php security

solidgold

hi, i'm new here and i'm pretty new to php, but basically i've been trying to sort this out all day - i'm making a guestbook script but i cant seem to get the security right.
this is my code -

<?php

$self = $_SERVER ['PHP_SELF'];
$name = $_POST['name'];
$email = $_POST['email'];
$comments = $_POST['comments'];
$submit = $_POST['submit'];

#the html form
$form = "<form action\"$self\" method=\"post\" name=\"form\" onSubmit=\"return Check()\">";
$form.= "<input type=\"text\" value=\"Name\" name=\"name\" class=\"formbutton2\" ";
$form.= "size=\"50\" value=\"$name\"> <br>";
$form.= "<input type=\"text\" value=\"Website Address (without http://)\" name=\"email\" class=\"formbutton2\" ";
$form.= "size=\"50\" value=\"$email\"> <br>";
$form.= "<span class=\"content\">Comments:</span><br>";
$form.= "<textarea name=\"comments\" class=\"formbutton3\" ";
$form.= "rows=\"4\">$comments</textarea> <br>";
$form.= "<input type=\"submit\" name=\"submit\" class=\"formbutton\" ";
$form.= "value=\"Sign\"></form>";



#on first opening display the form
if ( !$submit) { $msg = $form; }

#or redisplay a message and the form if incomplete
else if ( !$name or !$email or !$comments)
{ $msg = "<b>Please complete all fields</b><br><br>";
$msg.= $form; }

#or add the form data to the guestbook database table
else #otherwise connect to mysql
{ $conn = @mysql_connect( "host.com", "database", "password" )
or die( "could not connect" );

$rs = @mysql_select_db( "database", $conn )
or die ( "could not select database" );

if( $name and $comments )
{
$sql ="insert into guestbook (name, email, comments)
values(\"$name\", \"$email\", \"$comments\")";
$rs = @mysql_query( $sql, $conn )
or die ( "could not execute sql query" ); }

if($rs)
{ $msg = "<h3>Thank you, your entry has been saved.";
$msg.= "<br><a href=\"view.php\">";
$msg.= "View guestbook</a></h3>"; }
}

echo( $msg );
?>

could somebody please show me how to make it secure from people trying to post malicious code on it? it'd be a massive help to me,
Solidgold

solidgold

please help

NogDog

Do you get any errors? If so, let us know exactly what they say. If not, make sure errors are being displayed:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

Also, for now you should get rid of the "@" characters which are suppressing PHP warnings/notices. (You can put them back later if you think you really need them.)

bpat1434

For one thing, you don't do any data verification!! Rule #1 is to limit what your users can give you. You should be expecting a certain format to the inputs (like a name is like 3 to 8 characters, and usually a space with more letters, but no numbers or underscores or other "characters").

Also, you don't escape any items. If a user came along and wanted to, right now could just input this in the "comments" field:

"; SHOW OPEN TABLES;

and they'd be given a view of what tables you have open at that point in time, which typically would be a "users" table and the comments table. With that knowledge, they can run further queries like DESCRIBE tablename or TRUNCATE table or whatever.

I suggest you purchase the book "Essential PHP Security" by Chris Shiflett. It really can teach you a lot about security. To fix the sql insert stuff, make sure you escape all your SQL input items with [man]mysql_real_escape_string/man, or you type-cast your integers like so:

$integer = (int)$_POST['integer_field_name'];