
Thread: can you inject past any of these? PHP / mysqli

  1. #1

    can you inject past any of these? PHP / mysqli

    if( preg_match( "#[^A-Za-z0-9_-]#", $name) ) {die('Bad name.');}

    if( preg_match( "#[^A-Za-z0-9_-]#", $youtube) ) {die('Bad youtube.');}

    if( preg_match( "#['<>^$\"]#", $image_raw) ) {die('Bad image URL detected.');}

    if( preg_match( "#['<>^$\"]#", $ava_raw) ) {die('Bad avatar URL detected.');}


    $post = htmlspecialchars($post_raw, ENT_QUOTES);


    Also will be using:

    http://www.php.net/manual/en/mysqli....ape-string.php


    Also wondering: does real escape just add flashes to stuff?
    The only true authority stems from knowledge, not from position.

    You can contact me via matrix protocol: @grats:grats.win or you can email me at the same domain, any user/email address.

  2. #2

    I don't know what you mean by the escape adds flashes to stuff..

    As for injecting past these.. Well, here is a downside to a regex.

    A regex matches a pattern, which leaves the door wide open for injection. IIRC, tumblr had pattern matching a couple of months ago.. Theirs weren't as good as yours, but the trick to getting around it was to base64 encode everything and send that as the data instead. Their servers saved it and, when requested, sent it..

    The browser decodes base64 automatically and bam.. messed up their whole site.


    That being said, the only things I see that "could possibly" get injected are the images/raw images.. It's easier to just check the header (usually the first 8-18 bytes) of the image and restrict it to just 3-4 types.. The most common: BMP, PNG, GIF, JPG.

    I don't think anyone would be able to inject past them.. Well, I can't think of anything atm. Does your regex match ''? What if the user enters '' (nothing) for a username and password? Perhaps someone might try Unicode?
    Last edited by Brandon; 02-09-2013 at 03:21 PM.
    I am Ggzz..
    Hackintosher

  3. #3

    I meant slashes, not flashes, lol, my bad

    and also sorry I didn't update the original post, I changed them right after I posted this; those were just my originals:

    if( preg_match( "#[^A-Za-z0-9_ -]#", $name) ) {die('Bad name.');} else if (strlen($name) > 20) {die('Your name is too long.'); }
    if( preg_match( "#[^A-Za-z0-9_-]#", $youtube) ) {die('Bad youtube.');} else if (strlen($youtube) > 15) {die('Your youtube is too long.'); }
    if( preg_match( "#['<>^$\"]#", $image_raw) ) {die('Bad image URL detected.');} else if (strlen($image_raw) > 145) {die('Your image is too long.'); }
    if( preg_match( "#['<>^$\"]#", $ava_raw) ) {die('Bad avatar URL detected.');} else if (strlen($ava_raw) > 145) {die('Your avatar is too long.'); }
    if (strlen($post_raw) < 3) {die('No post found or post too short.'); } else if (strlen($post_raw) > 2000) {die('Your post is too long.'); }

    $post = htmlspecialchars($post_raw, ENT_QUOTES);



    PHP brackets make them look ugly??


    also sorry, but I have no idea what you're talking about in your post, can you show an example? I looked around for your base64; I am confused

    anyway, to my knowledge I block out all of the bad characters that could cause problems I think?

    also, the empty fields are handled elsewhere when the database is queried, but there are default print outs for blank entries

    thanks for your help, I just wanted to make sure it was pretty secure, I don't really have anything on my servers this has access to that I'd care if it got hacked/stolen or whatever, I just like to learn how to make it secure
    Last edited by grats; 02-09-2013 at 11:15 PM.

  4. #4

    If you're worried about SQLi, you may want to have a look at PDO, though adding slashes will greatly reduce what can be done to your server (you usually need quotes if you want to upload a shell with SQLi).
    However, if you are uploading images (doesn't seem like it) you want to crack down on those.
    Always helps to add security.
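    As an added example, not code from anyone in the thread: the checks from post #3 collected into one function, followed by the database write done with a mysqli prepared statement instead of real_escape_string, which is the point post #4 raises about slashes. The table name `posts` and its column names are assumptions.

```php
<?php
declare(strict_types=1);

// Same rules as the thread's checks, returning a list of problems
// instead of calling die() per field.
function validate_post_fields(array $in): array
{
    $errors = [];
    $rules = [
        // field      => [regex of forbidden chars, max length]
        'name'      => ['#[^A-Za-z0-9_ -]#', 20],
        'youtube'   => ['#[^A-Za-z0-9_-]#', 15],
        'image_raw' => ['#[\'<>^$"]#', 145],
        'ava_raw'   => ['#[\'<>^$"]#', 145],
    ];
    foreach ($rules as $field => [$forbidden, $max]) {
        $value = $in[$field] ?? '';
        if (preg_match($forbidden, $value)) {
            $errors[] = "Bad $field.";
        } elseif (strlen($value) > $max) {
            $errors[] = "Your $field is too long.";
        }
    }
    $post = $in['post_raw'] ?? '';
    if (strlen($post) < 3) {
        $errors[] = 'No post found or post too short.';
    } elseif (strlen($post) > 2000) {
        $errors[] = 'Your post is too long.';
    }
    return $errors;
}

// mysqli_real_escape_string() escapes quotes, backslashes, NUL and newlines,
// but it only protects a value placed inside a quoted SQL string literal.
// Binding sends the values separately from the SQL text, so the regex checks
// above decide what the site allows, not whether the query is safe.
// Table and column names are assumed for this example.
function insert_post(mysqli $db, array $f): bool
{
    $stmt = $db->prepare(
        'INSERT INTO posts (name, youtube, image_url, avatar_url, body) VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $body = htmlspecialchars($f['post_raw'], ENT_QUOTES); // as the thread does
    $stmt->bind_param('sssss', $f['name'], $f['youtube'], $f['image_raw'], $f['ava_raw'], $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

    Call validate_post_fields() on the request data first and only call insert_post() when the returned list is empty.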

  5. #5

    Quote Originally Posted by Neodymium:
    If you're worried about SQLi, you may want to have a look at PDO, though adding slashes will greatly reduce what can be done to your server (you usually need quotes if you want to upload a shell with SQLi).
    However, if you are uploading images (doesn't seem like it) you want to crack down on those.
    Always helps to add security.
    PDO really won't make all that much difference, to be honest, Neo

  6. #6

    yea, I have PDO anyway, lol..

    and yea, no uploading at all; pretty much the most that goes on is text input.. though I have images locked down through NGiNX and not with PHP, since there are too many image exploits with PHP.. just to be on the extra, extra safe side

    thanks for the help though, guys, I guess it is pretty secure, I just was making sure I didn't forget something huge