Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page Is this safe?
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 07-11-2009, 03:11 AM
1Unreal 1Unreal is offline
 
Join Date: Jul 2008
Location: London
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Is this safe?
I'm making an ajax autocomplete search and I want to make sure the server side is safe.

Is there anything wrong with this?

PHP Code:
<?php
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~ E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT''ajax_search');
define('CSRF_PROTECTION'true);
define('LOCATION_BYPASS'1);
define('NOPMPOPUP'1);

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once ('./global.php');
$vbulletin->input->clean_gpc('r''q'TYPE_STR);
$query $_REQUEST['q']; 

if(strlen($query) >= 3){
    $results $vbulletin->db->query_read("SELECT `query` FROM `search` WHERE `query` LIKE '$query%' LIMIT 1");
    $result $vbulletin->db->fetch_array($results);
    echo $result[query];
}
?>
Reply With Quote
  #2  
Old 07-11-2009, 04:25 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
That script is open to SQL injection. You're not safely escaping input. Apart from that, it could possibly cause some load issues (depending on how often AJAX calls the script).
Reply With Quote
  #3  
Old 07-11-2009, 04:39 AM
1Unreal 1Unreal is offline
 
Join Date: Jul 2008
Location: London
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Doesn't $vbulletin->input->clean_gpc() prevent injection?
Reply With Quote
  #4  
Old 07-11-2009, 09:23 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
No, it does not. $db->escape_string() prevents SQL injection.
Reply With Quote
  #5  
Old 07-11-2009, 12:24 PM
1Unreal 1Unreal is offline
 
Join Date: Jul 2008
Location: London
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Oh, I would have thought vB would automatically clean up all user input by default. Kind of a security flaw for us ignorant few.
Reply With Quote
  #6  
Old 07-11-2009, 01:47 PM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Not all input needs to be escaped for SQL, as not all input is used in SQL queries. The same happens for XSS. Not all input needs to be escaped for XSS.
Reply With Quote
  #7  
Old 07-11-2009, 03:54 PM
1Unreal 1Unreal is offline
 
Join Date: Jul 2008
Location: London
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
But there's no harm in escaping it though right?
Reply With Quote
  #8  
Old 07-12-2009, 04:16 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Example
PHP Code:
$foo 'Some Random Quote: "PHP is better than Rails"';
$bar mysql_real_escape_string($foo);

// Some Random Quote: "PHP is better than Rails"
echo $foo;

// Some Random Quote: \"PHP is better than Rails\"
echo $bar
I think you can see the difference.
Reply With Quote
  #9  
Old 07-12-2009, 10:43 PM
1Unreal 1Unreal is offline
 
Join Date: Jul 2008
Location: London
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Sorry, you're right. I was presuming everything was being put in the database.
Reply With Quote
  #10  
Old 07-14-2009, 10:58 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Not only that, the input cleaner should not "clean" variables that still are used in their raw form (calculations for example). It will clean according to the class that is used.

Some examples:
TYPE_STR - Any string, including non-safe characters.
TYPE_NOHTML - Same as above, but cleaned of all HTML special characters. Safe to display on page (XSS), but not SQL-safe.

TYPE_INT - Non-numeric data is stripped, safe to display or use in query.
TYPE_UINT - Same as above, but only positive integers allowed.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 10:53 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04769 seconds
  • Memory Usage 2,255KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete