can I be hacked with this code?
I purchased a script that has some weird code in it. I'm a PHP beginner but know a little about things like sanitizing input data.
This is the code:
<form action="sendpass.php" method="post" id="sendpassform">
<input type="text" name="email" />
<input type="submit" name="sendpass" value="Send" />
</form>
?>
...
if($_REQUEST['email'] != ''){
$email = $_REQUEST['email'];
$k = mysql_query("SELECT * FROM开发者_高级运维 users WHERE email='".$email."'") or die(mysql_error());
$result= mysql_fetch_array($k);
....
}
What I'm curious of, is if someone can hack the site using this form, because the email field is just passed directly to SQL with any escaping...
Yes. This is called SQL injection. Anywhere user supplied values are directly included in a SQL statement, this is a possibility.
Yes quite easily with SQL injection.
You should use be doing $email = mysql_real_escape_string($_REQUEST['email']);
That should prevent any SQL injection attacks.
To answer your question, it's possible but whether there is any damage or not depends on what you do with the data retrieved from MySQL (not shown)
The short answer is yes, though I cannot give you a play by play on how that would happen; I don't have enough info on your database structure to know - and I don't want to know. :)
There are some very easy steps you can take to make the code more secure:
$email = mysqli_real_escape_string($database_connection, $_REQUEST['email')
this escapes any dangerous characters that can adversely affect SQL string
$email = mysqli_real_escape_string($database_connection, trim($_REQUEST['email'))
in this step we added the trim function which takes out any whites spaces - which are used to launch SQL Injection attacks
If you want more information on SQL/Programming security i would suggest the following books:
- Head Firs PHP & MySQL (for beginners - it's really good)
- Hacking exposed Web Applications 3rd Edition good luck feel free to ask any questions you might have
That should be listed as a prime example for a possibility of SQL injection. Of course you need to escape the $email
variable.
The $email variable is escaped when used in the SQL. But the contents of the variable can be the escape characters and other SQL. This could result in someone running arbitrary SQL on the server.
This looks like an example out of a sql-injection tutorial. If you have to integrate user input in a database query, you should always consider the following two security measures. Both should be applied if possible, just in case:
- Use prepared statements (if your database-driver supports this)
- Perform input validation
You should only use the input if it is plausible. A regular expression to validate an email-address is something like this (taken from ESAPI, the Enterprise Security API):
^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
精彩评论