You may have heard me talk about "injection attacks" and that having register_globals set to on in PHP leaves you liable to be caught by them. Well, that's a little dramatic: you can write perfectly safe PHP scripts with the setting on if you're careful. Here's an example of a script which is not secured ...
<?php
$fields = array("name","town","nkids");
/* old mysql_* extension, as used at the time this was written */
$connection = mysql_connect("127.0.0.1","trainee","abc123");
mysql_select_db("graham",$connection);
$rs = mysql_query("select * from people");
$table .= "<table>";   /* first use of $table is ".=" - never initialised, see below */
while ($row = mysql_fetch_assoc($rs)) {
$table .= "<tr>";
foreach ($fields as $column) {
$table .= "<td>".$row[$column]."</td>";
}
$table .= "</tr>";
}
$table .= "</table>";
/* ------------------------------------------- */ ?>
<html>
<head><title>Class of '08</title></head>
<body>
<h1>Here they are</h1>
<?= $table ?>
<br>
All together doing MySQL!
</body>
</html>
Now the output should look like this (screenshot in the original post: the plain table):
But I can make it look like this (second screenshot: the same table with an extra line of text above it) ... very easily!
Did you spot the extra line of text? What has happened?
I have used the $table variable to build up my table with the "dot equals" (.=) operator. Fine, except that I have also used it the very first time the variable is referenced, so $table is never explicitly initialised. With register_globals on, PHP pre-populates $table with whatever was submitted in a form field (or URL parameter, or cookie) called table, and the first ".=" appends to that value rather than to an empty string. So all I have to do is write such a form, or simply tack ?table=... onto the URL, and I can add whatever I like at that point: plain text, or JavaScript I want echoed out, font changes, code to call up an image ... and the script drops it straight into the page without any escaping.
The solution is to change the first "dot equals" into just "equals", so that $table always starts from a value of my choosing. That's the good programming solution. Turning register_globals off also solves the problem, as the variable would then never be populated from the form. The best solution?
Do both! Two further points worth noting: the values pulled from the database are echoed without htmlspecialchars too, so whatever is stored in the people table is trusted just as much as the form was; and register_globals was deprecated in PHP 5.3 and removed altogether in PHP 5.4, so newer installations are not exposed by this particular route, but initialising your variables before you use them remains good practice.
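As an added example (not code from the original post), here is the vulnerable table builder and a hardened version side by side. register_globals is simulated with extract() on a constructed request array, and the database rows are constructed inline, so it runs from the command line with no web server and no MySQL. The function name buildTable and the sample data are my own.

```php
<?php
// Added example, not the original post's code. Simulates register_globals with
// extract() on a constructed request and compares the ".=" bug with a fixed builder.

// Belt and braces: refuse to run if the setting is on. ini_get() returns false
// on PHP >= 5.4, where the directive no longer exists, which validates as false.
if (filter_var(ini_get("register_globals"), FILTER_VALIDATE_BOOLEAN)) {
    die("register_globals is on; turn it off in php.ini\n");
}

// Constructed sample rows standing in for "select * from people".
$rows = array(
    array("name" => "Alice", "town" => "Melksham", "nkids" => 2),
    array("name" => "Bob <b>bold</b>", "town" => "Bath", "nkids" => 0),
);
$fields = array("name", "town", "nkids");

// What register_globals would do for a request to script.php?table=<script>...
$request = array("table" => "<script>alert('owned')</script>");   // constructed attacker input
extract($request);   // simulation only; never call extract() on request data in real code

// --- Vulnerable version: first use of $table is ".=", so the injected value is kept ---
$table .= "<table>";
foreach ($rows as $row) {
    $table .= "<tr>";
    foreach ($fields as $column) {
        $table .= "<td>" . $row[$column] . "</td>";
    }
    $table .= "</tr>";
}
$table .= "</table>";
$vulnerable = $table;

// --- Hardened version: explicit initialisation, own scope, escaped cells ---
function buildTable(array $rows, array $fields)
{
    $table = "<table>";   // plain "=": nothing inherited from the request, whatever register_globals says
    foreach ($rows as $row) {
        $table .= "<tr>";
        foreach ($fields as $column) {
            $cell = isset($row[$column]) ? (string) $row[$column] : "";
            // Escape database values as well; they are not trusted either
            $table .= "<td>" . htmlspecialchars($cell, ENT_QUOTES, "UTF-8") . "</td>";
        }
        $table .= "</tr>";
    }
    return $table . "</table>";
}
$hardened = buildTable($rows, $fields);

echo "Vulnerable output starts with: " . substr($vulnerable, 0, 40) . "\n";
echo "Hardened output starts with:   " . substr($hardened, 0, 40) . "\n";
echo "Script tag present in vulnerable version: " . (strpos($vulnerable, "<script>") !== false ? "yes" : "no") . "\n";
echo "Script tag present in hardened version:   " . (strpos($hardened, "<script>") !== false ? "yes" : "no") . "\n";
```

Run it with php example.php: the vulnerable string begins with the injected script tag, the hardened one with <table>, and Bob's <b> markup comes out as &lt;b&gt; in the hardened version. A useful check for existing code is to run with error_reporting(E_ALL): without register_globals (or a form field called table) to hide it, the first ".=" on an unassigned $table produces an "Undefined variable" notice (a warning on PHP 8), which is exactly the line that needs the plain "=".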
(written 2009-02-04 18:04:43)