PHP forms and MySQL databases

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JWFTrigger
Forum Newbie
Posts: 2
Joined: Thu Jun 08, 2006 4:16 pm

PHP forms and MySQL databases

Post by JWFTrigger »

Hello,
A while back, I had created various site-management scripts that at their simplest let an administrator post and edit news, and at their most complicated let users, all with individual usernames and passwords, edit their profiles and send messages. Well, soon enough, I noticed that in all the sites I had like this, PHPMyAdmin would fill up with random databases. None of them had any tables, but it was disturbing nonetheless. Eventually, one of the sites running a script was contacted by our host, who said that spammers were exploiting the scripts on the site. I assume that all this was due to security flaws exposed through my ignorance in coding, but I'd love to figure out exactly what I was doing wrong so that I can go on coding.
Thanks for your help!
Last edited by JWFTrigger on Fri Jun 09, 2006 11:28 am, edited 1 time in total.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

mysql_real_escape_string()

I don't want to be rude, but RTFM, man.
JWFTrigger
Forum Newbie
Posts: 2
Joined: Thu Jun 08, 2006 4:16 pm

Post by JWFTrigger »

Like I said, I'm ignorant (I had to look up RTFM on Google :D )

Anyway, thanks for your help... I'm still a little confused on where to use that particular function. Do I need to use it for every variable being submitted/edited? Would it be possible to show me an example using the script I posted?
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Escape all variables where the data can come from the user.

Example: http://www.php.net/mysql_real_escape_string
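An added example, not code from any poster in this thread, showing what "escape all variables where the data can come from the user" looks like in practice: a profile-update query with user input concatenated straight into the SQL, the same query with every user-supplied value passed through mysql_real_escape_string(), and the prepared-statement form that replaced the mysql_* functions. The `users` table, its `id` and `bio` columns, and the `$link`/`$db` connection handles are assumptions.

```php
<?php
// Added example: one profile-update query written three ways.
// Assumes an open MySQL connection ($link for mysql_*, $db for mysqli)
// and a table `users` with columns `id` (INT) and `bio` (TEXT).

// 1. UNSAFE: $bio and $userId come from $_POST and go straight into the SQL.
//    A bio containing a single quote breaks the query, and anything the user
//    sends is parsed as SQL rather than treated as data.
function update_bio_unsafe($link, $userId, $bio) {
    $sql = "UPDATE users SET bio = '" . $bio . "' WHERE id = " . $userId;
    return mysql_query($sql, $link);
}

// 2. ESCAPED: the fix the thread names. Every user-supplied string goes
//    through mysql_real_escape_string() on the SAME connection (it uses the
//    connection's character set, so set it with mysql_set_charset() first),
//    and numeric values are cast instead of quoted, so user data can never
//    close the quote or alter the statement.
function update_bio_escaped($link, $userId, $bio) {
    $safeBio = mysql_real_escape_string($bio, $link);
    $safeId  = (int) $userId;
    $sql = "UPDATE users SET bio = '$safeBio' WHERE id = $safeId";
    return mysql_query($sql, $link);
}

// 3. PREPARED STATEMENT: the approach that superseded escaping (the mysql_*
//    functions were removed in PHP 7). Values are bound separately from the
//    SQL text, so there is nothing to escape and nothing to get wrong.
function update_bio_prepared(mysqli $db, $userId, $bio) {
    $stmt = $db->prepare("UPDATE users SET bio = ? WHERE id = ?");
    $stmt->bind_param("si", $bio, (int) $userId);   // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Form handler usage (constructed request, as the script would receive it):
// $bio = isset($_POST['bio']) ? $_POST['bio'] : '';
// update_bio_prepared($db, $_SESSION['user_id'], $bio);
```

The rule from the thread applies to every value that can originate with the user, including cookies, query strings and hidden form fields, not just the fields a user is expected to type into.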
MrPotatoes
Forum Regular
Posts: 617
Joined: Wed May 24, 2006 6:42 am

Post by MrPotatoes »

oh smurf i'm in someone's signature. sweet

*nevermind me*
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

smurfs, and that quote, are smurftastic.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

JWFTrigger wrote: Like I said, I'm ignorant (I had to look up RTFM on Google :D )
Holy S**t that's funny. Not that I think you're ignorant nor am I laughing at you, that's just the most perfect thing I've read in awhile.

Anyway, thanks for your help... I'm still a little confused on where to use that particular function. Do I need to use it for every variable being submitted/edited? Would it be possible to show me an example using the script I posted?
As others have mentioned, the examples can be found in the PHP manual. I literally read the PHP manual on a daily basis, looking up functions or PHP internal info, and I've been coding PHP for 5 years give or take. RTFM indeed. ;)