Create variables from $_POST
08-17-2007, 01:23 PM
Posts: 130
When I first started using php, I would manually create a variable from $_POST like so.
PHP Code:
$name  = $_POST['name'];
$email = $_POST['email'];
My lack of knowledge of php at the time cost me lots of time creating these variables. Sure, you could simply turn on register_globals, but that's a security thing.
Here is a way that you can simply create variable from post and also a simple function to sanitize them a bit.
PHP Code:
function sanitize($v) {
    return htmlentities(stripslashes(strip_tags($v)));
}
// $n => $v (the original post had a typo, $n=$v, which is a parse error)
foreach ($_POST as $n => $v) {
    ${$n} = sanitize($v);
}
Now you'll have sanitized variables created.
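An added example, not code from the original post, showing the risk of turning every $_POST key into a variable and an allowlist alternative that keeps the poster's sanitize(); the field names, validators and request data are made up for the demonstration.

```php
<?php
// Added example, not code from the original post: why importing every $_POST key
// into its own variable is risky, and an allowlist alternative that keeps the
// poster's sanitize() for output escaping. Field names and rules are made up here.

function sanitize($v) {
    return htmlentities(stripslashes(strip_tags($v)));
}

// Mirrors the thread's loop: every key the client sends becomes a variable, which
// is exactly what register_globals did. The client controls the key names.
function import_all(array $post) {
    $is_admin = false;               // set by the application, never by the user
    foreach ($post as $n => $v) {
        ${$n} = sanitize($v);        // a key called "is_admin" overwrites the flag above
    }
    return $is_admin;
}

// Validators used by the allowlist below (plain function names, PHP 5.2 friendly).
function valid_name($v)  { return strlen($v) > 0 && strlen($v) <= 64; }
function valid_email($v) { return filter_var($v, FILTER_VALIDATE_EMAIL) !== false; }

// Only fields the form is known to have are read, each checked by its validator.
// Returns an array, so the caller writes $clean['email'] and never ${$n}.
function import_allowed(array $post, array $rules) {
    $clean = array();
    foreach ($rules as $field => $validator) {
        if (!isset($post[$field])) {
            continue;                // missing field stays missing
        }
        $value = sanitize($post[$field]);
        if (!call_user_func($validator, $value)) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed request: an ordinary form submission plus one hostile extra key.
$request = array(
    'name'     => 'Alice <b>x</b>',
    'email'    => 'alice@example.com',
    'is_admin' => '1',
);

var_dump(import_all($request));            // string(1) "1": the client clobbered $is_admin
$rules = array('name' => 'valid_name', 'email' => 'valid_email');
print_r(import_allowed($request, $rules)); // is_admin is ignored; name and email are kept
```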
08-17-2007, 02:03 PM
Re: Create variables from $_POST
Posts: 730
Name: John
Location: United States of America, California
Do not make them into variables; you may end up with injection, which is a bad thing. Figure out a way to read the format, and if it is in the wrong format make it say "this is not an email", etc.
08-17-2007, 02:15 PM
Re: Create variables from $_POST
Posts: 130
Do you know of a way to improve my sanitize() function to avoid injection?
08-17-2007, 02:20 PM
Re: Create variables from $_POST
Posts: 182
If you're trying to create variables from the indexes of the $_POST array, the solution you posted will work fine. I'm guessing your reason for wanting to do this is simply so you don't have to type out $_POST[''].
I have a function similar to your sanitize() function, but I call mine sql_insert(). I like your verbiage better.
08-17-2007, 03:00 PM
Re: Create variables from $_POST
Posts: 130
goheadtry suggested that someone could inject into my code. Am I missing anything in my sanitize() function that could pose a security risk? If so, could I see some samples of how to inject into my code.
08-17-2007, 03:07 PM
Re: Create variables from $_POST
Posts: 182
Your sanitize() looks safe to me. I'm not sure what goheadtry was referring to. Then again, I am not an XSS/SQL injection expert.
Maybe try to test your own forms with some of the XSS/injection methods listed here:
http://ha.ckers.org/xss.html
08-17-2007, 03:11 PM
Re: Create variables from $_POST
Posts: 385
Name: Jamie Lewis
Location: UK
Looks completely fine. A nice way to neutralise user input. Ignore goheadtry's comment; I think he got confused between injection threats and validation.
Jamie
08-17-2007, 03:13 PM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
I would like to learn more about how injecting works. Anyone got any good sites to look at which have examples etc.?
Dan
08-17-2007, 03:19 PM
Re: Create variables from $_POST
Posts: 385
Name: Jamie Lewis
Location: UK
Dan: Injecting is the process of inserting code into an SQL statement to do something unintended; this could be anything from making the database spew its contents to gaining admin privs.
It is amazing how many sites still don't employ the simple defenses; all they need to do is strip user input of slashes and other special characters.
The most simple injection is ' OR 1=1; this is used in admin login forms to gain permissions. If you imagine the SQL statement, it would evaluate to 2; if no checking of passwords is done afterwards, then the site would give the user the privs.
Jamie
08-17-2007, 03:20 PM
Re: Create variables from $_POST
Posts: 182
Check out the link I just posted.
08-17-2007, 03:23 PM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
I did, and in the first few lines it said this isn't for people who don't know about it. I looked but couldn't see an "injections for dummies" link.
08-17-2007, 03:24 PM
Re: Create variables from $_POST
Posts: 182
08-17-2007, 03:29 PM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
Don't you find it funny how the best sites, as in the most useful with info, don't have ads or have minimal small text ads?
08-17-2007, 03:48 PM
Re: Create variables from $_POST
Posts: 2,918
Name: Keith Marshall
Location: Connecticut
08-17-2007, 04:03 PM
Re: Create variables from $_POST
Posts: 130
Another good way to avoid SQL injections is to use prepared statements. PDO and PEAR both offer a good solution to this for PHP.
08-17-2007, 07:44 PM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
I'll have a look-see at those threads.
Is this kind of thing something that should be an issue when making scripts?
Like, what's the chances of it happening?
08-18-2007, 01:59 AM
Re: Create variables from $_POST
Posts: 730
Name: John
Location: United States of America, California
Quote:
Originally Posted by JamieLewis
Dan: Injecting is the process of inserting code into an SQL statement to do something unintended; this could be anything from making the database spew its contents to gaining admin privs.
It is amazing how many sites still don't employ the simple defenses; all they need to do is strip user input of slashes and other special characters.
The most simple injection is ' OR 1=1; this is used in admin login forms to gain permissions. If you imagine the SQL statement, it would evaluate to 2; if no checking of passwords is done afterwards, then the site would give the user the privs.
Jamie
Yes, or giving it a command that will fail and another command that will take its place, which is then used as the command instead. What are variables? Think about placeholders: if you are giving a placeholder a value that can be input like this, do=update for example, and it does SQL commands, they could change update to delete. Do you see what I mean? Or file=ham.php instead of file=../password.txt, because you made it go one directory behind the main site, etc., or forgotpassword='OR 1=1, things like that.
08-18-2007, 06:10 AM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
OK, I think I kind of get the idea.
I'm using
PHP Code:
$user =(isset($_POST['user'])) ? mysql_real_escape_string($_POST['user'],$link_db) : '';
So am I right that this is "protecting" me from this kind of thing?
Whereas if I was using just
PHP Code:
$user = $_POST['user'];
they could do SQL injection?
Thanks,
Dan
08-18-2007, 06:20 AM
Re: Create variables from $_POST
Posts: 6,521
Name: Dan
Location: Swindon
Hey, because I want to see how this works, I removed the mysql_real_escape thing on the post info,
but when I try to login
at http://calm.dansgalaxy.co.uk/admincp.php
with admin as user
and with password " blah' OR 1='1 " it still rejects it, saying wrong user/pass?
What's causing this?
Here's my login.php
PHP Code:
<?php
# ******************************************************************
# SCRIPT MADE BY GABE SOLOMON ..... 8 MAY 2007
# ******************************************************************
$message_login = '';
include_once ('config.php');
session_start();

// Set Sessions
$_SESSION['user'] == $user;
$_SESSION['rank'] == $rank;

# ******************************************************************
# LIST OF FUNCTIONS
# ******************************************************************
function Redirect($url)
{
    if (headers_sent()) {
        echo "<script type='text/javascript'>location.href='$url';</script>";
    } else {
        header("Location: $url");
    }
}
# *******************************************************************
# end of functions
# *******************************************************************

//$action=(isset($_GET['action'])) ? $_GET['action'] : 'login';
$redirect = (isset($_GET['redirect'])) ? urlencode($_GET['redirect']) : urlencode('/index.php');
$message_login .= 'You need to login ...';
$page       = $_SERVER['REQUEST_URI'];
$check_page = strpos($page, 'login.php');
$check_user = isset($_SESSION['user']);

if ($check_user === true && $check_page === false) {
}
/*elseif ($check_user===true && $check_page!==false) Redirect('/index.php');*/
elseif ($check_user === false && $check_page === false) {
    Redirect('/login.php?action=login&redirect=' . $_SERVER['REQUEST_URI'] . '');
} else {
    require ('includes/db_connect_calm_main.php'); //connects to MySQL AND makes calm_main the current..

    // Raw POST values, no escaping: this is the version with mysql_real_escape_string() removed.
    $user            = $_POST['user'];
    $password        = $_POST['password'];
    $last_login_ip   = $_SERVER['REMOTE_ADDR'];
    $last_login_date = date('r');

    ############# BRUTE FORCE #############
    # if brute force enabled
    if ($brute_force_status == 1) {
        ##
        $ip = $_SERVER['REMOTE_ADDR'];
        # creates blank entry in table on page load.
        mysql_query("INSERT INTO online_sessions (login_attempts, ban_time, ip) VALUES ('0', '0', '$ip')", $link_db);
        ## Get all info for current user from online_sessions Table
        $online_sessions_results = mysql_query("SELECT * FROM `online_sessions` WHERE ip='$ip'") or die ('Error:' . mysql_error());
        $row            = mysql_fetch_array($online_sessions_results);
        $login_attempts = $row['login_attempts'];
        $ban_time       = $row['ban_time'];
        $session_ip     = $row['ip']; // gets the ip from the db, this should be the same as $ip
        $banned         = '0';        // sets users as not banned to begin with.
        $cur_time       = date('U');  // sets $cur_time to unix time.

        // deletes entry if ban has expired and resets login attempts.
        if ($ban_time < $cur_time && $login_attempts >= $allowed_login_attempts) {
            mysql_query("DELETE FROM online_sessions WHERE ban_time='$ban_time' ") or die ('Error:' . mysql_error());
        }
        // if ban_time still more than cur_time and login attempts more than 5 show banned msg
        if ($ban_time > $cur_time && $login_attempts >= $allowed_login_attempts) {
            $banned_time_min = $banned_time / 60;
            $banned = '1';
            $message_login .= '<h1>Brute Force Protection</h1> This IP address is currently BANNED from logging into the CALM website because a '
                . '<a href="http://en.wikipedia.org/wiki/Brute_force_attack">brute force attempt</a> was detected. <br /> '
                . 'You will be required to wait ' . $banned_time_min . ' minutes before you can try again. '
                . 'Attempting to login again will only increase this delay. If you frequently experience this problem, '
                . 'we recommend having your username changed to something less generic. '
                . 'Try again in ' . ($ban_time - $cur_time) / 60 . ' minutes';
        }
    } #end if brute force enabled
    ############# BRUTE FORCE #############

    if (isset($_POST['submit'])) {
        if (empty($user)) {
            $message_login .= 'You must fill the user field';
            $failed_login = '1';
        } elseif (empty($password)) {
            $message_login .= 'You must fill the password field';
            $failed_login = '1';
        } else {
            #$result = mysql_query("SELECT * FROM `users` WHERE user='{$user}' AND password='".sha1($password)."' ", $link_db) or die ('Error! Contact Super-Admin');
            // The live query: user and password are interpolated straight into the SQL text.
            $result   = mysql_query("SELECT * FROM `users` WHERE user='$user' AND password='$password' ") or die ('Error! Contact Super-Admin');
            $num_rows = mysql_num_rows($result);
            if ($num_rows != 1) {
                ################ BRUTE FORCE ####################
                # If brute force enabled
                if ($brute_force_status == 1) {
                    ##
                    $login_attempts = $login_attempts + 1;
                    ###
                    # If login attempts more than 5 increase ban time
                    if ($login_attempts >= $allowed_login_attempts) {
                        $ban_time = ($cur_time + $banned_time);
                    }
                    ###
                    # updates fields if login_attempts more than five updates ban time, if not still updates login_attempts
                    mysql_query("UPDATE online_sessions SET ban_time='$ban_time', login_attempts='$login_attempts' WHERE ip='$session_ip'");
                } # end of if brute force enabled.
                $message_login .= 'User and/or password mismatch.';
            } // END OF if ($num_rows!=1)
            else { // Else for if ($num_rows!=1)
                $row = mysql_fetch_assoc($result);
                $_SESSION['user'] = array('id' => $row['id'], 'user' => $row['user'], 'email' => $row['email']);
                Redirect(urldecode($redirect));
            } // end else for if ($num_rows!=1)

            ########## BRUTE FORCE ##########
            if ($brute_force_status == 1) {
                #
                $logins     = $row['logins'];  // this is for the users table
                $cur_logins = $logins + 1;     // this works with the users table.
                // $ip = $_SERVER['REMOTE_ADDR']; this done with the Brute force bits.
                $date = date('r');
                //This should update the users table with the users ip address
                $result = mysql_query("UPDATE users SET last_login_ip='$ip', last_login_date='$date', logins='$cur_logins',user_status='online' WHERE user='{$_SESSION['user']['user']}'");
            } # end of brute force enabled
        }
    }

    # if banned dont show login form.
    $content = '<div style=" text-align: center;"> <div style="border: dashed 1px #000; width: 50%; margin-left: 33%; margin-right: 15%; height: 225px; position:relative;">';
    if ($banned == '1') {
        $content .= 'You are banned';
        $content .= $message_login;
    } else {
        $content .= ' <span style="color:#ff0000; background: #ccc;">' . $message_login . '</span><br /> '
            . '<p> If you don\'t have an account you can register by clicking <a href="register.php">here</a> </p> '
            . '<p style="float: left; padding-bottom: 10px; margin-left: 25px;"><img src="images/login_icon2.png" style="width: 150px; height: 150px" alt="login"/></p> '
            . '<div style="padding-top: 10px;"> <form action="login.php?redirect=' . $redirect . '" method="post" > '
            . '<p>Username: <input type="text" name="user" value="' . $user . '" tabindex="1" /><br /> '
            . 'Password: <input type="password" name="password" tabindex="2" /><br /> '
            . '<input type="submit" name="submit" value="LogIn" /></p> </form></div>';
    } //if banned...
    $content .= '</div></div>';
    include ('style/' . $style . '/template.inc.php');
} // end for else from check session
?>
I have the mysql_real_escape_string thing I had and other bits which I thought would stop the SQL injections,
but I still can't login with admin/blah' OR 1='1,
so what else is protecting it?
Thanks,
Dan
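An added example, not code from the thread, that puts the string-built query Jamie describes (and the one in Dan's login.php above) beside the prepared-statement approach suggested earlier in the thread. It assumes the pdo_sqlite extension is available so it runs against an in-memory database; the table contents are constructed sample data.

```php
<?php
// Added example, not code from the thread: the string-built query Jamie describes
// beside the prepared-statement version suggested later in the thread. It assumes
// the pdo_sqlite extension so it runs against an in-memory database with no server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)');
// Constructed sample rows. Real code stores a hash, as the commented-out sha1()
// query in login.php does; plain text is kept here only to match the live query.
$db->exec("INSERT INTO users (user, password) VALUES ('admin', 's3cret')");
$db->exec("INSERT INTO users (user, password) VALUES ('alice', 'hunter2')");

// Same shape as the live query in login.php: the values are pasted into the SQL
// text, so a quote inside them ends the string literal and the rest is parsed as SQL.
function login_unsafe(PDO $db, $user, $password) {
    $sql = "SELECT id, user FROM users WHERE user='$user' AND password='$password'";
    echo "SQL actually sent: $sql\n";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL is compiled first and the values are bound afterwards,
// so whatever they contain is compared as data and never parsed as SQL.
function login_safe(PDO $db, $user, $password) {
    $stmt = $db->prepare('SELECT id, user FROM users WHERE user = :user AND password = :password');
    $stmt->execute(array(':user' => $user, ':password' => $password));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$user     = 'admin';
$password = "blah' OR '1'='1";   // the password string Dan tried above

$rows = login_unsafe($db, $user, $password);
echo count($rows) . " row(s) matched\n";  // 2: the OR matches every user, which is why
                                           // a "num_rows != 1" check happens to reject it
$rows = login_safe($db, $user, $password);
echo count($rows) . " row(s) matched\n";  // 0: the quote stayed inside the bound value

$rows = login_safe($db, 'admin', 's3cret');
echo count($rows) . " row(s) matched\n";  // 1: only the real credentials log in
```

The rejection Dan sees comes from the "exactly one row" check, not from any escaping; with a single user in the table the same input would have logged in, so the fix is the bound parameters, not the row count.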
08-18-2007, 09:24 AM
Re: Create variables from $_POST
Posts: 130
Try it by taking out the single quotes in this query: $result = mysql_query("SELECT * FROM `users` WHERE user=$user AND password=$password ")
I think you could also play around with leaving the single quotes in there and then playing with how you're passing the attack.
Example:
OR 1=1 /*