Injection attacks and preventing them
Security in PHP example from a Well House Consultants training course
More on Security in PHP [link]

This example is described in the following article(s):
   • Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - [link]

Source code: inject.php Module: H117
<?php

/* This is a simple example that's designed to show what an HTML injection, a Javascript injection
and an SQL injection are. I have published the code here with the lines that add protection against
attacks NOT commented out, so that this code in its current form is safe. Please be very careful if
you delete those lines ...

Note: the mysql_* functions used below were deprecated in PHP 5.5 and removed in PHP 7.0;
see the mysqli and PDO alternatives referenced further down. */


# Grab the incoming raw string (empty if the form has not been submitted yet).
# stripslashes() undoes the escaping that magic_quotes_gpc used to add (removed in PHP 5.4);
# with magic quotes off it silently deletes genuine backslashes from the input.

$raw = isset($_GET['search']) ? $_GET['search'] : '';
$lookfor = stripslashes($raw);
$report = stripslashes($raw);

# HTML Injection attack (using characters like < and & and ") :
# SOLUTION will be to use htmlspecialchars as in the following line.
# (Pass ENT_QUOTES as the second argument if the value is ever placed inside
# a single-quoted attribute; the default flags leave ' untouched.)
# -------------------------------------------
$report = htmlspecialchars($report);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)

# nasty thing to try:

# <h1>
# shout the rest of the page!

# {some Javascript}
# sends JS as part of the echo; the browser cannot tell script the server
# meant to send from script that was merely echoed back from the input, so
# it runs it. This is known as a Javascript injection (reflected XSS) attack.
# Cure is htmlspecialchars (again!)

$result = "Searching for $report<br />";

mysql_connect("localhost","wellho","4qash22m");
mysql_select_db("test");

# SQL injection attack (using characters such as ' ):
# SOLUTION will be to call mysql_real_escape_string as in the following line.
# It needs the connection opened above, and it only protects values that sit
# inside quotes in the SQL text; an unquoted numeric value is still injectable.
# -------------------------------------------
$lookfor = mysql_real_escape_string($lookfor);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)

$r = mysql_query("select rid,tlc,postcode,name from railuse ".
        "where name like '%$lookfor%'");

# nasty thing to try:

# ' and postcode like 'ws
# searching by postcode even though script is by name

# ss' or postcode like 'ws
# adding in extra records even if they don't match

# Study your MySQL to find how to include things like
# "Drop Database" as a subcommand ... :-( ...
# (mysql_query() sends a single statement, so a stacked "; DROP DATABASE"
# will not run here, but a subquery or UNION reading other tables will.)

# See - alternative ways in mysqli and PDO:: routines

if ($r) {
        while ($row = mysql_fetch_assoc($r)) {
                $result .= "<br />{$row['name']}";
        }
}

?>
<html>
<head>
<title>Injection Attack Demo</title>
</head>
<body>
<h1>BAD EXAMPLE - do not copy to your system</h1>

<form>
Search for: <input name="search" size="60" /> and <input type="submit" />
</form>

<hr />
Results from last time<br /><br />

<?php print($result); ?>
<br />
Copyright, etc
</body>
</html>
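The following is an added example, not part of the original inject.php, showing the same search written with the PDO prepared-statement route that the comments above point to. It covers both halves of the demo: the two SQL payloads listed above are run against the string-built query and against a bound parameter so the difference in returned rows is visible, and the result is rendered through htmlspecialchars with ENT_QUOTES. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table named railuse with the same columns as the original query; the rows, postcodes and three-letter codes are constructed sample data, not real railway data.

```php
<?php
// Added example: PDO prepared statements and output encoding for the
// injection demo above. Runs offline against in-memory SQLite (pdo_sqlite).

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE railuse (rid INTEGER PRIMARY KEY, tlc TEXT, postcode TEXT, name TEXT)');
    $ins = $db->prepare('INSERT INTO railuse (tlc, postcode, name) VALUES (?, ?, ?)');
    // Constructed rows (codes and postcodes are made up for the demo).
    foreach ([
        ['MKM', 'SN12 6', 'Melksham'],
        ['CPM', 'SN15 3', 'Chippenham'],
        ['WSL', 'WS1 1',  'Walsall'],
    ] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// The vulnerable form from the original script: user text becomes SQL text.
// Kept only so the effect of each payload can be seen side by side.
function unsafe_search(PDO $db, string $lookfor): array {
    $sql = "select rid,tlc,postcode,name from railuse where name like '%$lookfor%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The safe form: the text travels as a bound parameter, never as SQL.
// The % wildcards are added to the value, not to the statement, so quotes,
// "or", "and" and anything else in the input are just characters to match.
function prepared_search(PDO $db, string $lookfor): array {
    $stmt = $db->prepare('select rid,tlc,postcode,name from railuse where name like :pat');
    $stmt->execute([':pat' => '%' . $lookfor . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for the page. ENT_QUOTES also escapes ' so the value is
// safe inside single-quoted attributes, not only between tags.
function render_result(string $report, array $rows): string {
    $html = 'Searching for ' . htmlspecialchars($report, ENT_QUOTES, 'UTF-8') . '<br />';
    foreach ($rows as $row) {
        $html .= '<br />' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    }
    return $html;
}

$db = build_db();

// The page's own "nasty things to try", plus an honest search and an HTML payload.
$payloads = [
    'ham',                            // honest search: matches Melksham, Chippenham
    "' and postcode like 'ws",        // page's first payload: search by postcode instead
    "ss' or postcode like 'ws",       // page's second payload: pull in unrelated rows
    '<h1>shout</h1><script>1</script>', // HTML / Javascript injection attempt
];

foreach ($payloads as $p) {
    $unsafe   = array_column(unsafe_search($db, $p), 'name');
    $prepared = array_column(prepared_search($db, $p), 'name');
    echo "Input:         $p\n";
    echo "Unsafe rows:   " . implode(', ', $unsafe) . "\n";
    echo "Prepared rows: " . implode(', ', $prepared) . "\n";
    echo "Rendered:      " . render_result($p, prepared_search($db, $p)) . "\n\n";
}
```

For the two SQL payloads the string-built query returns the Walsall row (its postcode starts with WS) even though the search is supposed to be by name, while the prepared version returns nothing because the whole payload is matched literally. One caveat that prepared statements do not remove: % and _ inside the input are still LIKE wildcards, so a user can widen a search; that is a data-exposure nuisance rather than injection, and an ESCAPE clause on the LIKE fixes it if it matters.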

Learn about this subject
This module and example are covered on the following public courses:
 * Learning to program in PHP
 * PHP Programming
Also available as on-site courses for larger groups


Other Examples
This example comes from our "Security in PHP" training module. You'll find a description of the topic and some other closely related examples on the "Security in PHP" module index page.

Full description of the source code
You can learn more about this example on the training courses listed on this page, on which you'll be given a full set of training notes.

Many other training modules are available for download (for limited use) from our download centre or under an Open Training Notes License from our sister site http://www.training-notes.co.uk.


Purpose of this website
This is a sample program, class demonstration or answer from a training course. Its main purpose is to provide an after-course service to customers who have attended our public, private or on-site courses, but the examples are made generally available under the conditions described below.

Web site author
This web site is written and maintained by Well House Consultants.

Conditions of use
Past attendees on our training courses are welcome to use individual examples in the course of their programming, but must check the examples they use to ensure that they are suitable for their job. Remember that some of our examples show you how not to do things - check in your notes. Well House Consultants take no responsibility for the suitability of these example programs to customers' needs.

This program is copyright Well House Consultants Ltd. You are forbidden from using it for running your own training courses without our prior written permission. See our page on courseware provision for more details.

Any of our images within this code may NOT be reused on a public URL without our prior permission. For Bona Fide personal use, we will often grant you permission provided that you provide a link back. Commercial use on a website will incur a license fee for each image used - details on request.


© WELL HOUSE CONSULTANTS LTD., 2014: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 899360 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/resources/ex.php4 • PAGE BUILT: Thu Sep 18 11:03:17 2014 • BUILD SYSTEM: WomanWithCat