[Wolves] PHP Sql select losing a row

Wayne Morris waynelists at machx.co.uk
Tue Jul 16 00:06:00 UTC 2013


Hi Chris,

Thanks for your post and I take on board your comments about security, however I need to clarify a couple of things:

1) The entire database consists of 750 property address records, growing at about 10 records per month, none of which is personal information, none of which is mission critical, and all of which I enter myself directly through phpMyAdmin. In the very unlikely case of db corruption by SQL injection, it could be replaced with minimal downtime.
The database is simply a list of housing stock, whether it is available or not and when it was inspected and who by, and users have absolutely no opportunity to enter or write ANY data to the database (apart from in a remarks column which IS escaped) - all other interaction with the database is by radio buttons, timestamps being entered into fields automatically etc. The only real data being recorded is who visited where and when, and what they found - 99% by dropdown lists.

In the 'postcode void' case quoted:
a) The user has a list of properties of interest, he can select one to view the details of via a hyperlink and at the bottom of the record he is presented with a list of properties with a similar postcode - he hasn't had an opportunity to enter the postcode variable - the select is done from the postcode of the first record.

On that page all he can do is check boxes, and enter his one set of (escaped) remarks, then use the list of nearby properties to go and look at.
In fact the main point of this page is that the user scans a QR code which takes him directly to the record, the table at the bottom showing the nearby addresses means that he could in principle never even see the postcode variable in that search should I decide not to display it.
So SQL injection is impossible via this variable.


2) That said, this is only a proof of concept management information trial - if it falls over or gets corrupted it doesn't matter - all that is useful is to see whether the functionality is what the users want, and as more uses for it become apparent I throw in a few more checkboxes, or useful information to display.
If it ever gets to the point where it needs to be released into the wild, I would give a proper programmer a brief to start from scratch but make it look and work 'just like this'.

So for where I'm at with my coding ability I think 'it will do' security - e.g. user login, user change tracking and minimal user data entry choices - is enough to be going on with; there doesn't seem to be any point spending hours escaping things when I can't even get my search to work.


Regards

Wayne



On 15/07/2013 23:56, Chris Ellis wrote:
> Hi Wayne
>
> I'm deeply concerned by your poor attitude to security; there is no 
> excuse for building applications which are vulnerable to both SQL 
> Injection and Cross-Site Scripting vulnerabilities like your code 
> sample is.  Remember that under the Data Protection Act, a business 
> has a responsibility to look after the data it is storing.
>
> Using the code sample in a production system, in my view, is being 
> professionally negligent.  Especially given community members have 
> pointed out the issues.
>
> In general terms, whenever data traverses a trust boundary it must be 
> validated.  For web applications, data must be validated for every 
> single request.  You cannot use a request parameter without first 
> validating it.  Never trust your users, they might not act 
> maliciously, but they will act foolishly, never trust data they input.
>
> 1) You should never concatenate data into SQL queries without escaping 
> it; it's one function call.  Preferably use prepared statements.
>
>   $queryz = "SELECT * FROM property WHERE postcode like 
> '%$postcodevoid%' and let = '1'";
>
> If $postcodevoid were to be something like:
>
>   '; DROP TABLE property; --
>
> You're going to have a bad day.
>
>
> 2) You should never output data in HTML without HTML escaping it.
>
>   print("<TD width=10% wrap style=\"wrap: 1 solid 
> #800000\">".$rowz["address1"]. " </td>    ". " ");
>
> If $rowz["address1"] were to be something like:
>
>   <script>window.location='http://mybadsite.com/'</script>
>
> You're going to have a bad day.
>
>
> I'll leave you with: http://xkcd.com/327/
>
>
> Regards,
> Chris Ellis
>
>
> _______________________________________________
> Wolves LUG mailing list
> Homepage: http://www.wolveslug.org.uk/
> Mailing list: Wolves at mailman.lug.org.uk
> Mailing list home: https://mailman.lug.org.uk/mailman/listinfo/wolves
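The two fixes Chris asks for (a prepared statement for the postcode lookup, and HTML escaping of every value printed into the table), as an added example that is not code from either message. It runs against an in-memory SQLite database through PDO so no MySQL server is needed; the table and column names (property, postcode, let, address1) follow the snippets quoted above, and the rows are constructed. It also covers one point neither message mentions: a '%' or '_' typed by a user is a LIKE wildcard, so the pattern is escaped before it is bound.

```php
<?php
// Added example, not from the thread. Same query shape as the quoted
// "SELECT * FROM property WHERE postcode like '%$postcodevoid%' and let = '1'",
// but the value is bound as a parameter instead of concatenated into the SQL.
function nearby_properties(PDO $db, string $postcodevoid): array
{
    // Escape LIKE metacharacters so user input is matched literally. Backslash
    // must be handled first, otherwise the escapes added afterwards get doubled.
    $literal = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $postcodevoid);

    // The bound value can never terminate the string literal: whatever it
    // contains is sent as data, not parsed as SQL.
    $stmt = $db->prepare(
        "SELECT address1, postcode FROM property
          WHERE postcode LIKE :pattern ESCAPE '\\' AND let = '1'"
    );
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render one table cell. htmlspecialchars() turns < > & " ' into entities, so a
// stored value is displayed as text rather than interpreted by the browser.
function cell(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE property (id INTEGER PRIMARY KEY, address1 TEXT, postcode TEXT, let TEXT)");

// Constructed sample rows. The third address1 deliberately contains markup so
// the effect of cell() is visible in the rendered output.
$insert = $db->prepare("INSERT INTO property (address1, postcode, let) VALUES (?, ?, ?)");
$insert->execute(['1 High Street', 'WV1 1AA', '1']);
$insert->execute(['2 High Street', 'WV1 1AB', '0']);
$insert->execute(['<b>3 High Street</b>', 'WV1 2ZZ', '1']);

// Three inputs: a normal postcode fragment, the value from Chris's message,
// and a bare wildcard. With the prepared statement the second is just an
// unmatched search term, and with the escaping the third matches only a
// postcode that literally contains '%'.
foreach (['WV1', "'; DROP TABLE property; --", '%'] as $input) {
    $rows = nearby_properties($db, $input);
    echo 'Input ' . var_export($input, true) . ' matched ' . count($rows) . " row(s)\n";
    foreach ($rows as $rowz) {
        echo '<tr>' . cell($rowz['address1']) . cell($rowz['postcode']) . "</tr>\n";
    }
}

// The table is still there with all three rows after every lookup above.
$count = (int) $db->query('SELECT COUNT(*) FROM property')->fetchColumn();
echo "property rows remaining: $count\n";
```

Against MySQL the same code works with a mysql: DSN; MySQL already treats backslash as the LIKE escape character, so the ESCAPE clause is merely explicit there. The `cell()` helper is the part to apply to every `$rowz[...]` value printed in the original loop, not only address1.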
