开发者

Do I need to check for sql injection even on validated inputs?

This is about a classifieds website... I use PHP and MySql to insert records into a db.

I have a HTML form, and users must fill in this form to proceed.

Below is the form inputs and the validation made on each input (javascript):

Name (Only letters allowed)

Tel (Only numbers allowed)

Email (Special email-regexp match)

Headline (No special characters allowed, all else is fine. By special characters I mean !(#)<> etc. Max length 35 chars.)

Text (Same as headline, just no limit on length)

Price (Only numbers allowed)

I do mysql_real_escape_string() on the Headline and Text, but nothing else.

My question is simply, is this enough?

I have no other security measures whatsoever.

UPDATE

var alphaExp = /^[a-zA-ZåäöÅÄÖ\s\-]+$/; 
var numExp = /^(?=(?:\D*\d){0})[\d -]{0,20}$/;
var num_only = /^[0-9]+$/;
var emailExp = /^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/;
var textExp = /^\s*([\wåäö\-\*][^\w]*){3}.*$/gmi;
var headlineExp 开发者_如何学JAVA= /^[\s\da-zA-ZåäöÅÄÖ&()+%\/*$€é:,.'"-]*$/;


All security measures that are implemented in Javascript can be circumvented by the user, for example by turning it off, by removing listeners or messing around with the code. Don't rely on the client there!


I have no other security measures whatsoever.

Security must be implemented in layers. Many times, programmers do not understand this because it's outside of their purview (most have the mantra "if it compiles, ship it"). You must implement security at every reasonable point. You can never, ever trust user input especially if it sees with Wild Wild Web. Regular expression checks, known injection checks, and server and application hardening are essential.

Note that there is a reasonableness standard attached. It is sometimes easy to have security theater or overkill. It's up to you and the other project stakeholders to determine what levels of precaution are necessary to implement. Time and materials have costs associated with it, so if you spend $100,000 on security implementation but only get a $80,000 return, then it's self-defeating.


Everything that comes from the user to be checked. JavaScript execution before the user sends it. I do not need to run your JavaScript code to send a POST request.


You shouldn't use MySQL Extension at all. It's 2010 and PDO is the way to go.


In almost all cases, the default answer to "Do I really need to..." when it comes to security questions is "Yes, absolutely."

<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array('calories' => 175, 'colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>

The code above is from this page in the PHP library. Don't bother with mysql_real_escape_string() anymore, and try to incorporate prepared statements with your SQL queries.


Lots of people here talk about bypassing your javascript but I want to go one step further and show you how it is done, since context makes all the difference. Here's one Firefox addon that I love to use when I do penetration testing or anything of the sort: Groundspeed.

As has been said a million times, client-side validations are good because you can use them to keep well-behaved users from hitting your server with bad requests, but every validation client-side must be mirrored server-side as well. And yes, prepared statements are your friend. Also, sanitize anything coming OUT of your database as well since that's a step a lot of people forget about.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜