vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Is this safe? (https://vborg.vbsupport.ru/showthread.php?t=218353)

1Unreal 07-11-2009 03:11 AM

Is this safe?
 
I'm making an ajax autocomplete search and I want to make sure the server side is safe.

Is there anything wrong with this?

PHP Code:

<?php
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'ajax_search');
define('CSRF_PROTECTION', true);
define('LOCATION_BYPASS', 1);
define('NOPMPOPUP', 1);

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
$vbulletin->input->clean_gpc('r', 'q', TYPE_STR);
$query = $_REQUEST['q'];

if (strlen($query) >= 3)
{
	// $query is interpolated straight into the LIKE clause without escaping
	$results = $vbulletin->db->query_read("SELECT `query` FROM `search` WHERE `query` LIKE '$query%' LIMIT 1");
	$result = $vbulletin->db->fetch_array($results);
	echo $result['query'];
}
?>


Dismounted 07-11-2009 04:25 AM

That script is open to SQL injection. You're not safely escaping input. Apart from that, it could possibly cause some load issues (depending on how often AJAX calls the script).

1Unreal 07-11-2009 04:39 AM

Doesn't $vbulletin->input->clean_gpc() prevent injection?

Dismounted 07-11-2009 09:23 AM

No, it does not. $db->escape_string() prevents SQL injection.

1Unreal 07-11-2009 12:24 PM

Oh, I would have thought vB would automatically clean up all user input by default. Kind of a security flaw for us ignorant few.

Dismounted 07-11-2009 01:47 PM

Not all input needs to be escaped for SQL, as not all input is used in SQL queries. The same happens for XSS. Not all input needs to be escaped for XSS.

1Unreal 07-11-2009 03:54 PM

But there's no harm in escaping it though right?

Dismounted 07-12-2009 04:16 AM

Example
PHP Code:

$foo = 'Some Random Quote: "PHP is better than Rails"';
$bar = mysql_real_escape_string($foo);

// Some Random Quote: "PHP is better than Rails"
echo $foo;

// Some Random Quote: \"PHP is better than Rails\"
echo $bar;

I think you can see the difference.

1Unreal 07-12-2009 10:43 PM

Sorry, you're right. I was presuming everything was being put in the database.

Marco van Herwaarden 07-14-2009 10:58 AM

Not only that, the input cleaner should not "clean" variables that still are used in their raw form (calculations for example). It will clean according to the class that is used.

Some examples:
TYPE_STR - Any string, including non-safe characters.
TYPE_NOHTML - Same as above, but cleaned of all HTML special characters. Safe to display on page (XSS), but not SQL-safe.

TYPE_INT - Non-numeric data is stripped, safe to display or use in query.
TYPE_UINT - Same as above, but only positive integers allowed.
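A hardened version of the script from the first post, as an added example (not code posted in this thread), applying Dismounted's advice to use $db->escape_string() and Marco's point that clean_gpc() types only cast or strip HTML. It assumes the same vBulletin 3.x environment (global.php, $vbulletin, htmlspecialchars_uni()) and the `search` table with its `query` column used above; the LIMIT is raised to 10 rows and the result loop is mine.

```php
<?php
// Added example: ajax_search.php hardened against the issues raised in the thread.
// Assumes vBulletin 3.x (global.php, $vbulletin, TYPE_STR, htmlspecialchars_uni)
// and the `search` table from the original post.
error_reporting(E_ALL & ~E_NOTICE);

define('THIS_SCRIPT', 'ajax_search');
define('CSRF_PROTECTION', true);
define('LOCATION_BYPASS', 1);
define('NOPMPOPUP', 1);

$phrasegroups = array();
$specialtemplates = array();
$globaltemplates = array();

require_once('./global.php');

// clean_gpc() with TYPE_STR only normalises the value; it is NOT SQL-safe.
// Read the cleaned copy from $vbulletin->GPC rather than raw $_REQUEST.
$vbulletin->input->clean_gpc('r', 'q', TYPE_STR);
$query = trim($vbulletin->GPC['q']);

// Bound the length on both ends: very short prefixes match too many rows
// (the load concern above), very long ones are never autocomplete input.
if (strlen($query) < 3 OR strlen($query) > 64)
{
	exit;
}

// 1) escape_string() neutralises quotes and backslashes for the SQL literal.
// 2) LIKE has its own metacharacters (% and _); escape them after step 1 so
//    a backslash added here is not doubled, and "%%%" cannot match everything.
$safe = $vbulletin->db->escape_string($query);
$safe = str_replace(array('%', '_'), array('\%', '\_'), $safe);

$results = $vbulletin->db->query_read("
	SELECT `query`
	FROM `search`
	WHERE `query` LIKE '" . $safe . "%'
	LIMIT 10
");

// Rows originate from user input, so escape for HTML before echoing them
// back into the page; XSS escaping is separate from SQL escaping.
while ($row = $vbulletin->db->fetch_array($results))
{
	echo htmlspecialchars_uni($row['query']) . "\n";
}
$vbulletin->db->free_result($results);
?>
```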



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
