Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
Python and Tcl - public course schedule [here]
Private courses on your site - see [here]
Please ask about maintenance training for Perl, PHP, Lua, etc
 
An example of an injection attack using Javascript

Delegates sometimes ask me what an "injection attack" is, and for examples. I came across a really good example this morning on (oops!) one of our own pages - it's now fixed, but I'm documenting here and showing you what was happening so that you can learn from it.

Please Try LaterVisiting one of the most popular pages on our web site this morning, all the expected content came up, but then this popup came on top of the page. It had me rather worried - the Image upload, store on database, retrieve, send back to browser demonstration is one of the busiest on our web site, and it had suddenly started coming up with this message. I tried it several times, and it was consistent - so it wasn't a genuine "database busy" message.


What had happened? We have a "review this page" facility on may of the pages on our web site - it encourages visitors to add comments. The comments don't get directly posted, but come to me for approval - this means that I can eliminate adverts for Viagra. And I had just approved a series of posts. Several of them were technical - included code - and I had overlooked the need to add in a call to htmlspecialchars. One of the visitor comments included:

die ("<html><script language='JavaScript'>alert('Unable to connect to database! Please try again later.'),history.go(-1)</script></html>");

which - alas - caused the script (which was being sent out to the browser) to run the Javascript ... outputting to the screen, then reverting to the previous page if the database was missing.

Cure? Simply adding an htmlspecialchars on each comment, problem fixed. I'm reluctant to call an "injection attack" as I don't think that the commenter was actually malicious - he was helpful, but he just caught me out. But what a great example of the sort of user input you need to be so careful to protect against!
(written 2010-02-08, updated 2010-02-11)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H113 - Using MySQL Databases in PHP Pages
  [4483] Moving from mysql to mysqli - simple worked example - (2015-05-03)
  [4378] What FGW passengers want to talk about / and PHP programming to find out - (2015-01-01)
  [3455] MySQL, MySQLi, PDO or something else - how best to talk to databases from PHP - (2011-09-24)
  [3035] How to display information from a database within a web page - (2010-11-07)
  [2561] The future of MySQL - (2010-01-03)
  [2447] MySQL stored procedures / their use on the web from PHP - (2009-10-10)
  [2432] Using print_r in PHP to explore mysql database requests - (2009-10-01)
  [2320] Helping new arrivals find out about source code examples - (2009-08-03)
  [2259] Grouping rows for a summary report - MySQL and PHP - (2009-06-27)
  [2071] Setting up a MySQL database from PHP - (2009-03-08)
  [1983] Keeping PHP code in database and running it - (2009-01-09)
  [1561] Uploading to a MySQL database through PHP - examples and common questions - (2008-03-02)
  [1010] Dates, times, clickable diarys in PHP - (2006-12-28)
  [947] What is an SQL injection attack? - (2006-11-27)
  [937] Display an image from a MySQL database in a web page via PHP - (2006-11-22)
  [915] Paging through hundreds of entries - (2006-11-05)
  [723] Viewing images held in a MySQL database via PHP - (2006-05-17)
  [666] Database design - get it right from first principles - (2006-04-02)
  [647] Checking for MySQL errors - (2006-03-15)
  [581] Saving a MySQL query results to your local disc for Excel - (2006-01-29)
  [572] Giving the researcher power over database analysis - (2006-01-22)
  [515] MySQL - an FAQ - (2005-12-03)
  [104] mysql_connect or mysql_pconnect in PHP? - (2004-10-30)

H117 - Security in PHP
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [1747] Who is watching you? - (2008-08-10)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [920] A lion in a cage - PHP - (2006-11-10)
  [426] Robust checking of data entered by users - (2005-08-27)
  [345] Spotting a denial of service attack - (2005-06-12)

W510 - Web and Intranet - Executable Content
  [1814] Javascript/HTML example, dynamic server monitor - (2008-09-28)
  [1813] Ajax - going Asyncronous and what it means - (2008-09-28)
  [1812] Starting Ajax - easy example of browser calling up server data - (2008-09-27)

W602 - Web and Intranet - Client Side Technologies
  [4310] Problem ... I want to print a series of numbered forms - (2014-10-05)
  [4277] Sending a message to the server and changing text on a page when a button is pressed - (2014-05-23)
  [3128] How does your browser find out about itself? - (2011-01-11)
  [2390] Dynamic / changing images on your web page - (2009-09-01)
  [1749] Using server side and client side programming together - (2008-08-11)
  [1681] Adding a button to a web page to print the page - (2008-06-18)
  [1322] Flash - is it available to your web page? - (2007-08-26)
  [522] Javascript events - a good example - (2005-12-09)
  [411] Javascript examples (some PHP and MySQL too) - (2005-08-13)


Back to
Saturdays out from Melksham - to Oxford, to Didcot or to Swindon
Previous and next
or
Horse's mouth home
Forward to
Curly braces within double quoted strings in PHP
Some other Articles
Shipping a test harness with your class in PHP
How to show a large result set page by page in PHP
Static variables and ampersands in PHP
Curly braces within double quoted strings in PHP
An example of an injection attack using Javascript
Saturdays out from Melksham - to Oxford, to Didcot or to Swindon
On Malachite Green
Both feet on the same pavement
Skyline and looking up in London
Object Oriented Ruby - new examples
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/2628_An- ... cript.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat