[Wolves] PHP Sql select losing a row
Wayne Morris
waynelists at machx.co.uk
Tue Jul 16 00:06:00 UTC 2013
Hi Chris,
Thanks for your post and I take on board your comments about security,
however I need to clarify a couple of things:

1) The entire database consists of 750 property address records, growing
at about 10 records per month, none of which is personal information,
none of which is mission critical, and all of which I enter myself
directly through phpMyAdmin. In the very unlikely case of db corruption
by SQL injection, it could be replaced with minimal downtime.

The database is simply a list of housing stock, whether it is available
or not and when it was inspected and who by, and users have absolutely
no opportunity to enter or write ANY data to the database (apart from in
a remarks column which IS escaped) - all other interaction with the
database is by radio buttons, timestamps being entered into fields
automatically etc. The only real data being recorded is who visited
where and when, and what they found - 99% by dropdown lists.
In the 'postcode void' case quoted:

a) The user has a list of properties of interest; he can select one to
view the details of via a hyperlink, and at the bottom of the record he
is presented with a list of properties with a similar postcode - he
hasn't had an opportunity to enter the postcode variable - the select is
done from the postcode of the first record.

On that page all he can do is check boxes, and enter his one set of
(escaped) remarks, then use the list of nearby properties to go and look at.

In fact the main point of this page is that the user scans a QR code
which takes him directly to the record; the table at the bottom showing
the nearby addresses means that he could in principle never even see the
postcode variable in that search should I decide not to display it.

So SQL injection is impossible via this variable.
2) That said, this is only a proof of concept management information
trial - if it falls over or gets corrupted it doesn't matter - all that
is useful is to see whether the functionality is what the users want; as
more uses for it become apparent I throw in a few more checkboxes, or
useful information to display.

If it ever gets to the point where it needs to be released into the
wild, I would give a proper programmer a brief to start from scratch
but make it look and work 'just like this'.

So for where I'm at with my coding ability I think 'it will do'
security - e.g. user login, user change tracking and minimal user data
entry choices - is enough to be going on with; there doesn't seem to be
any point spending hours escaping things when I can't even get my search
to work.
Regards
Wayne
On 15/07/2013 23:56, Chris Ellis wrote:
> Hi Wayne
>
> I'm deeply concerned by your poor attitude to security, there is no
> excuse for building applications which are vulnerable to both SQL
> Injection and Cross-Site Scripting vulnerabilities like your code
> sample is. Remember, that under the Data Protection Act, a business
> has a responsibility to look after the data it is storing.
>
> Using the code sample in a production system, in my view is being
> professionally negligent. Especially given community members have
> pointed out the issues.
>
> In general terms, whenever data traverses a trust boundary it must be
> validated. For web applications, data must be validated for every
> single request. You cannot use a request parameter without first
> validating it. Never trust your users, they might not act
> maliciously, but they will act foolishly, never trust data they input.
>
> 1) You should never concatenate data into SQL queries without escaping
> it, it's one function call. Preferably use prepared statements.
>
> $queryz = "SELECT * FROM property WHERE postcode like
> '%$postcodevoid%' and let = '1'";
>
> If $postcodevoid were to be something like:
>
> '; DROP TABLE property; --
>
> You're going to have a bad day.
>
>
> 2) You should never output data in HTML without HTML escaping it.
>
> print("<TD width=10% wrap style=\"wrap: 1 solid
> #800000\">".$rowz["address1"]. " </td> ". " ");
>
> If $rowz["address1"] were to be something like:
>
> <script>window.location='http://mybadsite.com/'</script>
>
> You're going to have a bad day.
>
>
> I'll leave you with: http://xkcd.com/327/
>
>
> Regards,
> Chris Ellis
>
>
> _______________________________________________
> Wolves LUG mailing list
> Homepage: http://www.wolveslug.org.uk/
> Mailing list: Wolves at mailman.lug.org.uk
> Mailing list home: https://mailman.lug.org.uk/mailman/listinfo/wolves
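Chris's two points (points 1 and 2 in the quoted mail) put together as one runnable example. This is added here and is not code from either poster: it rewrites the quoted postcode search as a PDO prepared statement and passes every value through htmlspecialchars() before it reaches the page. It assumes an in-memory SQLite database with a `property` table whose columns (`address1`, `postcode`, `let`) are taken from the quoted query; the sample rows are constructed, and one of them deliberately stores the `<script>` string Chris quoted so the output escaping can be seen to neutralise it.

```php
<?php
// Added example, not from the original thread. Shows prepared statements for the
// postcode search and HTML escaping on output, using an in-memory SQLite table.
// Table/column names follow the query quoted in the mail; all rows are constructed.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE property (id INTEGER PRIMARY KEY, address1 TEXT, postcode TEXT, let TEXT)");
    $ins = $pdo->prepare("INSERT INTO property (address1, postcode, let) VALUES (?, ?, ?)");
    // Constructed sample rows; the third carries the XSS payload quoted in the thread.
    $ins->execute(['12 High St', 'WV1 1AA', '1']);
    $ins->execute(['14 High St', 'WV1 1AB', '0']);
    $ins->execute(["<script>window.location='http://mybadsite.com/'</script>", 'WV1 1AC', '1']);
    return $pdo;
}

// Safe form of the quoted search. The whole LIKE pattern is bound as a single
// parameter, so quotes or semicolons in $postcodevoid are data, never SQL syntax.
function findNearbySafe(PDO $pdo, string $postcodevoid): array {
    $stmt = $pdo->prepare("SELECT * FROM property WHERE postcode LIKE :pattern AND let = '1'");
    $stmt->execute([':pattern' => '%' . $postcodevoid . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: every database value is HTML-escaped before being placed in markup,
// so a stored <script> tag is rendered as visible text rather than executed.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRow(array $rowz): string {
    return '<tr><td>' . h($rowz['address1']) . '</td><td>' . h($rowz['postcode']) . "</td></tr>\n";
}

$pdo = makeDb();

// Normal use: the search term comes from the first record's postcode, as in the thread.
echo "<table>\n";
foreach (findNearbySafe($pdo, 'WV1') as $rowz) {
    echo renderRow($rowz);
}
echo "</table>\n";

// The injection string from the quoted mail, passed through the safe search:
// it simply matches no postcode, and the table is still there afterwards.
$hostile = "'; DROP TABLE property; --";
echo "rows matching hostile input: " . count(findNearbySafe($pdo, $hostile)) . "\n";
echo "rows still in table: " . $pdo->query("SELECT COUNT(*) FROM property")->fetchColumn() . "\n";
```

Run it with `php example.php` (SQLite support is built into most PHP packages). The LIKE wildcards are added around the bound value rather than inside the SQL text, which is the one detail people most often get wrong when converting a `LIKE '%$var%'` query to a prepared statement; if the `%` and `_` characters in user input should also be treated literally, they need escaping with an `ESCAPE` clause, which the quoted search does not attempt.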