handling my url Help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am


Post by Van »

Hi there, I have a problem and I don't know if it affects site security or not.

I have a URL address to my PHP page like this:

http://localhost/learning/view_lessons.php?sub_id=1

The page works very well anyway, but when I add / or %5c or backslashes,
like this: http://localhost/learning/view_lessons.php?sub_id=1\
I get errors:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\php1-7\www\learning\view_lessons.php on line 7

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\easyphp1-7\www\learning\view_lessons.php on line 175

Also, when adding %5C to my URL like this:
http://localhost/learning%5cview_lessons.php?sub_id=1

I will get no images in my page and no styles as well. Everything will be a mess.

So if a visitor to my site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens, or get information from the errors that will appear... Does anyone have a solution to this? Thanks in advance.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

If you show the code of your script we can help some more. It's probably a query without proper escaping.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

mysql_real_escape_string() anything before putting it in the querystring!
Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am

Post by Van »

Okay, here's the code:

Code:

// Script fragment as posted (closing brace of the outer if restored).
// $ss_id goes into the query unescaped; that is the problem being discussed.
if (isset($_GET['sub_id'])) {
    $ss_id = $_GET['sub_id'];
    $select = mysql_query("select * from subjects where id='$ss_id'");
    // mysql_query() returns false when the query is malformed, which is what
    // makes mysql_num_rows() emit the "not a valid MySQL result resource" warning
    $chapternumber = mysql_num_rows($select);
    if ($chapternumber != 0) {
        while ($field = mysql_fetch_array($select)) {
            $n = $field['sub_name'];
        }
    } else {
        $n = "Subject not found";
    }
}
It tells me that there's an error on the mysql_num_rows because the value of sub_id hasn't been posted due to invalid URL characters, but when I remove the characters that I added to the URL it works pretty well. My problem is when visitors add the characters I mentioned above.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Right. $ss_id needs to be escaped.

Code:

// escape the value before it is interpolated into the SQL string
$ss_id = mysql_real_escape_string($_GET['sub_id']);
I would recommend that you look into using a DB class. You'll find it a lot easier to work with.
Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am

Post by Van »

Thanks very much man, it works now. But I still have something also related to the URL: it's when adding %5C instead of the / slash in the URL,

http://localhost/learning%5Cview_lessons.php?sub_id=1
the result is:

no error reports, it's OK now.
no images appear, no styles.


Thanks
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

That's because you're using relative directory names like img.gif and ../img.gif. If you make them absolute, it'll work.
Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am

Post by Van »

Please show me a simple example of absolute directory paths.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

It has a slash at the beginning: /this/is/absolute.php
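An added illustration, not code from the thread, of why the relative references break: the browser resolves img.gif against the directory part of the page's path, and in /learning%5cview_lessons.php the only / is the first one, so the base directory becomes /. This is a simplified, path-only version of RFC 3986 reference resolution; the page path is assumed to start with /.

```php
<?php
// Simplified RFC 3986 "merge" + "remove dot segments", path component only.
// Assumes $pagePath begins with '/'.
function resolve_relative(string $pagePath, string $ref): string
{
    if ($ref !== '' && $ref[0] === '/') {
        return $ref;                       // already absolute: base is ignored
    }
    // The base directory is everything up to the page's last '/'.
    // For "/learning%5cview_lessons.php" that last '/' is the first one,
    // because %5c is not a path separator to the browser.
    $dir = substr($pagePath, 0, strrpos($pagePath, '/') + 1);

    $segments = [];
    foreach (explode('/', $dir . $ref) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);          // step up one directory
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

// Constructed cases mirroring the thread's URLs.
$cases = [
    ['/learning/view_lessons.php',   'img.gif'],           // /learning/img.gif
    ['/learning%5cview_lessons.php', 'img.gif'],           // /img.gif (404)
    ['/learning/sub/page.php',       '../css/style.css'],  // /learning/css/style.css
    ['/learning%5cview_lessons.php', '/learning/img.gif'], // /learning/img.gif
];
foreach ($cases as [$page, $ref]) {
    printf("%-30s + %-18s => %s\n", $page, $ref, resolve_relative($page, $ref));
}
```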
Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am

Post by Van »

Thanks, I made it absolute and everything is OK. But I'm still having problems filtering the URL address, as I said; I need something to filter or escape specific URL characters and prevent the mess caused by characters added to my URL, such as:

I can escape these characters only if they are added to the GET variables at the end of the URL string, using the function you gave me (mysql_real_escape_string).

But when added in this form

http://localhost/learning%5cview_lesson ... esson_id=2

(%5C represents a backslash in the URL encoding table)
I will get no images and no styles. In addition to this,
when clicking any link in the page after adding these characters the URL will be

http://localhost/view_lessons.php?lesson_id=2 (the learning directory has gone from the URL)

and finally I will get
This page cannot be displayed
HTTP 404 - File not found


I WANT A SOLUTION to get rid of these characters. :cry:
%2e%5c%2e%2e%5c%2e%2e%5c%2e

Character   URL Encoded
Space       %20
"           %22
#           %23
%           %25
&           %26
(           %28
)           %29
+           %2B
,           %2C
/           %2F
:           %3A
;           %3B
<           %3C
=           %3D
>           %3E
?           %3F
@           %40
\           %5C
|           %7C

Thanks in advance.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

Also, another fix for your original question, you could use the following:

Code:

if (isset($_GET['sub_id'])) {
    // Casting to int keeps only a leading integer, so backslashes, quotes
    // or %5C in the parameter can never reach the query text
    $ss_id = (int)$_GET['sub_id'];
    $select = mysql_query("select * from subjects where id='$ss_id'");
    $chapternumber = mysql_num_rows($select);
    if ($chapternumber != 0) {
        while ($field = mysql_fetch_array($select)) {
            $n = $field['sub_name'];
        }
    } else {
        $n = "Subject not found";
    }
}
For future reference, unless someone disagrees with the above way of handling the issue, you also might find useful the following code snippet, taken from the mysql_real_escape_string() page in the manual, for escaping data before an SQL query.

Code:

function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}
Once again, if anyone disagrees with the above snippet, please let me know! :)
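A hardened version of the lookup, added here as an example and not code from William, Van or the PHP manual: it validates sub_id as a positive integer with filter_var() and binds it to a PDO prepared statement, so the value never becomes part of the SQL text, and a missing row is handled explicitly instead of surfacing as a warning that prints a server path like c:\easyphp1-7\www. The database name and credentials are placeholders.

```php
<?php
/**
 * Returns the subject name for a sub_id, or null when the id is missing,
 * malformed, or not in the table. The raw value is never put into the SQL.
 */
function subject_name(PDO $pdo, array $get): ?string
{
    // 1. Validate: sub_id must be a positive integer. Anything else
    //    (a trailing backslash, %5C, quotes, extra SQL) is rejected here.
    $id = filter_var($get['sub_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterise: the value travels separately from the SQL text,
    //    so quoting is the driver's job rather than string concatenation.
    $stmt = $pdo->prepare('SELECT sub_name FROM subjects WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // 3. Handle the empty result explicitly instead of letting a failed
    //    query turn into a mysql_num_rows() warning that leaks file paths.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['sub_name'];
}

// Usage. Connection details are placeholders, not the thread's real config.
$pdo = new PDO('mysql:host=localhost;dbname=learning', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$n = subject_name($pdo, $_GET) ?? 'Subject not found';
// Escape on output as well, since sub_name ends up in the HTML page.
echo htmlspecialchars($n, ENT_QUOTES, 'UTF-8');
```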
Van
Forum Newbie
Posts: 9
Joined: Thu Nov 23, 2006 6:35 am

Post by Van »

Thanks for the help, really good work. All problems solved except one.
stripslashes() or addslashes() works, but I need functions to replace or fix characters like %5C, %26; all those characters corrupt the page and may be used to bypass passwords. This issue is also very famous in ASP.NET and has been solved there; I need a solution in PHP!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Look at my post above.