Fixing Unvalidated Redirects and Forwards in PHP

Posted on March 22, 2014

Note: This post is part of our series on “How to Fix Unvalidated Redirects and Forwards“. The series contains examples on how to fix unvalidated redirects and forwards in various programming languages.


The following code shows how to prevent unvalidated redirects and forwards in PHP: redirect to a fixed, server-side destination rather than to a destination taken from user input.

<?php
// The target is a fixed, server-side path; no part of it comes from the request
header('Location: destination.php');
exit();
?>
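Where the application genuinely needs to send users to different places after an action, the destination can be chosen from a server-side allow-list instead of being read from the request. This is an added example, not code from the original post; the names $allowedDestinations, safe_redirect() and is_local_path() are assumed.

```php
<?php
// Added example (not from the original post): redirect only to destinations on a
// server-side allow-list. The request supplies a short key, never a raw URL.
// Assumed names: $allowedDestinations, safe_redirect(), is_local_path().

$allowedDestinations = array(
    'home'    => '/index.php',
    'profile' => '/account/profile.php',
    'help'    => '/help.php',
);

function safe_redirect(array $allowed, $key, $fallback = '/index.php')
{
    // Unknown or missing keys fall back to a fixed page instead of erroring out
    $target = isset($allowed[$key]) ? $allowed[$key] : $fallback;

    // A relative, same-site path cannot point the browser at another host
    header('Location: ' . $target, true, 302);
    exit();
}

// If a raw path must be accepted (e.g. "return to the page you were on"),
// check that it is a local absolute path before using it at all
function is_local_path($url)
{
    // Reject anything with a scheme or host (http://evil.example, //evil.example)
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    // Browsers treat "//host" and "/\host" as network-path references, so
    // require exactly one leading slash followed by something else
    return isset($parts['path'])
        && preg_match('#^/(?![/\\\\])#', $parts['path']) === 1;
}

// The "next" parameter selects an allow-list entry; it is never used as a URL
$next = isset($_GET['next']) ? (string) $_GET['next'] : 'home';
safe_redirect($allowedDestinations, $next);
```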

Fixing Cross-site Scripting in PHP

Posted on December 27, 2012

Note: This post is part of our series on “How to Fix Cross-site Scripting Vulnerabilities“. The series contains examples on how to fix Cross-site Scripting Vulnerabilities in various programming languages.

htmlspecialchars() converts special characters to HTML entities, so that user input is rendered as text rather than interpreted as markup:

<?php
$name = htmlspecialchars($_POST['name'], ENT_QUOTES);
echo $name;
?>
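The right escaping depends on where in the page the value lands. The following added example (not from the original post; the helper names e() and e_js() are assumed) escapes the same input for an HTML text node, a quoted attribute and an inline script, and states the charset explicitly.

```php
<?php
// Added example (not from the original post): escape user input for the HTML
// context it is inserted into. Helper names e() and e_js() are assumed.

// For HTML text and quoted attribute values: convert <, >, &, ", ' to entities.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the charset is stated explicitly.
function e($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a value embedded in an inline script: JSON-encode it with the HTML-safe
// flags so that "</script>" inside the data cannot close the script element.
// json_encode() returns false on invalid UTF-8, so fall back to an empty string.
function e_js($s)
{
    $json = json_encode((string) $s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;
}

// Constructed sample input standing in for $_POST['name']
$name = '<script>alert(1)</script>';

// Text node
echo '<p>Hello, ' . e($name) . '</p>';

// Attribute value: always quote the attribute, then escape the value
echo '<input type="text" name="name" value="' . e($name) . '">';

// Inline script data: the tags come out as \u003C and \u003E escapes
echo '<script>var userName = ' . e_js($name) . ';</script>';
```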

Fixing Insecure Cryptographic Storage in PHP

Posted on December 27, 2012

Note: This post is part of our series on “How to Fix Insecure Cryptographic Storage“. The series contains examples on how to implement secure cryptography in various programming languages.

As seen below, the following code stores sensitive values such as passwords in PHP as a salted hash rather than in clear text:

<?php
    // Registration
    function getRandomSalt() {
        // 16 random bytes from the CSPRNG (random_bytes() needs PHP 7+)
        return random_bytes(16);
    }
    $salt = sha1(getRandomSalt());
    // sha1() hashes a single string: concatenate the salt and the password
    $password = sha1($salt . $user_password);
    // Insert $salt and $password into the database (never the clear-text password)
?>
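A salted SHA-1 digest is fast to compute, which is exactly what an attacker with a copy of the database wants. PHP 5.5 and later ship password_hash() and password_verify(), which use a slow, salted algorithm and embed the salt in the stored string. The following is an added example, not code from the original post; register_user(), check_login() and the $users array are assumed stand-ins for database access.

```php
<?php
// Added example (not from the original post): store passwords with PHP's
// built-in password_hash()/password_verify() (PHP 5.5+). The salt is generated
// and embedded in the hash string automatically. register_user(), check_login()
// and the $users array are assumed stand-ins for a database table.

function register_user(array &$users, $username, $password)
{
    // bcrypt by default; cost is the work factor (raise it as hardware improves)
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
    $users[$username] = $hash;   // store only the hash, never the password
}

function check_login(array &$users, $username, $password)
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT, array('cost' => 12));
    }
    // Verify against a real dummy hash when the user does not exist, so the
    // response time does not reveal which usernames are registered
    $stored = isset($users[$username]) ? $users[$username] : $dummyHash;
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or lower cost
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, array('cost' => 12))) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
    }
    return true;
}

// Constructed sample usage
$users = array();
register_user($users, 'alice', 'correct horse battery staple');
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'nobody', 'anything'));
```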

Fixing SQL Injection in PHP and MS SQL

Posted on May 27, 2011

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages.

An SQL Injection attack is a code injection attack in which input from an attacker reaches one of your databases without any filtering or validation. As a result, a malicious user can execute Read / Write / Delete / Update queries in your database and, in addition, may be able to run system-level commands. PHP has simple ways of preventing these attacks by keeping user input out of the query text. Some of them are listed below:

Parameterized Query

$qualification = $_POST['qualification'];
$sex = $_POST['sex'];

// Question marks are placeholders; the values never become part of the SQL text
$sql = "SELECT Name, City, Phone FROM Students WHERE Qualification = ? AND Sex = ?";

$params = array($qualification, $sex);
$result = sqlsrv_query($conn, $sql, $params);

Here the sqlsrv_query() function accepts three parameters, $conn, $sql and $params (optional):

  • $conn – Connection to the SQL Server Database
  • $sql – The SQL query to fetch the data. Question marks (?) are used as placeholders for parameters.
  • $params – Array values that correspond to the placeholders (?) in the SQL query.
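The same sqlsrv_query() call with input validation, explicit SQL types for the parameters, driver error handling and result fetching, as an added example that is not part of the original post. $conn, the Students table and its column names are assumed.

```php
<?php
// Added example (not from the original post): the sqlsrv_query() pattern above
// with input validation, typed parameters, error reporting and result fetching.
// $conn (from sqlsrv_connect()), the Students table and its columns are assumed.

function find_students($conn, $qualification, $sex)
{
    // Validate shape before querying: these columns have a small fixed vocabulary
    $allowedSex = array('M', 'F');
    if (!in_array($sex, $allowedSex, true) || strlen($qualification) > 50) {
        return false;
    }

    $sql = "SELECT Name, City, Phone FROM Students WHERE Qualification = ? AND Sex = ?";

    // Each parameter may be given as array(value, direction, PHP type, SQL type);
    // the SQL type tells the driver how to send it, independent of the query text
    $params = array(
        array($qualification, SQLSRV_PARAM_IN, null, SQLSRV_SQLTYPE_NVARCHAR(50)),
        array($sex,           SQLSRV_PARAM_IN, null, SQLSRV_SQLTYPE_NCHAR(1)),
    );

    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        // Log the driver errors server-side; never echo them to the user
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }

    $rows = array();
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Constructed sample usage
$rows = find_students($conn, 'BSc', 'F');
```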

Stored Procedure

In the example below a stored procedure call is initialized with mssql_init() and the input values are bound to its named parameters with mssql_bind(), so the values are never spliced into SQL text.

// Initialize a call to the existing stored procedure NewUserRecord
// (the mssql extension was removed in PHP 7; sqlsrv is its successor)
$stmt = mssql_init('NewUserRecord');

// Values to bind: mssql_bind() takes the value by reference, so use variables
$username = 'sameer';
$name     = 'Sameer';
$age      = 25;

// Bind each value to its parameter: name, variable, SQL type, is_output, is_null, maxlen
mssql_bind($stmt, '@username', $username, SQLVARCHAR, false, false, 60);
mssql_bind($stmt, '@name',     $name,     SQLVARCHAR, false, false, 60);
mssql_bind($stmt, '@age',      $age,      SQLINT1,    false, false, 3);

// Execute the stored procedure
mssql_execute($stmt);

Fixing SQL Injection in PHP and MySQL

Posted on May 26, 2011

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages.

An SQL Injection attack is a code injection attack in which input from an attacker reaches one of your databases without any filtering or validation. As a result, a malicious user can execute Read / Write / Delete / Update queries in your database and, in addition, may be able to run system-level commands. PHP has simple ways of preventing these attacks by keeping user input out of the query text. Some of them are listed below:

Escaping
It is always good practice to filter user input, i.e. to escape it before passing it to the database. The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement. It requires an open MySQL connection, and the mysql extension it belongs to was removed in PHP 7; mysqli_real_escape_string() is the equivalent for mysqli.

The following characters are affected:

\x00, \n, \r, \, ', ", \x1a

This function returns the escaped string on success, or FALSE on failure.

// User input is escaped using mysql_real_escape_string()
$user = mysql_real_escape_string($user);
$pwd  = mysql_real_escape_string($password);

Note: This function only escapes string values, where the expected input and output are strings; it does not validate integers, dates or other types, and the escaped value must still be placed inside quotes in the query.

Parameterized Query
A parameterized query is a query in which placeholders are used for parameters and the parameter values are supplied at execution time. The placeholders are typically type-specific (for example, int for integer data and text for strings) which allows the database to interpret the data strictly. For instance, a text placeholder is always interpreted as a literal, avoiding exploits such as the query stacking SQL injection. A mismatch between a placeholder’s type and its incoming datum causes execution errors, adding further validation to the query.

// Basic query to be used, with ? representing the input data
$csquery = "SELECT `fname` FROM students WHERE (`sname` LIKE ?)";

// Take the input as-is: it is sent as a bound parameter, so manual escaping is
// unnecessary (escaping here would double-escape the stored value)
$sname = $_GET['sname'];

// Initialize a prepared statement on the database connection
$cs = mysqli_stmt_init($dblink);

// Send base query to database (without the value)
mysqli_stmt_prepare($cs, $csquery) or die("Error: Please contact the administrator");

// Send parameter type ("s" = string) and value separately to the database
mysqli_stmt_bind_param($cs, "s", $sname);

// Execute Query
mysqli_stmt_execute($cs);

// Bind the result column and display each matching first name
mysqli_stmt_bind_result($cs, $fname);
while (mysqli_stmt_fetch($cs)) {
    echo htmlspecialchars($fname, ENT_QUOTES), "<br>";
}
mysqli_stmt_close($cs);

In the above example the query is prepared with a “?” placeholder (for sname) representing the user input. A prepared statement is initialized on the database connection and the query text is sent to the database without the value. The value and its type are then sent separately. The query is executed and the matching values are displayed using the while loop.

Note: You can bind multiple parameters at once by giving one type character per placeholder in the order they appear (for example "si" for a string followed by an integer).

Data Validation
Using a specific data type is another way to filter user input. For example, if the input is an age or an amount, convert the data to a numeric type. Other validation can be specific to the values the database expects, such as dates or e-mail addresses. This does not by itself prevent SQL injection, but it makes the attacker's job harder.

// Cast to integer: anything that is not a number becomes 0
$age = (int) $_POST['age'];
$query = "SELECT * FROM students WHERE age = $age";

In the above example the value for age is validated with an (int) cast. This prevents the user from passing string characters to the database.
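The following added example (not from the original post) serves both the “Parameterized Query” and “Data Validation” sections above: it validates the age as an integer in a sensible range, then binds it with the "i" type alongside a string parameter. $dblink (an open mysqli connection) and the students table are assumed.

```php
<?php
// Added example (not from the original post): validate an integer input with
// filter_var(), then bind it together with a string parameter. $dblink (an open
// mysqli connection) and the students table are assumed.

function students_by_age_and_surname(mysqli $dblink, $ageInput, $snameInput)
{
    // filter_var() rejects "25abc", "", arrays and out-of-range values, where a
    // plain (int) cast would silently turn them into 0
    $age = filter_var($ageInput, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 150)));
    if ($age === false) {
        return false;
    }

    // Prefix search: escape LIKE wildcards in the user's data so that "%" or "_"
    // typed by the user match literally (binding alone does not do this)
    $pattern = addcslashes((string) $snameInput, '%_\\') . '%';

    $stmt = mysqli_prepare($dblink,
        "SELECT fname, sname FROM students WHERE age = ? AND sname LIKE ?");
    if ($stmt === false) {
        return false;
    }
    // "i" = integer, "s" = string; types and values travel separately from the SQL
    mysqli_stmt_bind_param($stmt, "is", $age, $pattern);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $fname, $sname);

    $rows = array();
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = array('fname' => $fname, 'sname' => $sname);
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed sample usage
$ageIn   = isset($_GET['age']) ? $_GET['age'] : '';
$snameIn = isset($_GET['sname']) ? $_GET['sname'] : '';
$rows = students_by_age_and_surname($dblink, $ageIn, $snameIn);
```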

Stored Procedure
Stored procedures are a set of SQL commands that are stored in the database server. Once stored, the tasks can be executed repeatedly without the commands being sent to the server each time. This also helps to decrease network traffic and reduces CPU load.
Why use a stored procedure?

  • Develop the functionality once, and all applications can call the same commands.
  • Network traffic is greatly reduced.
  • All commands are centralized, which is helpful for applications that repeatedly call the same set of complicated commands.
  • Runs in any environment.

DELIMITER $$
-- Check if the stored procedure exists; if so, drop it and create a new one
DROP PROCEDURE IF EXISTS `UName`.`get_user`$$
CREATE PROCEDURE `UName`.`get_user`
(
    -- Pass the value for userId to the stored procedure
    IN userId INT,
    -- Return the values after the stored procedure has executed
    OUT firstName VARCHAR(100),
    OUT lastName VARCHAR(100)
)
BEGIN
    SELECT first_name, last_name
    INTO firstName, lastName
    FROM users
    WHERE users_id = userId;
END $$
DELIMITER ;
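Calling the get_user procedure above from PHP, as an added example that is not part of the original post: the IN argument is bound as a prepared-statement parameter and the OUT values are read back through MySQL session variables. $dblink (an open mysqli connection selected to the UName database) is assumed.

```php
<?php
// Added example (not from the original post): call the get_user procedure
// defined above. The IN value is a bound parameter; the OUT values are read
// back through session variables. $dblink (mysqli, database UName) is assumed.

function get_user(mysqli $dblink, $userIdInput)
{
    $userId = filter_var($userIdInput, FILTER_VALIDATE_INT);
    if ($userId === false) {
        return false;
    }

    // CALL with a placeholder for the IN argument and session variables for the OUTs
    $stmt = mysqli_prepare($dblink, "CALL get_user(?, @firstName, @lastName)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "i", $userId);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    if (!$ok) {
        return false;
    }

    // Read the OUT parameters back on the same connection (session variables
    // are per connection, so this must not go through a different link)
    $res = mysqli_query($dblink, "SELECT @firstName AS firstName, @lastName AS lastName");
    if ($res === false) {
        return false;
    }
    $row = mysqli_fetch_assoc($res);
    mysqli_free_result($res);
    return $row;   // array('firstName' => ..., 'lastName' => ...), NULLs if no such user
}

// Constructed sample usage
$user = get_user($dblink, isset($_GET['id']) ? $_GET['id'] : '');
```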

Fixing SQL Injection in PHP and Oracle

Posted on May 26, 2011

Note: This post is part of our series on “How to Fix SQL Injection Vulnerabilities“. The series contains examples on how to fix SQL Injection Vulnerabilities in various programming languages.

An SQL Injection attack is a code injection attack in which input from an attacker reaches one of your databases without any filtering or validation. As a result, a malicious user can execute Read / Write / Delete / Update queries in your database and, in addition, may be able to run system-level commands. The following example shows how to prevent malicious input in PHP by binding user input as a parameter instead of concatenating it into the SQL passed to Oracle.

Parameterized Query

<?php

// Accept a parameter called "dept" from a form.
$dept = $_POST['dept'];

// Connect to the Oracle database
$conn = oci_connect("scott", "tiger", "DB10G");

if (!$conn) {
    $e = oci_error();
    echo "Unable to connect: " . htmlspecialchars($e['message'], ENT_QUOTES);
    die();
} else {
    echo "Connected successfully.\n";
}

// Parse a query containing a bind variable.
$stmt = oci_parse($conn, "SELECT * FROM emp WHERE dept = :dept ORDER BY empno");

// Bind the value into the parsed statement (the value never becomes part of the SQL text).
oci_bind_by_name($stmt, ":dept", $dept);

// Execute the completed statement.
oci_execute($stmt, OCI_DEFAULT);

// Fetch each row; oci_result() returns one column of the current row.
while (oci_fetch($stmt)) {
    $empno = oci_result($stmt, "EMPNO");
    $ename = oci_result($stmt, "ENAME");
}
oci_free_statement($stmt);
?>
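Bind variables protect values, not identifiers: a column name in ORDER BY cannot be bound. The following added example (not from the original post) lets the user choose the sort order through an allow-list while the filter value stays bound, and handles execution errors without echoing them. $conn (from oci_connect()) and the emp table are assumed.

```php
<?php
// Added example (not from the original post): bind variables cover values only,
// so a user-selectable sort column comes from an allow-list and is spliced into
// the SQL as a known identifier. $conn (oci_connect()) and table emp are assumed.

function employees_in_dept($conn, $dept, $sortInput)
{
    // Map the user's choice to a fixed identifier; anything else sorts by empno
    $sortColumns = array('empno' => 'empno', 'name' => 'ename', 'hired' => 'hiredate');
    $orderBy = isset($sortColumns[$sortInput]) ? $sortColumns[$sortInput] : 'empno';

    // Only the allow-listed identifier is in the SQL text; the value is bound
    $stmt = oci_parse($conn,
        "SELECT empno, ename FROM emp WHERE dept = :dept ORDER BY " . $orderBy);
    oci_bind_by_name($stmt, ":dept", $dept);

    if (!oci_execute($stmt, OCI_DEFAULT)) {
        $e = oci_error($stmt);
        error_log('Oracle error: ' . $e['message']);   // log it, do not echo to users
        oci_free_statement($stmt);
        return false;
    }

    $rows = array();
    while (($row = oci_fetch_array($stmt, OCI_ASSOC + OCI_RETURN_NULLS)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stmt);
    return $rows;
}

// Constructed sample usage: the sort key is a menu choice, the dept a form value
$dept = isset($_POST['dept']) ? $_POST['dept'] : '';
$sort = isset($_GET['sort']) ? $_GET['sort'] : 'empno';
$rows = employees_in_dept($conn, $dept, $sort);
```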