PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Fri Jun 16, 2006 4:28 pm Post subject: Generically Securing PHP code
Hi there
I am having great problems securing my code. I have a requirement to run a shell command in PHP to output some text to a com port (and into a scrolling display):
Code:
$output = shell_exec('echo ^<ID01^> '.$_POST['message'].' > com1');
The problem is that my code is not secure: type an & and you can then run another command. Someone kindly demonstrated this to me today by shutting my server down. *cough*cmxflash*cough*
I believe I am also prone to SQL injection attacks, and just little things like apostrophes screw everything up.
I have been looking at htmlspecialchars, htmlentities and magic quotes, but I can't find a good way to implement them.
Is it possible to set up a security module that will protect against such things and use that as a PHP include that could be reused over and over?
If not, does anyone know what code I would have to implement to resolve the above issues?
Thanks
Paul
cmxflash
Joined: 11 Dec 2004 Posts: 872
Posted: Fri Jun 16, 2006 5:06 pm Post subject:
Well, you could use eregi to disallow any other character(s) than a-z and A-Z.
Off topic: Where did you get that display?
AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Fri Jun 16, 2006 5:12 pm Post subject:
Quote:
Off topic: Where did you get that display?
I'd also like to know :-)
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
MonkeyNation
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Fri Jun 16, 2006 6:51 pm Post subject:
escapeshellcmd().
PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Sat Jun 17, 2006 3:19 pm Post subject:
I bought my Prolite sign from eBay for about £30; they come up every now and then. It's easy to hook 'em up and it's a great toy. I have mine displaying messages from the web and telling me who is connected to my website etc. They also make a nice clock.
This link may be useful: http://wls.wwco.com/ledsigns/prolite/purchase.html
Don't forget to go to the root homepage for additional info.
That's the off-topic covered; can I get a little more help with the security pls :)
Paul
MonkeyNation
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Sat Jun 17, 2006 3:57 pm Post subject:
Code:
$output = shell_exec('echo ^<ID01^> '.escapeshellcmd($_POST['message']).' > com1');
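A reusable version of the two suggestions so far (cmxflash's allowlist and MonkeyNation's escapeshellcmd()), written as the kind of include Paul asked for in the opening post. This is an added example, not code from the thread: the file name, the function names, the 80-character cap and the exact allowlist are assumptions; `com1` and the `^<ID01^>` prefix come from Paul's post. The allowlist is the real control: it rejects `&`, `<`, `>`, `|`, `^`, quotes, backslash and the other cmd.exe metacharacters outright instead of trying to escape them (unescaped `<` or `>` in the message would otherwise be taken by cmd.exe as redirection, just as `&` is taken as a command separator), so escapeshellcmd() is kept only as defence in depth. escapeshellarg() is normally the better fit for a single argument, but on Windows it wraps the value in double quotes, which `echo` then sends to the sign literally, so it is not used here.

```php
<?php
// sign_security.php (hypothetical file name): added example, not code from
// the thread. Meant to be pulled in with require_once by every page that
// talks to the sign, as asked for in the opening post.
declare(strict_types=1);

/**
 * Allowlist the sign message rather than stripping "bad" characters.
 * Letters, digits, space and a little punctuation are accepted; everything
 * else (&, <, >, |, ^, quotes, backslash, %, !, ...) is rejected, so cmd.exe
 * never sees a metacharacter. The 80-character cap is an assumption; use
 * whatever the sign actually supports.
 */
function validate_sign_message(string $message): string
{
    $message = trim($message);
    if ($message === '' || strlen($message) > 80) {
        throw new InvalidArgumentException('message must be 1-80 characters');
    }
    if (!preg_match('/\A[A-Za-z0-9 .,:?\-]+\z/', $message)) {
        throw new InvalidArgumentException('message contains disallowed characters');
    }
    return $message;
}

/**
 * Build the command from Paul's post. The allowlist has already removed
 * anything escapeshellcmd() would need to escape, so it stays purely as
 * defence in depth: if the allowlist is ever loosened, it still neutralises &.
 */
function build_sign_command(string $message, string $port = 'com1'): string
{
    $safe = validate_sign_message($message);
    return 'echo ^<ID01^> ' . escapeshellcmd($safe) . ' > ' . $port;
}

/**
 * Wrapper for the web page: an invalid message never reaches shell_exec(),
 * and the rejection is logged so abuse attempts show up in the error log.
 * Returns the command output, or null when the message was rejected.
 */
function send_to_sign(string $message): ?string
{
    try {
        $command = build_sign_command($message);
    } catch (InvalidArgumentException $e) {
        error_log('sign message rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli')
            . ': ' . $e->getMessage());
        return null;
    }
    $output = shell_exec($command);
    return is_string($output) ? $output : null;
}

// Command-line demo with constructed inputs: prints the command that would be
// run for a legitimate message and the rejection for one carrying an
// ampersand. Nothing is executed here.
if (PHP_SAPI === 'cli') {
    foreach (['Hello from the web', 'Hello & another command'] as $input) {
        try {
            echo build_sign_command($input), PHP_EOL;
        } catch (InvalidArgumentException $e) {
            echo 'REJECTED: ', $e->getMessage(), PHP_EOL;
        }
    }
}
```

The page that handles the form would `require_once 'sign_security.php';` and call `send_to_sign($_POST['message'])`; because validation throws on anything outside the allowlist, the calling page cannot forget to escape, which is the point of keeping it in one include.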
PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Sat Jun 17, 2006 5:15 pm Post subject:
Thank you MN, gonna give it a whirl now
PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Sun Jun 18, 2006 9:19 am Post subject:
So I have tested escapeshellcmd and that works really well at preventing other commands being run using '& command', but it doesn't protect against SQL injection.
I have been looking at ereg_replace and eregi_replace with the idea of swapping '\' and '&' with '-', but I can't get the command to work with my output.
Do you good people think this is a good way of securing my code, and can anyone help me with formatting the code so it works?
Thanks
Paul
MonkeyNation
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Sun Jun 18, 2006 1:15 pm Post subject:
I don't know why you're worried about SQL injection with shell_exec, but addslashes() is what you're after.
It also might be worth creating a custom function for this, in case you want to change the way they're escaped further down the line.
PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Sun Jun 18, 2006 3:29 pm Post subject:
My website takes messages for the scrolling sign, outputs the text into MySQL and displays it on the screen (gives me some history of messages and is teaching me MySQL); then it takes the output and squirts it to the com port so the sign can display it.
So I have two issues: & shell commands (fixed) and SQL injection/special chars in the DB.
I have been playing with this code:
Code:
if (isset($_POST['message'])) {
    $pattern = '(>[^<]/\&*)('. quotemeta($_POST['message']) .')';
    $replacement = ".";
    $_POST['message'] = eregi_replace($pattern, $replacement, $_POST['message']);
}
but I'm getting nowhere fast. I want to remove special characters so metadata etc. cannot be hidden in messages.
It's been a long weekend :)
MonkeyNation
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Sun Jun 18, 2006 5:07 pm Post subject:
Dude, addslashes().
Code:
mysql_query("INSERT INTO `music` (`artist`,`title`) VALUES('".addslashes($_POST['artist'])."', '".addslashes($_POST['title'])."')");
You could also use mysql_real_escape_string() too, come to think of it.
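The SQL half of Paul's pipeline, as an added example that is not code from the thread, using PDO prepared statements instead of the addslashes()/mysql_real_escape_string() suggested above. The caveats a reviewer would raise about the post: addslashes() is not a SQL escaping function and knows nothing about the connection's character set; mysql_real_escape_string() needs an open connection, and the whole mysql_* extension was removed in PHP 7. With a prepared statement the message travels as a bound parameter, so there is no escaping step to get wrong, and the same two-placeholder pattern covers the `music` INSERT in the post. The table name `messages`, its columns and the in-memory SQLite DSN are assumptions so the block runs offline; against the thread's MySQL database only the DSN and credentials change.

```php
<?php
// Added example, not code from the thread: PDO prepared statements instead of
// addslashes()/mysql_real_escape_string(). Table name and columns are assumed.
declare(strict_types=1);

/**
 * Open the database. The in-memory SQLite DSN is a constructed default so the
 * example runs offline; for Paul's MySQL database the DSN would be something
 * like 'mysql:host=localhost;dbname=sign;charset=utf8mb4' plus credentials,
 * and the prepared-statement code below stays the same.
 */
function open_db(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $password = null): PDO
{
    $pdo = new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Constructed schema for the demo (SQLite syntax); a real deployment has
    // the table already.
    $pdo->exec('CREATE TABLE IF NOT EXISTS messages (
                    id INTEGER PRIMARY KEY AUTOINCREMENT,
                    message TEXT NOT NULL,
                    posted_at TEXT NOT NULL)');
    return $pdo;
}

/**
 * Store one message. The text is a bound parameter, never part of the SQL
 * string, so apostrophes, backslashes and quotes are stored exactly as typed
 * and cannot change the meaning of the statement.
 */
function store_message(PDO $pdo, string $message): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (message, posted_at) VALUES (:message, :posted_at)');
    $stmt->execute([':message' => $message, ':posted_at' => date('c')]);
    return (int) $pdo->lastInsertId();
}

/** Most recent messages for the history page, newest first. */
function recent_messages(PDO $pdo, int $limit = 10): array
{
    $stmt = $pdo->prepare('SELECT message FROM messages ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Output encoding for the HTML history page. This is where the
 * htmlspecialchars() from the opening post belongs: at the point the text is
 * written into HTML, not before the INSERT.
 */
function render_message(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    $pdo = open_db();
    // Constructed inputs, including the apostrophes that broke the original code.
    foreach (["Paul's sign says hi", "Who's online: 3 visitors"] as $message) {
        store_message($pdo, $message);
    }
    foreach (recent_messages($pdo) as $message) {
        echo render_message($message), PHP_EOL;
    }
}
```

Keeping the three concerns separate is the design point: validation decides what is accepted, the bound parameter keeps the database safe, and htmlspecialchars() keeps the browser safe. Escaping for one sink (addslashes for SQL, or stripping characters "just in case") does nothing for the others, which is why the thread keeps running into a new problem each time one is fixed.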
PaulK
Joined: 26 Apr 2006 Posts: 132 Location: London, UK
Posted: Sun Jun 18, 2006 7:47 pm Post subject:
Sorry for not listening MN, this worked:
Code:
message= '".addslashes($message)."',
Protects SQL.
And this worked:
Code:
$output = shell_exec('echo ^<ID01^> '.escapeshellcmd($_POST['message']).' > com1');
Prevents additional shell commands.
And:
Code:
if (eregi("<", $_POST['message']) || eregi(">", $_POST['message'])) {
    die("No Code Allowed!!!");
}
Prevents '<' and '>'.
I think that's pretty secure. My thanks go to MonkeyNation and of course to cmxflash.
I hope this may be useful to others.
Paul