Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them

A delegate for tomorrow's PHP Techniques Course arrived early, and I've spent this afternoon taking a look at the fundamentals of what an "injection attack" is, and how to render attempts to attack your server using such methods harmless.

When you have a web application running, you'll be providing forms for your users to complete. And you have very little absolute control of what they can enter / submit - especially if you have geeky users who can work around any HTML limits and JavaScript checks you may have applied.

So ... what can they submit that's potentially nasty?

Let's say I entered <h1> as my name on a web form. The response page is very likely to echo my name - dear <h1> ... only it won't appear like that if it's simply echoed, as the browser will interpret the <h1> as a request to treat the following text - the rest of the response page - as a headline. That's an example of an HTML injection

Many pages these days include Javascript - programatic elements that are included by the server in the stream of data sent out as HTML to the browser, instructing the browser to run code in certain circumstances. Your browser will typically trust Javascript received from the server, as it's known code that designed to work within the particular page. If you include some Javascript that the server really shouldn't be telling the browser to run - perhaps code that compromises the server's security, you can have a very real issue. For if you have a trusted server / client exchange going on and something nasty gets into the mix, it can cause problems at both ends. That's an example of a Javascript injection

I'm afraid there's more. If there's a box on my form who's contents get passed on to a database, and some user adds in a piece of SQL that would be valid in the context in which it's used, I can get into all sorts of trouble. There's the urban myth about the parents who christened their child "Drop Tables" and had terrible trouble signing him up to the local school because their computer system kept blanking out ... and That's an example of an SQL injection

Only a few characters in the input stream - less that, ampersand and various quotes - cause the problems I have described, and you can very easily innoculate yur code against attacks by ensuring they're dealt with for all inputs; in PHP, the htmlspecialchars function deals with HTML output, and the mysql_real_escape_string or mysqli_real_escape_string deal with SQL injections. Javascript injections are really just a special form of HTML injections.

The example from this afternoon, showing code examples of the attacks and how to counter them, is [here]. Note that I have chosen to publish only the cleaned code; if you want to try it our for real, you'll need to comment out lines as indicated.

A further form attack - though not an injection attack - is a cross site request forgery (csrf). See [here] to read more about these (and for links to PHP programs that demonstrate how you can deal with the issue).
(written 2012-07-22, updated 2012-08-11)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H115 - Designing PHP-Based Solutions: Best Practice
  [4118] We not only teach PHP and Python - we teach good PHP and Python Practice! - (2013-06-18)
  [4069] Even early on, separate out your program from your HTML! - (2013-04-25)
  [3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)
  [3820] PHP sessions - a best practice teaching example - (2012-07-27)
  [3539] Separating program and artwork in PHP - easier maintainance, and better for the user - (2011-12-05)
  [2679] How to build a test harness into your PHP - (2010-03-16)
  [2430] Not just a PHP program - a good web application - (2009-09-29)
  [2221] Adding a newsfeed for your users to a multipage PHP application - (2009-06-06)
  [2199] Improving the structure of your early PHP programs - (2009-05-25)
  [1794] Refactoring - a PHP demo becomes a production page - (2008-09-12)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1623] PHP Techniques - a workshop - (2008-04-26)
  [1533] Short and sweet and sticky - PHP form input - (2008-02-06)
  [1490] Software to record day to day events and keep an action list - (2007-12-31)
  [1487] Efficient PHP applications - framework and example - (2007-12-28)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1391] Ordnance Survey Grid Reference to Latitude / Longitude - (2007-10-14)
  [1390] Converting from postal address to latitude / longitude - (2007-10-13)
  [1389] Controlling and labelling Google maps via PHP - (2007-10-13)
  [1381] Using a MySQL database to control mod_rewrite via PHP - (2007-10-06)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1321] Resetting session based tests in PHP - (2007-08-26)
  [1194] Drawing hands on a clock face - PHP - (2007-05-19)
  [1182] Painting a masterpiece in PHP - (2007-05-10)
  [1181] Good Programming practise - where to initialise variables - (2007-05-09)
  [1166] Back button - ensuring order are not submitted twice (PHP) - (2007-04-28)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [1047] Maintainable code - some positive advice - (2007-01-21)
  [945] Code quality counts - (2006-11-26)
  [936] Global, Superglobal, Session variables - scope and persistance in PHP - (2006-11-21)
  [896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
  [839] Reporting on the 10 largest files or 10 top scores - (2006-08-20)
  [572] Giving the researcher power over database analysis - (2006-01-22)
  [563] Merging pictures using PHP and GD - (2006-01-13)
  [426] Robust checking of data entered by users - (2005-08-27)
  [394] A year on - should we offer certified PHP courses - (2005-07-28)
  [340] Code and code maintainance efficiency - (2005-06-08)
  [261] Putting a form online - (2005-03-29)
  [237] Crossfertilisation, PHP to Python - (2005-03-06)
  [123] Short underground journeys and a PHP book - (2004-11-19)

H117 - Security in PHP
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [1747] Who is watching you? - (2008-08-10)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [947] What is an SQL injection attack? - (2006-11-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [345] Spotting a denial of service attack - (2005-06-12)

H303 - PHP - Long and short term cookies and security
  [2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
  [1911] Remember Me - PHP - (2008-11-28)
  [1646] Using cookies and sessions to connect different URLs - PHP - (2008-05-18)


Back to
The Melksham News - July 2012 - Part 1, Campus and Chamber of Commerce
Previous and next
or
Horse's mouth home
Forward to
Returning guests - a sign of a good product. Cream teas and hotel rooms.
Some other Articles
Fpdf - generating .pdf documents easily from your PHP program
Want to escape the Olympics? Learn to program in the countryside!
The Melksham News - July 2012 - Part 2, TransWilts Rail, Wilts and Berks Canal
Returning guests - a sign of a good product. Cream teas and hotel rooms.
Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them
The Melksham News - July 2012 - Part 1, Campus and Chamber of Commerce
Associated Classes - using objects of one class within another
Reading files, and using factories to create vectors of objects from the data in C++
Dwarf Exception Unwind Info
Can you put names to faces?
4300 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2014: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 899360 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/3813_Inj ... -them.html • PAGE BUILT: Thu Sep 18 15:30:25 2014 • BUILD SYSTEM: WomanWithCat