Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
Python and Tcl - public course schedule [here]
Private courses on your site - see [here]
Please ask about maintenance training for Perl, PHP, Lua, etc
 
Injection Attack if register_globals in on - PHP

You may have heard me talk about "injection attacks" and that having register_globals set to on in PHP makes you liable to be caught by them. Well - that's a little bit dramatic as you can write perfectly safe PHP scripts with the setting on if you're careful. Here's an example of a script which is not secured ...

<?php
$fields = array("name","town","nkids");
$connection = mysql_connect("127.0.0.1","trainee","abc123");
mysql_select_db("graham",$connection);
$rs = mysql_query("select * from people");
$table .= "<table>";
while ($row = mysql_fetch_assoc($rs)) {
  $table .= "<tr>";
  foreach ($fields as $column) {
    $table .= "<td>".$row[$column]."</td>";
  }
  $table .= "</tr>";
}
$table .= "</table>";
/* ------------------------------------------- */ ?>
<html>
<head><title>Class of '08</title></head>
<body>
<h1>Here they are</h1>
<?= $table ?>
<br>
All together doing MySQL!
</body>
</html>


Now the output SHOULD look like this:

Without an injection attack

But I can make it look like this ... VERY easily!

Injection Attack

Did you spot the extra line of text?. What has happened?

I have used the $table variable to build up my table, using the "dot equals" operator. Fine - except that I have used it the very first time that the variable is references which means that in inherits any form values that are input via a box called table on the form that calls up the script. So all I have to do is to write such a form and I can add whatever I like at that point .. which could just be text ... or it might be Javascript I want echoed out, font changes, code to call up an image ....

The solution is to change the first "dot equals" into just "equals". That's the good programming solution. But turning register_globals off also solves the problem, as the variable would not then be populated from the form. The best solution? do both!.
(written 2009-02-04)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H110 - PHP - HTML Web Page Data Handling
  [3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)
  [3036] Sending out an email containing HTML from within a PHP page - (2010-11-07)
  [2135] What features does this visitors browser support? (PHP) - (2009-04-22)
  [2107] How to tweet automatically from a blog - (2009-03-28)
  [2046] Finding variations on a surname - (2009-02-17)
  [1831] Text formating for HTML, with PHP - (2008-10-11)
  [1169] Emailing as HTML (Web Page) - PHP example - (2007-04-30)
  [1136] Buffering output - why it is done and issues raised in Tcl, Perl, Python and PHP - (2007-04-06)
  [1053] Sorting people by name in PHP - (2007-01-26)
  [1001] .pdf files - upload via PHP, store in MySQL, retrieve - (2006-12-19)
  [896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
  [789] Hot answers in PHP - (2006-07-02)
  [589] Robust PHP user inputs - (2006-02-03)
  [50] Current cost in your local currency - (2004-09-16)

H117 - Security in PHP
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [1747] Who is watching you? - (2008-08-10)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [947] What is an SQL injection attack? - (2006-11-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [426] Robust checking of data entered by users - (2005-08-27)
  [345] Spotting a denial of service attack - (2005-06-12)

H312 - PHP - Tips and Techniques
  [4621] The power of scripting - (2016-01-12)
  [4426] FileMaker Day to Unix Time conversion - (2015-02-15)
  [4319] PHP - some quick fixes if scripts have issues, and how to use our support - (2014-11-19)
  [4310] Problem ... I want to print a series of numbered forms - (2014-10-05)
  [4074] A comment on comments in PHP - (2013-04-28)
  [2981] How to set up short and meaningfull alternative URLs - (2010-10-02)
  [2478] How did I do THAT? - (2009-10-26)
  [2274] PHP preg functions - examples and comparision - (2009-07-08)
  [1983] Keeping PHP code in database and running it - (2009-01-09)
  [1958] PHP - Parse error: syntax error, unexpected $end ... - (2008-12-23)
  [1684] Two PHP include files to make easy web site indexing and navigation - (2008-06-21)
  [1667] Checking server performance for PHP generated pages - (2008-06-06)
  [1649] Easy conversion - image formats, currencies and distances - (2008-05-21)
  [1270] PHP Standalone - keyboard to screen - (2007-07-18)
  [1010] Dates, times, clickable diarys in PHP - (2006-12-28)
  [917] Syntax checking in PHP - (2006-11-07)


Back to
Carry on Training - in spite of the weather
Previous and next
or
Horse's mouth home
Forward to
Melksham Climate Friendly Group
Some other Articles
Also for the eyes of the cat
Things people say on the phone
Who sticks by you in the snow?
Melksham Climate Friendly Group
Injection Attack if register_globals in on - PHP
Carry on Training - in spite of the weather
sw_vers - what version of OSX am I running?
Pre and post increment - the ++ operator
Short health and safety course
Learning Python - many new example programs
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/2025_Inj ... n-PHP.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat