  1. #1
    SitePoint Addict
    Join Date
    Mar 2005
    Posts
    231

    Preventing blank searches

    I have a mysql/php search engine.

    I can prevent blank searches when users don't enter any content just fine.
    I just found a security bug that when users enter several spaces before searching, the query returns the entire contents of the database. This is a major security flaw that I need help blocking.

    The top of the script looks like this.

    PHP Code:
    $perpage = 10;
    $html = "";
    $startat = (int) $_REQUEST['page'] * $perpage;
    $limlim = "%" . mysql_real_escape_string(trim($_REQUEST['look4'])) . "%";
    $theneedle = trim(str_replace("+", " ", $_REQUEST['look4']));
    I check for the existence of the request here.

    PHP Code:
    if (($theneedle == "") || empty($theneedle)) {
        $error = '<span class="error">Please enter a search criteria.</span>';
        exit;
    }
    elseif ((!(empty($theneedle))) && (!($theneedle == '')) && (strlen($theneedle) > '3')) { // the request is set.
        # my sql query
    }


    I've discovered if I enter the space bar several times without hitting enter, the query is processed and returns the entire database resultset!
    I guess this because the urls are encoded and spaces are turned into the "+".
    I've tried several methods to avoid this including using str_replace to remove the plus signs but to no avail.
    How do I prevent this vulnerability?

  2. #2
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    urldecode then check?

    I would also assume your users would be searching using text, you could check for the existence of alphanumerics if it's only spaces you're worried about.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  3. #3
    SitePoint Zealot
    Join Date
    Apr 2009
    Location
    South Florida
    Posts
    187
    Try something like this

    Code PHP:
    $theneedle = trim(urldecode($_REQUEST[look4]));

  4. #4
    SitePoint Addict
    Join Date
    Apr 2007
    Posts
    300
    Always trim user input before validation. If it's text-only input you should be able to validate against a simple regex.

  5. #5
    SitePoint Addict
    Join Date
    Mar 2005
    Posts
    231
    Quote Originally Posted by lphy
    Try something like this

    Code PHP:
    $theneedle = trim(urldecode($_REQUEST[look4]));
    According to PHP.net, decode is not needed with _REQUEST or GET. I tried it anyway to no avail.

  6. #6
    SitePoint Addict
    Join Date
    Mar 2005
    Posts
    231
    Quote Originally Posted by SilverBulletUK
    urldecode then check?

    I would also assume your users would be searching using text, you could check for the existence of alphanumerics if it's only spaces you're worried about.
    No, some of the items they are searching against include spaces.

  7. #7
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Yes, but with letters too I'd assume...

    PHP Code:
    <?php
    if (preg_match_all('~[a-z0-9]~i', 'search string', $aMatches) >= 3)
    {
        # search string has a minimum of 3 alphanumerics in it, process.
    }
    else
    {
        # refuse
    }
    ?>

  8. #8
    SitePoint Evangelist
    Join Date
    Oct 2005
    Location
    Michigan, USA
    Posts
    434
    The problem is that your SQL is using LIKE.

    LIKE takes a regular expression (regex). In a regex, certain characters have special meaning. That makes it a challenge to have user input in a query - even with mysql_real_escape_string(). Could be dangerous.

    But the issue here is that a blank value results in "...LIKE '%%'..." which matches everything. Process your input (trim, etc. but not escaping yet) then validate (it isn't blank, check for min number of characters, whatever) and then do the query (escaping).
    - Robert

  9. #9
    SitePoint Guru
    Join Date
    Dec 2005
    Posts
    982
    LIKE doesn't use regex, RLIKE does though.
    MySQL v5.1.58
    PHP v5.3.6

  10. #10
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    295
    Why doesn't trim() work? If you use trim it won't take all spaces out, only the leading and trailing spaces, which should not have any influence on the needle anyway. You will just have to do the trim before assigning the user-inputted value to the $theneedle variable if using your originally posted code.

    edit: Oops... also use it before the str_replace, then it should be fine.

  11. #11
    SitePoint Evangelist
    Join Date
    Oct 2005
    Location
    Michigan, USA
    Posts
    434
    Quote Originally Posted by BrandonK
    LIKE doesn't use regex, RLIKE does though.
    Thanks for that correction. LIKE has a few special characters ( % and _ ) but not regex.

    But the real problem was having "%$var%" when $var is empty.
    - Robert
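Putting the advice from posts #7, #8 and #11 together, here is an added example (not code from any poster in this thread): normalise the input first, refuse it unless it carries a minimum number of alphanumerics, and only then build the LIKE pattern, with the user's own `%` and `_` escaped so they cannot act as wildcards. It uses a PDO prepared statement in place of the thread's mysql_real_escape_string(); the `$pdo` connection, the `items` table with `id`/`name` columns, and the function names are assumptions.

```php
<?php
// Added example, not from the thread. $pdo, the "items" table and its
// id/name columns are assumptions for illustration.

/**
 * Normalise and validate the raw "look4" value.
 * Returns the cleaned needle, or null when the search must be refused.
 */
function normalizeNeedle(string $raw, int $minAlnum = 3): ?string
{
    // PHP has already URL-decoded $_REQUEST, so a "+" arrived as a space.
    // Collapse runs of whitespace and trim, so "     " becomes "".
    $needle = trim(preg_replace('/\s+/', ' ', $raw) ?? '');
    if ($needle === '') {
        return null;                        // blank or whitespace-only
    }
    // Post #7: count alphanumerics instead of raw length, so inputs such
    // as "% % %" or "___" are refused as well.
    if (preg_match_all('~[a-z0-9]~i', $needle) < $minAlnum) {
        return null;
    }
    return $needle;
}

/**
 * Escape the LIKE metacharacters from post #11 (% and _) and the backslash
 * itself, so a needle of "%" matches a literal percent sign, not every row.
 * MySQL's default LIKE escape character is the backslash.
 */
function likePattern(string $needle): string
{
    $escaped = addcslashes($needle, '\\%_');  // prefixes \ to \, % and _
    return '%' . $escaped . '%';
}

function searchItems(PDO $pdo, string $raw, int $page, int $perpage = 10): array
{
    $needle = normalizeNeedle($raw);
    if ($needle === null) {
        throw new InvalidArgumentException('Please enter search criteria.');
    }
    // The pattern is bound, never interpolated, so the query text is fixed.
    $stmt = $pdo->prepare(
        'SELECT id, name FROM items WHERE name LIKE :pat LIMIT :off, :cnt'
    );
    $stmt->bindValue(':pat', likePattern($needle), PDO::PARAM_STR);
    $stmt->bindValue(':off', max(0, $page) * $perpage, PDO::PARAM_INT);
    $stmt->bindValue(':cnt', $perpage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With this ordering, the whitespace-only request from post #1 never reaches the database: normalizeNeedle() returns null and the query is refused before any pattern is built.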
