PHP/MySQL Issue - Be Aware of this

[ledeanio]

Hello,

We have come across an issue using PHP/MySQL that most people may not be aware of.

When a user fills in a php form on a website, they can add some javascript code in a field and save the form. If this code is not converted/encoded and neutralised before it is saved, then when the data is viewed, it can execute and cause a real nuisance.

Unfortunately we had found this when it was too late.

This is just a consideration to bear in mind when building forms.

Cheers,

[brouwer]

You always have to check data from POST or GET values (and initialise all variables that you use when php_register_globals is on). Otherwise, SQL injections is possible.

[ledeanio]

Yep. I didn't realise that. Luckily it wasn't a major attack we had, but it left us scratching our heads for a while.

The attack had a prompt which wasn't the most pleasant of prompts )

But, you learn from your mistakes i suppose.

I've also found the value of MD5 encryption for any data in the GET headers.

[unplugged]

The general rule when desiging web stuff is never trust data where you cant verfy the source

there are plenty of ways around it strip_tags() is one of them to dump all HTML etc and another is entity_encode.

If someone for example puts ">mwahahahahaha into a textbox or </table></html> HAHAHAHA or whatever it can seriously break the page viewing it

[brouwer]

Quote:

Originally Posted by ledeanio

I've also found the value of MD5 encryption for any data in the GET headers.

You should not encode data stored in a database (except for data that should be encoded, like passwords etc.). If you read the database from e.g. phpMyAdmin, you should see the data as it is (so no encoded data, no slashed data,etc.).

[unplugged]

There is no such thing as "MD5 Encryption" if you take a 4GIG file and run it though MD5 you will get a 32byte string that is HASHING not Encryption.

It is also non reversible you cannot take a MD5 string and reverse MD5 it into the original plain text its a 1 way hashing algorithm which is why its so popular for use in passwords. You cant "MD5" the HTTP headers for a start it would require the users browser to send you the data in MD5 and even if it did you wouldn't be able to go back to the original value and it would NOT fix the problem at hand it would still store and execute the JavaScript.

[ledeanio]

I meant hashing sorry. We've now started to look into SHA-1 as a way to disguise passwords etc. I should have paid more attention in my Computer Security course as I would then know about SHA-1.

[unplugged]

SHA-1 is slowly replacing MD5 personally I havent had any problems with MD5 there are a few weeknesses but this will always be the issue with hashing algorithms its very unlikly there going to be able to break a md5 password.

I will prob start switching over now the functions are there in PHP.