www.webdeveloper.com

Thread: PHP Site Security

  1. #1
    Join Date
    Apr 2009
    Posts
    346

    PHP Site Security

    I have a single username and password field on my site which leads into a simple customer admin section. I only give this username and password to a couple people I know. But for some reason my site DB keeps getting hacked. Below is the code I use to filter the username and password:

    PHP Code:
    function cleanQuery($string)
    {
        if (get_magic_quotes_gpc()) { // prevents duplicate backslashes
            $string = stripslashes($string);
        }

        // keyword blacklist, removed case-insensitively in a single pass
        $badWords = array("/delete/i", "/update/i", "/union/i", "/insert/i", "/drop/i", "/http/i", "/--/i");
        $string = preg_replace($badWords, "", $string);

        if (phpversion() >= '4.3.0') {
            $string = mysql_real_escape_string($string);
        } else {
            $string = mysql_escape_string($string);
        }

        return $string;
    }
    Can someone tell me what is wrong with the above code and why it's still allowing hackers in?
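An added example, not code from the thread, that isolates the keyword-stripping step of the cleanQuery() function above and runs it over constructed inputs. It shows three things a practitioner would check before trusting a word blacklist: a keyword nested inside itself survives a single preg_replace() pass ("DELdeleteETE" comes out as "DELETE"), legitimate values that happen to contain a listed word are silently damaged, and a quote-based payload contains none of the listed words and passes through untouched (in the posted function it is the mysql_real_escape_string() call at the end, not the word list, that handles the quote). The stripUntilStable() helper is an assumed name, added to show that looping until nothing changes closes only the first of those gaps.

```php
<?php
// Added example, not from the thread. Reproduces only the keyword-blacklist
// step of the posted cleanQuery() to show what preg_replace() does and does
// not remove. All inputs below are constructed for the demonstration.

$badWords = array("/delete/i", "/update/i", "/union/i", "/insert/i", "/drop/i", "/http/i", "/--/i");

// Single-pass strip, exactly as in the posted code.
function stripBlacklisted(string $value, array $patterns): string
{
    return preg_replace($patterns, '', $value);
}

// Assumed helper: repeat until the value stops changing. This closes the
// nested-keyword gap (case 1) but does nothing for cases 2 and 3.
function stripUntilStable(string $value, array $patterns): string
{
    do {
        $before = $value;
        $value  = preg_replace($patterns, '', $value);
    } while ($value !== $before);
    return $value;
}

$cases = array(
    // 1. Nested keyword: removing the inner "delete" reassembles the outer one.
    "DELdeleteETE",
    // 2. Legitimate data containing a listed word is silently corrupted.
    "Update your profile at http://example.com",
    "Dropbox invoice 2009--10",
    // 3. A quote-based payload contains none of the listed words.
    "' OR '1'='1",
);

foreach ($cases as $input) {
    printf("[%s]\n    single pass -> [%s]\n    repeated    -> [%s]\n",
        $input,
        stripBlacklisted($input, $badWords),
        stripUntilStable($input, $badWords));
}
```

Run it with `php blacklist.php`. Case 1 prints "DELETE" after the single pass and an empty string after the loop; case 2 loses the words "Update", "http" and "Drop" and the "--" from a date range; case 3 is returned unchanged by both functions.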

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,322
    Well, the first question to address might be whether they are getting in through that script, or if there is some other hole you have not yet considered. Have you checked the web server logs for "interesting" things in the URL query string?
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Apr 2009
    Posts
    346
    Quote Originally Posted by NogDog View Post
    Well, the first question to address might be whether they are getting in through that script, or if there is some other hole you have not yet considered. Have you checked the web server logs for "interesting" things in the URL query string?
    No, I haven't. I didn't realize that the URL could be used for malicious purposes... How would you guard against that?

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,322
    It could if you use some $_GET value within a database query and do not properly sanitize that value. (The same is true with any external values, such as form data in $_POST or a $_COOKIE value.)
    Code:
    http://www.example.com/some_page.php?id=1%3B+DELETE+FROM+USERS+WHERE+1%3D1
    Which if $_GET['id'] were used in a query such as this...
    PHP Code:
    mysql_query("SELECT * FROM tablename WHERE id=".$_GET['id']); 
    ...would actually try to execute:
    Code:
    SELECT * FROM tablename WHERE id=1; DELETE FROM USERS WHERE 1=1
    In this particular case, it could be avoided simply by casting $_GET['id'] to an integer.

  5. #5
    Join Date
    Apr 2009
    Posts
    346
    Ahhhhhh.... OK, thanks, I never thought of that. What if the id is a mixture of integers and letters? Could I use the same type of sanitizing code for the $_GET variables as I do for the $_POST data?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,322
    Yep. If it's a string, making sure it is escaped via mysql_real_escape_string() and then properly quoted will prevent SQL injection. Probably more robust would be to make use of the MySQLi extension and use prepared statements with place-holders and bound parameters. That is no more secure in and of itself, but it can help avoid coding mistakes that might leave a hole.
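An added example, not from the thread, that runs the cases from posts #4 and #6 against an in-memory SQLite database through PDO. SQLite is an assumption, chosen so the script runs offline without a MySQL server; the query patterns are what matter. The payload is `1 OR 1=1` rather than a stacked statement, since it needs only a single query. Steps 1 to 3 show that escaping an unquoted numeric value changes nothing while an (int) cast does; steps 4 to 6 show a quoted string payload succeeding against plain concatenation and failing against both driver quoting and a bound parameter, which also answers the mixed letters-and-digits id case from post #5. The customers table, its rows and the two inputs are constructed for the demonstration; addslashes() stands in for mysql_real_escape_string(), whose extension was removed in PHP 7.

```php
<?php
// Added example, not from the thread. Uses an in-memory SQLite database via
// PDO (assumption: pdo_sqlite is available) as a stand-in for MySQL so the
// script runs offline; the vulnerable and fixed query patterns are the same.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO customers (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker inputs: the first targets an unquoted numeric context,
// the second a quoted string context.
$idInput   = '1 OR 1=1';
$nameInput = "' OR '1'='1";

// Collect the name column of a result set into a comma-separated string.
function names(PDOStatement $stmt): string
{
    return implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN, 0));
}

// 1. Concatenating an unquoted value: the input becomes part of the SQL
//    and every row comes back.
$sql = 'SELECT name FROM customers WHERE id=' . $idInput;
echo "concatenated id      : ", names($pdo->query($sql)), "\n";

// 2. Escaping without quoting: there is no quote to escape, so the payload
//    survives unchanged and still returns every row.
$sql = 'SELECT name FROM customers WHERE id=' . addslashes($idInput);
echo "escaped, unquoted id : ", names($pdo->query($sql)), "\n";

// 3. Casting to int (post #4): "1 OR 1=1" becomes 1, one row.
$sql = 'SELECT name FROM customers WHERE id=' . (int) $idInput;
echo "cast (int) id        : ", names($pdo->query($sql)), "\n";

// 4. Quoted string, concatenated: the payload closes the quote and adds
//    an OR clause, every row again.
$sql = "SELECT name FROM customers WHERE name='" . $nameInput . "'";
echo "concatenated name    : ", names($pdo->query($sql)), "\n";

// 5. Quoted string escaped by the driver (post #6, "escaped and properly
//    quoted"): the quotes are doubled, the payload is compared as a literal
//    and matches nothing.
$sql = 'SELECT name FROM customers WHERE name=' . $pdo->quote($nameInput);
echo "quoted name          : ", names($pdo->query($sql)), "\n";

// 6. Prepared statement with bound parameters (post #6): the values never
//    touch the SQL text, so neither payload matches anything, whether the
//    column is numeric or a string.
$stmt = $pdo->prepare('SELECT name FROM customers WHERE id = ? OR name = ?');
$stmt->execute([$idInput, $nameInput]);
echo "bound parameters     : ", names($stmt), "\n";
```

Run it with `php injection.php`. Steps 1, 2 and 4 print all three names, step 3 prints only alice, and steps 5 and 6 print nothing. The prepared statement is the form to standardise on: it is the only variant that needs no per-call decision about whether the value is numeric, quoted or escaped.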

  7. #7
    Join Date
    Mar 2007
    Posts
    946
    Check out http://phpsec.org/projects/guide/

    It is a good starting point.
    "Hippies. They're everywhere. They wanna save the earth, but all they do is smoke pot and smell bad." - Cartman
