Hacking Prevention on Forms!!!!!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

Hacking Prevention on Forms!!!!!

Post by FireElement »

I just found, by thinking too much as I do, a very easy way to hack forms! Now I'm telling you not so you can go round hacking, although it's funny for you to smurf up people's sites to show their crap coding... maybe? But why bother!!

Anyway, this is a simple way to do it, just so you can prevent this in the future!

Code:

<html>
<head>
</head>
<body>

<!-- the attacker's own copy of the form: the select box is replaced by a free-text input, so any value at all can be sent to the real handler -->
<form name="tipsForm" action="http://www.domain.com" method="POST">
<input name="selectbox-name" type="text">
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
Basically, if someone has not checked the value in the select box. For example, you check using PHP with something like:

Code:

if ($_POST['nameofselectbox'] == "null" || $_POST['nameofselectbox'] == "") {
   // error message code: this only catches an empty field, it never checks that the value is one the select box actually offered
}
Say the site relies heavily on these values being correct, else it could make the site start behaving strangely or even screw it up. Then you should always check that anything is correct, even if you think it can't be changed on the user side. In the select box case you just check the value equals one that is in the select box. Or if it's, say, something like a date selected off a div and you made the box read-only, but they sent a stupid date and your validation doesn't check because you think the user can't edit it: well, they can do that!!!

So I just thought I would point out: always make sure everything is validated where a select field is used or a read-only box! Just a note!

Security is everything ;)

I am not in any way saying hack a site using this, and anything you do after this point with this information is not my liability! Just in case! :twisted:
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I've tried re-reading your post a few times and do not see anything involving hacking at all, just bad coding.

Secure code never *ever* trusts user input (even from administrative users). You always validate the data. You always make sure all form values you require are filled out, you make sure all values given are values that you allow, and you make sure that data is usable before using it.

By the way, NULL data is not the same as the string "null", and there's already a function for checking for empty, NULL, or unset data at the same time:

Code:

if (empty($_POST['foo']))
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

??

Post by FireElement »

It was just an example.

It's NULL in PHP, not null, and the point was that bad validating code can lead to mistakes in a site!

So validate all information passed from a form that is redistributed to the same form, to a new form, or to an SQL database, where the form has select boxes. It was just a note: make sure you check all fields that are select boxes properly. null is a string, NULL is empty.

http://uk3.php.net/manual/en/function.unset.php

Anyways it was just a note.
Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Re: ??

Post by Josh1billion »

I think we all do appreciate what you're trying to teach us here, but most of us do already know about what you're saying. ;) Beginners to PHP will definitely benefit from what you're teaching though. I'll help you out by giving a couple of pointers/corrections in regards to the code you posted.
FireElement wrote:null is a string NULL is empty.
To make a small correction so you know in the future: "null" (with quotes) is a string, and null (without quotes) is empty. The quotation marks are what dictates whether it's a string or not, so if you want to make sure something isn't null (empty), you would want to do...

Code:

if ($something != null)
I'm not 100% sure, but I don't think capitalization matters. If I'm wrong and it does, make sure you have NULL instead of null in my example.

And to give you a little heads-up regarding your first post, when dealing with select boxes, you should check the value against specific values rather than just against null. Because the users can actually create their own form if they're clever (it's easy to do) and put in their own box selections... to put this in practical terms, if you only want your user to select from Apple, Orange, and Banana in your listbox, you better make sure your PHP code is checking to see that the user didn't somehow select Grape or Pear!

The way that a clever user/hacker would choose Grape or Pear in that case would be by writing his own HTML form, and then having that form submit to your PHP script. It's a very simple process, as you can see.

So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
That way, if the user chose something that didn't really exist in your form, like "Grape" or "Pear" (by using their own form), it would stay as the default "Apple". This is much safer than just going "$fruit = $_GET['fruit'];"
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

I read in a tutorial

Post by FireElement »

I read somewhere that JavaScript was null and PHP was NULL.... I never thought of testing it; I just assumed they were sure.

Thanks for the coding tip. I would have to do a while loop there and check it against my SQL list of categories and then post it if it matched. Not too hard, except if I wanted to check it was one from a nested select box. Then I would have to check that the select box value was under the right category, and so on. That way they can't post the wrong category to a different one.

Like you said, except chucking in a call from the SQL database.

Also I was trying to work out a way in which to check the selection of a select box on the user side without using JavaScript...

I just thought of maybe putting everything in one select box, but this is, one, not the most user-friendly approach and, two, the reason I have chained select boxes is so the user has to make all the selections. Hmmm, maybe I will do this in a noscript...

I just decided... to make my current site just for JavaScript users, as mostly I am using it as a base for learning. I will make sure my future site is 100% working without JavaScript, but at the moment my current site will not publish a form if JavaScript is not working, or should I say not enabled.
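An added example, not code from FireElement or any other poster in this thread: the server-side check the first post asks for (a select box value and a "read-only" date field) together with the chained-select case from the post above, where the sub-option must belong to the chosen category. The CATEGORIES array is a constructed stand-in for the SQL category table FireElement mentions, and the function names are this example's own.

```php
<?php
// Added example: not code from this thread. Server-side validation of a
// chained select (category -> item) and of a readonly date field.
// CATEGORIES is a constructed stand-in for a database category table.

declare(strict_types=1);

const CATEGORIES = [
    'fruit'     => ['Apple', 'Orange', 'Banana'],
    'vegetable' => ['Carrot', 'Leek'],
];

/**
 * Returns [category, item] only when both are real options and the item is
 * listed under that category. Anything else (missing key, array instead of
 * string, unknown category, item from a different category) returns null.
 */
function validateChainedSelect(array $post): ?array
{
    // A forged form can omit fields or send category[]=x to turn a string into an array.
    if (!isset($post['category'], $post['item'])
        || !is_string($post['category']) || !is_string($post['item'])) {
        return null;
    }
    $category = $post['category'];
    $item     = $post['item'];

    if (!array_key_exists($category, CATEGORIES)) {
        return null;
    }
    // Strict comparison: the submitted string must match an option byte for byte.
    if (!in_array($item, CATEGORIES[$category], true)) {
        return null;
    }
    return [$category, $item];
}

/**
 * The readonly attribute only restrains the browser's own widget; on the
 * wire the field is free text. Accept one real calendar date, YYYY-MM-DD,
 * inside the window the form is allowed to pick from.
 */
function validateDate($raw, string $min, string $max): ?string
{
    if (!is_string($raw) || !preg_match('/^\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    // createFromFormat() silently rolls 2024-02-30 over to 2024-03-01; the
    // round trip through format() catches that.
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    // ISO dates order correctly as plain strings.
    if ($raw < $min || $raw > $max) {
        return null;
    }
    return $raw;
}

// Constructed submissions: a real one, and two a hand-written form could send.
$samples = [
    'browser'  => ['category' => 'fruit',     'item' => 'Apple', 'when' => '2024-05-01'],
    'forged'   => ['category' => 'vegetable', 'item' => 'Apple', 'when' => '2024-02-30'],
    'as_array' => ['category' => ['fruit'],   'item' => 'Apple', 'when' => '2024-05-01'],
];
foreach ($samples as $name => $post) {
    echo $name, ': ';
    var_dump(validateChainedSelect($post), validateDate($post['when'], '2024-01-01', '2024-12-31'));
}
```

The point of returning the pair only after both lookups succeed is that a value can be a real option and still be wrong for the request: 'Apple' is in the table, but not under 'vegetable'. When the options live in SQL, the same check becomes a query for the item id constrained by the category id, not a query for the item alone.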
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: ??

Post by feyd »

Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: ??

Post by jmut »

feyd wrote:
Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.
I would do

Code:

$fruit = isset($_GET['fruit']) ? $_GET['fruit'] : '';
$allowedFruits = array('Apple', 'Orange', 'Banana');
// third argument true: strict comparison, no type juggling between the submitted value and the list
if (!in_array($fruit, $allowedFruits, true)) {
    $fruit = 'Apple';
}
Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm

Re: ??

Post by Josh1billion »

feyd wrote:
Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.
Same thing, really. I come from the world of C++ where switch'ing your strings will get you 5 to 10 years.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Yes, if you know the values you're expecting..

Code:

if (isset($_GET['value']) && in_array($_GET['value'], array('value1', 'value2', 'value3', 'etc..'), true))
{
    //go ahead
} else
{
    die('oopsie, you tried to forge my form');
}
Saves a lot of lines.
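An added example, not code from s.dot, jmut or anyone else in the thread: the in_array() allow-list from the posts above, with the two details that matter once the value comes from a forged form rather than a browser. It goes a little beyond the posts by also handling a checkbox group, which arrives as an array. The option values, function names and sample inputs are constructed for this example.

```php
<?php
// Added example: not code from this thread. The in_array() allow-list with
// strict comparison, canonical return values, and array (checkbox) input.

declare(strict_types=1);

// Option values as they appear in the HTML. Numeric strings are common when
// the option value is a database id.
const ALLOWED_IDS = ['10', '20', '30'];

/**
 * Loose in_array() compares two numeric strings as numbers, so '1e1',
 * '10.0' and ' 10' all "equal" '10'. The strict flag makes it a byte
 * comparison. Returning the canonical value from the list, never the raw
 * input, means whatever spelling the sender used cannot reach the rest of
 * the code.
 */
function pickOne($raw): ?string
{
    if (!is_string($raw)) {          // ?value[]=10 arrives as an array
        return null;
    }
    $i = array_search($raw, ALLOWED_IDS, true);
    return $i === false ? null : ALLOWED_IDS[$i];
}

/**
 * Checkbox groups (name="ids[]") arrive as an array. Validate the shape,
 * cap the count, and keep only allowed, de-duplicated values. One bad
 * entry rejects the whole submission.
 */
function pickMany($raw, int $max = 10): ?array
{
    if (!is_array($raw) || count($raw) > $max) {
        return null;
    }
    $out = [];
    foreach ($raw as $v) {
        $canon = pickOne($v);
        if ($canon === null) {
            return null;
        }
        if (!in_array($canon, $out, true)) {
            $out[] = $canon;
        }
    }
    return $out;
}

// Constructed inputs: what a browser sends, and what a hand-built form can send.
var_dump(in_array('1e1', ALLOWED_IDS));        // loose comparison, numeric strings compared as numbers
var_dump(in_array('1e1', ALLOWED_IDS, true));  // strict comparison
var_dump(pickOne('10'), pickOne('1e1'), pickOne(['10']));
var_dump(pickMany(['10', '30', '10']), pickMany(['10', 'x']), pickMany('10'));
```

The canonical-value habit also closes the gap in the die() version above: even when the check passes, the code that follows should use the value from the allow-list, not $_GET['value'] again.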
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

Post by FireElement »

ianhull wrote:I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.
wooo thanks will look in to that!
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

Post by FireElement »

scottayy wrote:Yes, if you know the values you're expecting..

Code:

if (isset($_GET['value']) && in_array($_GET['value'], array('value1', 'value2', 'value3', 'etc..'), true))
{
    //go ahead
} else
{
    die('oopsie, you tried to forge my form');
}
Saves a lot of lines.
Haha, "you tried to forge my form"! Haha, I would probably have gone down the lines of "please click a link to receive your virus! Have a nice day!"

Much more fun to scare them, or better: "you have now received a virus, have a nice day!"

Obviously they haven't, but they won't come back just in case, or try it out! haha...
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

All PHP keywords, classes, functions and methods are case insensitive. Some valid PHP:

Code:

fOrEach($a as $b) { IF ($a == NuLl) breAK; }
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

FireElement wrote:
ianhull wrote:I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.
wooo thanks will look in to that!
Don't make any major decisions if that comparison returns false... HTTP_REFERER is not reliable.
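An added example, not code from ianhull, aaronhall or anyone else in this thread: ianhull's Referer check done carefully, why it still cannot prove the form came from your site, and a per-session form token that can. The token scheme is not something the thread itself proposes; it is the standard replacement for the Referer check. The function names, the headers in the sample request and the session array layout are this example's own.

```php
<?php
// Added example: not code from this thread. A careful Referer comparison,
// and a single-use form token as the check that a forged form cannot pass.

declare(strict_types=1);

/**
 * Compare the host part of the Referer with HTTP_HOST. Comparing the whole
 * Referer URL against the bare host name would never match. Returns null
 * when no Referer was sent at all: browsers, proxies and privacy settings
 * strip it routinely, so absence is not evidence of forgery.
 */
function refererMatchesHost(array $server): ?bool
{
    if (empty($server['HTTP_REFERER'])) {
        return null;
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false;
    }
    // HTTP_HOST may carry a port; strip it. Note that HTTP_HOST is the
    // client's Host header too, unless the web server validates it.
    $host = strtolower(explode(':', (string) ($server['HTTP_HOST'] ?? ''))[0]);
    return strtolower($refHost) === $host;
}

// Both headers are written by the client. A hand-built form or a script can
// send "Referer: http://www.domain.com/form.php" and pass the check above,
// so the result is a hint at best. What a forger cannot supply is a secret
// that only your server and the genuine form page ever saw.

function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));       // CSPRNG, 256 bits
    $session['form_token'] = $token;
    return $token; // emit as <input type="hidden" name="token" value="..."> in the real form
}

function verifyFormToken(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);            // single use: a replayed token fails
    if (!is_string($expected) || !is_string($post['token'] ?? null)) {
        return false;
    }
    return hash_equals($expected, $post['token']); // constant-time comparison
}

// Constructed requests and a plain array standing in for $_SESSION.
$server = ['HTTP_HOST' => 'www.domain.com:8080',
           'HTTP_REFERER' => 'http://www.domain.com/form.php'];
var_dump(refererMatchesHost($server));                          // header says whatever the client chose
var_dump(refererMatchesHost(['HTTP_HOST' => 'www.domain.com'])); // no Referer at all

$session = [];
$token = issueFormToken($session);
var_dump(verifyFormToken($session, ['token' => $token]));              // genuine submission
var_dump(verifyFormToken($session, ['token' => $token]));              // same token replayed
$session = [];
issueFormToken($session);
var_dump(verifyFormToken($session, ['token' => str_repeat('0', 64)])); // guessed token
```

In a real handler the token check runs before the allow-list checks from earlier in the thread: a request that carries no valid token is not your form's submission, whatever values it contains.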
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

Thanks for that Aaron,

Didn't know it was unreliable; it has always been fine for me (stroke of luck?) :)