server blocking script - sql injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

Hi guys,

Having a bit of a problem getting this form to work. It's basically an adding page for a CMS, but depending on what sort of text you enter into one of the fields, it generates an SQL injection and this is blocked by the server, so I can't get the form to submit.

I've escaped just about everything, but I'm running out of ideas. It would be great if someone could point me in the direction of where I'm going wrong.

Here's my code:

// pick the sub-section from whichever field the user filled in
switch ($_POST['which'])
{
	case 'user':
		$sub_section = mysql_real_escape_string($_POST['newSubSection']);
	break;
	case 'preset':
		$sub_section = mysql_real_escape_string($_POST['search']);
	break;
}
$title   = mysql_real_escape_string($_POST['title']);
$summary = mysql_real_escape_string(nl2br($_POST['summary']));
$article = mysql_real_escape_string(nl2br($_POST['article']));
$cleanI  = mysql_real_escape_string($_FILES['image']['name']);
$image   = mysql_real_escape_string($_POST['s'] . "-" . $sub_section . "-" . $_FILES['image']['name']);
$orient  = mysql_real_escape_string($_POST['whichway']);
$date    = mysql_real_escape_string($_POST['date_year'] . $_POST['date_month'] . $_POST['date_day']);

$newCover = 0;
if ($_POST['submit'] == "add" && $title != NULL && $sub_section != NULL)
{
	// $_POST['s'] is spliced in as the table name; escaping only deals with
	// quotes inside string values, it does nothing for an identifier
	$isCov = "SELECT * FROM " . mysql_real_escape_string($_POST['s']) . " WHERE cover = 1";
	$findCov = mysql_query($isCov);
	// if a cover page already exists and the box is ticked, clear the old flag
	if (mysql_num_rows($findCov) == 1 && mysql_real_escape_string($_POST['isChecked']) == 1)
	{
		$blnkCov = "UPDATE " . mysql_real_escape_string($_POST['s']) . " SET cover=0 WHERE cover =1";
		$wipe = mysql_query($blnkCov);
		$newCover = 1;
	}
	else
	{
		$newCover = 0;
	}

	// the news table has an extra date column, the others do not
	if($_POST['s'] == "news"){
		$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,date,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $date . "','" . $summary . "','" . $article . "','";
		if($cleanI != NULL){
		  $sql .= $image;
		}
		$sql .= "','" . $newCover . "','" . $orient . "')"; // was $cover, which is never set
	}else{
		$sql = "INSERT INTO " . mysql_real_escape_string($_POST['s']) . " (sub_section,title,summary,article,image,cover,oreintation) VALUES ('" . $sub_section . "','" . $title . "','" . $summary . "','" . $article . "','";
		if($cleanI != NULL){
		  $sql .= $image;
		}
		$sql .= "','" . $newCover . "','" . $orient . "')"; // was $cover, which is never set
	}

	$query = mysql_query($sql);

	// $_POST['s'] also picks the upload directory
	if ($cleanI != NULL)
	{
			move_uploaded_file($_FILES['image']['tmp_name'], "bg_images/" . $_POST['s'] . "/" . $image)
			or die("Could not copy " . $image . "<br/>");
	}

	if(mysql_affected_rows() == 1)
	{
		$link = "admin.php";
		echo "Success.<br/>The New Page entitled <strong>" . $title . "</strong> has been added to the section <strong>" . ucwords(str_replace("_"," ",$_POST['s'])) . "</strong>.";
		if ($newCover == 1)
		{
			echo "<br/>This item is also the new <strong>cover page</strong>.";
		}
		echo "<br/><br/><br/><a class=\"box\" href=\"admin.php?s=" . $_POST['s'] . "\"><img src=\"images/submit.jpg\" alt=\"proceed\" border=\"0\" /></a>";
	}
	else
	{
		echo "The database has not been updated.";
	}
}
Thanks in advance guys.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'm going to guess it hates $_POST['s']?
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

yupppp got it in one chief.

you think if I just make vars out of the SGAs (POST, GET etc.) it will like me better? :D
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Not in the slightest. Why are you accepting user submitted information to choose the table, directly?
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

It's not user submitted information, it's a var that comes from the URL telling the page which table to update.
Obviously this var has such a limited scope that, in order to use it once the form has been submitted, I need to store it somewhere (in hidden fields).

I'm starting to notice that this probably isn't the best way to do this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Considering it is $_POST['s'], that denotes that it came from a form submission. This form submission is entirely user controlled, and therefore a user can choose to insert data into any table they wish that the user you are logging into the database can insert records into... Be very careful.
mikeeeeeeey
Forum Contributor
Posts: 130
Joined: Mon Jul 03, 2006 4:17 am
Location: Huddersfield, UK

Post by mikeeeeeeey »

ahhhhh right.
that is rather silly, I should probably fix this.

the only problem is...where do I store this? in a session? hmm....
I shall try the session.

unless you have any other suggestions, thanks feyd. you're like my fairy code-mother :D
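An added example (not code from the thread) of the fix feyd is pointing at: the section key can keep travelling in the hidden field, but it is resolved against a fixed whitelist before it is used as a table or directory name, and the values go through a prepared statement. Column names are taken from Mike's INSERT; the PDO connection details and the second 'features' section are assumptions.

```php
<?php
// Added example, not the thread's code. Form value => real table name.
// Anything not listed is rejected before it reaches SQL or the filesystem.
const SECTION_TABLES = [
    'news'     => 'news',
    'features' => 'features',   // assumed second section
];

// Returns our own literal table name for a submitted section key, or null.
function resolveSectionTable(string $section): ?string
{
    return SECTION_TABLES[$section] ?? null;
}

// Inserts one page. The identifier is a literal from the whitelist and every
// user-supplied value is bound, so no form input ends up in the SQL text.
function insertPage(PDO $db, string $section, array $row): bool
{
    $table = resolveSectionTable($section);
    if ($table === null) {
        throw new InvalidArgumentException('Unknown section');
    }
    $sql = "INSERT INTO `$table` (sub_section, title, summary, article, image, cover, oreintation)"
         . " VALUES (:sub_section, :title, :summary, :article, :image, :cover, :orient)";
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':sub_section' => $row['sub_section'],
        ':title'       => $row['title'],
        ':summary'     => nl2br($row['summary']),
        ':article'     => nl2br($row['article']),
        ':image'       => $row['image'],
        ':cover'       => (int) $row['cover'],
        ':orient'      => $row['orient'],
    ]);
}

// Assumed DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=cms', 'cms_user', 'secret',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Validate the hidden field once; the resolved name then drives both the
// INSERT and the upload directory, so neither can be steered by the form.
$table = resolveSectionTable($_POST['s'] ?? '');
if ($table === null) { http_response_code(400); exit('Unknown section'); }
$imageName = basename($_FILES['image']['name'] ?? '');
$ok = insertPage($db, $_POST['s'], [
    'sub_section' => $_POST['newSubSection'], 'title' => $_POST['title'],
    'summary' => $_POST['summary'], 'article' => $_POST['article'],
    'image' => $imageName, 'cover' => 0, 'orient' => $_POST['whichway'],
]);
if ($ok && $imageName !== '') {
    move_uploaded_file($_FILES['image']['tmp_name'], "bg_images/$table/$imageName");
}
```

With this shape the hidden field is harmless, because the only thing it can do is select one of the names you wrote yourself; the session is no longer needed just to keep the table name away from the client.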