Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
For 2023 - we are now fully retired from IT training.
We have made many, many friends over 25 years of teaching about Python, Tcl, Perl, PHP, Lua, Java, C and C++ - and MySQL, Linux and Solaris/SunOS too. Our training notes are now very much out of date, but due to upward compatability most of our examples remain operational and even relevant ad you are welcome to make us if them "as seen" and at your own risk.

Lisa and I (Graham) now live in what was our training centre in Melksham - happy to meet with former delegates here - but do check ahead before coming round. We are far from inactive - rather, enjoying the times that we are retired but still healthy enough in mind and body to be active!

I am also active in many other area and still look after a lot of web sites - you can find an index ((here))
Injection attacks - safeguard your PHP scripts

An injection attack is where information supplied within a table entry box or upload file is used for malicious purposes - for example, if a user enters his name as fred'; drop database test; etc ... and finds that the script he has contacted inserts the text entered into a database query. Possible injection attacks include:

* HTML, where an abuser fills in tags into a data entry box. Leads to poorly displayed information when the tags are echoed back to his (or other users) pages. Solution - htmlspecialchars

* Variable seeding, where an abuser adds an extra box to the HTML source and initialises one of your variables that you have failed to initialise in your code. Scripts which are easily accessible in source form are prone to this form of attack if poorly written, but only if you're running PHP4.0 or earlier, or if you've set register globals

* JavaScript, where Javascript is filled in to a box and echoed back. The problem then is that the Javascript may be seen as having been supplied by the server so can access the server without the usual security restrictions.

* SQL, where SQL is entered into a box - my example in the into paragraph shows an SQL attack example although I haven't given you the complete code. Once again, these attacks are much more likely to succeed on scripts where the source code is commonly available.

Both the Javascript and SQL attacks can be prevented by default if the "magic quotes" setting is on - which by defaut it IS on recent versions of PHP. If, however, you stripslashes an input so that you can echo back O'Brien and not have it come up as O\'Brien, then you'll need to ad slashed back in for storing in a database, and check scripts that echo back input to ensure they're not sending Javascript

* File name, where the user's input is taken as being a file name or the basis of one. If I enter my name as "../graham", for example. I you must take the user's input to form a file name, filter it carefully!

* Email header, where a subject line or recipient can be specificed that's used as extra parameters to the mail() function. Subject lines that include a new line character can be used to add a "cc" to "bcc" header unless you check it, and if your email script does not email you each time it's used, then you can be unaware that your site is being used to send out unsolicited material for years!

Although all of the coding traps that allow you to leave you site open to attack were easily present on earlier versions of PHP, it's hugely improved now. Variable seeding, Javascript and SQL attacks are turned off via default server configuration options "register globals" and "magic quotes" that you will find in the server's php.ini file.
(written 2007-02-20)

Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H117 - Security in PHP
  [345] Spotting a denial of service attack - (2005-06-12)
  [426] Robust checking of data entered by users - (2005-08-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [947] What is an SQL injection attack? - (2006-11-27)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1747] Who is watching you? - (2008-08-10)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)

Back to
Lawrence Webb's Melksham Taxi service
Previous and next
Horse's mouth home
Forward to
Telling a story in different ways
Some other Articles
Too many instructions, too much detail
Playing old games
Why use BBC code not HTML?
Telling a story in different ways
Injection attacks - safeguard your PHP scripts
Lawrence Webb's Melksham Taxi service
Writing terms and conditions for conferences and other events
Behind the scenes
Straight from the .jar
Customer takes over class, and I am delighted
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page

This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2023: 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/1086_Inj ... ripts.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb