Mar 10th, 2008, 01:48 AM
#1
Thread Starter
Hyperactive Member
PHP Injection
Hi All,
I have heard of PHP injection, but I have not found good tutorials on it. Again, I do not know what it is or how to implement it. Please let me know about it and, of course, the implementation techniques. Please try to provide a simple example with respect to an email submit form. Please help.
Thank you so much.
-
Mar 10th, 2008, 08:24 AM
#2
Re: PHP Injection
PHP Injection?
As far as I am aware PHP injections are vulnerabilities within your application. You most certainly do not want to implement them within your scripts. What you really want to do is avoid them altogether and test your scripts to ensure they are not vulnerable.
There are several types of vulnerability you should guard against in your applications. All three involve sanitization of the input vectors (i.e. POST and GET variables).
- SQL Injection Vulnerabilities. These are caused when you do not escape meta characters which could be included in input variables for SQL queries. This could result in an attacker extracting data from the database that may be confidential. You can prevent such attacks by using functions such as mysql_escape() on all input variables which will go into a query. If you have PHP5 you should also use PDO or MySQLi, which allow you to use parametrized queries.
- File Inclusion Vulnerabilities. Probably the most dangerous of all. These vulnerabilities are caused when input variables to be used in file inclusion are not checked for meta characters, i.e.: :,/,. This could allow an attacker to include any PHP file on the system or, worse, include a PHP file on another system. I would go as far as saying that NO input variable should ever be used to build a string in a PHP include statement and a switch statement with hard-coded strings should be used instead.
- File Open Vulnerabilities. These are similar to inclusion vulnerabilities but may instead allow an attacker to open and display the contents of any file your script has access to. In addition, it could allow an attacker to open a file on another server by passing it a URL. Again, a switch statement should be used to prevent any input variable ever being used in an fopen() string.
- Mail Injection Vulnerabilities. Caused when an input vector from what is usually a contact form, which is later to be included in an email header, is not properly sanitized. This is usually an email address which may appear in the From part of the email as a header. The injection of additional Cc headers can allow the email to be sent to arbitrary addresses. Spammers often look for scripts with these vulnerabilities and use them to carry out anonymous mass mailing campaigns.
- Cross Site Scripting Vulnerabilities. These are caused when input vectors that are later output as HTML are not properly escaped. This will allow an attacker to insert arbitrary HTML code, including JavaScript code, which could change the way in which the page behaves. Attackers usually use this kind of vulnerability to steal data from victims who are unaware that the location of the data they are submitting has changed. This vulnerability can be easily eliminated by using the htmlspecialchars() function on any output you do not wish to be interpreted as HTML.
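Added example, not part of the original thread: the mail injection case from the post above, applied to the email submit form the thread starter asked about. The field names, addresses and function names are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: validate contact-form fields before they reach mail() headers.
// Field names (email, subject, message) and all addresses are assumptions.

/** True if the value contains CR, LF or NUL, which can start a new header line. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Build mail() arguments from form input, or return null if the input is unsafe.
 * The vulnerable pattern this replaces puts $_POST['email'] straight into a From: header.
 */
function build_contact_mail(array $form): ?array
{
    $email   = trim((string)($form['email'] ?? ''));
    $subject = trim((string)($form['subject'] ?? ''));
    $message = (string)($form['message'] ?? '');

    // Reject header-breaking characters, then require a syntactically valid address.
    if (has_header_break($email) || has_header_break($subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Recipient and From are fixed; the visitor's address only appears in Reply-To.
    $headers = [
        'From: webform@example.com',
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return ['to' => 'owner@example.com', 'subject' => $subject,
            'body' => $message, 'headers' => implode("\r\n", $headers)];
}

// Constructed sample inputs: one normal submission, one with an extra header line.
$samples = [
    ['email' => 'alice@example.com', 'subject' => 'Hello', 'message' => 'Hi'],
    ['email' => "alice@example.com\r\nCc: other@example.net", 'subject' => 'Hello', 'message' => 'Hi'],
];
foreach ($samples as $form) {
    $mail = build_contact_mail($form);
    echo $mail === null ? "rejected\n" : "accepted\n";
    // Real handler: mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```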
-
Mar 14th, 2008, 03:47 AM
#3
Addicted Member
Re: PHP Injection
One point that VisualAd missed is the use of the eval() function in PHP. If at all possible stay away from this function as it will evaluate a string as PHP code. If you do need to use it make sure that it doesn't work with anything that a user would input meaning:
GET, POST variables, $_SERVER['HTTP_USER_AGENT'] (Yep, someone could slip code or SQL in the user agent name of their browser). I'm sure that there are others.
Using eval() without protection can allow someone to inject PHP.