You may have heard me talk about "injection attacks", and that having register_globals set to on in PHP leaves you liable to be caught by them. Well, that's a little dramatic: you can write perfectly safe PHP scripts with the setting on if you're careful. Here's an example of a script which is not secured ...
<?php
$fields = array("name","town","nkids");
$connection = mysql_connect("127.0.0.1","trainee","abc123");
mysql_select_db("graham",$connection);
$rs = mysql_query("select * from people");
/* First use of $table, but with ".=" rather than "=" - so with register_globals
   on, whatever the browser sent as "table" is already in there before we start */
$table .= "<table>";
while ($row = mysql_fetch_assoc($rs)) {
  $table .= "<tr>";
  foreach ($fields as $column) {
    /* database values are echoed unescaped, too - see the note below */
    $table .= "<td>".$row[$column]."</td>";
  }
  $table .= "</tr>";
}
$table .= "</table>";
/* ------------------------------------------- */ ?>
<html>
<head><title>Class of '08</title></head>
<body>
<h1>Here they are</h1>
<?= $table ?>
<br>
All together doing MySQL!
</body>
</html>
Now the output SHOULD look like this:
But I can make it look like this ... VERY easily!
Did you spot the extra line of text? What has happened?
I have used the $table variable to build up my table, using the "dot equals" operator. Fine - except that I have used "dot equals" the very first time the variable is referenced, which means that with register_globals on it inherits any value that was input via a form field (or URL parameter, or cookie) called table on the form that calls up the script. So all I have to do is write such a form and I can add whatever I like at that point ... which could just be text, or it might be Javascript I want echoed out, font changes, code to call up an image ....

The solution is to change the first "dot equals" into just "equals", so that $table starts from a value the script chose rather than one the visitor chose. That's the good programming solution. But turning register_globals off also solves the problem, as the variable would not then be populated from the form. The best solution? Do both! One caveat for anyone reading this later: register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP the setting no longer exists and the initialisation habit is the part that still matters - it also protects every other variable in the script that is first used in a "read" position.
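Here is the same script with the hole closed, as an added example that is not the article's own code. It keeps the article's table layout, the mysql_* calls and the (assumed) "graham" database and trainee/abc123 credentials so the two versions can be read side by side; the differences are that every variable is given an explicit starting value before it is used, the result set is checked before it is walked, and the database values are escaped on the way out to the browser, which closes the sister hole of a stored name or town that itself contains HTML or script. The mysql_* functions are, like register_globals, gone from modern PHP; they are used here only to match the article.

```php
<?php
// Added example: the article's script with the register_globals hole closed.
// Database, credentials and column names are assumed to match the original.

// Initialise before use.  With register_globals on, a bare variable whose
// first use is ".=" silently starts life as whatever the browser sent as
// ?table=... or <input name="table">; a plain "=" throws that away.
$table = "";
$fields = array("name", "town", "nkids");

$connection = mysql_connect("127.0.0.1", "trainee", "abc123");
if (!$connection) {
    die("Database connection failed");   // fail closed, not half a page
}
mysql_select_db("graham", $connection);
$rs = mysql_query("select * from people", $connection);
if (!$rs) {
    die("Query failed");
}

$table = "<table>";
while ($row = mysql_fetch_assoc($rs)) {
    $table .= "<tr>";
    foreach ($fields as $column) {
        // Escape on output: a stored value such as "<script>..." is just as
        // much an injection as an extra form field, so never echo raw data.
        $cell = htmlspecialchars($row[$column], ENT_QUOTES, "UTF-8");
        $table .= "<td>" . $cell . "</td>";
    }
    $table .= "</tr>";
}
$table .= "</table>";
/* ------------------------------------------- */ ?>
<html>
<head><title>Class of '08</title></head>
<body>
<h1>Here they are</h1>
<?php echo $table; ?>
<br>
All together doing MySQL!
</body>
</html>
```

Turning the setting off belongs alongside that first assignment, not instead of it: in php.ini that is register_globals = Off, or per directory in a .htaccess file with php_flag register_globals off (both apply to the PHP 5 series the article was written for). With the hardened script, a request that carries table=<b>extra</b> as a form field or query parameter no longer changes the page at all, because the value is overwritten before it is ever read. The full <?php echo $table; ?> form is used in place of the article's <?= $table ?> so the page does not depend on short_open_tag being enabled.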
(written 2009-02-04)