Php vulnerabilities

  • bernouli
    New Member
    • Oct 2012
    • 26

    Php vulnerabilities

    I have an application that retrieves data from the database using an id.

    When you click on search, it displays in the browser the id used in the database table creation.

    Example:
    Code:
    http://localhost/guess2/Search.php?id=1

    In my database, I have users with id = 1, 2, 3 etc.
    If I enter 2 from the browser, it will fetch row 2, and so on.

    Now with the id exposure, I guess the code is vulnerable to attack.

    I have enforced SQL injection and XSS attack protection using the functions mysql_real_escape_string() and htmlentities().

    My question is: how do I protect this code against web attacks of any kind, e.g. CSRF attacks, content spoofing and many more?

    Code:
    <?php
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="test"; // Database name
    $tbl_name="testaa"; // Table name

    // Connect to server and select database.
    // (The mysql_* extension used here was removed in PHP 7; mysqli or PDO replace it.)
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");

    // Fetch every row of the table (this listing applies no id filter).
    $sql="SELECT * FROM $tbl_name";
    $result=mysql_query($sql) or die("query failed");
    ?>

    <table width="400" border="0" cellspacing="1" cellpadding="0">
    <tr>
    <td>
    <table width="400" border="1" cellspacing="0" cellpadding="3">
    <tr>
    <td colspan="4"><strong>List data from mysql </strong> </td>
    </tr>

    <tr>
    <td align="center"><strong>Name</strong></td>
    <td align="center"><strong>Lastname</strong></td>
    <td align="center"><strong>Email</strong></td>
    <td align="center"><strong>Update</strong></td>
    </tr>

    <?php
    // One table row per database row; every value is HTML-encoded before output.
    while($rows=mysql_fetch_array($result)){
    ?>

    <tr>
    <td><?php echo htmlentities($rows['name']); ?></td>
    <td><?php echo htmlentities($rows['lastname']); ?></td>
    <td><?php echo htmlentities($rows['email']); ?></td>

    <!-- link to search value of id (HTML comment: a // comment here would be printed to the page) -->
    <td align="center"><a href="up2.php?id=<?php echo htmlentities($rows['id']); ?>">search</a></td>
    </tr>

    <?php
    }
    ?>

    </table>
    </td>
    </tr>
    </table>

    <?php
    mysql_close();
    ?>
  • Luuk
    Recognized Expert Top Contributor
    • Mar 2012
    • 1043

    #2
    "You hear the clock read but do not know where the clapper hangs"

    Above is a translation of a Dutch saying. It was created by translate.google.com....

    This shows how much Google knows about translating stuff.

    It is as much as YOU understand about web security!

    If the user that accesses the database (in your example "root") has no write access to the database, then you are pretty safe from any injection stuff....

    But normally "root" has way more access to your database..... ;)

    The PHP functions mysql_real_escape_string() and htmlentities()
    do not protect you from programming errors!

    Everyone who can GUESS an 'id' from another user can query the page; he simply has to go to, e.g.:


    This can only be protected by adding a logon to your page, and checking (server-side) if the user has the right to query id=123.....

    Comment
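The server-side check described above, as an added example that is not part of the thread or any poster's code. It assumes a hypothetical `users` table with an `owner_id` column and a login form that stores the account id in `$_SESSION['user_id']`; it uses PDO prepared statements instead of the thread's mysql_* functions (removed in PHP 7). The authorization lives in the WHERE clause itself, so a guessed id that belongs to someone else returns no row, and the response is the same as for a non-existent id so that callers cannot enumerate which ids are valid.

```php
<?php
// Added example (hypothetical schema and session layout, see lead-in):
// a Search.php-style handler that returns a record only to a logged-in user
// who is allowed to see it.
declare(strict_types=1);
session_start();

// 1. Require a login. Without a session there is nothing to authorize against.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in first.');
}

// 2. Validate the id: must be a positive integer; anything else is rejected
//    (filter_input returns null when the parameter is absent, false when invalid).
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id.');
}

// Placeholder credentials: use a dedicated, read-only database account, not root.
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// 3. Authorize in the query: both the requested id and the caller's own account id
//    are bound, so a row belonging to another account is simply never returned.
$stmt = $pdo->prepare(
    'SELECT id, name, lastname, email FROM users WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([':id' => $id, ':owner' => (int) $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same answer for "does not exist" and "not yours": a different message would
// tell a caller which ids are real.
if ($row === false) {
    http_response_code(404);
    exit('No such record.');
}

// 4. Output-encode every value, as the thread already does with htmlentities().
foreach ($row as $field => $value) {
    echo htmlspecialchars((string) $field, ENT_QUOTES, 'UTF-8') . ': '
       . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}
```

Changing the URL to hide the id does not replace this check: the ownership test in the query is what stops a user who knows or guesses a valid id from reading someone else's row.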

    • bernouli
      New Member
      • Oct 2012
      • 26

      #3
      I have developed a login form, but the record can still be queried via the browser: http://localhost/guess2/Search.php?id=123
      Can you help me with how to protect this?

      Comment


        • r035198x
          MVP
          • Sep 2006
          • 13225

          #5
          Typical solutions are using another unique field in your url other than the id so the url is cleaner, search engine friendly and makes it more difficult for people to guess what the next or previous value is. If you don't have one you can create an SHA2 hash of the id and use that. You should also use mod_rewrite (http://httpd.apache.org/docs/current...d_rewrite.html) to make your urls cleaner.

          Comment
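Two ways of putting a non-guessable value in the URL instead of the sequential id, as an added example that is neither r035198x's nor the thread's code. It assumes a hypothetical `users` table with a `public_token` column for the first option. One caveat the practitioner should keep in mind: an unkeyed SHA2 hash of a small integer can be recomputed by anyone who tries hash(1), hash(2), ..., so option B uses an HMAC with a server-side secret (placeholder constant below) rather than a plain hash. Neither option replaces a per-user authorization check; they only make the next value hard to guess.

```php
<?php
// Added example (hypothetical column name and placeholder secret, see lead-in).
declare(strict_types=1);

// Option A: a random per-row token generated once and stored beside the row.
// 16 bytes from the CSPRNG -> 32 hex chars; nothing about it relates to the id.
function newPublicToken(): string
{
    return bin2hex(random_bytes(16));
}

function assignToken(PDO $pdo, int $id): string
{
    $token = newPublicToken();
    $stmt = $pdo->prepare('UPDATE users SET public_token = :tok WHERE id = :id');
    $stmt->execute([':tok' => $token, ':id' => $id]);
    return $token;
}

function findByToken(PDO $pdo, string $token): ?array
{
    // Shape check before touching the database: exactly 32 lowercase hex chars.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, lastname, email FROM users WHERE public_token = :tok');
    $stmt->execute([':tok' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Option B: no schema change. The id stays in the URL but is paired with a keyed
// hash, so an id that was merely counted up fails the check and is rejected.
const ID_MAC_KEY = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder; load from config

function idToUrlValue(int $id): string
{
    $mac = hash_hmac('sha256', (string) $id, ID_MAC_KEY);
    return $id . '-' . substr($mac, 0, 16);   // form: "<id>-<16 hex chars>"
}

function urlValueToId(string $value): ?int
{
    if (!preg_match('/^([0-9]{1,10})-([0-9a-f]{16})$/', $value, $m)) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', $m[1], ID_MAC_KEY), 0, 16);
    // hash_equals compares in constant time so response timing does not leak the MAC.
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;
}

// Usage (constructed): the listing page builds its link with
//   echo htmlspecialchars(idToUrlValue($row['id']), ENT_QUOTES, 'UTF-8');
// and up2.php recovers the id with urlValueToId($_GET['id'] ?? '') and aborts on null.
```

Option A gives the cleaner URL the post asks for (the id never appears); option B is the smaller change to an existing schema. With either one, the lookup code should still compare the record's owner against the logged-in user.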

          • Dormilich
            Recognized Expert Expert
            • Aug 2008
            • 8694

            #6
            i have developed login form but the record can still be queried via the browser
            I want to raise a point here. Does it really matter if someone just tries to guess your user IDs? Eventually, the purpose of the script is to return user data based on the given user ID. (That you have to protect yourself against XSS, CSRF or SQL injection is a totally different matter, which has to do with compromised data, not with the data itself.)

            If you don't want to let an outsider near your script, you need a login and a secure connection for the logged-in users (though that would still expose the user ID you need for the login).

            PS. An easy way to validate numeric data is casting it to INT/FLOAT or using filter functions (which can be tuned better).

            Comment
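The two validation approaches from the PS, side by side on constructed inputs, as an added example that is not Dormilich's or the thread's code. It shows why the filter functions "can be tuned better": a cast never fails, it silently turns junk into a number, whereas FILTER_VALIDATE_INT with a range option rejects everything that is not a well-formed integer in range.

```php
<?php
// Added example: comparing (int) casting with filter_var() on constructed inputs.
declare(strict_types=1);

// Approach 1: cast. Never fails, but "repairs" input instead of rejecting it:
// (int) "12abc" is 12, (int) "abc" is 0, (int) "1e3" is 1000 (PHP 7.1+),
// (int) " 7" is 7, (int) "007" is 7, (int) "-5" is -5.
function idByCast(string $raw): int
{
    return (int) $raw;
}

// Approach 2: filter. Returns null for anything that is not an integer string
// (trailing letters, exponent notation, leading zeros), and the min_range option
// also rejects 0 and negatives because ids start at 1.
// Leading/trailing whitespace is trimmed by the filter, so " 7" is accepted as 7.
function idByFilter(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed sample inputs, including the kind of junk a URL parameter can carry.
$samples = ['1', '123', '0', '-5', '12abc', 'abc', '1e3', ' 7', '007', '1;DROP TABLE users'];

printf("%-22s %6s  %s\n", 'input', 'cast', 'filter');
foreach ($samples as $s) {
    printf(
        "%-22s %6d  %s\n",
        var_export($s, true),
        idByCast($s),
        var_export(idByFilter($s), true)
    );
}
// Of the ten samples only '1', '123' and ' 7' pass idByFilter(); idByCast()
// turns every one of them into some integer and would query the database with it.
```

For a lookup key the filter form is the one to use: an id that does not validate should end the request with an error, not be coerced into a nearby row.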
