Kind of confused by this homework assignment...malformed PHP?

sharkapult

Limp Gawd
Joined
May 2, 2006
Messages
479
/* assume $name is user data culled from a POSTed HTML form... */
$query = "SELECT * FROM customers WHERE lastname = '" . $name ."';"
$result = mysql_query($query);

Construct a simple PHP edit that will catch malformed (malicious?) POST/GET data in $name.


I guess I'm simply confused...

I'm under the impression that I'm supposed to edit the above code, but the wording confuses me. Odds are I won't hear back from the teacher until Monday, and it's due Wednesday...but any insight might be helpful.

My guess is it has something to do with the "' . $name .'";", with the first thing striking my attention being the fact that the ; is inside the last ". I would think it should be:
$query = "SELECT * FROM customers WHERE lastname = '" . $name ."'"; if we actually are supposed to edit the above line.
 

I think what the teacher is asking is for you to re-write the code to prevent SQL injection attacks. In SQL, an unescaped single quote in your query string can be used as an avenue to attack the DB server. At the very least it will cause your query to fail due to a syntax error. Do a Google search for SQL injection and you'll get the idea.

The simplest (though not the best) solution is to run the POST variable through the addslashes function to escape any single quotes before sending it to your query string.
 
The ";" is to terminate the MySQL string. I believe this is optional since PHP will automatically terminate your MySQL query when you execute it.

You are correct though, that the teacher forgot the ; at the end of the PHP line.

";"; would be the correct ending, as you mentioned.

What would happen if a user input this for his username:

smith' OR 1=1;


Write out what the SQL query would look like.

What do you think that query would return?
 
I understand what you're getting at. I know nothing about SQL. I'll go back to the book to see if it says anything, but I don't remember anything being mentioned about malicious entries...maybe I'll find something to tell me how to do it.

(I'm using the Peachpit Press PHP for the World Wide Web ebook...for what it's worth)


Also, is there a way to execute PHP from a Linux command prompt? All the examples in this book are talking about HTML as well...not sure if I can get around trying to make a webpage for this or not...
 

But, if I understand what's going on with the addslashes...I would think it would turn out like this:

/* assume $name is user data culled from a POSTed HTML form... */

$name = addslashes($name);
$query = "SELECT * FROM customers WHERE lastname = '" . $name ."';";
$result = mysql_query($query);



Unfortunately, I can't test it until I figure out how to execute PHP in the terminal.
 
Sure, just type

whereis php
or
which php

to see where it is (prolly /usr/local/bin)

and then make this the first line of your php script:

#!/usr/local/bin/php

Now you can execute it by running it: ./myscript.php

(make sure you own it and chmod o+x myscript.php or chmod 755 myscript.php)
 
Actually, I'm not even sure I could run it, as I don't have any SQL data to test it with at the moment.


But, add in the fact that php is doing nothing for me.

ubuntu@ubuntu:~/Desktop$ whereis php
php:
ubuntu@ubuntu:~/Desktop$ which php
ubuntu@ubuntu:~/Desktop$ ./asdfasdfa
bash: ./asdfasdfa: /usr/bin/php: bad interpreter: No such file or directory
 
I try to use the built in mysql character escape.

Code:
function dbescape($escape){
    // add db info; better not to pass this around.
    $username="user";
    $password="pass";
    $database="database";
    $server="localhost";

    // mysql_real_escape_string() needs an open connection to know the charset.
    mysql_connect($server,$username,$password) or die( "unable to connect with database.<br> while cleaning ".$escape."<br>");
    $escape=mysql_real_escape_string($escape);
    mysql_close();    // close mysql connection.
    return $escape;
}

Then in your case I would call the function with the name variable as such

Code:
$name = dbescape($name);

That's how I've managed to get things to work someone with a little more experience might be able to help you out a lot more.

Also a php script can be run in linux like this.
Code:
/# php myscriptname.php
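As an added example (not code from the thread or the textbook), here is the exercise the earlier reply poses, writing out the query for the input "smith' OR 1=1;" with and without escaping, next to the form that makes dbescape() unnecessary: a mysqli prepared statement, where $name is bound as a value and never spliced into the SQL text. The host, credentials, database name and `customers` table are placeholder assumptions, and the query-building part runs without any database at all.

```php
<?php
// Added example, not from the thread. The homework's string building,
// isolated so the resulting SQL text can be inspected without a database.
function buildNaiveQuery(string $name): string {
    return "SELECT * FROM customers WHERE lastname = '" . $name . "';";
}

// Constructed sample input, the one discussed in the thread.
$name = "smith' OR 1=1;";

// The quote in $name closes the 'smith' literal early, so "OR 1=1" is
// parsed as SQL rather than compared as part of the last name.
echo buildNaiveQuery($name), PHP_EOL;

// addslashes() puts a backslash before that quote, so the whole input
// stays one string literal. It is charset-unaware, which is why
// mysql_real_escape_string() (and later prepared statements) replaced it.
echo buildNaiveQuery(addslashes($name)), PHP_EOL;

// Hardened form: the SQL text is fixed; the value travels separately, so
// no quoting or escaping of $name is needed at all.
function findCustomersByLastname(mysqli $db, string $name): array {
    $stmt = $db->prepare("SELECT * FROM customers WHERE lastname = ?");
    $stmt->bind_param("s", $name);   // "s": bind $name as a string value
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Placeholder connection details (assumption); replace with your own.
$db = new mysqli("localhost", "user", "pass", "database");
if ($db->connect_error) {
    die("unable to connect: " . $db->connect_error . PHP_EOL);
}

// With the same malicious input this only matches rows whose lastname is
// literally "smith' OR 1=1;", i.e. normally none.
$rows = findCustomersByLastname($db, $name);
echo count($rows), " row(s) matched", PHP_EOL;
$db->close();
```

Run it with `php myscript.php`; the two echoed query strings appear before the connection attempt, so the first half of the exercise works even without MySQL installed.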
 

do you have php installed?

apt-get install php5 php5-cli

and you wouldn't need a database, you're just messing with strings right now. assuming there isn't more to this assignment that you left out in your first post.
 
try:

ls /usr/local/bin |grep php

which php just tells you which location php would be executed from if you typed php. Since it didn't return anything, php is not in your path.

whereis is a simplified, often useless indexed search that can help you find binaries in predefined locations. It generally searches /usr/bin /sbin /usr/sbin/ /usr/bin /usr/local/bin

Since neither found PHP it looks like you might not have it installed - but doing that command I posted should help :)
 
ubuntu@ubuntu:~/Desktop$ ./asdfasdfa HEy You



/* assume $name is user data culled from a POSTed HTML form... */

$name = addslashes($name);
$query = "SELECT * FROM customers WHERE lastname = '" . $name ."';";
$result = mysql_query($query);


Well, I'm not sure what it's doing now. I didn't tell it to display anything.. I guess since there is no posted form for me to go off of, that I just cross my fingers?
 
Hey, I have the exact same assignment. I'm having a lot of trouble with it too. :confused: Thanks for the heads up guys. I did a little research on the addslashes function and it seems a little clearer now.
 