rebelt (Worker; joined May 07, 2006; 172 posts)
Posted: Sat Nov 01, 2008 11:46 am
I must admit I am rubbish at writing scripts, so I look for programs to do it for me.
For example, I need to collect results, so I turned to PHP-Form Wizard for help.
It produced this as a result.
Code:
<?php
# ----------------------------------------------------
# -----
# ----- This script was generated by PHP-Form Wizard 1.2.5
# -----
# ----- http://www.tools4php.com
# -----
# ----------------------------------------------------
// Receiving variables
@$DateOfMatch = addslashes($_POST['DateOfMatch']);
@$Division = addslashes($_POST['Division']);
@$Home_Team = addslashes($_POST['Home_Team']);
@$Home_Score = addslashes($_POST['Home_Score']);
@$Away_Team = addslashes($_POST['Away_Team']);
@$Away_Score = addslashes($_POST['Away_Score']);
@$Submitted_By = addslashes($_POST['Submitted_By']);
@$Email = addslashes($_POST['Email']);
@$Comments = addslashes($_POST['Comments']);
// Validation
//Sending Email to form owner
$pfw_header = "From: $Email\n"
. "Reply-To: $Email\n";
$pfw_subject = "League Result";
$pfw_email_to = "results@*********.org.uk";
$pfw_message = "DateOfMatch: $DateOfMatch\n"
. "Division: $Division\n"
. "Home_Team: $Home_Team\n"
. "Home_Score: $Home_Score\n"
. "Away_Team: $Away_Team\n"
. "Away_Score: $Away_Score\n"
. "Submitted_By: $Submitted_By\n"
. "Email: $Email\n"
. "Comments: $Comments\n";
@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;
//Sending auto respond Email to visitor
$pfw_header = "From: results@*********.org.uk\n"
. "Reply-To: results@**********.org.uk\n";
$pfw_subject = "League Result";
$pfw_email_to = "$Email";
$pfw_message = "Just to confirm your result as\n"
. "Division $Division\n"
. "Home_Team $Home_Team\n"
. "Home_Score $Home_Score\n"
. "Away_Team $Away_Team\n"
. "Away_Score $Away_Score\n"
. "\n"
. "Please check the live results link to check your result is there.\n"
. "\n"
. "Regards\n"
. "P";
@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;
//saving record to MySQL database
//changing date formats
@$pfw_strQuery = "INSERT INTO `*****`(`DateOfMatch`,`Division`,`Home_Team`,`Home_Score`,`Away_Team`,`Away_Score`,`Submitted_By`,`Email`,`Comments`)VALUES (\"$DateOfMatch\",\"$Division\",\"$Home_Team\",\"$Home_Score\",\"$Away_Team\",\"$Away_Score\",\"$Submitted_By\",\"$Email\",\"$Comments\")" ;
@$pfw_host = "host";
@$pfw_user = "user";
@$pfw_pw = "password.";
@$pfw_db = "database";
$pfw_link = mysql_connect($pfw_host, $pfw_user, $pfw_pw);
if (!$pfw_link) {
die('Could not connect: ' . mysql_error());
}
$pfw_db_selected = mysql_select_db($pfw_db, $pfw_link);
if (!$pfw_db_selected) {
die("Cannot use $pfw_db: " . mysql_error());
}
//insert new record
$pfw_result = mysql_query($pfw_strQuery);
if (!$pfw_result) {
die('Invalid query: ' . mysql_error());
}
mysql_close($pfw_link);
echo("<p align='center'><font face='Arial' size='3' color='#FF0000'>Thank You<br>Please click the back button on your browser</font></p>");
?>
Does anyone know of a programme which will check scripts for security, as I obviously don't want to leave a way in for someone to hack away?
Hope that makes sense.

Guardian2003 (Site Admin; joined Aug 28, 2003; 6799 posts; Ha Noi, Viet Nam)
Posted: Sat Nov 01, 2008 12:50 pm
The only way you are going to do that is by reading something.
Sorry, but there are just so many things to consider that it would be impractical to give you any decent advice without writing a book on it.
As a brief example, the database connection variables should be single-quoted, not double-quoted; in fact the whole script should be single-quoted. I definitely wouldn't use it as it is now.
Your receiving variables are prepended by ampersands, which is good, as it should prevent an error being generated and possibly giving away useful information to a would-be script kiddie.
The problem, though, is that there is next to no validation of the data being processed:
How do you know the email field contains an email address?
How do you know that only plain text is being passed in the fields that only require plain text?
.....

evaders99 (Former Moderator in Good Standing; joined Apr 30, 2004; 3221 posts)
Posted: Sat Nov 01, 2008 2:16 pm
Quote: the database connection variables should be single quoted not double quoted, in fact the whole script should be single quoted
I don't understand why that would be a security issue. A string is a string, unless you want to parse $variables inside the string, in which case double quotes will work.
Guardian is correct about the validation.
I see nothing obvious for SQL injections, as everything is escaped with addslashes. That doesn't mean there couldn't be other vulnerabilities, especially using the mail function.
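The mail-function problem evaders99 alludes to, shown as an added example in PHP 7.1 or later (this is not code from the original post or from PHP-Form Wizard): the generated script drops the visitor's Email field straight into the From:/Reply-To: header block of mail(), so a submitted value containing a line break appends headers of the attacker's choosing. The site address results@example.org and the attacker input below are constructed placeholders.

```php
<?php
// Added example, not code from the original post or from PHP-Form Wizard.
// Shows the header-injection hole in the generated mail() code and one way
// to close it. The site address and the attacker input are constructed.

// What the generated script does: the visitor's Email field goes straight
// into the extra-headers argument of mail().
function build_headers_vulnerable(string $email): string
{
    return "From: $email\n" . "Reply-To: $email\n";
}

// Hardened: accept a single syntactically valid address with no line breaks.
function safe_email(string $input): ?string
{
    $input = trim($input);
    if (preg_match('/[\r\n]/', $input)) {   // a line break would start a new header
        return null;
    }
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// From: stays the site's own address (its SPF/DMARC policy applies); the
// visitor's validated address only ever appears in Reply-To:.
function build_headers_safe(string $input, string $owner): ?string
{
    $email = safe_email($input);
    if ($email === null) {
        return null;                        // caller must refuse to send
    }
    return "From: $owner\r\n" . "Reply-To: $email\r\n";
}

// Constructed attacker input: a plausible address, a CRLF, then a header
// the form owner never wrote.
$attacker = "attacker@example.com\r\nBcc: victim1@example.net, victim2@example.net";
$owner    = 'results@example.org';           // assumed placeholder for the site address

echo "Vulnerable header block:\n", build_headers_vulnerable($attacker), "\n";
echo "Hardened, attacker input: ";
var_dump(build_headers_safe($attacker, $owner));
echo "Hardened, normal input: ";
var_dump(build_headers_safe('fan@example.com', $owner));
```

Run it from the command line with php: the vulnerable builder prints a header block that now carries a Bcc: line, so every form submission becomes a way to send mail to addresses the attacker picks, while build_headers_safe() returns null for that input and a two-line header for a normal address. The same safe_email() check belongs in front of the auto-respond mail() call in the posted script, which otherwise sends a confirmation to whatever the visitor typed into the Email field.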

rebelt
Posted: Sat Nov 01, 2008 2:56 pm
Thanks for the quick replies, guys.
I understand what you say about reading, Guardian, but I find that after learning something I don't use it for months, by which time I've forgotten it, so I have to try and re-learn it. (Must be my age.)
I tried using validation within the program but received an error:
Quote: Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\html\forms\index.php on line 25
with this:
Code:
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $Email))
{
die('<p align='center'><font face='Arial' size='3' color='#FF0000'>Please enter a valid email</font></p>');
}
Quote: other vulnerabilities, esp using the mail function.
Again, I wouldn't know the problem with the mail function.
I can't expect you guys to sort out the many problems which may exist.
If there is no program to examine code, do you know of an idiot's guide?
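The checks Guardian2003 asks about (is the email field really an address, is each plain-text field really plain text), plus an error message quoted so that it parses, as an added example in PHP 7.1 or later. It is not code from the original post or from PHP-Form Wizard: the DIVISIONS list, the length limits, the table name results and the PDO connection line are assumptions standing in for the site's real values, and the sample submission is constructed. The insert uses a PDO prepared statement instead of addslashes() and string concatenation, so the quoting of the values never depends on the SQL text.

```php
<?php
// Added example, not code from the original post or from PHP-Form Wizard.
// Validates every field the generated script accepted blindly, then stores
// the row with a prepared statement. DIVISIONS, the length limits, the table
// name `results` and the PDO DSN are assumptions, not the site's real values.
const DIVISIONS = ['Premier', 'Division 1', 'Division 2'];   // assumed list

// Returns [errors, clean]: a list of messages and the validated, typed fields.
function validate_result(array $post): array
{
    $errors = [];
    $clean  = [];
    // DateOfMatch: exact YYYY-MM-DD that round-trips through DateTime
    $date = trim($post['DateOfMatch'] ?? '');
    $dt   = DateTime::createFromFormat('!Y-m-d', $date);
    if ($dt === false || $dt->format('Y-m-d') !== $date) {
        $errors[] = 'DateOfMatch must be a real date in YYYY-MM-DD form';
    } else {
        $clean['DateOfMatch'] = $date;
    }
    // Division: one of a known list, not free text
    $div = $post['Division'] ?? '';
    if (in_array($div, DIVISIONS, true)) {
        $clean['Division'] = $div;
    } else {
        $errors[] = 'Unknown division';
    }
    // Team and submitter names: "plain text" = letters, digits, space and a
    // few punctuation marks, capped in length
    foreach (['Home_Team', 'Away_Team', 'Submitted_By'] as $f) {
        $v = trim($post[$f] ?? '');
        if ($v !== '' && strlen($v) <= 60 && preg_match('/^[\p{L}\p{N} .\'&-]+$/u', $v)) {
            $clean[$f] = $v;
        } else {
            $errors[] = "$f must be 1-60 letters, digits, spaces or .'&-";
        }
    }
    // Scores: ctype_digit() rejects '', '-1', '3.5' and '1e9'
    foreach (['Home_Score', 'Away_Score'] as $f) {
        $v = trim($post[$f] ?? '');
        if (ctype_digit($v) && (int) $v <= 99) {
            $clean[$f] = (int) $v;
        } else {
            $errors[] = "$f must be a whole number from 0 to 99";
        }
    }
    // Email: syntactic check; the filter also refuses CR/LF, so the value is
    // safe to place in a mail header afterwards
    $email = filter_var(trim($post['Email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['Email'] = $email;
    } else {
        $errors[] = 'Please enter a valid email';
    }
    // Comments: free text, bounded, control characters other than newline removed
    $c = $post['Comments'] ?? '';
    if (strlen($c) <= 1000) {
        $clean['Comments'] = preg_replace('/[^\P{C}\n]/u', '', $c) ?? '';
    } else {
        $errors[] = 'Comments must be 1000 characters or fewer';
    }
    return [$errors, $clean];
}

// Prepared statement: values travel separately from the SQL text, so the
// quoting of user data no longer matters to the query.
function store_result(PDO $db, array $clean): void
{
    $sql = 'INSERT INTO results (DateOfMatch, Division, Home_Team, Home_Score,
                Away_Team, Away_Score, Submitted_By, Email, Comments)
            VALUES (:DateOfMatch, :Division, :Home_Team, :Home_Score,
                :Away_Team, :Away_Score, :Submitted_By, :Email, :Comments)';
    $db->prepare($sql)->execute($clean);
}

// Constructed sample submission standing in for $_POST; four fields are bad.
$post = [
    'DateOfMatch'  => '2008-11-01',      'Division'   => 'Premier',
    'Home_Team'    => 'Rovers',          'Home_Score' => '3',
    'Away_Team'    => 'United <script>', 'Away_Score' => '-1',
    'Submitted_By' => 'P',
    'Email'        => "p@example.com\r\nBcc: x@example.net",
    'Comments'     => "Good game\x00",
];

[$errors, $clean] = validate_result($post);
if ($errors !== []) {
    // Single-quoted PHP string, double-quoted HTML attributes, so the inner
    // quotes do not end the string; htmlspecialchars() stops reflected text
    // from being rendered as HTML.
    foreach ($errors as $e) {
        echo '<p align="center"><font face="Arial" size="3" color="#FF0000">'
           . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</font></p>\n";
    }
    exit(1);
}
// Reached only when every field validated (assumed DSN and credentials):
// $db = new PDO('mysql:host=host;dbname=database;charset=utf8mb4', 'user', 'password');
// store_result($db, $clean);
```

The parse error in the post above comes from `die('<p align='center'...')`: the second single quote ends the PHP string, and `center` is then read as a bare T_STRING. Swapping the quoting levels (single-quoted PHP string, double-quoted HTML attributes), or escaping the inner quotes as \', fixes it; passing the message through htmlspecialchars() additionally keeps anything reflected from the form from being rendered as HTML. With the constructed input the script prints one error line each for Away_Team, Away_Score and Email and never reaches the database; replace the sample array with $_POST and the commented PDO line with the site's real DSN to use it in place of the generated insert.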

evaders99
Posted: Sun Nov 02, 2008 12:47 am
No idiot's guide exists, but there are many PHP security books and online references.

montego (Site Admin; joined Aug 29, 2004; 9457 posts; Arizona)
Posted: Tue Nov 04, 2008 6:07 pm
And a good one is called PHP Pro Security, I believe.

rebelt
Posted: Fri Nov 07, 2008 11:16 am
Thanks guys.