
View Full Version : Confused on using injections



saxchick1
11-22-2011, 04:38 AM
I've been reading different tutorials on injections and been going by different examples. I am trying to prevent my guestbook users from spamming my guestbook and preventing XSS, HTML, and SQL injections. I've read that prepared statements automatically prevent injections, and that mysql_real_escape_string() along with string sanitization prevents SQL injection. Also, I read that prepared statements shouldn't be used. If someone could please help and look over my code, not sure if I am getting the hang of things. :confused:




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" /></head>
<body>


<!-- header -->
<div id="header">
<div id="logo"><a href="index.html">Header</a></div>
<div id="menu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="">Link 1</a></li>
<li><a href="">Link 2</a></li>
<li><a href="">Link 3</a></li>
<li><a href="">Contact</a></li>
<li><a href="guestbook.php">Guestbook</a></li>
</ul>
</div>
</div>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>

<!--end header -->
<!-- main -->
<div id="main">
<div id="content">


<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>

<?php

function sanitizeString($string) {
return htmlentities( (string) $string, ENT_COMPAT, "UTF-8" );
}

$input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);
mysql_real_escape_string($comment);
mysql_real_escape_string($name);
mysql_real_escape_string($verif_box);


$db = new mysqli("localhost", "a7560006_host", "mypassword", "a7560006_guest");
$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');

$preparedStatement1->bind_param("s", $name);
$preparedStatement1->execute();
$preparedStatement1->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement1->store_result();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');

$preparedStatement2->bind_param("s", $verif_box);
$preparedStatement2->execute();
$preparedStatement2->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement2->store_result();

$preparedStatement3 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');
$preparedStatement3->bind_param("s", $comment);
$preparedStatement3->execute();
$preparedStatement3->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement3->store_result();

while($preparedStatement1->fetch()){

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);

$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);

if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>

</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
<div id="right_footer">

<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->

</body>
</html>

<?
exit;
}

if(empty($name) || empty($comment)) { ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {

$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
$result=mysql_query($sql);

//check if query successful
if($result) { ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
} else {
echo "ERROR";
}

mysql_close();
}
}
?>

</div>

<!-- footer -->
<div id="footer">
<div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
<div id="right_footer">

<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->

</body>
</html>

Dormilich
11-22-2011, 11:08 AM
I've read that prepared statements automatically prevent injections, and that mysql_real_escape_string() along with string sanitization prevents SQL injection.
if you use Prepared Statements, you mustn't use mysql_real_escape_string().
a) mysql_* functions (which you would need for mysql_real_escape_string()) don't support Prepared Statements
b) you can't mix mysql_*, MySQLi and PDO
c) if you feed an escaped string to a Prepared Statement, it will insert that string as is (with(!) the backslashes) into the DB

however, you should use string sanitisation to prevent XSS attacks before you output the data from DB.

regarding that, in your code you can safely delete all the mysql_real_escape_string() stuff (you don't even have the required connection for that to work).
additionally your query will fail (or turn out differently) since you only provide one parameter instead of the required 3.
and why you revert to using mysql_query() (bottom half of the code) I don't understand at all.


Also, I read that prepared statements shouldn't be used.
IMO, a completely insane statement. I wonder where you've read that.
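The approach Dormilich describes, as an added example that is not code from this thread: a minimal guestbook insert and display built on prepared statements, with HTML escaping applied only at output time. It uses PDO with an in-memory SQLite database so that it runs without a MySQL server (that choice, the table layout and the sample inputs are assumptions made for this example); with MySQLi the same pattern is prepare()/bind_param()/execute(). The last lines illustrate point (c): a value that is escaped first and then bound is stored with the backslash in it.

```php
<?php
// Added example (not from the thread): guestbook storage with prepared statements.
// PDO + in-memory SQLite is an assumption so the script runs offline; for MySQL,
// swap the DSN for 'mysql:host=...;dbname=...;charset=utf8mb4'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table layout, matching the columns the thread uses.
$db->exec('CREATE TABLE guestbook (
    comment_id INTEGER PRIMARY KEY AUTOINCREMENT,
    name       TEXT NOT NULL,
    comment    TEXT NOT NULL,
    datetime   TEXT NOT NULL)');

// Insert: the values reach the driver separately from the SQL text, so quotes
// in them are data, not syntax. No escaping function is applied on the way in.
function addEntry(PDO $db, string $name, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, comment, datetime) VALUES (?, ?, ?)');
    $stmt->execute([$name, $comment, date('Y-m-d H:i:s')]);
    return (int) $db->lastInsertId();
}

// Output: escape for the HTML context here, not before storing, so the database
// keeps the raw text and the same row can be rendered safely elsewhere later.
function renderEntries(PDO $db): string
{
    $html = '';
    $rows = $db->query(
        'SELECT name, comment, datetime FROM guestbook ORDER BY comment_id');
    foreach ($rows as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b> '
               . '(' . htmlspecialchars($row['datetime'], ENT_QUOTES, 'UTF-8') . ')<br>'
               . nl2br(htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'))
               . '</p>' . PHP_EOL;
    }
    return $html;
}

// Constructed inputs containing a quote and tags, the characters the thread is
// worried about. The prepared statement stores them verbatim; rendering encodes them.
addEntry($db, "O'Brien", "Nice site <b>really</b>\nSecond line");
echo renderEntries($db);

// Dormilich's point (c): escaping and then binding stores the backslash itself,
// so the name comes back out of the database with a literal backslash in it.
addEntry($db, addslashes("O'Brien"), 'escaped twice');
$stmt = $db->prepare('SELECT name FROM guestbook WHERE comment = ?');
$stmt->execute(['escaped twice']);
var_dump($stmt->fetchColumn());
```

Run it with `php guestbook_example.php` (any PHP build with the pdo_sqlite extension). The shape to keep from it is the split of responsibilities: the database layer gets raw values through placeholders, and the template layer encodes for HTML; neither step needs mysql_real_escape_string() or htmlentities() on the input side.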

XterM
11-23-2011, 02:47 AM
Use htmlentities before inserting it. It will prevent XSS and HTML and SQL injection.


$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('".htmlentities($name,ENT_QUOTES)."', '".htmlentities($comment,ENT_QUOTES)."', '$datetime')";


To prevent spamming, you can use a captcha.

Inigoesdr
11-23-2011, 08:21 PM
Use htmlentities before inserting it. It will prevent XSS and HTML and SQL injection.
htmlentities() (http://php.net/htmlentities) is not for preventing SQL injections. Example (http://codepad.org/qvUCHCFS). Use strip_tags() (http://php.net/strip_tags) to remove HTML if you aren't expecting HTML for input, and always pass your user input through mysql_real_escape_string() (http://php.net/mysql_real_escape_string).

saxchick1
11-24-2011, 05:01 AM
htmlentities() (http://php.net/htmlentities) is not for preventing SQL injections. Example (http://codepad.org/qvUCHCFS). Use strip_tags() (http://php.net/strip_tags) to remove HTML if you aren't expecting HTML for input, and always pass your user input through mysql_real_escape_string() (http://php.net/mysql_real_escape_string).

Let me see if I understand this now.



<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" /></head>
<body>


<!-- header -->
<div id="header">
<div id="logo"><a href="index.html">Header</a></div>
<div id="menu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="">Link 1</a></li>
<li><a href="">Link 2</a></li>
<li><a href="">Link 3</a></li>
<li><a href="">Contact</a></li>
<li><a href="guestbook.php">Guestbook</a></li>
</ul>
</div>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>


</div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">


<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>

<?php
$db = new mysqli('host', 'user', 'password', 'db_name');
$tbl_name="guestbook"; // Table name

$name = $_POST['name'];
$name = strip_tags($name);
$comment = $_POST['comment'];
$comment = strip_tags($comment);


$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = $_POST['verif_box'];
$verif_box = strip_tags($verif_box);

if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>

</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
<div id="right_footer">

<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->

</body>
</html>
<?
exit; }

if(empty($name) || empty($comment)) { ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
$stmt = $db->prepare("insert into $tbl_name values (?, ?, ?, ?)");
$stmt->bind_param("isss", $comm_id, $name, $comment, $datetime);
// "isss" means that the 4 parameters are an integer, a string, a string and a string.
$stmt->execute();
//check if query successful
if($stmt->affected_rows) { ?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>
<?
} else {
echo "ERROR";
}

$stmt->close();
}
?>
</div>

<!-- footer -->
<div id="footer">
<div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
<div id="right_footer">

<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->

</body>
</html>






<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" /></head>
<body>


<!-- header -->
<div id="header">
<div id="logo"><a href="index.html">Header</a></div>
<div id="menu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="">Link 1</a></li>
<li><a href="">Link 2</a></li>
<li><a href="">Link 3</a></li>
<li><a href="contact.php">Contact</a></li>
<li><a href="guestbook.php">Guestbook</a></li>
</ul>
</div>
<div><a href="twitter.com/">
<img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>


</div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">


<div id="text">
<h1><strong>Guestbook</strong></h1>

<table width="400" border="0" align="center" cellpadding="3" cellspacing="0" bgcolor="#000000" >
<tr>
<td><strong>View Guestbook | <a href="guestbook.php">Sign Guestbook</a> </strong></td>
</tr>
</table>
<br>

<?php
$db = new mysqli('host', 'user', 'password', 'db_name');
$tbl_name="guestbook"; // Table name

$stmt = $db->prepare("select * from $tbl_name");
$stmt->execute();
$stmt->store_result();
// bind the four result columns (id, name, comment, datetime) for fetch()
$stmt->bind_result($comm_id, $name, $comment, $datetime);
while($stmt->fetch()) {
?>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="1" >
<tr>
<td><table width="400" border="0" cellpadding="3" cellspacing="1">
<tr>
<td>ID</td>
<td>:</td>
<td><? echo $comm_id; ?></td>
</tr>
<tr>
<td width="117">Name</td>
<td width="14">:</td>
<td width="357"><? echo $name; ?></td>
</tr>
<tr>
<td valign="top">Comment</td>
<td valign="top">:</td>
<td><? echo nl2br($comment); ?></td>
</tr>
<tr>
<td valign="top">Date/Time </td>
<td valign="top">:</td>
<td><? echo $datetime; ?></td>
</tr>
</table></td>
</tr>
</table>
<BR>
<?
}
$stmt->close(); //close database
?>

</div>

</div>

<!-- footer -->
<div id="footer">
<div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
<div id="right_footer">

<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->

</body>
</html>

Dormilich
11-24-2011, 07:10 AM
and always pass your user input through mysql_real_escape_string() (http://php.net/mysql_real_escape_string).

not necessary in case of Prepared Statements.

Inigoesdr
11-25-2011, 07:08 PM
not necessary in case of Prepared Statements.
Yeah, I was referring to the query example I was replying to which doesn't use a prepared statement.


