PHP Injection Discussion

Question

waveydaveywaves 0 Newbie Poster

13 Years Ago

right now my php script is vulnerable to anyone putting in a random member_id into the url and having it excute sucessfully

how can I encrypt the id="id#" in the url, so a guest is unable to type in there own id in the posted id retrieved through the url?

echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";

<?php


function html_encode($var)
{
	return htmlentities($var, ENT_QUOTES, 'UTF-8') ;
}
	require_once('auth.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
        <head>  
                <title>My interns</title>
                <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
        </head>
        <body>
                
             <h1> My Interns</h1>
                
                <p><b>View All</b> | <a href="../Copy/view-paginated.php">View Paginated</a></p>
                
                <?php
                        // connect to the database
                        include('../Copy/connect-db.php');
                        $var_id=$_SESSION['SESS_LOGIN'];
				
                        // get the records from the database
                        if ($result = $mysqli->query("SELECT * FROM `members`.`players` WHERE login='$var_id' "))
              
					 
					    {
                                // display records if there are records to display
                                if ($result->num_rows > 0)
                                {
                                        // display records in a table
                                        echo "<table border='1' cellpadding='10'>";
                                        
                                        // set table headers
                                        echo "<tr><th>ID</th><th>Name</th><th>Description</th><th>Qualifications</th><th>login</th><th>hours</th><th>days required to work</th><th>pay</th><th>duties</th></tr>";
                                     


                                        while ($row = $result->fetch_object())
                                        {
                                                // set up a row for each record
                                                echo "<tr>";
                                                echo "<td>" . $row->member_id . "</td>";
												echo "<td>" . $row->name . "</td>";
                                                echo "<td>" . $row->description . "</td>";
                                                echo "<td>" . $row->qualifications . "</td>";
												echo "<td>" . $row->login . "</td>";
												echo "<td>" . $row->hours . "</td>";
												echo "<td>" . $row->daysoftheweek . "</td>";
												echo "<td>" . $row->pay . "</td>";
												echo "<td>" . $row->duties . "</td>";
												  echo "<td>";
												
												
												
												
                                                echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";
                                                echo "<td><a href='delete.php?member_id=" . $row->id . "'>Delete</a></td>";
                                                echo "</tr>";
                                        }
                                        
                                        echo "</table>";
                                }
                                // if there are no records in the database, display an alert message
                                else
                                {
                                        echo "No results to display!";
                                }
                        }
                        // show an error if there is an issue with the database query
                        else
                        {
                                echo "Error: " . $mysqli->error;
                        }
                        
                        // close database connection
                        $mysqli->close();
                
                ?>
                
                <a href="../Copy/records.php">Add New Record</a>
        </body>
</html>

mysql php

2 Contributors
2 Replies
216 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by waveydaveywaves

jkon 636 Posting Whiz in Training

13 Years Ago

There are many ways but why not keeping the user id in session after log and check its existence and value when a person enters this page with id as url variable.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

waveydaveywaves 0 Newbie Poster · Answer 1 · 2011-02-03T00:34:30+00:00

the "id" column is not a unique table, nor is it in the same table as the members.

i would use that approach but, my next code it parses through the url from the next script. keeping it as a session would still display it through the URL wouldn't it?

any suggestions? a modification would be nice.

<?php
	
	



        // connect to the database
        include("connect-db.php");

        // creates the new/edit record form
        // since this form is used multiple times in this file, I have made it a function that is easily reusable
        function renderForm(  $name = '', $description ='',  $qualifications ='', $login ='', $hours ='', $daysoftheweek ='', $pay ='',$duties ='',  $id = '' )
        { ?>
                <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
                        <head>  
                                <title>
                                        <?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?>
                                </title>
                                <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
                        </head>
                        <body>
                                <h1><?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?></h1>
                                <?php if ($error != '') {
                                        echo "<div style='padding:4px; border:1px solid red; color:red'>" . $error
                                                . "</div>";
                                } ?>
                                
                                <form action="" method="post">
                                <div>
                                        <?php if ($id != '') { ?>
                                                <input type="hidden" name="id" value="<?php echo $id; ?>" />
                                                <p>ID: <?php echo $id; ?></p>
                                        <?php } ?>
                                        
                                        <strong>Name: *</strong> <input type="text" name="name"
                                                value="<?php echo $name; ?>"/><br/>
                                        <strong>description: *</strong> <input type="text" name="description"
                                                value="<?php echo $description; ?>"/><br/>
                                                 <strong>qualifications: *</strong> <input type="text" name="qualifications"
                                                value="<?php echo $qualifications; ?>"/><br/>
                                                <strong>login: *</strong> <input type="hidden" name="login"
                                                value="<?php echo $login; ?>"/><br/>
                                                 <strong>hours: *</strong> <input type="text" name="hours"
                                                value="<?php echo $hours; ?>"/><br/>
                                                <strong>days required to work: *</strong> <input type="text" name="daysoftheweek"
                                                value="<?php echo $daysoftheweek; ?>"/><br/>
                                                 <strong>pay: *</strong> <input type="text" name="pay"
                                                value="<?php echo $pay; ?>"/><br/>
                                                 <strong>duties: *</strong> <input type="text" name="duties"
                                                value="<?php echo $duties; ?>"/><br/>
                                  <input type="submit" name="submit" value="Submit" />
                                </div>
                                </form>
</body>
                </html>
                
        <?php }



        /*

           EDIT RECORD

        */
        // if the 'id' variable is set in the URL, we know that we need to edit a record
        if (isset($_GET['id']))
        {
                // if the form's submit button is clicked, we need to process the form
                if (isset($_POST['submit']))
                {
                        // make sure the 'id' in the URL is valid
                        if (is_numeric($_POST['id'], ENT_QUOTES))
                        {
                                // get variables from the URL/form
                                $id = $_POST['id'];
                                $name = htmlentities($_POST['name'], ENT_QUOTES);
                                $description = htmlentities($_POST['description'], ENT_QUOTES);
								$qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
								$login = htmlentities($_POST['login'], ENT_QUOTES);
								$hours = htmlentities($_POST['hours'], ENT_QUOTES);
								$daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
								$pay = htmlentities($_POST['pay'], ENT_QUOTES);
								$duties = htmlentities($_POST['duties'], ENT_QUOTES);
                                
                                // check that firstname and lastname are both not empty
                                if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == ''  )
                                {
                                        // if they are empty, show an error message and display the form
                                        $error = 'ERROR: Please fill in all required fields!';
                                        renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay,$duties ,  $id, $error);
                                }
                                else
                                {
                                        // if everything is fine, update the record in the database
                                        if ($stmt = $mysqli->prepare("UPDATE players SET name = ?, description = ?, qualifications= ?, login =?, hours =?, daysoftheweek =?, pay =?, duties =?
                                                 WHERE id=? "))
                                        {
										
                                                $stmt->bind_param("ssssssssi", $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties ,  $id);
                                                $stmt->execute();
                                                $stmt->close();
                                        }
                                        // show an error message if the query has an error
                                        else
                                        {
                                                echo "ERROR: could not prepare SQL statement.";
                                        }
                                        
                                        // redirect the user once the form is updated
                                        header("Location: viewworking.php");
                                }
                        }
                        // if the 'id' variable is not valid, show an error message
                        else
                        {
                                echo "Error!";
                        }
                }
                // if the form hasn't been submitted yet, get the info from the database and show the form
                else
                {
                        // make sure the 'id' value is valid
                        if (is_numeric($_GET['id']) && $_GET['id'] > 0)
                        {
                                // get 'id' from URL
                                $id = $_GET['id'];
                                
                                // get the recod from the database
                                if($stmt = $mysqli->prepare("SELECT * FROM players WHERE id=?"))
                                {
                                        $stmt->bind_param("i", $id);
                                        $stmt->execute();
                                        
                                        $stmt->bind_result($id,  $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties );
                                        $stmt->fetch();
                                        
                                        // show the form
                                        renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties ,  $id);
                                        
                                        $stmt->close();
                                }
                                // show an error if the query has an error
                                else
                                {
                                        echo "Error: could not prepare SQL statement";
                                }
                        }
                        // if the 'id' value is not valid, redirect the user back to the view.php page
                       else
                        {
                                header("Location: view.php");
                        }
                }
        }


        /*

           NEW RECORD

        */
        // if the 'id' variable is not set in the URL, we must be creating a new record
        else
        {
                // if the form's submit button is clicked, we need to process the form
                if (isset($_POST['submit']))
                {
                        // get the form data
                                                 $id = $_POST['id'];
                                $name = htmlentities($_POST['name'], ENT_QUOTES);
                                $description = htmlentities($_POST['description'], ENT_QUOTES);
								$qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
								$login = htmlentities($_POST['login'], ENT_QUOTES);
								$hours = htmlentities($_POST['hours'], ENT_QUOTES);
								$daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
								$pay = htmlentities($_POST['pay'], ENT_QUOTES);
								$duties = htmlentities($_POST['duties'], ENT_QUOTES);
                        // check that firstname and lastname are both not empty
                        if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == '' )
                        {
                                // if they are empty, show an error message and display the form
                                $error = 'ERROR: Please fill in all required fields!';
                                renderForm($name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay,$duties ,  $id, $error);
                        }
                        else
                        {
                                // insert the new record into the database
                                if ($stmt = $mysqli->prepare("INSERT players (name, description,  qualifications, login, hours , daysoftheweek, pay, duties ) VALUES (?, ?, ?, ?, ?, ?, ?, ?,)"))
                                {
                                        $stmt->bind_param("ssssssss", $name, $description,  $qualifications, $login, $hours , $daysoftheweek, $pay, $duties);
                                        $stmt->execute();
                                        $stmt->close();
                                }
                                // show an error if the query has an error
                                else
                                {
                                        echo "ERROR: Could not prepare SQL statement.";
                                }
                                
                                // redirec the user
                               header("location: access-denied.php");
                        }
                        
                }
                // if the form hasn't been submitted yet, show the form
                else
                {
                        renderForm();
                }
        }
        
        // close the mysqli connection
        $mysqli->close();
?>