Newgrounds.com — Everything, By Everyone.

PHP: Main

First of all, welcome to this tutorial!
You are expected to have a basic knowledge about using MySQL with PHP (and ofcourse PHP itself).
This tutorial will go over some basic security issues that most beginners seem to forget.

Part 1: Preventing SQL injects
1.1 The URL
SQL Injects: a PHP programmer's biggest fear. Say, you have a neat flash portal built and you use shiny links like

this: portalview.php?flash=55325. This works very well, ofcourse. Untill you have a visitor that thinks:

"hey, let's screw up this stupid kid's DB (with an evil grin)". Without the needed security, he could just do this:
portalview.php?id=55; DROP TABLE flash
And I guess you realise what that does. Indeed. It drops your valued flash table! All data is lost and you sit

there... hoping you have a backup.
Ofcourse, there is some easy way to prevent this =) This magical function is called Intval(). It basically takes the first integer value

from a string.
So our example page portalview.php should contain this code:
<?php
$id = intval($_GET['id']);
?>
Problem solved, and only the numerical value 55 is passed in the previous example, and not that dreaded SQL inject

;)
1.2 The Form
Well, basically, the same thing can be done from within a form. BUT ofcourse there is a way around this again =)
The used function is either mysql_real_escape_string() or addslashes(). These basically do the same, although

the first function is better =)
What they do is this: they put an escape character, in this case a backslash (\), before every character that could

be used to cause an SQL inject. Mostly, this is a quote (').
So, easyness says it:
<?php
$name = mysql_real_escape_string($_POST['name']);
?>
Note: Most webservers will have magic_quotes_gpc() on. This automatically adds these slashes. but don't rely

on it!

Part 2: register_globals
This was THE biggest mistake PHP ever made. It's a PHP ini setting that automatically registers your global

variables ($_GET, ...) to normal variables ($id, $name, ...). It's known to be horribly insecure and with it not

being enabled everywhere, many people usually whine about their scripts not working.
Nobody ever explained to me why exactly it's so insecure, but I can think of a few things...
Take this script for an example:
<?php
$funcs = array("lower", "upper");
for($i = 0; $i < 12; $i++)
{
$func = "strto".$funcs[array_rand($funcs)];
@$pass .= $func(chr(mt_rand(48, 93)));
}
?>
It's a script I wrote for generating passwords. BUT with register_globals on, I could access this page like this:
passgen.php?pass=yay. this would prefix the generated password with "yay".
In this example, it isn't a security risk per se, but it can be riskier on other occasions ;)

I guess this kinda sums up this small tutorial =) I hope it was helpful, and feel free to leave any notes!

-- Bekko

Cool tutorial!

For future reference, when you link back to PHP: Main, plage put 9999 as the page rather than the actual page number.

But yeah, you went over some really important stuff that all beginners should learn.

At 8/15/06 01:04 PM, DFox2 wrote: Cool tutorial!

For future reference, when you link back to PHP: Main, plage put 9999 as the page rather than the actual page number.

But yeah, you went over some really important stuff that all beginners should learn.

Thanks =) And I didn't know that, sorry =(

Please refrence back to the site you got this off. Thanks.

At 8/16/06 10:29 AM, --Amish-- wrote: Please refrence back to the site you got this off. Thanks.

wtf? I wrote this myself...

Great tutorial!

nice tutorial...i will never use a $_GET['id']; again with out using the intvar thing.....lol

Runs and hides in corner sucking thumb....waiting for the netcop-oes

i would advise using the intval() thing for POST data and coockies aswell, better safe then sorry.

one big security issue that I know of, validating that the POST/GET data was subbmitted from teh right source, ie not from some other server. thus is important with things like voting. i could make a page on my site, that when I vote with it, sends a realy high score to you voteing page.

dose any one know how to do what i am on about, it can be done, just i cant remember how.

At 10/28/06 03:27 PM, thecoshman wrote: dose any one know how to do what i am on about, it can be done, just i cant remember how.

If you're doing a voting thing, no matter what, you should always make sure the vote is between x and x...

well yes there is that. but there are times when you want to make sure that the data the has been sent to the page via POST or GET is from your own site, say for like a fourm, so that people can't set up some sort of system on their site that uato logs in and ands psot to someone else forum.

Never tested it, but it could be that the referer is sent when submitting a form.
Use $_SERVER['HTTP_REFERER'] to check.

well that would get the details of the server sending that data right, so say for newgrounds, would that send 'www.newgrounds.com' and presumerly you will need to use $_SERVER['SERVER_NAME'] to comapre the two values?

i am just going to try this now, though obviusly, i can not check if it does stop others from sending data two my site, is any one willing to try this out with me? pm me to sort somthing out in terms of testing this.

It'll probably send

http://www.yoursite...ar=val&var2=val2

etc

ok then, all is solved.

$_server['http_refferer'];

this is basically the url of the page you where last at, handy if you want to make a back button or somthing after you update a table or somting.

so if you want to make sure that the data was sent from the right place you have to compare the refferer with what you would expect it to be. at the moment it is hardcoded for me, but that does the job for me.