Hi, I have a web form that sends a string to one PHP file, which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic, etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the PHP file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array, nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for just about anything else. Echoing it, or inserting it into a DB, is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though when asking about a "web form like this", you'd better provide the web form, not a link to a question containing code that can be presumed to be this form's handler.
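The pattern the answers above describe (request input only ever selects a key in a hardcoded table, and the redirect target comes from that table), written out as an added example that is not the asker's code; the $redirects table, pickRedirect() and the example.com URLs are assumptions:

```php
<?php
// Added example: whitelist-based redirect handler (not the asker's script).
// The request value is only ever used as a lookup key; nothing from the
// request reaches the Location header itself.
$redirects = [
    'football'   => 'https://example.com/football',
    'basketball' => 'https://example.com/basketball',
    'tennis'     => 'https://example.com/tennis',
];

function pickRedirect(array $routes, $input, $fallback)
{
    // Non-string input (sport[]=x makes $_REQUEST['sport'] an array) is
    // rejected outright; keys are matched exactly, never substring-matched.
    if (!is_string($input) || !array_key_exists($input, $routes)) {
        return $fallback;
    }
    return $routes[$input];
}

$target = pickRedirect($redirects, $_REQUEST['sport'] ?? null, 'https://example.com/');

// The Location value comes from the table, so a CR/LF in the input cannot
// inject extra headers. Stop the script after the redirect so nothing below
// this point runs for unexpected input.
header('Location: ' . $target, true, 302);
exit;
```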
Good evening fellow overflowers, I've got a little problem that I'm attempting to solve but just can't, and I'm hoping you can help.
I have a script that sends strings via cURL to a website. That behaves exactly as expected, and the webpage responds okay. My problem is that there's a set of defines on the website that I want to tap into (for illustration purposes, example below). I've already added a reference to the file where the defines are stored and this works like a charm.
define('TABLE_COUNTER', 'counter');
Let's say (all security and mumbo-jumbo aside) my script on the website I'm sending to has a simple:
mysql_query($_POST['aaa']);
Where $_POST['aaa'] would be a valid query. If, on the website in question I were to do the following, the result would execute:
mysql_query("SELECT * FROM " . TABLE_COUNTER);
Which translates into:
mysql_query("SELECT * FROM counter");
However, I cannot seem to get the script at the website end to execute any SQL query with a constant defined. Any help would be greatly appreciated (I'm losing a lot of hair here!).
Thanks!
The way to do this is with eval:
$myquery_string = 'mysql_query('.$_POST['aaa'].');';
eval($myquery_string);
However, I don't really recommend doing this, as it means that the form input can contain almost any valid PHP code, and it will be executed by your script. This is worse than the typical SQL or XSS injection.
Also, when filling in the form, the user will have to include all the necessary quotes around the literal parts of the query.
A better solution would be to define a template language for your input, and have the PHP script replace template placeholders with the appropriate constants. But I'm not going to write this for you.
Hello, I have a question about PHP $_POST and $_GET.
Let's say I have a web page that is expecting $_GET variables.
Are the variable names anonymous?
Let's say index.php has the script of
if( isset( $_GET['somevariable'] ) )
{
    // rest of the code
}
Is it possible for anyone to find out the name of the $_GET variable the page is waiting for? Or would they have to play the guessing game?
They'd have to play a guessing game if you didn't publish it or it couldn't be inferred from existing links on your site.
Of course, don't put it in robots.txt either.
You cannot see the PHP code without parsing it. So no, you can't get it. But maybe save it somewhere else, i.e. a database?
They can't see your index.php PHP code (let alone the variables) anyways unless they're opening the file directly. They'll only see the HTML.
That's simply impossible.
The only way they can find it is if your server is not processing PHP properly and outputting it as is.
You can however protect your script in many ways like introducing passwords on scripts etc. but your source will have to know that password to use that script. Read more on HTTP auth, realms etc.
In your case, however, they will need to play a guessing game.
I am working on a project that involves modifying some existing code and there is a behavior going on that makes absolutely no sense to me. I am hoping somebody has seen something similar and thus can provide some insight as to where the problem is originating from.
The best short example I can give is the following:
A user enters "This & that" into a textarea on an input form, and when saved once it becomes: "This &amp; that", when it is saved again it becomes: "This &amp;amp; that", save it again and you get: "This &amp;amp;amp; that".
Obviously the problem continues to get worse with each save. The data actually stored in the DB (MySQL) is the text displayed above, there are no filters on the front-end to convert characters/entities. Obviously if they were being stored properly it would be very easy to slap a call to htmlspecialchars_decode() but that isn't an option yet...
Are there some front-end checks I can be doing to see where the symbols are being mangled? I am looking at the controller that processes the data and it's using a rest event to do so, but nowhere do I see anything that would even try to convert the HTML entities, let alone something that would incorrectly convert them.
As I said in the intro, I hope somebody may have seen this before and can help pinpoint where it might be happening. This is built using PHP (Protean, MVC framework), Propel, patforms/smarty are in play, MySQL (via PDO) on the backend, jQuery for most JS-related stuff.
Your data is being htmlentities() too many times. This is a common, noobish mistake that usually involves urlencoding your data before sending to the database, and encoding it again upon retrieval. Once (on output) is enough. You should never encode it going in.
I hate to answer my own question here, but it was in fact a by-product of a set method buried in the framework that was causing the double encoding. I changed the data flow a bit and now everything is being stored properly, and I can now just throw a htmlspecialchars_decode() around the output and life is good.
Thanks for the suggestions everyone!
-- N
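What the encode-on-every-save bug described in this thread does to a value, next to the store-raw/encode-once flow the accepted advice recommends, plus a check for spotting already-double-encoded rows; this is an added example, not the framework's setter, and saveEncoded(), saveRaw(), render() and isDoubleEncoded() are assumed names:

```php
<?php
// Added example (not the asker's framework code).

// Constructed stand-in for a row that is read back into the form and saved again.
$raw = 'This & that';

// Buggy flow: the setter encodes on every save, so saving the already-encoded
// text that came back from the DB encodes it a second, third, ... time.
function saveEncoded($value) { return htmlentities($value, ENT_QUOTES, 'UTF-8'); }

$stored  = $raw;
$history = [];
for ($i = 0; $i < 3; $i++) {
    $stored    = saveEncoded($stored);
    $history[] = $stored;
}
// $history now holds:
//   'This &amp; that'
//   'This &amp;amp; that'
//   'This &amp;amp;amp; that'

// Correct flow: persist the raw string unchanged; escape exactly once at output.
function saveRaw($value) { return $value; }
function render($value)  { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }

$stored = $raw;
for ($i = 0; $i < 3; $i++) {
    $stored = saveRaw($stored);   // stays 'This & that' in the DB on every save
}
$html = render($stored);          // 'This &amp; that' for the browser, every time

// Detection check for existing data: a value that still changes under a second
// decode pass was encoded more than once on the way in. (A row that legitimately
// contains the literal text "&amp;" would also be flagged, so review hits by hand.)
function isDoubleEncoded($value)
{
    $once = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
    return $once !== html_entity_decode($once, ENT_QUOTES, 'UTF-8');
}
// isDoubleEncoded('This &amp; that')     === false
// isDoubleEncoded('This &amp;amp; that') === true
```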
So I've looked around to try to find some posts on this and there are many but none that address my specific question (that I could find).
So essentially I need to get some data from my database to my external javascript document.
What I am currently doing is something like this...
<?php foreach ($products as $product): ?>
<script>
// one inline array per product; $getVariable stands for a value echoed from the database
var $each_image_information = new Array(
"<?php echo $getVariable; ?>",
"<?php echo $getVariable; ?>");
</script>
<?php endforeach ?>
And then my external .js file accesses the variable $each_image_information. I realize this is somewhat messy code since these variables are somewhat global - but I'm not sure I know of a possible (with my skillset) alternative.
My real question is if this lends any security holes for the website I am implementing it on. Since these values are echoed from the database to the inline JavaScript file, can those variables be manipulated?
This may be a foolish question but I have had past experience with SQL injection when I had no idea that those were possible, so I am trying to err on the safe side.
Thanks in advance!
Ok, to understand this problem you have to understand that Javascript is client-side. That means anyone can do anything they want on it, so the answer to "can those variables be manipulated?" is a resounding yes! If you want just go download Firebug, and you can start changing them to the latest Google logo if you want :-)
But, none of that matters, because if a user can mess with their own client-side stuff, that's no security hole. What you need to be worried about is user A getting scary code on user B's client. That is only a problem if user A can pick the file names of these images, because then they can name their image insert scary code here and that code could get run on user B's computer.
But as long as you control the image file names (or just escape any JS in them), you should be all good.
This is what you are doing
Sql -> Php -> Javascript
As long as you are not doing this
Sql -> Php -> Javascript -> Php -> Sql, then you should be fine from an SQL injection point of view.
Javascript variables are ALWAYS modifiable, and if you are using them inside a SQL query you should sanitize them first (mysql_escape_string() or something similar).
So long as you don't provide a path back into your database, you should be fine.
Keep in mind that if you don't have a path back into your database, but may have one in the future, that you might want to do some obscuration of primary keys on your data; that's always a good idea just to make sure that your internal database representation isn't exposed.
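The "escape any JS in them" advice from the answers above, shown as an added example that is not the asker's page: database rows are emitted as one JSON literal with json_encode()'s HEX flags, so a user-chosen file name cannot close the script element or break out of the string, and the external .js reads a single window property instead of one global array per loop iteration. The $products rows, jsLiteral() and window.eachImageInformation are constructed assumptions.

```php
<?php
// Added example (not the asker's code): pass DB rows to an external .js file
// as one JSON literal rather than one global array per loop iteration.

// Constructed rows. The third file name is the kind of value a user-chosen
// upload name could carry; the point is that the encoding neutralises it.
$products = [
    ['image' => 'red-shoe.jpg', 'caption' => 'Red shoe'],
    ['image' => 'blue-hat.jpg', 'caption' => 'Blue "wide" hat'],
    ['image' => '</script><script>evil()</script>.jpg', 'caption' => "O'Neil"],
];

function jsLiteral($data)
{
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, so the emitted text can
    // never contain a literal </script> or a quote that ends the JS string.
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Same shape as the original per-product arrays: [image, caption] per row.
$imageInfo = array_map(function ($p) {
    return [$p['image'], $p['caption']];
}, $products);
?>
<script>
// Read by the external script as window.eachImageInformation; no per-row globals.
// The third entry is emitted as "\u003C\/script\u003E\u003Cscript\u003Eevil()..."
window.eachImageInformation = <?php echo jsLiteral($imageInfo); ?>;
</script>
```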
I have seen that some web sites have a PHP script to redirect the user to another web page if they try to access JavaScript files directly. How is that done?
Unfortunately, as the previous answers have stated, you can't prevent one from seeing the contents of a JS file; if you could do that, how is the browser supposed to parse it?
The next best thing to do is to "Obfuscate" it using something like http://www.javascriptobfuscator.com/default.aspx
This will convert your human-readable code into a bunch of character codes and obscure function names. The Obfuscator I linked to generates a unique ID and bases its encryption on that ID, making it harder to decrypt.
However, this isn't fool-proof, and someone who really wants to get at your JS, for whatever reason, will do it. Anything you really don't want users to have access to should be done server-side. ;)
No, that's not possible.
There are plenty of ways to get JS files. Nothing helps in protection.
Javascript is meant to be client side. That means it always gets executed on the browser which is local and thus can not be hidden.