Good evening fellow overflowers, I've got a little problem that I'm attempting to solve but just can't, and I'm hoping you can help.
I have a script that sends strings via cURL to a website. That behaves exactly as expected, and the webpage responds okay. My problem is that there's a set of defines on the website that I want to tap into (for illustration purposes, example below:). I've already added a reference to the file where the defines are stored and this works like a charm.
define('TABLE_COUNTER', 'counter');
Let's say (all security and mumbo-jumbo aside) my script on the website I'm sending to has a simple:
mysql_query($_POST['aaa']);
Where $_POST['aaa'] would be a valid query. If, on the website in question I were to do the following, the result would execute:
mysql_query("SELECT * FROM " . TABLE_COUNTER);
Which translates into:
mysql_query("SELECT * FROM counter");
However, I cannot seem to get the script at the website end to execute any SQL query with a constant defined. Any help would be greatly appreciated (I'm losing a lot of hair here!).
Thanks!
The way to do this is with eval:
$myquery_string = 'mysql_query('.$_POST['aaa'].');';
eval($myquery_string);
However, I don't really recommend doing this, as it means that the form input can contain almost any valid PHP code, and it will be executed by your script. This is worse than the typical SQL or XSS injection.
Also, when filling in the form, the user will have to include all the necessary quotes around the literal parts of the query.
A better solution would be to define a template language for your input, and have the PHP script replace template placeholders with the appropriate constants. But I'm not going to write this for you.
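The placeholder approach suggested in this answer could look like the following. This is an added example, not code from the original posts; the `{NAME}` placeholder syntax, the `expand_placeholders()` helper and the allowlist are assumptions, and `TABLE_COUNTER` is the define from the question.

```php
<?php
// Added example: resolve {NAME} placeholders against an allowlist of
// constants instead of eval()'ing the posted string.
define('TABLE_COUNTER', 'counter');   // the define shown in the question
define('DB_PASSWORD', 's3cret');      // constructed: a constant that must never be exposed

// Only these constant names may be referenced from a template (assumed list).
const ALLOWED_PLACEHOLDERS = ['TABLE_COUNTER'];

function expand_placeholders(string $template): string
{
    return preg_replace_callback(
        '/\{([A-Z][A-Z0-9_]*)\}/',
        function (array $m): string {
            $name = $m[1];
            if (!in_array($name, ALLOWED_PLACEHOLDERS, true) || !defined($name)) {
                throw new InvalidArgumentException("Placeholder not allowed: {$name}");
            }
            $value = (string) constant($name);
            // The value lands in identifier position, so restrict it to identifier characters.
            if (!preg_match('/^[A-Za-z0-9_]+$/', $value)) {
                throw new UnexpectedValueException("Constant {$name} is not a plain identifier");
            }
            return $value;
        },
        $template
    );
}

// Constructed inputs standing in for $_POST['aaa'].
foreach (['SELECT * FROM {TABLE_COUNTER}', 'SELECT {DB_PASSWORD}'] as $input) {
    try {
        echo expand_placeholders($input), PHP_EOL;
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The helper only resolves table-name placeholders; the rest of the posted string is still untrusted SQL, which the question explicitly set aside.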
Related
I'm not exactly sure what I need to search for in Google and have been struggling with this for a while.
I wrote my own CMS for a project and am stuck with processing content stored in the database, for example.
This is a link to a related page.
In the above example I'm getting a page url by its ID, this way it doesn't matter if the url changes, it will always be up to date.
The issue is PHP sees it as a string and will not process it.
I'm working around the issue by writing the contents to a file, using PHP include on the file, and then deleting the file. I don't see this as efficient and would like a better solution.
PHP reads that content as a string because it is a string.
To make your string function as PHP, you'll need to use PHP's eval() function.
// The string that is loaded from the DB, or wherever
$string = 'This is a link to a related page.';
// Run the string as PHP code (notice the "echo" command)
eval("echo {$string}");
This can be very dangerous, however! If you're going to do this, be very certain you know what string is being executed! Because the eval() function will run any PHP code that is placed in it! Even site-destroying-dog-kicking PHP code!
More about the eval() function can be found in the PHP Docs for eval()
--
I don't know your exact scenario, but I would generally advise against using eval() wherever possible. There is normally a safer way of doing something than using the eval() function.
I wish to store certain pieces of code in database tables as templates but I am unsure as to whether they are going to create problems or not. I keep reading mixed messages from various different people in different posts and I am just not happy that I am clear on this subject.
I have already worked out that you cannot really echo/ print PHP into a webpage. Obviously you can echo strings of HTML but it becomes awkward when you try to do it with PHP code. The only way I have managed to do this is through eval which is apparently bad in most cases... so I am using another method to implement the templates (i.e. writing a php file to be used as an include file)
The main question I am asking is: is there really a problem with storing the PHP code strings (which include SQL statements) inside text type fields (mediumtext, longtext etc) in tables? Could those SQL statements ever do anything like execute actual actions or would they just remain as text strings?
Just to clarify, the reason I am storing strings of code is because they are templates to be used should the web administrator wish to allocate them to a specific area (div) of the pages.
Use SMARTY or Twig template engine. This will neatly solve your problem and you will not need to store anything in the database. It will also keep your PHP code completely separate from your HTML.
Another option is to use
I can see the need for code in the database, for instance if you have multiple sites and want to do a source control between them, and not use any 3rd party software. I would store it in a database and then write the code onto an actual physical page, then run the PHP from that page...
Do not do this. If your database is ever compromised and someone injects malicious PHP, it may be executed. You should store the templates as files and call them when needed.
And you actually can echo/print PHP. You would do it using eval.
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
So I've looked around to try to find some posts on this and there are many but none that address my specific question (that I could find).
So essentially I need to get some data from my database to my external javascript document.
What I am currently doing is something like this...
<?php for (loop through products): ?>
<script>
var $each_image_information = new Array(
"<?php echo $getVariable; ?>",
"<?php echo $getVariable; ?>");
</script>
<?php endfor ?>
And then my external .js file accesses the variable $each_image_information. I realize this is somewhat messy code since these variables are somewhat global - but I'm not sure I know of a possible (with my skillset) alternative.
My real question is if this lends any security holes for the website I am implementing it on. Since these values are echo'd from the database to the inline javascript file, can those variables be manipulated?
This may be a foolish question but I have had past experience with SQL injection when I had no idea that those were possible, so I am trying to err on the safe side.
Thanks in advance!
Ok, to understand this problem you have to understand that Javascript is client-side. That means anyone can do anything they want on it, so the answer to "can those variables be manipulated?" is a resounding yes! If you want just go download Firebug, and you can start changing them to the latest Google logo if you want :-)
But, none of that matters, because if a user can mess with their own client-side stuff, that's no security hole. What you need to be worried about is user A getting scary code on user B's client. That is only a problem if user A can pick the file names of these images, because then they can name their image insert scary code here and that code could get run on user B's computer.
But as long as you control the image file names (or just escape any JS in them), you should be all good.
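One way to do the escaping this answer mentions, shown next to the pattern from the question. This is an added example, not code from the original posts; the `$rows` data and the function names are constructed for illustration, and `eachImageInformation` stands in for the question's variable.

```php
<?php
// Added example: passing database values into an inline <script> block.
// $rows is constructed sample data standing in for the product query result.
$rows = [
    ['file' => 'shoe-red.jpg', 'caption' => 'Red shoe'],
    ['file' => 'x.jpg', 'caption' => '</script><script>document.title="B"</script>'],
];

// Pattern from the question: the value is pasted between quotes, so a quote
// or a closing script tag in the data ends the string or the whole block.
function render_unsafe(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= "<script>var info = new Array(\"{$row['file']}\", \"{$row['caption']}\");</script>\n";
    }
    return $out;
}

// Hardened: json_encode() produces a valid JS literal, and the JSON_HEX_*
// flags turn <, >, &, ' and " inside the data into \uXXXX escapes, so the
// data cannot close the <script> element or break out of the string.
function render_safe(array $rows): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return '<script>var eachImageInformation = ' . json_encode($rows, $flags) . ";</script>\n";
}

echo render_unsafe($rows);   // second row closes the script block early
echo render_safe($rows);     // second row stays inside one string literal
```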
This is what you are doing
Sql -> Php -> Javascript
As long as you are not doing this
Sql -> Php -> Javascript -> Php -> Sql, then you should be fine from an SQL injection point of view.
Javascript variables are ALWAYS modifiable, and if you are using them inside a SQL query you should sanitize them first (mysql_escape_string() or something similar).
So long as you don't provide a path back into your database, you should be fine.
Keep in mind that if you don't have a path back into your database, but may have one in the future, that you might want to do some obscuration of primary keys on your data; that's always a good idea just to make sure that your internal database representation isn't exposed.
The issue I am having is as follows: I have a MySQL table that contains details for page content I wish to display on my site. The content for one of my pages however I wanted to contain some actual PHP code to be executed, not just printed as a string. For example:
require_once("Class.php");
Class::Function("Some Text For a Parameter");
I want this code to execute somehow when the sql query is returned but as it stands, it just prints that text out. Is there a way to achieve what I want?
Thank you in advance for your time,
Regards,
Stephen.
You can do it with eval(), but you shouldn't.
There are several ways to achieve the storage of dynamic elements:
eval(str): you can evaluate as PHP code any string coming from your database. This is not very wise if what is stored in the database comes directly from a user input field. You never know what is going to be inserted and it could potentially be harmful code (harmful to the security of your server).
save / include: you could save what comes from your database in a temporary file and include() that file in-place in your PHP code. This does not seem to be secure either if anyone can store anything in your database.
Use a templating engine that has a reasonable command footprint, like smarty or mustache. You can store the templates in your database and execute them. If you trust the implementation of the templating language (and disable native PHP calls inside smarty, for example), the template will need to have a correct syntax before execution can begin.
As a general rule of thumb, it is very hard to protect such dynamic php code inclusion, so it should be considered as bad practice.
You should consider a DSL (domain specific language) for which you will trust the parser/compiler and execution engine.
If security is not a concern (because your application will not be public for example) then it can be perfectly valid and effective to store php fragments in the database.
I hope this will help you
Jerome Wagner
I do a variation of this in my personal CMS by doing a bbcode of sorts. I enclose php to evaluate inside of [code][/code] tags, then when displaying I have a function that uses regular expressions to grab the contents of code inside the [code] tags to run. It in turn builds the code such that it closes the text echo, runs the script, then starts the text echo again. Perhaps the explanation is a bit simplistic, but you get the idea.
I would definitely avoid eval!
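The DSL idea from the answers above, applied to stored page content such as the link-by-page-ID case in the earlier CMS question. This is an added example, not code from any of the posts; the `[[name arg]]` token syntax, the handler names and the `$pages` data are assumptions.

```php
<?php
// Added example: render stored content through a tiny token language
// instead of eval(). Tokens look like [[page_url 5]] (assumed syntax).

// Constructed data standing in for the pages table.
$pages = [5 => '/about/related-page', 9 => '/contact'];

// Every action the content may trigger is listed here; nothing else can run.
$handlers = [
    'page_url' => function (string $arg) use ($pages): string {
        $id = filter_var($arg, FILTER_VALIDATE_INT);
        return ($id !== false && isset($pages[$id])) ? $pages[$id] : '#';
    },
    'year' => function (string $arg): string {
        return date('Y');
    },
];

function render_content(string $content, array $handlers): string
{
    return preg_replace_callback(
        '/\[\[([a-z_]+)(?: ([^\]\s]+))?\]\]/',
        function (array $m) use ($handlers): string {
            $name = $m[1];
            if (!isset($handlers[$name])) {
                return $m[0];   // unknown token: left as literal text, never executed
            }
            // Handler output is data, so escape it for the HTML context.
            return htmlspecialchars($handlers[$name]($m[2] ?? ''), ENT_QUOTES, 'UTF-8');
        },
        $content
    );
}

// Constructed content row, including PHP and an unknown token that someone
// with write access to the database might have inserted.
$stored = 'This is a <a href="[[page_url 5]]">link</a> to a related page. '
        . '<?php phpinfo(); ?> [[exec ls]]';

// The PHP tag and [[exec ls]] come out as inert text; only page_url ran.
echo render_content($stored, $handlers), PHP_EOL;
```

Stored markup is emitted as written, so it still needs HTML sanitising if the people who edit content are not trusted.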
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better provide a web form. Not the link to the question that contains code that can be presumed to be this form's handler.