Proper way to implement strlen to prohibit DoS attacks?

schwim

Hi there guys,

Moving on through my list of to-do's that I got in the code review section, and I'm almost completely done with it, but I'm having problems with strlen.

I was told that if I don't limit the number of characters on the admin login, it could allow a DoS attack. I've been looking around, and I found ways to count characters with it, but is there a particular way to stop the insert from being too long without the query getting processed?

I don't know what exactly I need to do with strlen to keep this safe:

$myusername=mysql_real_escape_string($_POST['myusername']);

$mypassword=mysql_real_escape_string($_POST['mypassword']);



$encrypted_mypassword=md5($mypassword);



$query = "SELECT * FROM ".$prefix."admin WHERE username='$myusername' and password='$encrypted_mypassword'";

$result = mysql_query($query) or die('MySQL error: ' . mysql_error() . '<hr/>' . $query);

Also, would it be best to implement the strlen check on any input that is available outside of the password protected(forms, etc)?

thanks,
json

zabmilenko

There are countless ways of doing this, but I like this one:

define('MAX_FIELD_LENGTH', 255);  // adjust as you see fit

$myusername=mysql_real_escape_string(substr($_POST['myusername'],0,MAX_FIELD_LENGTH));
$mypassword=mysql_real_escape_string(substr($_POST['mypassword'],0,MAX_FIELD_LENGTH));

You could call strlen and crash out as well:

if (strlen($_POST['username']) > 255 || strlen($_POST['password']) > 255)
{
   die('hacking attempt!');
}

But for some reason I don't like doing this.

In one app I have, I even did this:

define('MAX_REQUEST_LENGTH', 20000);  // adjust as you see fit

if (strlen(serialize($_REQUEST)) > MAX_REQUEST_LENGTH)
{
    die('hacking attempt');
}

But that is messy.

You have a few other options as well.

etully

Can someone explain where and what the vulnerability is? Is it MD5? SQL? Apache? The OS? PHP? Or something else that's vulnerable?

zabmilenko

DoS is a broad subject. The acronym stands for Denial of Service. It's a class of attacks meant to cause your server to work way harder than necessary, thereby denying resources to typical and honest users.

The issue in this case is the sql queries. You see, there are two connections going on here, one from the browser to the apache server and the other from the apache server to the mysql server.

Apache does fairly well at preventing too much data from "flooding" a PHP app, but the setting is very liberal (2 to 8 megabytes). The type of vulnerability we are trying to secure from in this post occurs at the second level, between the script and the database server.

If someone was able to put 2 megs of data in the username field, and the poster doesn't trim it down, then he COULD end up with a 2 megabyte query being sent on his end. This would slow down the database and possibly expose the system to deadlocks and intense lag (depending on how his setup is).

Now, mysql does have a limiter for query length, but in many situations users don't know how to set it or it's out of their control.

In the end, it's simply smarter to check inputs for length as well as validity before passing them in a query.