escapeshellcmd seems to blank my user input





boinsterman
I have a page at http://worldthinker.frihost.org/codeexamples/datestest3.php in which user input seems to get blanked by escapeshellcmd. (I am not calling any shell functions. I just wanted to add another layer of security so Frihost would not get compromised as easily. I do not know if it is even necessary.)

Code:

<?php
    $data_stack = array();
    foreach ($_GET as $key => $value)
       {
           $key = escapeshellcmd($key);
           $value = escapeshellcmd($value);
           array_push($data_stack, $key, $value);
       }

    $xslDoc = new DOMDocument();
    $xslDoc->load("dates_test3.xsl");

    $xmlDoc = new DOMDocument();
    $xmlDoc->load("datetest3.xml");

    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions();
    $proc->importStylesheet($xslDoc);

    foreach ($data_stack as $key2 => $val2)
    {
        $proc->setParameter('', $key2, $val2);
    };

    echo $proc->transformToXML($xmlDoc);

    unset($xslDoc);
    unset($xmlDoc);
    unset($proc);
?>
Fire Boar
You're using array_push wrong. Your code pushes two values into the array: $key and $value. Instead, you should use the following syntax:

Code:
$data_stack[$key] = $value;


However, escapeshellcmd should ONLY be used on shell input, because shells can have some really odd syntax. Using escaping that you don't need will at best make your code run slower, and at worst (indeed, highly probable in this case) introduce vulnerabilities.

As a rule, you should apply the one form of escaping that you need, and only it. If you need multiple escapings, like for example if data is stored in the database in order to later be output as plain text on a web page, you should make sure that the one that is required at any given time is the one that is applied LAST. In the database/plaintext example, you first need to escape the text so that it appears as-is in HTML (replacing < with &lt; and so on), then escape for database storage (mysqli_real_escape_string). Actually, for database storage, it's better just to use prepared statements because then there's no need to worry about escaping.
Marcuzzo
Fire Boar is right.
The way you wrote the code, your array will not hold the values that you are expecting.


W3schools wrote:

The syntax of array_push is:
Code:
array_push(array,value1,value2...)

Code:
<?php
$a=array("Dog","Cat");
array_push($a,"Horse","Bird");
print_r($a);
?>


The output of the code above will be:
Code:
Array ( [0] => Dog [1] => Cat [2] => Horse [3] => Bird )


So you would be adding your index as a regular value instead of an index.

Your array will look like this:
Code:
$arr[0] = 0;
$arr[1] = "some";
$arr[2] = 1;
$arr[3] = "input";
$arr[4] = 2;
$arr[5] = "blablabla";
$arr[6] = 3;
$arr[7] = "last item";


instead of

Code:
$arr[0] = "some";
$arr[1] = "input";
$arr[2] = "blablabla";
$arr[3] = "last item";



This is rather basic stuff.
I would advise playing around with basic PHP before diving into a sea of trouble with more advanced code.
boinsterman
The following code works as expected at http://worldthinker.frihost.org/codeexamples/echotest.php.

Code:

<?php
    foreach ($_GET as $key => $value)
       {
        echo "<tr><td>".$key."</td><td>".$value."</td></tr>";
       };
?>


I'm very concerned about hackers. It has already been independently confirmed that a hacker has remotely accessed this computer I am using. My question is: Is there anything I need to do to prevent a hacker from using a normal input form (from which the data will be printed to a webpage and/or an XML file or other text file)? For example, do any particular characters need to be escaped? Is there any way a hacker can execute shell commands via a normal input form?
Marcuzzo
boinsterman wrote:

The following code works as expected at http://worldthinker.frihost.org/codeexamples/echotest.php.
Code:
<?php
    foreach ($_GET as $key => $value)
       {
        echo "<tr><td>".$key."</td><td>".$value."</td></tr>";
       };
?>


Of course it does; the $_GET array is perfectly formatted.

We were talking about the array $data_stack.
While you loop through the $_GET array, you are pushing items into that array:
Code:
array_push($data_stack, $key, $value);


And it would look like:

Code:
$data_stack[0] = 0;
$data_stack[1] = "some";
$data_stack[2] = 1;
$data_stack[3] = "input";
$data_stack[4] = 2;
$data_stack[5] = "blablabla";
$data_stack[6] = 3;
$data_stack[7] = "last item";


instead of
Code:
$data_stack[0] = "some";
$data_stack[1] = "input";
$data_stack[2] = "blablabla";
$data_stack[3] = "last item";



boinsterman wrote:
Is there any way a hacker can execute shell commands via a normal input form?


You don't want to use $_GET if you are worried about security.

Code could be injected simply by adding text to the URL:
http://worldthinker.frihost.org/codeexamples/echotest.php?text1=this+text&text2=more+text&text3=Inject1&text4=Inject2&HAHAHA=LOL


One can even add a link:
Code:
http://worldthinker.frihost.org/codeexamples/echotest.php?text1=this+text&text2=more+text&text3=Inject1&text4=Inject2&HAHAHA=LOL&link=<a href=http://google.com>Link</a>


1. Look into $_POST.

2. Escape or convert characters to their HTML equivalent, e.g. & to &amp;.

3. Check these links:
http://en.wikipedia.org/wiki/SQL_injection
http://rochakchauhan.com/blog/2008/07/13/top-ten-security-vulnerabilities-in-php-code/
http://en.wikipedia.org/wiki/Code_injection
Fire Boar
What Marcuzzo describes is not an injection attack. Anything can go into $_GET or $_POST - using one is no more secure than using the other. However, simply putting in random stuff isn't going to do anything - there is no magical $_GET string that suddenly breaks your website.

The important thing is what you do with the data. Escape for that purpose. The only other thing is that you should never use eval on user input. There are other avenues for attack, for instance, if you allow users to upload files you should make sure that if they upload a PHP file, that file can not be run (or just restrict uploads to certain safe file types).
Marcuzzo
He isn't using a database for that script, so there wouldn't be a lot of injecting. What I was trying to point out is that you can do harm if the input isn't filtered and verified and is simply executed.
In this case he wrote 2 input boxes whose values would be copied to the array.
If you clicked the button it would overwrite the previous array, so you could assume that the array is only supposed to hold 2 items.
By simply adding stuff to the URL I could 'inject' other items.
My apologies for not being more complete.
Fire Boar
Marcuzzo wrote:
He isn't using a database for that script, so there wouldn't be a lot of injecting. What I was trying to point out is that you can do harm if the input isn't filtered and verified and is simply executed.
In this case he wrote 2 input boxes whose values would be copied to the array.
If you clicked the button it would overwrite the previous array, so you could assume that the array is only supposed to hold 2 items.
By simply adding stuff to the URL I could 'inject' other items.
My apologies for not being more complete.


This is true, but if you then only query the keys that you expect to find, there's no problem. In the end it all depends on how you use the input data. Oh, and using the POST method instead of GET is no guarantee that unwanted data will not arrive too - both POST and GET are simply lists of key/value pairs sent by the browser, and it's quite trivial to add a key/value pair to either list. As a general rule: never assume that the keys you get are what you expect, and never assume that the user input has the expected format. Always check these things.
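Putting Fire Boar's two points together (build the array as key => value and escape only for the context you output to, from the first reply; read only the keys you expect and check their format, from this last one), here is an added example of the original loop rewritten along those lines. It is not code from the thread: the parameter names text1 and text2 are taken from Marcuzzo's example URL, while the validation pattern and the choice of htmlspecialchars() are assumptions.

```php
<?php
// Added example, not the thread's code. Only the XSL/XML file names
// come from the original datestest3.php.

// 1. Whitelist: only these keys are read from the request. Extra keys
//    in $_GET (or $_POST, the rule is identical) are simply ignored.
$expected = array('text1', 'text2');

// 2. Validate the format before the value is used anywhere.
//    Assumed rule: 1-100 characters, no control characters, valid UTF-8
//    (with /u, preg_match() returns false on invalid UTF-8, which fails).
function validParam($value)
{
    return is_string($value)
        && preg_match('/^[^\x00-\x1F\x7F]{1,100}$/u', $value) === 1;
}

// 3. Associative array ($key => $value) instead of
//    array_push($data_stack, $key, $value), which interleaves keys and values.
$data_stack = array();
foreach ($expected as $name) {
    if (isset($_GET[$name]) && validParam($_GET[$name])) {
        $data_stack[$name] = $_GET[$name];
    }
}

// 4a. Output as HTML: escape for HTML, and only at the moment of output.
foreach ($data_stack as $key => $value) {
    echo '<tr><td>' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
       . '</td><td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
       . "</td></tr>\n";
}

// 4b. Same values handed to XSLT: pass them raw. xsl:value-of escapes text
//     for the output method itself, so htmlspecialchars() here would give
//     double-escaped output (&amp;amp;). No escapeshellcmd(): nothing here
//     ever reaches a shell. registerPHPFunctions() from the original is
//     left out; re-enable it only if the stylesheet really calls php:* functions.
$xslDoc = new DOMDocument();
$xslDoc->load('dates_test3.xsl');
$xmlDoc = new DOMDocument();
$xmlDoc->load('datetest3.xml');

$proc = new XSLTProcessor();
$proc->importStylesheet($xslDoc);
foreach ($data_stack as $key => $value) {
    // setParameter() returns false when it cannot pass a value (some PHP
    // versions reject strings containing both ' and "), so check it.
    if (!$proc->setParameter('', $key, $value)) {
        trigger_error("could not set XSLT parameter $key", E_USER_WARNING);
    }
}
echo $proc->transformToXML($xmlDoc);
```

The whitelist in step 1 is what makes Marcuzzo's extra &HAHAHA=LOL or &link=... keys harmless: they never enter $data_stack, whichever HTTP method carried them.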
© 2005-2011 Frihost, forums powered by phpBB.