

O'calhoun's reusable stupid php question thread [NEW]





ocalhoun
Problem 2: Is this code good for security, or does it leave obvious security holes?
Every string a user enters will be tested by this script before being used in any way.
Code:

function security_validate($string)
{
// Makes sure a given string does not contain any control characters which could be used for hacking in any conceivable way.
// forbidden characters: /<>()='",;[]{}.?
$forbidden = "OK"; // As of now, no forbidden characters have been detected
if (strstr($string, "/") !== false)
{
   $forbidden = "/";
}
if (strstr($string, "<") !== false)
{
   $forbidden = "<";
}
if (strstr($string, ">") !== false)
{
   $forbidden = ">";
}
if (strstr($string, "(") !== false)
{
   $forbidden = "(";
}
if (strstr($string, ")") !== false)
{
   $forbidden = ")";
}
if (strstr($string, "=") !== false)
{
   $forbidden = "=";
}
if (strstr($string, "'") !== false)
{
   $forbidden = "'";
}
if (strstr($string, '"') !== false)
{
   $forbidden = '"';
}
if (strstr($string, ",") !== false)
{
   $forbidden = ",";
}
if (strstr($string, ";") !== false)
{
   $forbidden = ";";
}
if (strstr($string, "[") !== false)
{
   $forbidden = "[";
}
if (strstr($string, "]") !== false)
{
   $forbidden = "]";
}
if (strstr($string, "{") !== false)
{
   $forbidden = "{";
}
if (strstr($string, "}") !== false)
{
   $forbidden = "}";
}
if (strstr($string, ".") !== false)
{
   $forbidden = ".";
}
if (strstr($string, "?") !== false)
{
   $forbidden = "?";
}
if ($forbidden != "OK") // If any forbidden characters were detected
{
   mail("___________@hotmail.com", "________Hacking Attempt!", "There has been a hacking attempt at the archive. A user entered the forbidden character, " . $forbidden . " into a text field.");
   die("You have used illegal characters in an entered string. If you have done so with honest intentions, notify the administration of this site immediately. Otherwise it will be assumed that you are attempting to hack into this site. The forbidden character you used is: ---> " . $forbidden . " <--- The Administrator of the site has been notified of this possible hacking attempt by E-mail.");
}
// return "validated";
}

Yes, I know it would have been more efficient to use a switch, but this is the third evolution of this script, and the previous versions used lots of If statements.
I have tested it, and it does stop the execution of the script and display the message when one attempts to use a prohibited character.


Problem 1 Solved by ncwdavid.

There are no additional problems to be solved.

To mods: I'll reuse this thread later when I have another stupid question, and change the title to ...thread [[NEW]], so you needn't bother locking it.

mjunhybgtvfrcde <-- a random sequence of letters I can search for later so as to easily find this thread again.
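A different way to write the check in the post above, added here as an example and not part of the original thread: instead of listing the characters that are forbidden, describe what a valid value looks like and reject everything else. The function names and the allowed-character rule are assumptions of this example; since the field in question on this page is a username, the rule allows ASCII letters, digits and underscore, 1 to 32 characters. The sample inputs are constructed; the last group contains none of the blacklisted characters, so the blacklist passes them while the allow-list rejects them.

```php
<?php
// Added example (not from the original post): an allow-list validator as an
// alternative to the character blacklist in security_validate() above.
// validate_username(), blacklist_rejects() and ALLOWED_USERNAME are this
// example's own names, not anything from the thread.

// Only what a username is expected to contain: ASCII letters, digits and
// underscore, 1 to 32 characters. \A and \z anchor the whole string so a
// trailing newline cannot slip past the check (a bare $ would allow one).
const ALLOWED_USERNAME = '/\A[A-Za-z0-9_]{1,32}\z/';

function validate_username(string $s): bool
{
    return preg_match(ALLOWED_USERNAME, $s) === 1;
}

// The blacklist from the post, for comparison: true if $s contains any of
// the forbidden characters /<>()='",;[]{}.?
function blacklist_rejects(string $s): bool
{
    return strpbrk($s, "/<>()='\",;[]{}.?") !== false;
}

// Constructed sample inputs.
$samples = [
    'hexkid',
    'disk_maker42',
    "o'calhoun",          // blacklisted apostrophe
    'a<b',                // blacklisted angle bracket
    'user\\',             // backslash: not on the blacklist
    'user--',             // SQL comment marker: not on the blacklist
    "user\n",             // trailing newline: not on the blacklist
    'user%',              // LIKE wildcard: not on the blacklist
    str_repeat('a', 40),  // over-long value: not on the blacklist
];

foreach ($samples as $s) {
    printf("%-24s blacklist: %-7s allow-list: %s\n",
        json_encode($s),
        blacklist_rejects($s) ? 'reject' : 'pass',
        validate_username($s) ? 'pass' : 'reject');
}
```

Two things to notice when running it. The blacklist only ever catches the characters someone thought of; the allow-list does not need to know what an attacker might send. And the mail() call on every rejection in the original function deserves a second look: any visitor can trigger it with a single request, so it doubles as a way to fill the administrator's mailbox.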
ncwdavid
ocalhoun wrote:

Code:

...
   //user is legitimate
   $listrow = mysql_query("SELECT * FROM TDL WHERE Diskmaker =" . $_GET["username"] . " AND Done = 0");
   



Try this:
Code:

$username = $_GET['username'];
$listrow = mysql_query("SELECT * FROM TDL WHERE Diskmaker='$username' AND Done='0'");

Plus, check that everything is spelled right, and whether there should be capital letters and so on.
ocalhoun
Well, that fixed it. Although there are still other problems, this one is done.
ncwdavid
Well, post the other problems so we can see them and help you solve them.
hexkid
ocalhoun wrote:
Well, that fixed it. Although there are still other problems, this one is done.
Your problem was a quote problem.

The Diskmaker value should be enclosed in quotes (which you didn't do), and, apparently, Done doesn't need to be.
The final SQL statement in your code could turn out to be

Code:
SELECT * FROM TDL WHERE Diskmaker = hexkid AND Done = 0
But you need the quotes around hexkid:
Code:
SELECT * FROM TDL WHERE Diskmaker = 'hexkid' AND Done = 0


If you check the return value of mysql_query() calls (and many other calls) and print the MySQL error in case it fails, it helps a lot in cases such as this.

Code:
$listrow = mysql_query("select * from tdl where Diskmaker=hexkid and Done=0");
if ($listrow === false) {
  echo 'There was an error in the SQL statement at line ', (__LINE__ - 2), '. The error was: ', mysql_error();
  ### you can now stop the script
  # exit;
  ### or maybe send an email
  # mail(ADMIN, 'SQL ERROR', '(no message)');
  ### or even continue, depending on the severity of the error.
}
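As an added example, not code from ncwdavid or hexkid, here is the query from the two posts above written with a prepared statement, with the return-value check hexkid describes turned into driver-level exceptions. It assumes PHP's PDO with the pdo_sqlite extension so it runs without a MySQL server; for MySQL only the DSN and credentials passed to new PDO() change. The table and column names are the thread's; the rows, the crafted input and the function names are made up for the example.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database (assumes the pdo_sqlite extension) so it runs offline; with MySQL
// only the DSN in open_db() changes. Table and columns (TDL, Diskmaker, Done)
// are from the thread; the sample rows are constructed for this example.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false, so a failure cannot be
    // silently ignored (the === false check from the thread, enforced by the
    // driver instead of by the caller remembering to test).
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE TDL (id INTEGER PRIMARY KEY, Diskmaker TEXT, Done INTEGER)');
    $db->exec("INSERT INTO TDL (Diskmaker, Done) VALUES ('hexkid', 0), ('hexkid', 1), ('ncwdavid', 0)");
    return $db;
}

// The shape from the thread: the username is interpolated into the SQL text.
// Quoting it makes the statement parse, but the value is still part of the
// statement. Kept only to contrast with the parameterised version below.
function open_tasks_interpolated(PDO $db, string $username): array
{
    $sql = "SELECT * FROM TDL WHERE Diskmaker='$username' AND Done='0'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised version: the SQL text is fixed and the value travels
// separately, so whatever the username contains it is compared as data and
// never parsed as SQL.
function open_tasks(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT * FROM TDL WHERE Diskmaker = ? AND Done = 0');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Error handling as hexkid suggests, with one change: the driver's message
// goes to the server log and the user gets a generic message. Echoing the
// database error to the page tells a visitor exactly how the query is built.
function open_tasks_safely(PDO $db, string $username): array
{
    try {
        return open_tasks($db, $username);
    } catch (PDOException $e) {
        error_log('TDL query failed: ' . $e->getMessage());
        exit('The request could not be processed. The administrator has been notified.');
    }
}

$db = open_db();
$crafted = "' OR '1'='1";   // constructed input; nothing filters it before the query here

printf("interpolated, hexkid:        %d rows\n", count(open_tasks_interpolated($db, 'hexkid')));
printf("interpolated, crafted value: %d rows\n", count(open_tasks_interpolated($db, $crafted)));
printf("parameterised, hexkid:       %d rows\n", count(open_tasks_safely($db, 'hexkid')));
printf("parameterised, crafted value: %d rows\n", count(open_tasks_safely($db, $crafted)));
```

With the interpolated query the crafted value changes the WHERE clause and rows belonging to other users come back; with the prepared statement the same value simply matches no Diskmaker. The quoting fix earlier in the thread makes the query parse; it does not make the value data.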
ocalhoun
ncwdavid wrote:
Well, post the other problems so we can see them and help you solve them.


Er, all my problems are fixed (I was able to figure out the others on my own).

ncwdavid's fix worked just fine.

*renames thread*
ocalhoun
There is a new problem (stated at the top of the thread).
Sorry for the double post, but I needed to bump the thread.
Mods: If you'd rather me make a new thread for every question I have, tell me so.
powers1983
Is it necessary to stop execution of the script? Maybe if you were to use str_replace instead, then if a user accidentally hits the wrong key they aren't banned and you aren't e-mailed? Depends on the circumstances, I suppose.

Also, could you not construct a for or while loop?

You store the forbidden characters in a string, then do something like:

Code:

$forbidden_chars = "/<>()='\",;[]{}.?"; // the double quote has to be escaped inside a double-quoted string
$forbidden = "OK";

// strlen() counts from 1, substr() offsets start at 0, so loop from 0 to strlen-1
for ($i = 0; $i < strlen($forbidden_chars); $i++) {
    $char = substr($forbidden_chars, $i, 1); // one forbidden character at a time

    if (strstr($string, $char) !== false)
    {
       $forbidden = $char;
    }
}


Save yourself a bit of disk space and make it easier to update with new forbidden characters.

As far as obvious security holes go, I can't see any, but then I'm not a security veteran. The script should strip out all the characters you want, and if you are sure that nothing nasty could then happen, then fine. You could pass it through a

Code:
$no_html_string = strip_tags($string);


before you run your script, to get rid of all the HTML tags too (even though your script removes the <> anyway), just as an extra precaution, but PHP security experts might advise otherwise.

David.
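An added example on the strip_tags() suggestion, not code from the thread: strip_tags() removes tags and nothing else, which is a different job from making a value safe to print into HTML. The block below runs a few constructed inputs through strip_tags() and through htmlspecialchars(); html_escape() is this example's own wrapper name.

```php
<?php
// Added example, not from the thread. Shows what strip_tags() does and does
// not remove, next to output encoding with htmlspecialchars(). The inputs are
// constructed for the example; html_escape() is this example's own helper.

function html_escape(string $s): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes as well; ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$inputs = [
    '<b>bold</b>',                         // a tag: strip_tags removes it
    '<script>alert(1)</script>',           // also a tag: removed, text stays
    '" onmouseover="alert(1)',             // no tag at all: strip_tags leaves it as is
    'x</title><script>alert(1)</script>',  // both tags removed
];

foreach ($inputs as $in) {
    printf("input:       %s\nstrip_tags:  %s\nhtml_escape: %s\n\n",
        $in, strip_tags($in), html_escape($in));
}

// Where each belongs: strip_tags() is an input cleanup, html_escape() is what
// every value needs on the way out into HTML, attribute values included. The
// third input above passes strip_tags() unchanged and would end a value="..."
// attribute early if printed raw; encoded, it stays inside the attribute.
$name = '" onmouseover="alert(1)';
echo '<input name="username" value="' . html_escape($name) . '">', "\n";
```

The practical rule this illustrates: validate on the way in (the allow-list discussed earlier in the thread), encode for the destination on the way out. strip_tags() on its own does neither job completely.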

© 2005-2011 Frihost, forums powered by phpBB.