Hello,
I am writing this post because I recently had a security hole in one of my scripts, though, fortunately, nothing bad happened. There are basic things you must always add to your PHP code when handling forms. I will go over some essentials that can't be ignored if you want to avoid SQL injection attacks.
- When submitting forms that contain passwords or other sensitive info, always make sure the form is passed to PHP through the $_POST array instead of $_GET.
- After the info has been passed to PHP, don't send it directly to the DB. Always run it through mysql_real_escape_string() to prevent SQL injections. The function's main function (sounds kind of weird..) is to escape certain characters so the string is safe to use inside a mysql_query().
An example of an exploit: you have a User & Pass form, and after you submit it the info is received by the PHP script this way:
if(isset($_POST['submit'])) { //If submit button's been pressed
$user = $_POST['username']; //Friendlier to handle
$pass = $_POST['password']; //Friendlier to handle
//Query: the raw form values are pasted straight into the SQL text
mysql_query("SELECT * FROM users WHERE password='$pass' AND username='$user'");
//Something else
}
What would happen if somebody enters the following as the username: ' OR 1' ? Writing OR 1 will always evaluate to true, so all the rows in the users table are going to be selected.
The correct form:
if(isset($_POST['submit'])) { //If submit button's been pressed
//Adding mysql_real_escape_string() to escape the strings before they reach the query
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
mysql_query("SELECT * FROM users WHERE password='$pass' AND username='$user'"); //Query
//Something else
}
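The same login check, as an added example that is not part of the original post: it runs the query from the post against an in-memory SQLite database (so it works offline), first with plain string concatenation and then with a prepared statement, which is the modern replacement for mysql_real_escape_string() now that the mysql_* extension is gone from PHP 7+. It assumes PDO with the bundled sqlite driver is available; the table contents and the login input are constructed sample data, and the OR 1 tautology from the post is written in a form the SQL parser accepts.

```php
<?php
// Set up a throwaway database with constructed sample users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: the form values become part of the SQL text, exactly as in the post.
function login_vulnerable(PDO $db, string $user, string $pass): array {
    $sql = "SELECT * FROM users WHERE password='$pass' AND username='$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: placeholders keep the values out of the SQL grammar entirely, so a quote
// in the username is only a quote inside the compared value, never a delimiter.
function login_prepared(PDO $db, string $user, string $pass): array {
    $stmt = $db->prepare("SELECT * FROM users WHERE password=? AND username=?");
    $stmt->execute([$pass, $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed login attempt: a wrong password plus the tautology as the username.
$user = "' OR 1='1";
$pass = 'wrong';

// The concatenated query becomes ... AND username='' OR 1='1', which matches every row.
echo "vulnerable: ", count(login_vulnerable($db, $user, $pass)), " row(s)\n";
// The prepared query looks for a user literally named ' OR 1='1 and matches nothing.
echo "prepared:   ", count(login_prepared($db, $user, $pass)), " row(s)\n";
```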
- I recommend developing with full error reporting. This can be enabled by adding error_reporting(E_ALL); at the top of your script. With it on, you'll see a notice whenever you use a variable that has not been defined before. You might wonder what can happen if there's a variable that isn't declared before use.. Well, simple: with register_globals enabled, somebody can go to your website and do something like yourscript.php?variable=http://mywebsite.com/scripttohackyou.php, and the variable takes the value from the URL.
Well, that was pretty much everything that came to my mind right now =). If I remember something or find out something new, I'll add it to the list. I hope this helps somebody out there, because it took me forever to color the code =P.
Any comment, suggestion, or question, please post it here. Or if you think I am missing something, please tell me, so I can add it.
Best Regards,
Richi
I completely agree. I would add that for big projects using an ORM like Doctrine or some PEAR modules like DB_DataObject is a must. They are going to give you most of this security by default.
Regards, Guillem.
Hello,
Yes you’re right. This is like basic security you must have like by default in almost any script that handles forms or data.
Regards,
Richi