Securing my code

Deposeni

After talking to numerous friends, I've come to the conclusion my code is insecure... I'm using the following types of queries

	$quser = mysql_query("SELECT * FROM login WHERE user='".$_POST['user']."' AND pword='".$_POST['pword']."'");

$updatetime = "UPDATE login SET laston= '".date("m/d/Y H:i")."', lastip= '$hostname'  WHERE user = '".$_POST['user']."'";

$add_user = "INSERT INTO login (user, pword, email, regip) VALUES ('".$_POST['user']."', '".$_POST['pword']."', '".$_POST['email']."', '$hostname' )";

How would I secure these? I hear theres a way to use Mysql bugs and completely destroy my tables, if I don't secure the queries correctly...

Also, how would I meta fresh a frame from another frame? And do it every few seconds?

stolzyboy

any specific reason why these queries are not secure, how else are you suppose to do a query, more information please, some examples as to why, etc...

Norman_Graham

I think what you mean is that users could potentially sabotage your website by putting nasties into a user submission form. This is certainly true. What you have to do is ensure that the input is cleaned up before you create your database UPDATE or ADD statements. To avoid nasty scripts in HTML/Javascript, you need htmlspecialchars() and/or addslashes(). To avoid nasty MySQL commands, you need mysql_escape_string.

You need to apply these special functions to your variables before declaring them ready for use in a query. The queries themselves can't be made more secure.

HTH

Norm

Paulus_Magnus

You can do an automatic refresh using the refresh tag in your <head> of your page that is framed. This will make it reload itself.

Otherwise, you're into some JavaScript and using the timer functions to reload the framed page.

To make sure your queries are safe, just parse your incoming data thoroughly and make sure it fits your column type.

You can also place array variables directly in strings if you enclose them in braces, you don't need to break out of the string,
i.e. "blah" . $POST['user'] . "blah" becomes "blah{$POST['user']}blah".

Deposeni

Originally posted by Norman Graham
I think what you mean is that users could potentially sabotage your website by putting nasties into a user submission form. This is certainly true. What you have to do is ensure that the input is cleaned up before you create your database UPDATE or ADD statements. To avoid nasty scripts in HTML/Javascript, you need htmlspecialchars() and/or addslashes(). To avoid nasty MySQL commands, you need mysql_escape_string.

You need to apply these special functions to your variables before declaring them ready for use in a query. The queries themselves can't be made more secure.

HTH

Norm

And how do I use these commands? I'm looking at them on php.net, but I'm not 100% sure I understand the context they're used in.

Also, thanks everyone... This will help me a lot.

laserlight

addslashes() escapes quotes, double quotes (etc)
This would be used on the data before you use it in a query, is magic_quotes_gpc is not set to 1.
If it is stored in the DB this way, then you would use stripslashes() on output.
mysql_escape_string() would be used for the same purpose as addslashes()

htmlspecialchars() would ensure that the given string, when output on a webpage, would not have its html parsed.

This could avoid silly users typing in things like
<script type="text/javascript">
while (1)
alert("Hello world!");
</script>
on your forums etc.

Deposeni

Would there be a way to do all this with javascript - before the user even gets to the query page? Like on the form... If the user has ' " /, etc. then it won't let them submit?

Norman_Graham

Oh, yes, absolutely, but bear in mind that some users may have JS disabled, so using JS for form validation would allow them to bypass the validation. If you use JS, you have to check that JS is enabled first, and then revert to a server-side solution if it isn't (or tell the user that they can't use the form at all and should just send an e-mail). This approach may be worthwhile on long and complicated forms with information-security issues, but is overkill on simple name/address/password/e-mail forms.

Using JS to find out if you have any data at all before allowing the data to be submitted for validation isn't a bad idea, but again not strictly necessary.

HTH

Norm

scoppc

Yeah, you can do it with javascript, of course, but that wont increase any security to any level. Coz, even a noob can always bypass. 🙂

Just to add the list of function to sanitize user's input:

function cleanup($input){
//This function will sanitize any input from user
//It will stripped off all HTML tags (without mercy)
//Secure any quotes
//Trim all extra space characters in front or behind input
$input=strip_tags($input);
$input=htmlspecialchars($input);
$input=addslashes($input);
$input=trim($input);
return $input;
}

klycette

So if this function is used on every entry that's made in a form, will that protect against most if not all things that a user might do to try to create havoc? Like most other people, I want to make sure that my users can enter any normal characters, but I want to make sure that they can't enter html, script, etc.

Norman_Graham

Yup, Scoppc's little function is pretty comprehensive. There are other approaches using reg exps etc., although reg exps are always prone to error because the syntax is so complicated, but Scoppc's function should certainly keep things safe for most uses.

HTH

Norm

klycette

Is there any real need for htmlspecialchars if you're already using strip_tags in this function? Does strip_tags miss certain entries? I'm going to be editing anything users enter before other users can see it anyway, so I primarily want to just protect my database. Thanks.

stolzyboy

strip_tags will remove all html tags <>'s, htmlspecialchars will convert if someone types an &, it will be converted into "& a m p;"

go here for more info

klycette

So if I'm editing each posting by hand anyway, is there a value to using htmlspecialchars if I'm already using strip_tags? I'd expect some users to want to use things like "&" in their posts and I'd rather not deal with having to remove extra characters after htmlspecialchars converts it.

stolzyboy

i wouldn't worry about it too much, it won't be any security issues or anything

it is just like if you are typing into notepad for an html doc and type an & or type "& a m p;", you will get the same results