Delegates sometimes ask me what an "injection attack" is, and for examples. I came across a really good example this morning on (oops!) one of our own pages - it's now fixed, but I'm documenting here and showing you what was happening so that you can learn from it.

Visiting one of the most popular pages on our web site this morning, all the expected content came up, but then this popup came on top of the page. It had me rather worried - the Image upload, store on database, retrieve, send back to browser demonstration is one of the busiest on our web site, and it had suddenly started coming up with this message. I tried it several times, and it was consistent - so it wasn't a genuine "database busy" message.
What had happened? We have a "review this page" facility on many of the pages on our web site - it encourages visitors to add comments. The comments don't get directly posted, but come to me for approval - this means that I can eliminate adverts for Viagra. And I had just approved a series of posts. Several of them were technical - they included code - and I had overlooked the need to add in a call to htmlspecialchars. One of the visitor comments included:
die ("<html><script language='JavaScript'>alert('Unable to connect to database! Please try again later.'),history.go(-1)</script></html>");
which - alas - meant that the page being sent out to the browser contained a live script element, and the browser ran the Javascript: the alert went to the screen, then the browser reverted to the previous page. In the visitor's own program that was the error handling for a missing database; on our page it ran every time.
Cure? Simply adding an htmlspecialchars on each comment, problem fixed. I'm reluctant to call this an "injection attack" as I don't think that the commenter was actually malicious - he was helpful, but he just caught me out. But what a great example of the sort of user input you need to be so careful to protect against!
(written 2010-02-08 17:24:53)