Injection attacks and preventing them
Security in PHP example from a Well House Consultants training course
More on Security in PHP
Source code: inject.php Module: H117
```php
<?php
/* This is a simple example that's designed to show what an HTML injection,
   a Javascript injection and an SQL injection are. I have published the code
   here with the lines that add protection against attacks NOT commented out,
   so that this code in its current form is safe. Please be very careful if
   you delete those lines ...
   Note: the mysql_ functions used below were removed in PHP 7.0; the mysqli
   and PDO alternatives are mentioned at the end of the query section. */

# Grab the incoming raw string (empty if no search has been submitted yet).
$lookfor = isset($_GET['search']) ? stripslashes($_GET['search']) : '';
$report  = $lookfor;

# HTML Injection attack (using characters like < and & and ") :
# SOLUTION will be to use htmlspecialchars as in following line:
# -------------------------------------------
$report = htmlspecialchars($report);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)
# nasty thing to try:
#   <h1>                 # shout the rest of the page!
#   {some Javascript}    # sends JS as part of the echo; browser then thinks
#                        # it's clean because it's code delivered from the server
#                        # this is known as a Javascript injection attack
#                        # Cure is htmlspecialchars (again!)

$result = "Searching for $report<br />";

mysql_connect("localhost", "wellho", "4qash22m");
mysql_select_db("test");

# SQL injection attack (using characters such as ' ):
# SOLUTION will be to escape the string with mysql_real_escape_string as in
# the following line:
# -------------------------------------------
$lookfor = mysql_real_escape_string($lookfor);
# -------------------------------------------
# (Delete / comment out that line above if you want to try an injection)
$r = mysql_query("select rid,tlc,postcode,name from railuse " .
                 "where name like '%$lookfor%'");
# nasty thing to try:
#   ' and postcode like 'ws      # searching by postcode even though script is by name
#   ss' or postcode like 'ws     # adding in extra records even if they don't match
# Study your MySQL to find how to include things like
# "Drop Database" as a subcommand ... :-( ...
# See - alternative ways in mysqli and PDO:: routines

# mysql_query returns false on error, so only loop over a real result set.
if ($r !== false) {
    while ($row = mysql_fetch_assoc($r)) {
        $result .= "<br />$row[name]";
    }
}
?>
<html>
<head>
<title>Injection Attack Demo</title>
</head>
<body>
<h1>BAD EXAMPLE - do not copy to your system</h1>
<form>
Search for: <input name="search" size="60" /> and <input type="submit" />
</form>
<hr />
Results from last time<br /><br />
<?php print($result); ?>
<br />
Copyright, etc
</body>
</html>
```
Learn about this subject
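The listing above cures the SQL injection by escaping the search string before splicing it into the query, and points at mysqli and PDO as the alternatives. The following is an added example, not part of the Well House Consultants course code: the same "search railuse by name" page rebuilt on mysqli with a prepared statement, so the user's text is bound as a parameter and never becomes part of the SQL text, plus output escaping that also covers single quotes. It assumes the railuse(rid, tlc, postcode, name) table in the "test" database from the listing; the connection credentials are placeholders, the function names are my own, and mysqli_stmt::get_result() needs the mysqlnd driver (the default since PHP 5.4).

```php
<?php
// Added example (not the course's own code): name search on the railuse table
// using a mysqli prepared statement and consistent HTML output escaping.
// Assumed schema: railuse(rid, tlc, postcode, name) in database "test".
declare(strict_types=1);

// Build a LIKE pattern meaning "contains $needle". A bound parameter stops
// quote characters from breaking out of the string literal, but % and _ are
// still LIKE wildcards, so a searcher typing "%" would otherwise match every
// row. We escape them (and the escape character itself) with '!', which the
// query declares via ESCAPE '!'.
function like_contains(string $needle): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $needle);
    return '%' . $escaped . '%';
}

// Escape text for inclusion in HTML. ENT_QUOTES also converts ' (not just "),
// which matters when a value lands inside a single-quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Run the name search with the pattern passed as a bound parameter.
// Returns the matching rows as associative arrays (rid, tlc, postcode, name).
function search_by_name(mysqli $db, string $needle): array
{
    $sql = "SELECT rid, tlc, postcode, name FROM railuse WHERE name LIKE ? ESCAPE '!'";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = like_contains($needle);
    $stmt->bind_param('s', $pattern);   // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Render the same lines the original page printed, with every value escaped
// at the point it is written into HTML (the "echo the search term back"
// step is where the HTML/Javascript injection lives).
function render_results(string $needle, array $rows): string
{
    $out = 'Searching for ' . h($needle) . "<br />\n";
    foreach ($rows as $row) {
        $out .= '<br />' . h((string) $row['name']) . "\n";
    }
    return $out;
}

// Page glue; the functions above can be exercised on their own.
if (PHP_SAPI !== 'cli') {
    // No stripslashes(): magic quotes were removed in PHP 5.4, so the raw
    // value is what the user typed.
    $needle = isset($_GET['search']) ? (string) $_GET['search'] : '';

    // Placeholder credentials: replace with your own, ideally read from
    // configuration outside the web root rather than written in the script.
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'test');
    $db->set_charset('utf8mb4');   // the connection charset is what escaping is judged against

    $result = $needle === '' ? '' : render_results($needle, search_by_name($db, $needle));
    echo '<form>Search for: <input name="search" size="60" /> '
       . '<input type="submit" /></form><hr />' . $result;
}
```

With this structure the two cures from the listing become two single places: the `?` placeholder handles the SQL side for every query, and `h()` handles the HTML side for every value echoed, so there is no line whose deletion silently reopens the hole.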
This module and example are covered on the following public courses:
* Learning to program in PHP
* PHP Programming
Also available on on-site courses for larger groups.
Books covering this topic
Yes. We have over 700 books in our library. Books
covering PHP are listed here and when you've selected a
relevant book we'll link you on to Amazon to order.
Other Examples
This example comes from our "Security in PHP" training module. You'll find a description of the topic and some
other closely related examples on the "Security in PHP" module index page.
Full description of the source code
You can learn more about this example on the training courses listed on this page,
on which you'll be given a full set of training notes.
Many other training modules are available for download (for limited use) from our download centre under an Open Training Notes License.
Other resources
• Our Solutions centre provides a number of longer technical articles.
• Our Opentalk forum archive provides a question and answer centre.
• The Horse's mouth provides a daily tip or thought.
• Further resources are available via the resources centre.
• All of these resources can be searched through our search engine.
• And there's a global index here.
Purpose of this website
This is a sample program, class demonstration or answer from a training course. Its main purpose
is to provide an after-course service to customers who have attended our public, private or
on-site courses, but the examples are made generally available under conditions described below.
Web site author
Conditions of use
Past attendees on our training courses are welcome to use individual
examples in the course of their programming, but must check
the examples they use to ensure that they are suitable for their
job. Remember that some of our examples show you how not to do
things - check in your notes. Well House Consultants take no responsibility
for the suitability of these example programs to customers' needs.
This program is copyright Well House Consultants Ltd. You are forbidden from using it for running your own training courses without our prior written permission. See our page on courseware provision for more details. Any of our images within this code may NOT be reused on a public URL without our prior permission. For Bona Fide personal use, we will often grant you permission provided that you provide a link back. Commercial use on a website will incur a license fee for each image used - details on request.
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho PAGE: http://www.wellho.info/resources/ex.php • PAGE BUILT: Sun Oct 11 14:50:09 2020 • BUILD SYSTEM: JelliaJamb