
Thread: Saved from hackers variables in php script

  1. #1

    Saved from hackers variables in php script

    Hi,
    if I have a variable from a form:

    PHP Code:
    $name = $_POST['name'];
    I want to insert its value into MySQL, but there could be PHP code in it which hacks my whole script...

    Will it be safe if I do this?

    PHP Code:
    $name = mysql_real_escape_string($name);
    What I knew before is that this line helped to keep the value safe from other scripts, or am I wrong?

  2. #2

    Using the above will stop anyone from doing an SQL injection on your database. Google "SQL injection" for more information on it.

    It won't stop all hackers, but it will stop people from being able to alter information in your database, at least in that query.

    It's good practice to do what you've done with any variables that are input by the user.
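The following is an added example, not code from the thread or from any of its posters. It shows the escaping approach the thread discusses next to the prepared-statement form, and where escaping alone is not enough. It assumes a table `users(id INT, name VARCHAR(64))` and the placeholder connection details below; the `mysql_*` functions used in the thread were removed in PHP 7, so `mysqli` and `PDO` stand in for them.

```php
<?php
// Added example (not the thread's code). Assumes a table users(id INT, name VARCHAR(64))
// and the placeholder DSN/credentials at the bottom.

// Constructed input standing in for $_POST['name'].
$name = "O'Brien";

// 1. Escaping: safe only because the escaped value sits between single quotes
//    in the SQL text. real_escape_string adds backslashes before quotes,
//    backslashes and NUL so the value cannot terminate the string literal.
function insertNameEscaped(mysqli $db, string $name): bool
{
    $safe = $db->real_escape_string($name);          // O\'Brien
    return (bool) $db->query("INSERT INTO users (name) VALUES ('$safe')");
}

// 2. Escaping does nothing for a value used without quotes (e.g. a numeric id):
//    there is no string literal to escape out of, so the input must be validated
//    and cast before it reaches the statement.
function findUserById(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                                  // reject before it reaches SQL
    }
    $result = $db->query("SELECT id, name FROM users WHERE id = " . (int) $id);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 3. Prepared statement: the SQL and the value are sent separately, so there is
//    no quoting to get right in either context.
function insertNamePrepared(PDO $db, string $name): bool
{
    $stmt = $db->prepare("INSERT INTO users (name) VALUES (:name)");
    return $stmt->execute([':name' => $name]);
}

// 4. SQL escaping is not HTML escaping: when the stored name is printed back
//    into a page it must be encoded for HTML, which is what the XSS mentioned
//    later in the thread is about.
function renderName(string $name): string
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

// Placeholder connection details (assumption, replace with your own).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
]);
insertNamePrepared($pdo, $name);
echo renderName($name);
```

The escaping functions only help when the escaped value is placed inside a quoted SQL literal and the connection character set matches the one the escaping routine assumes; the prepared statement removes both conditions, which is why it is the form to prefer for any user-supplied value.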

  3. #3

    Hackers must have a way to attack your script. There is no magical way that hackers work: they just find a weakness.
    That line, as Schmoopy says, will stop hackers from using your MySQL queries against you. There might be other unrelated ways they can attack your script, but for MySQL that should be enough.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #4

    I was attacked through my uploading system. I didn't secure the files which users uploaded, so one of them uploaded gooog.php - that file showed all my script.

    I solved that problem by securing the .php extension... Maybe there are other files I should be aware of??

  5. #5

    From every sort of possible attack?

    Could try looking at these examples http://ha.ckers.org/xss.html
    Corrections to my coding/thoughts welcome.

  6. #6

    XSS might be better if I knew something about it.

  7. #7

    It's just not possible to make a site non-hackable, because there will always be some way of getting in. All you can really do is minimise the risk of that happening.

    Generally you just want to make sure your passwords are not easily guessable, or use a word found in the dictionary (by itself).

    Read that XSS article if you want, but if you don't understand it very well then you may want to look here instead: http://aachen-method.com/, very informative videos.

  8. #8

    It's just not possible to make a site non-hackable, because there will always be some way of getting in.
    Technically, it's the opposite. At first there are no ways in; then every bit of code (etc.) that you add to the page becomes a possible way in. Unless, as you make the site more complex, you also keep the security level of every element high, there will then be ways to get in, but they will also have been technically created by adding code to the site.

    As for blocking the PHP extension, the way to do this is to only allow files that end in a certain extension. Do NOT disallow ".php", but instead ONLY allow ".jpg", or whatever you may need. It's much better to have a long list of allowed filetypes than to find out that someone uploaded a ".abc" file that then hacked your server. For example, blocking only .php means that they can still upload .asp, among other things.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  9. #9

    thanks, valuable information

  10. #10

    well, I found and used this script to prevent other types of files:

    PHP Code:
    $allowedExtensions = array("jpg", "jpeg", "gif", "png");
    $error = '';
    foreach ($_FILES as $file) {
        if ($file['tmp_name'] !== '') {
            // Take the part after the last dot of the submitted name as the extension.
            $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
            if (!in_array($extension, $allowedExtensions)) {
                $error .= "<li>Nuotrauka yra neleistino formato.</li>";
            }
        }
    }
    but still... I found out one bad thing. You can't upload an image.php extension, but you can upload image.php.png, which is allowed. And then the user can write ../..link../image.php, which will execute his PHP script from the file as well.

    How can I avoid this problem?

    Just write what's on your mind. Thanks.
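The following is an added example, not code from the thread or from any of its posters. It applies the allowlist advice from post #8 to the double-extension problem raised above: the file is accepted on the basis of its decoded image type rather than the submitted name, and it is stored under a server-generated name with a single allowed extension, so a name like `image.php.png` never reaches the disk. The upload directory `$uploadDir`, the form field name `photo` and the MIME-to-extension table are assumptions of this example.

```php
<?php
// Added example (not the thread's code). Assumes the form field is "photo" and that
// $uploadDir is served by the web server as static files only (no script handler).

$allowedTypes = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension the file will be stored with, or null if it is rejected.
 * The decision is based on the image header getimagesize() reads from the file,
 * never on the name the browser submitted.
 */
function detectAllowedImageType(string $tmpPath, array $allowedTypes): ?string
{
    if (!is_uploaded_file($tmpPath)) {
        return null;                       // not a file PHP received via HTTP upload
    }
    $info = @getimagesize($tmpPath);       // warning suppressed: non-images are expected
    if ($info === false || !isset($info['mime'])) {
        return null;                       // not a decodable image at all
    }
    return $allowedTypes[$info['mime']] ?? null;
}

/**
 * Name to store the file under: random, contains no user input, single extension.
 */
function storedFileName(string $extension): string
{
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

/**
 * Validates and stores one entry of $_FILES. Returns a list of error messages
 * (empty on success).
 */
function handleUpload(array $file, string $uploadDir, array $allowedTypes): array
{
    $errors = [];
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'Upload failed.';
        return $errors;
    }
    $ext = detectAllowedImageType($file['tmp_name'], $allowedTypes);
    if ($ext === null) {
        // Same message as the thread's snippet, kept in its original language.
        $errors[] = 'Nuotrauka yra neleistino formato.';
        return $errors;
    }
    $target = rtrim($uploadDir, '/') . '/' . storedFileName($ext);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        $errors[] = 'Could not save the file.';
    }
    return $errors;
}

if (isset($_FILES['photo'])) {
    $errors = handleUpload($_FILES['photo'], __DIR__ . '/uploads', $allowedTypes);
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
    }
}
```

Two points do the real work here. Checking the extension of the submitted name, whether with `end(explode(...))` or `pathinfo()`, returns `png` for `image.php.png` just as it does for `image.png`, so the name cannot be the basis of the decision; and an image header check on its own can be satisfied by a file that is both a valid image and contains PHP, so the generated single-extension name plus a static-only upload directory is what ensures nothing uploaded is ever run as a script.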
