  1. #1
    SitePoint Member
    Join Date
    May 2001
    Location
    BC, Canada
    Posts
    15

    Security in php forms

    I'm setting up a form in some PHP script that allows a user to add information to a database. It is important to keep the database secure, so I was just wondering if it is possible to enter certain text in the form that would allow someone to send SQL commands to the database (i.e. enter a PHP-MySQL query to, say, delete a table) and therefore damage data in the database. Does PHP allow this, or is it secure enough? While I would appreciate any response, I would much prefer if someone could point me in the direction of some articles that I could read on this subject, i.e. PHP security.

    Thank you

  2. #2
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    That's an excellent question, and something I've pondered myself a few times. I think PHP's very handy magic-backslashing of quotes adds a decent layer of security (it prevents users from posting a " to end the SQL variable the PHP is generating and follow it with malicious commands) but I'd love to know if there are any good articles out there.

  3. #3
    SitePoint Member
    Join Date
    May 2001
    Location
    BC, Canada
    Posts
    15
    I do know that you can add HTML tags into forms that get stored in the database and then show up when you access the PHP script to view the data in the database. You can add some stuff that will really mess up the way it is viewed, including infinite popups, images, Java, etc. That means parsing for HTML tags, but what I'm wondering is if you can add actual PHP code so that you modify the database itself. I don't think you can.... thank goodness

  4. #4
    SitePoint Guru
    Join Date
    Apr 2001
    Location
    BC, Canada
    Posts
    630
    Actually, there are ways through PHP that are used to check for HTML and things similar to what you are talking about. It's called "form validation". What it does is, the script is told what to look out for from the input, and modifies anything that could be damaging.

  5. #5
    SitePoint Wizard johnn's Avatar
    Join Date
    Mar 2001
    Location
    Southern California, USA
    Posts
    1,181
    Be sure to check the size of the form's input field to be the same size as the database field before you insert it. This is important.

    John

  6. #6
    ********* Callithumpian silver trophy freakysid's Avatar
    Join Date
    Jun 2000
    Location
    Sydney, Australia
    Posts
    3,798
    I'm pretty sure that when using the mysql_query() function, it will allow only one SQL query to be executed. That was my experience from some testing I did on the matter. I would be interested to know of a conflicting opinion on that. I know that other *cough* *gASP* *wheeze* languages are not so secure in this way, and that the trick there is to make sure that you enclose all your user input in quote marks so that malicious data does not get executed by the SQL server.

    Also, of course addslashes() should be used before inserting data into the db and reversed with stripslashes() when retrieving data from the db.

    Also, consider using strip_tags() (http://www.php.net/manual/function.strip-tags.php) to strip HTML tags out of user input.

    BTW, on a related note, I have written some scripts recently (yet to be deployed) that include a check of the value of $HTTP_REFERER as part of the validation (trying to ensure that the POST data has come from the form in the page from my server, if you know what I mean). Anyway, I've read that this might not work because some proxy servers don't send the HTTP_REFERER header. If this is so, then that is a problem! Does this mean I should abandon this method and use sessions instead?
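    The escaping and length questions from posts #2, #5 and #6 in one place, as an added example that is not code from anyone in this thread: a bound parameter keeps a quote in the input from ending the SQL string literal, a length check matches the column width, and escaping happens on output rather than by stripping tags before storage. The table `notes`, its `body` column width and the connection details are assumed.

    ```php
    <?php
    // Added example (not from the thread): store one form field with a bound
    // parameter instead of splicing the value into the SQL text.
    // Assumed schema: table `notes` with a VARCHAR(80) column `body`.
    const BODY_MAX_LEN = 80; // must match the column width (post #5's point)

    function storeNote(PDO $db, string $body): bool
    {
        // Reject over-long input rather than letting MySQL silently truncate it.
        if (strlen($body) > BODY_MAX_LEN) {
            return false;
        }
        // With a prepared statement the driver sends the SQL and the value
        // separately, so a quote in $body cannot end the string literal and
        // addslashes()/stripslashes() are not needed at all.
        $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
        return $stmt->execute([':body' => $body]);
    }

    function renderNote(string $body): string
    {
        // Escape on output so stored "<script>" or "<img>" text is shown as
        // text; this addresses the popup/image problem from post #3 without
        // having to strip tags before storage.
        return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Usage with the POST data from the thread's form (assumed DSN and credentials).
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    if (isset($_POST['body']) && storeNote($db, $_POST['body'])) {
        echo renderNote($_POST['body']);
    }
    ```

    The charset in the DSN matters: escaping functions that do not know the connection's character set are the reason the bound-parameter form is preferred over addslashes().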

  7. #7
    One website at a time mmj's Avatar
    Join Date
    Feb 2001
    Location
    Melbourne Australia
    Posts
    6,282
    freakysid, in response to your last paragraph, I was wondering about that recently also. I am concerned about the security of a "tell a friend" script I had developed. I wanted to make sure that all of the form data actually came from the form, and it seems impossible to tell.

    I had an idea though. In the form, you can place an INPUT type="hidden" with a value of the sum of the current time() added to a constant. When validating form input, you'd subtract the constant from this field, and see whether the current time is within a minute or so of this. It would prevent somebody from copying down the number and adding it to their script. Unfortunately, someone with determination would soon realise it was related to current time.

    I haven't implemented that yet though...
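    mmj's hidden-field idea and freakysid's HTTP_REFERER question, carried through with a session as an added example (not code from either poster): the token is random rather than derived from time(), so it cannot be worked out from the clock, and the server records when it was issued, so a copied value stops working after the TTL. The TTL value, field names and form layout are assumptions.

    ```php
    <?php
    // Added example (not from the thread): a per-form token kept in the session,
    // replacing the time()+constant hidden field and the HTTP_REFERER check.
    const FORM_TOKEN_TTL = 600; // seconds a rendered form stays valid (assumed)

    function issueFormToken(): string
    {
        $token = bin2hex(random_bytes(16));           // 128 random bits
        $_SESSION['form_token'] = ['value' => $token, 'issued' => time()];
        return $token;
    }

    function checkFormToken(?string $submitted): bool
    {
        $stored = $_SESSION['form_token'] ?? null;
        unset($_SESSION['form_token']);               // single use: a replay fails
        if ($submitted === null || $stored === null) {
            return false;
        }
        if (time() - $stored['issued'] > FORM_TOKEN_TTL) {
            return false;                             // form was rendered too long ago
        }
        // Constant-time comparison; a plain == would also accept type juggling.
        return hash_equals($stored['value'], $submitted);
    }

    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (!checkFormToken($_POST['token'] ?? null)) {
            http_response_code(400);
            exit('Form expired or was not issued by this site; please reload it.');
        }
        // ... validate the remaining fields, then send the "tell a friend" mail ...
} else {
        $token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
        echo '<form method="post">'
           . '<input type="hidden" name="token" value="' . $token . '">'
           . '<input type="email" name="friend" required>'
           . '<button type="submit">Send</button></form>';
    }
    ```

    Because the token lives in the session and is consumed on first use, a POST assembled elsewhere has no valid value to send, which is the guarantee the referer check was trying to provide.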

  8. #8
    SitePoint Zealot Paul_M's Avatar
    Join Date
    Mar 2001
    Location
    London
    Posts
    160
    Hey mmj / freakysid

    I have a tell a friend script on one of my sites... but I haven't implemented either of your methods...

    What sort of thing could a user do if the POST data came from somewhere else?

    Before anything is stored in my DB I addslashes()...
    Is there still a security risk?

  9. #9
    SitePoint Enthusiast Stallion's Avatar
    Join Date
    Jan 2001
    Location
    Cumberland, RI, US
    Posts
    97
    PHP is a very loose language, but this flexibility comes at the price of poor security if the proper preventive measures aren't taken. Check out my sig if you think your application needs a security evaluation... ;-)
    /* Chris Lambert - chris@php.net
    WhiteCrown Networks, CTO - Web Application Security
    vBulletin, Security Programmer - Instant Community
    */