Who knows something about SQL and PHP
surfichris (Former Admin)
RE: Who knows something about SQL and PHP
Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.

You don't sanitize any quotes or anything before you insert raw data in to the database.

Add the following before your insert query..
code:
$name = mysql_real_escape_string($_POST['name']);
$shout = mysql_real_escape_string($_POST['shout']);
01-05-2008 10:07 PM
Exca (Senior Member)
O.P. RE: Who knows something about SQL and PHP
I don't quite understand... the shoutbox works now?
But that is my opinion!
01-05-2008 10:33 PM
Tochjo (forum super mod)
RE: Who knows something about SQL and PHP
You can read Wikipedia: SQL injection to find out what Chris is talking about. Translations of it are available, if you find that easier :)

This post was edited on 01-05-2008 at 10:35 PM by Tochjo.
01-05-2008 10:35 PM
Exca (Senior Member)
O.P. RE: Who knows something about SQL and PHP
Oh, so it's a security matter.

In that case... where should I paste it? Probably on the shoutbutton, but I'm just a regular guy trying to make some website :)
01-05-2008 10:42 PM
surfichris (Former Admin)
RE: Who knows something about SQL and PHP
It would go on the lines right before mysql_query("INSERT INTO...");

Yes, you're just a regular guy, but it is those regular guys whose websites get hacked because they don't know things like this.

Essentially any information you save to a database from user input needs to be sanitized to prevent special characters performing unwanted things (SQL injection etc)

So essentially any incoming data you run mysql_real_escape_string on before you insert or run a query using it. If you're inserting an integer from user input, typecast it to an integer first.

For example:
String: My test' string

Result unescaped: INSERT INTO test ('abc') VALUES ('My test' string');
After mysql real escape string: INSERT INTO test ('abc') VALUES('My test\' string');

Notice how in the unescaped version there is an extra quote in there? We don't want that; it is bad and can cause malicious things.

Second example of typecasting:

Incoming Integer (number): abc

Notice how it isn't a number?

Query: "SELECT * FROM test WHERE test=".$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=abc.

Now we have a problem. Because we want to be querying using an integer and a malicious user has entered a text string and we aren't quoting and escaping the value (you don't have to for integers) then whatever they enter can be executed as an additional query.

Solution?

Query: "SELECT * FROM test WHERE test=".(int)$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=0

Because we've cast the data to an integer and abc is not an integer (and doesn't contain any), 0 is returned, thus in this example we're protected.

This is only a subset of what you need to look out for but it covers the basics.

Chris
01-06-2008 11:35 AM
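The two points Chris makes above (escape string values, typecast integers) as an added, runnable example; this is not code from the thread or from the shoutbox. It uses PDO with an in-memory SQLite database so it runs anywhere the pdo_sqlite extension is loaded: the mysql_* functions were removed in PHP 7, so PDO::quote() stands in for mysql_real_escape_string(), and a prepared statement is shown alongside it as the form recommended today. The table and column names (shouts, id, name, shout) and the sample inputs are made up.

```php
<?php
// Added example (not from the thread): the quoting problem Chris describes and
// the fixes, against an in-memory SQLite database so it runs offline.

function buildUnescapedQuery(string $shout): string
{
    // Exactly the pattern the thread warns about: raw user input pasted into SQL.
    return "INSERT INTO shouts (name, shout) VALUES ('anon', '$shout')";
}

function buildEscapedQuery(PDO $db, string $shout): string
{
    // PDO::quote() does what mysql_real_escape_string() did: it escapes the
    // value and wraps it in quotes, so the stray quote can no longer end the literal.
    return "INSERT INTO shouts (name, shout) VALUES ('anon', " . $db->quote($shout) . ")";
}

function insertWithPreparedStatement(PDO $db, string $name, string $shout): void
{
    // Preferred today: the values travel separately from the SQL text and are
    // never parsed as part of the statement, so no escaping step can be forgotten.
    $stmt = $db->prepare('INSERT INTO shouts (name, shout) VALUES (:name, :shout)');
    $stmt->execute([':name' => $name, ':shout' => $shout]);
}

function selectById(PDO $db, $rawId): array
{
    // Integer typecast, as the thread recommends: "abc" becomes 0 and a string
    // that merely starts with digits keeps only those digits.
    $id = (int) $rawId;
    return $db->query("SELECT id, shout FROM shouts WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, name TEXT, shout TEXT)');

$input = "My test' string";   // constructed input, the same one as in Chris's example

try {
    $db->exec(buildUnescapedQuery($input));
    echo "unescaped: inserted (unexpected)\n";
} catch (PDOException $e) {
    // The extra quote ends the string literal early and the rest is parsed as SQL.
    echo "unescaped: " . $e->getMessage() . "\n";
}

$db->exec(buildEscapedQuery($db, $input));        // row 1
insertWithPreparedStatement($db, 'Exca', $input); // row 2

// Constructed values for the integer case: a real id, text, and text with a leading digit.
foreach (['1', 'abc', '1 OR 1=1'] as $raw) {
    $rows = selectById($db, $raw);
    printf("id input %-12s -> cast %d -> %d row(s)\n", json_encode($raw), (int) $raw, count($rows));
}
```

Run it with `php sqli_example.php`. The unescaped insert fails with a syntax error, the escaped and prepared inserts both succeed, and the last loop shows why the cast matters: `abc` becomes 0 and matches nothing, and `1 OR 1=1` is reduced to 1 before it reaches the query.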
Exca (Senior Member)
O.P. RE: Who knows something about SQL and PHP
Ok, thank you for the information. I've implemented it, so it should be okay now.
You can check the shout.php that the shoutbox uses at http://www.exca.be/website/shout.php

While I'm here, I also have another thing to solve. I started on the contact page. www.exca.be => contact

I followed this tutorial: http://foamers.net/blogger/archives/45.

The actionscript I have on the submit-button is:
code:
on (release) {
    _parent.getURL("http://www.exca.be/website/contact.php","_blank","GET");
    _parent.message="Your message has been sent. Thanks for contacting!";
}

These are the variable names of the textfields:
code:
lastname
firstname
email
message


And this is the contact.php script:
code:
<?php
    // Straight quotes: the curly quotes pasted from the tutorial are not PHP string delimiters
    $your_lastname = $_GET['lastname'];
    $your_firstname = $_GET['firstname'];
    $your_email = $_GET['email'];
    $your_message = $_GET['message'];

    // The missing semicolon here is a parse error, which shows as a blank page when display_errors is off
    $recipient_email = "info@exca.be";

    $subject = "From " . $your_email;
    // $your_name was never defined; build it from the two name fields
    $your_name = $your_firstname . " " . $your_lastname;
    $headers = "From: " . $your_name . " <" . $your_email . ">\n";
    $headers .= 'Content-type: text/html; charset=iso-8859-1';

    $content = "<html><head><title>Contact letter</title></head><body><br />";
    $content .= "Last Name: <b>" . $your_lastname . "</b><br />";
    $content .= "First Name: <b>" . $your_firstname . "</b><br />";
    $content .= "E-mail: <b>" . $your_email . "</b><br /><hr /><br />";
    $content .= $your_message;
    $content .= "<br /></body>";

    mail($recipient_email,$subject,$content,$headers);
?>

<html>
<body bgcolor="#282E2C">
<div align="center" style="margin-top:60px;color:#FFFFFF;font-size:11px;
font-family:Tahoma;font-weight:bold">
            Your message was sent. Thank you.
        </div>
    </body>
</html>
<script>resizeTo(300, 300)</script>



Check yourself what the problem is... it's just giving a blank page :)
I actually don't want the red part too... I don't want any page to pop up, just the message that says "Your message has been sent. Thanks for contacting!"...

This post was edited on 01-06-2008 at 12:46 PM by Exca.
01-06-2008 12:43 PM
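An added example, not Exca's script or the tutorial's, showing how the contact handler can check its input before anything reaches mail(): fields that end up in mail headers are refused if they carry a line break (mail() headers are newline-separated, so an embedded newline would let a visitor add headers of their own), the address is checked with filter_var(), and everything interpolated into the HTML body goes through htmlspecialchars(). It returns the prepared arguments instead of calling mail() so it runs from the command line; the recipient address, the no-reply sender and the two sample submissions are constructed placeholders.

```php
<?php
// Added example (not from the thread): validate a contact-form submission and
// build the mail() arguments only when every field is safe to use.

const RECIPIENT = 'info@example.com';        // placeholder, not the site's real address
const SENDER    = 'noreply@example.com';     // placeholder address on the site's own domain

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Returns ['to', 'subject', 'body', 'headers'] on success, or ['errors' => [...]] on failure.
function buildContactMail(array $get): array
{
    $errors = [];
    $fields = [];
    foreach (['lastname', 'firstname', 'email', 'message'] as $key) {
        $value = isset($get[$key]) ? (string) $get[$key] : '';
        if ($value === '') {
            $errors[] = "$key is required";
        }
        $fields[$key] = $value;
    }

    // Anything placed in a header must be a single line; a CR or LF would start a new header.
    foreach (['lastname', 'firstname', 'email'] as $key) {
        if (preg_match('/[\r\n]/', $fields[$key])) {
            $errors[] = "$key must not contain line breaks";
        }
    }

    if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    if ($errors) {
        return ['errors' => $errors];
    }

    // Escape every interpolated value so a message cannot inject markup into the
    // HTML mail the site owner opens; the message body keeps its line breaks via nl2br().
    $body  = "<html><head><title>Contact letter</title></head><body>";
    $body .= "Last Name: <b>" . esc($fields['lastname']) . "</b><br />";
    $body .= "First Name: <b>" . esc($fields['firstname']) . "</b><br />";
    $body .= "E-mail: <b>" . esc($fields['email']) . "</b><br /><hr /><br />";
    $body .= nl2br(esc($fields['message']));
    $body .= "</body></html>";

    // From stays on the site's own domain (many receiving servers reject mail claiming
    // to come from an arbitrary address); the visitor's address goes in Reply-To.
    $headers  = "From: Website contact form <" . SENDER . ">\r\n";
    $headers .= "Reply-To: <" . $fields['email'] . ">\r\n";
    $headers .= "Content-Type: text/html; charset=UTF-8";

    return [
        'to'      => RECIPIENT,
        'subject' => 'Contact form message from ' . $fields['email'],
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed sample submissions: one normal, one with a line break inside the email field.
$samples = [
    ['lastname' => 'Doe', 'firstname' => 'Jane', 'email' => 'jane@example.org',
     'message' => "Hi <b>there</b>\nsecond line"],
    ['lastname' => 'Doe', 'firstname' => 'Jane', 'email' => "jane@example.org\r\nX-Extra: header",
     'message' => 'Hi'],
];

foreach ($samples as $i => $get) {
    $result = buildContactMail($get);
    if (isset($result['errors'])) {
        echo "sample $i rejected: " . implode('; ', $result['errors']) . "\n";
    } else {
        echo "sample $i accepted; headers:\n" . $result['headers'] . "\n\n";
        // In the real handler this is the point where
        // mail($result['to'], $result['subject'], $result['body'], $result['headers']) runs.
    }
}
```

The first sample is accepted with its `<b>` tags turned into literal text; the second is rejected before any header is built. Dropping the HTML output after the `?>` and returning nothing is what stops a page from appearing in the popup, since the Flash side already shows its own confirmation text.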
Volv (Skinning Contest Winner)
RE: Who knows something about SQL and PHP
quote:
Originally posted by Chris Boulton
Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.

You don't sanitize any quotes or anything before you insert raw data in to the database.
[Image: exploits_of_a_mom.png]
01-09-2008 11:36 AM