user input question

[daniel.robert at acm.org (Danny)]

The big concern re: sanitizing input here is SQL injection.  If a user  
inputs a hash value like '20394kljadlk903; DELETE FROM  
your_hash_table', your executed query would be:

SELECT DISTINCT hash FROM your_hash_table WHERE hash = '$hash'; DELETE  
FROM your_hash_table

If these both successfully execute, you will retrieve the distinct  
hash value, but subsequently delete everything in your table.

If the user is simply inputting a hash value, consider using a regular  
expression or some means of validating what you expect to receive as a  
hash value.  For example, if it's a 20-character string of letters and  
numbers, the user will not be able to enter something malicious such  
as "DELETE FROM" if you don't allow spaces.

This was a pretty lame example I have provided, but it's probably what  
your friend was getting at in terms of santization.  You just need to  
make sure the input you're processing is the input you expect to be  
getting.

-Danny

Quoting Eric C <eric at newmag.org>:

>>> smattering of PHP (if you saw the code for the
> tracker
>>> I'm making you would give yourself a tummy ache
>>> giggling) I assumed that those were variables I'm
>
>> Do tell!  And let us know what you need help with.
>
> Well if I'm going to ask a question it should probably
> be on the part where I'm most likely to get cracked,
> user input.  Below is the page to handle a form on
> index.php.  Now stop laughing!  It's my first module.
> Anyway, if any of you real programmers see any
> particularly idiotic screwups please let me know.  A
> friend mentioned that I should sanitize the users
> input.  Any suggested reading on some simple ways to
> do this?  Thanks for suggestions.
> - Eric C.
>
> ****************************************
>
> <?php
> /*
>  * xpsTorrent! -  a bittorrent tracker module for
> XOOPS
>  *
>  * form.php
>  */
>
> require('../../mainfile.php');
> require(XOOPS_ROOT_PATH.'/header.php');
> global $xoopsDB;
> global $xoops_url;
>
> $name=htmlspecialchars($_POST['name']);
> $hash=htmlspecialchars($_POST['hash']);
> $announce=$_POST['announce'];
> $metadata=$_POST['metadata'];
> $linkback=$xoops_url;
>
> // Let's check to see if this hash is already in the
> database
> $query = "SELECT DISTINCT hash FROM
> ".$xoopsDB->prefix('xps_torrents'). " WHERE hash =
> '$hash'";
> $result = $xoopsDB->query($query);
> if ($result) {
>    if ($xoopsDB->getRowsNum($result) > 0) {
> echo " <p>This torrent is already in our database.
> <b>Please try again.</b></p>
>      <a href=$linkback>Click here to return to the
> main page.</a>";
> }
> else {
> // Insert a row into the table
> $sql = "INSERT INTO
> ".$xoopsDB->prefix('xps_torrents');
> $sql .= " ( name, hash, announce, metadata,
> last_scrape ) VALUES ";
> $sql .= " ( '$name', '$hash', '$announce',
> '$metadata', NOW() )";
>
> if ( ! $xoopsDB->query($sql) ) {
> echo( $xoopsDB->error." : ".$xoopsDB->errno );
> }
>    echo " <p>Your information has been successfully
> added to the database.</p>
>      <a href=$linkback>Click here to return to the
> main page.</a>";
> }
> }
> require(XOOPS_ROOT_PATH.'/footer.php');
>
> ?>
>
> ****************************************
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.