
Hacking Prevention on Forms!!!!!

Posted: Sun Nov 25, 2007 6:57 pm
by FireElement
I just found, by thinking too much as I do, a very easy way to hack forms! Now I'm telling you not so you can go round hacking, although it's funny for you to smurf up people's sites to show their crap coding... maybe? But why bother!!

Anyway, this is a simple way to do it, just so you can prevent this in future!

Code:

<html>
<head>
</head>
<body>

<!-- a hand-made copy of the target's form: the select box is replaced by a
     free text field, so any value at all can be sent to the same action URL -->
<form name="tipsForm" action="http://www.domain.com" method="POST">
<input name="selectbox-name" type="text">
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
Basically, this works if someone has not checked the value from the select box. For example, you check using PHP with something like:

Code:

if ($nameofselectbox != "null" && $nameofselectbox != "") {
    // error message code
}
Say the site relies heavily on these values being correct, else it could make the site start behaving strangely or even screw it up. Then you should always check that anything is correct, even if you think it can't be changed on the user side. In the select box case you just check that the value equals one that is in the select box. Or say it's something like a date selected off a div and you made the box read-only, but they sent a stupid date and your validation doesn't check it because you think the user can't edit it... well, they can do that!!!

So I just thought I would point out: always make sure everything is validated where a select field or a read-only box is used! Just a note!

Security is everything ;)

I am not in any way saying hack a site using this, and anything you do after this point with this information is not my liability! Just in case! :twisted:

Posted: Sun Nov 25, 2007 7:19 pm
by superdezign
I've tried re-reading your post a few times and do not see anything involving hacking at all, just bad coding.

Secure code never *ever* trusts user input (even from administrative users). You always validate the data. You always make sure all form values you require are filled out, you make sure all values given are values that you allow, and you make sure that data is usable before using it.

By the way, NULL data is not the same as the string "null", and there's already a function for checking for empty, NULL, or unset data at the same time:

Code:

if (empty($_POST['foo'])) {
    // missing, NULL, or empty
}

??
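The two checks discussed so far, written out as an added example (this is not code from either post above): an explicit presence check that does not trip over a select option whose value is "0" (which empty() treats as empty), and a server-side re-check of the "read-only" date field from the first post. The field names, the date format and the sample submissions are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Field names, the date format and
// the sample inputs are assumptions made for the demonstration.

// empty() is true for "" and NULL but also for "0", so a select whose first
// option has the value "0" would look "not filled in". Test presence and type
// explicitly: the value must exist, be a plain string (not an array sent as
// name[]=x) and be non-blank after trimming.
function requiredString(array $input, string $name): ?string
{
    if (!isset($input[$name]) || !is_string($input[$name])) {
        return null;
    }
    $value = trim($input[$name]);
    return $value === '' ? null : $value;
}

// A "readonly" date box is only read-only in the browser. Re-parse whatever
// arrived against the exact format the form uses. createFromFormat() is
// lenient (2007-02-31 rolls over into March), so also require that the parsed
// date prints back as the same string that was sent.
function validDate(?string $value, string $format = 'Y-m-d'): bool
{
    if ($value === null) {
        return false;
    }
    $dt = DateTime::createFromFormat('!' . $format, $value);
    return $dt !== false && $dt->format($format) === $value;
}

// Constructed inputs standing in for $_POST.
$submissions = [
    'legitimate'      => ['category' => '0',   'start' => '2007-11-25'],
    'array for field' => ['category' => ['0'], 'start' => '2007-11-25'],
    'bad date'        => ['category' => '3',   'start' => '2007-02-31'],
    'free text'       => ['category' => '3',   'start' => 'whenever'],
];

foreach ($submissions as $label => $post) {
    $category = requiredString($post, 'category');
    $start    = requiredString($post, 'start');
    printf("%-16s empty()=%s required=%s date=%s\n",
        $label,
        empty($post['category']) ? 'true' : 'false',
        $category === null ? 'missing' : 'ok',
        validDate($start) ? 'ok' : 'rejected');
}
```

Run it as a script: the "legitimate" row shows empty() reporting true for a perfectly good "0", while requiredString() accepts it; the other three rows are rejected by the type check or by the date round-trip.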

Posted: Sun Nov 25, 2007 7:39 pm
by FireElement
It was just an example.

It's NULL in PHP, not null, and the point was that bad validating code can lead to mistakes in a site!

So validate all information passed from a form, whether it is redistributed to the same form, to a new form or to an SQL database, where the form has select boxes. It was just a note: make sure you check all fields that are select boxes properly. null is a string, NULL is empty.

http://uk3.php.net/manual/en/function.unset.php

Anyways it was just a note.

Re: ??

Posted: Sun Nov 25, 2007 11:00 pm
by Josh1billion
I think we all do appreciate what you're trying to teach us here, but most of us do already know about what you're saying. ;) Beginners to PHP will definitely benefit from what you're teaching though. I'll help you out by giving a couple of pointers/corrections in regards to the code you posted.
FireElement wrote:null is a string NULL is empty.
To make a small correction so you know in the future: "null" (with quotes) is a string, and null (without quotes) is empty. The quotation marks are what dictates whether it's a string or not, so if you want to make sure something isn't null (empty), you would want to do...

Code:

if ($something != null)
I'm not 100% sure, but I don't think capitalization matters. If I'm wrong and it does, make sure you have NULL instead of null in my example.

And to give you a little heads-up regarding your first post, when dealing with select boxes, you should check the value against specific values rather than just against null. Because the users can actually create their own form if they're clever (it's easy to do) and put in their own box selections... to put this in practical terms, if you only want your user to select from Apple, Orange, and Banana in your listbox, you better make sure your PHP code is checking to see that the user didn't somehow select Grape or Pear!

The way that a clever user/hacker would choose Grape or Pear in that case would be by writing his own HTML form, and then having that form submit to your PHP script. It's a very simple process, as you can see.

So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
That way, if the user chose something that didn't really exist in your form, like "Grape" or "Pear" (by using their own form), it would stay as the default "Apple". This is much safer than just going "$fruit = $_GET['fruit'];"

I read in tutorial

Posted: Mon Nov 26, 2007 8:08 am
by FireElement
I read somewhere that JavaScript was null and PHP was NULL.... I never thought of testing it, I just assumed they were sure.

Thanks for the coding tip. I would have to do a while loop there and check it against my SQL list of categories and then post it if it matched. Not too hard, except if I wanted to check it was one from a nested select box. Then I would have to check that the select box value was under the right category and so on. That way they can't post the wrong category to a different one.

Like you said, except chucking in a call from the SQL database.

Also I was trying to work out a way in which to check the selection of a select box on the user side without using JavaScript...

I just thought of maybe putting everything in one select box, but this is, one, not the most user-friendly approach and, two, the reason I have chained select boxes is so the user has to make all the selections. Hmm, maybe I will do this in a noscript...

I just decided... to make my current site just for JavaScript users, as mostly I am using it as a base for learning. I will make sure my future site is 100% working without JavaScript, but at the moment my current site will not publish a form if JavaScript is not working, or should I say not enabled.

Re: ??

Posted: Mon Nov 26, 2007 9:43 am
by feyd
Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.

Posted: Mon Nov 26, 2007 12:44 pm
by ianhull
I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.

Re: ??

Posted: Mon Nov 26, 2007 3:01 pm
by jmut
feyd wrote:
Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.
I would do

Code:

$fruit = isset($_GET['fruit']) ? $_GET['fruit'] : '';
$allowedFruits = array('Apple', 'Orange', 'Banana');
if (!in_array($fruit, $allowedFruits)) {
    $fruit = 'Apple'; // anything not in the list falls back to the default
}
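An added example (not code from any post in this thread) that carries the allowlist idea from Josh1billion's and jmut's posts one step further, and also covers the chained category/sub-category selects FireElement asked about: the sub-category is checked against the options of the category that was actually chosen, so a valid item from another category is rejected. The category map is a constructed stand-in for the list that would normally come from the database; the field names and sample requests are assumptions.

```php
<?php
// Added example, not code from the thread. The category map stands in for a
// list loaded from the database; field names and requests are constructed.
$categories = [
    'fruit'     => ['Apple', 'Orange', 'Banana'],
    'vegetable' => ['Carrot', 'Leek'],
];

// Return the submitted value only if it is a plain string that is exactly one
// of the allowed options; anything else (missing, an array from name[]=x, a
// value that merely compares loosely equal) yields the default. The third
// argument to in_array() turns on strict (===) comparison, so that numeric
// string surprises such as "1e1" == "10" cannot match an option.
function allowed(array $input, string $name, array $options, ?string $default = null): ?string
{
    $value = $input[$name] ?? null;
    if (!is_string($value) || !in_array($value, $options, true)) {
        return $default;
    }
    return $value;
}

// Validate a chained pair: first the category against the list of keys, then
// the item against the options of *that* category, so a valid item from a
// different category is rejected instead of being silently accepted.
function validateChained(array $input, array $categories): ?array
{
    $category = allowed($input, 'category', array_keys($categories));
    if ($category === null) {
        return null;
    }
    $item = allowed($input, 'item', $categories[$category]);
    if ($item === null) {
        return null;
    }
    return ['category' => $category, 'item' => $item];
}

// Constructed requests standing in for $_GET / $_POST.
$requests = [
    'normal'         => ['category' => 'fruit',     'item' => 'Banana'],
    'forged option'  => ['category' => 'fruit',     'item' => 'Grape'],
    'wrong category' => ['category' => 'vegetable', 'item' => 'Apple'],
    'array instead'  => ['category' => ['fruit'],   'item' => 'Apple'],
];
foreach ($requests as $label => $request) {
    $result = validateChained($request, $categories);
    printf("%-15s %s\n", $label, $result === null ? 'rejected' : implode('/', $result));
}
```

Only the "normal" request survives; the other three are turned away before any of their values reaches a query or a page.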

Re: ??

Posted: Mon Nov 26, 2007 5:47 pm
by Josh1billion
feyd wrote:
Josh1billion wrote:So when I have selection boxes in a form (be it radio buttons, checkboxes, listboxes, etc.), I usually do something like this:

Code:

$fruit = "Apple"; // set a default value first-- if no real option is picked, the variable will remain at this "Apple" default value

if ($_GET['fruit'] == "Apple")
  $fruit = "Apple"; // a little redundant since it's already at Apple, but I put this in here as an example

if ($_GET['fruit'] == "Orange")
  $fruit = "Orange";

if ($_GET['fruit'] == "Banana")
  $fruit = "Banana";

echo "You chose $fruit";
A switch would be more effective, efficient and straight forward.
Same thing, really. I come from the world of C++ where switch'ing your strings will get you 5 to 10 years.

Posted: Mon Nov 26, 2007 5:50 pm
by s.dot
Yes, if you know the values you're expecting..

Code:

if (in_array($_GET['value'], array('value1', 'value2', 'value3', 'etc..')))
{
    //go ahead
} else
{
    die('oopsie, you tried to forge my form');
}
Saves a lot of lines.

Posted: Mon Nov 26, 2007 6:27 pm
by FireElement
ianhull wrote:I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.
wooo thanks, will look into that!

Posted: Mon Nov 26, 2007 6:31 pm
by FireElement
scottayy wrote:Yes, if you know the values you're expecting..

Code:

if (in_array($_GET['value'], array('value1', 'value2', 'value3', 'etc..')))
{
    //go ahead
} else
{
    die('oopsie, you tried to forge my form');
}
Saves a lot of lines.
haha, you tried to forge my form! haha, I would probably have gone down the lines of "please click a link to receive your virus! Have a nice day!"

Much more fun to scare them, or better: "you have now received a virus, have a nice day!"

Obviously they haven't, but they won't come back just in case, or try it out! haha...

Posted: Mon Nov 26, 2007 8:57 pm
by Ollie Saunders
All PHP keywords, classes, functions and methods, are case insensitive. Some valid PHP:

Code:

fOrEach($a as $b) { IF ($a == NuLl) breAK; }

Posted: Tue Nov 27, 2007 7:27 am
by aaronhall
FireElement wrote:
ianhull wrote:I tend to check

Code:

$_SERVER['HTTP_HOST'];
against

Code:

$_SERVER['HTTP_REFERER'];
to ensure the form came from my own site.
wooo thanks will look in to that!
Don't make any major decisions if that comparison returns false... HTTP_REFERER is not reliable

Posted: Tue Nov 27, 2007 8:02 am
by ianhull
Thanks for that Aaron,

Didn't know it was unreliable; it has always been fine for me (stroke of luck?) :)
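An added example (not code from ianhull's or aaronhall's posts) showing what ianhull's Referer comparison can and cannot tell you, and the check that actually ties a submission to a form this site served. The Referer header is supplied by the client, so it can be omitted (many proxies and browser privacy settings strip it) or set to any value by a forged request; if it is compared at all, compare parsed host names rather than raw strings, and treat a missing header as "unknown" rather than as proof of anything. The reliable alternative is a random token stored in the session and echoed back in a hidden field. Session storage is passed in as an array so the functions run without a real session; the field and key names are assumptions.

```php
<?php
// Added example, not code from the thread. The session is an array passed in
// by reference so the code runs stand-alone; field and key names are assumed.

// Compare only the host part of the Referer with our own host. HTTP_HOST comes
// from the request's Host header, so it is not a trusted value either; a
// configured host name is safer when one is available. A plain substring test
// would accept "http://www.domain.com.evil.example/", this does not.
function refererMatchesHost(array $server): ?bool
{
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return null; // no evidence either way
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    $ownHost = strtolower(explode(':', $server['HTTP_HOST'])[0]); // drop any :port
    return is_string($refHost) && strtolower($refHost) === $ownHost;
}

// Issue a fresh random token when the form page is rendered; the form carries
// it in a hidden field and the session keeps the copy to compare against.
function issueFormToken(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Accept a submission only if it carries the token this session was given.
function formTokenValid(array $session, array $post): bool
{
    if (empty($session['form_token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    return hash_equals($session['form_token'], $post['token']);
}

// Constructed requests standing in for $_SERVER and $_POST.
$servers = [
    'own site'          => ['HTTP_HOST' => 'www.domain.com', 'HTTP_REFERER' => 'http://www.domain.com/form.php'],
    'lookalike referer' => ['HTTP_HOST' => 'www.domain.com', 'HTTP_REFERER' => 'http://www.domain.com.evil.example/'],
    'no referer'        => ['HTTP_HOST' => 'www.domain.com'],
];
foreach ($servers as $label => $server) {
    $r = refererMatchesHost($server);
    printf("%-18s referer: %s\n", $label, $r === null ? 'unknown' : ($r ? 'match' : 'mismatch'));
}

$session  = [];
$token    = issueFormToken($session);
$goodPost = ['token' => $token];
$badPost  = ['token' => str_repeat('0', 64)];
printf("token from this session: %s\n", formTokenValid($session, $goodPost) ? 'accepted' : 'rejected');
printf("guessed token:           %s\n", formTokenValid($session, $badPost) ? 'accepted' : 'rejected');
```

The first loop prints "match" only for the genuine page, "mismatch" for the lookalike host and "unknown" when the header is absent; the token check is the one to make decisions on, since the attacker cannot read the value held in someone else's session.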