adamb10 »

If I wanted to use trim, I'd just do the same thing as above? (e.g. trim(mysql_real_escape_string($windowbg)))
biz0r
Forum Newbie
Posts: 13
Joined: Mon Oct 27, 2003 3:21 pm
Location: Houston, TX

Post by biz0r »

adamb10 wrote:If I wanted to use trim, I'd just do the same thing as above? (e.g. trim(mysql_real_escape_string($windowbg)))
I typically use trim before escaping the string, and just before I sanitize the data, ex:


// Example usage of trim() and mysql_real_escape_string()

$temp = trim($_REQUEST['name']);   // quote the key: a bare name is an undefined constant
$id   = (int) $id;                 // WHERE id=... is unquoted, so force it to an integer

if ($temp != '') {
    mysql_query('UPDATE table_name SET name="' . mysql_real_escape_string($temp) . '" WHERE id=' . $id);
}
There are more robust ways of handling this for all submitted data, this was just a short example.
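One of the "more robust ways" biz0r refers to is a prepared statement, where the values travel separately from the SQL text and no quoting step can be forgotten. The following is an added example, not biz0r's code: it keeps the trim-then-check order and the skip-empty rule from his snippet, forces the id to an integer (his WHERE clause concatenated $id raw), and uses mysqli instead of the mysql_* functions. It assumes a table_name(id INT, name VARCHAR) table and the connection details shown, and reads the fields from $_POST rather than $_REQUEST.

```php
<?php
// Added example; not biz0r's code. Same UPDATE as his snippet, but with the
// value bound through a mysqli prepared statement instead of being escaped
// and concatenated. Assumptions: table_name(id INT, name VARCHAR) exists and
// the connection details below are replaced with real ones.

function update_name(mysqli $db, $id, $name)
{
    $name = trim($name);            // strip whitespace before the empty check
    if ($name === '') {
        return false;               // same rule as the original: skip empty names
    }
    $id = (int) $id;                // a non-numeric id becomes 0 and matches nothing

    $stmt = $db->prepare('UPDATE table_name SET name = ? WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return false;
    }
    // 's' = string, 'i' = integer. The values are sent separately from the
    // SQL text, so there is no quoting step that can be forgotten.
    $stmt->bind_param('si', $name, $id);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Assumed connection details; replace with your own.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    error_log('connect failed: ' . $db->connect_error);
    die('Database unavailable.');
}
$db->set_charset('utf8');           // escaping and binding depend on the connection charset

if (isset($_POST['id'], $_POST['name'])) {
    if (update_name($db, $_POST['id'], $_POST['name'])) {
        echo 'Name saved.';
    } else {
        echo 'Name not saved.';
    }
}
```

The (int) cast matters even with a prepared statement: bind_param() with 'i' will coerce whatever it is given, but casting up front makes the intent visible and keeps a string like "1 OR 1=1" from ever being considered an id. As in the earlier example, database errors go to the server log, not to the browser.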