Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them
Archive - Originally posted on "The Horse's Mouth" - 2012-07-22 17:37:36 - Graham Ellis
A delegate for tomorrow's PHP Techniques Course arrived early, and I've spent this afternoon taking a look at the fundamentals of what an "injection attack" is, and how to render attempts to attack your server using such methods harmless.
When you have a web application running, you'll be providing forms for your users to complete. And you have very little absolute control of what they can enter / submit - especially if you have geeky users who can work around any HTML limits and JavaScript checks you may have applied.
So ... what can they submit that's potentially nasty?
Let's say I entered <h1> as my name on a web form. The response page is very likely to echo my name - dear <h1> ... only it won't appear like that if it's simply echoed, as the browser will interpret the <h1> as a request to treat the following text - the rest of the response page - as a headline. That's an example of an HTML injection.
Many pages these days include Javascript - programmatic elements that the server includes in the stream of data sent out as HTML to the browser, instructing the browser to run code in certain circumstances. Your browser will typically trust Javascript received from the server, as it's known code that is designed to work within the particular page. If you include some Javascript that the server really shouldn't be telling the browser to run - perhaps code that compromises the server's security - you can have a very real issue. For if you have a trusted server / client exchange going on and something nasty gets into the mix, it can cause problems at both ends. That's an example of a Javascript injection.
I'm afraid there's more. If there's a box on my form whose contents get passed on to a database, and some user adds in a piece of SQL that would be valid in the context in which it's used, I can get into all sorts of trouble. There's the urban myth about the parents who christened their child "Drop Tables" and had terrible trouble signing him up to the local school because their computer system kept blanking out ... That's an example of an SQL injection.
Only a few characters in the input stream - less than, ampersand and various quotes - cause the problems I have described, and you can very easily inoculate your code against attacks by ensuring they're dealt with for all inputs; in PHP, the htmlspecialchars function deals with HTML output, and the mysql_real_escape_string or mysqli_real_escape_string functions deal with SQL injections. Javascript injections are really just a special form of HTML injections.
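As an added example that is not from the original post or its linked code, here is PHP that applies those fixes to the inputs described above. The mysqli connection in $db is assumed to be open, and the table and column names are placeholders.

```php
<?php
// Added example, not code from the original post. The input values below are
// constructed to match the article's scenarios.

// HTML context: escape when the value is written into the page. ENT_QUOTES
// also converts the single quote, which matters inside attribute values.
function safe_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = '<h1>';        // the article's "name" that would otherwise become a headline
$attr = '"><h1>';      // the same trick aimed at an attribute value
echo 'Dear ' . safe_html($name) . " ...\n";
echo '<input name="who" value="' . safe_html($attr) . '">' . "\n";

// SQL context: a prepared statement sends the value separately from the SQL
// text, so a name like "Drop Tables" or O'Brien is only ever data.
// Assumes an open mysqli connection in $db; table/column names are placeholders.
function add_pupil(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO pupils (name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Where a statement cannot be prepared, mysqli_real_escape_string is the
// fallback; it needs the live connection because the escaping depends on the
// connection's character set. You must still quote the escaped value yourself.
function find_pupil_sql(mysqli $db, string $name): string
{
    return "SELECT id FROM pupils WHERE name = '" . $db->real_escape_string($name) . "'";
}
```

Escaping is applied at the point of output (HTML) or query construction (SQL), not when the form is received, so the same stored value can be rendered safely in either context.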
The example from this afternoon, showing code examples of the attacks and how to counter them, is [here]. Note that I have chosen to publish only the cleaned code; if you want to try it out for real, you'll need to comment out lines as indicated.
A further form of attack - though not an injection attack - is a cross site request forgery (CSRF). See [here] to read more about these (and for links to PHP programs that demonstrate how you can deal with the issue).