Interesting PHP Oddity - help please! :)

Bryan

Very Happy KH VPS User
#1
Hey guys...

I'm honestly at a complete loss as to what is happening with one of my PHP scripts. It was working before I moved here. But since I don't personally use the script a whole lot, I don't know when it broke. Nothing changed in the coding, so I'm kinda at a loss as to what went wrong.

I can't send you guys to the actual page, as it's behind a password protected member's site for a client of mine.

To give an overview...that specific page gives a membership roster, with names, phone numbers, addresses, etc., and by clicking on the headings, "Name, Address, Phone" etc., the columns are supposed to be sorted.

The sql call I'm using is: ORDER BY '$sort' ASC" where $sort is determined in the script by what you click on.

So for instance, if somebody clicked address, it would $sort would = address.

Like I said, it worked fine in the past. Is there anything specific in PHP that would cause this to stop functioning? I'm using 4.4.4 right now on the server.

Thanks in advance!!
 
#2
Kinda hard to diagnose without any code whatsoever. Are the sort parameters being passed in a query string, and if so, is the rest of the script assuming that register_globals is enabled?
 
#3
aside from that (since there is no code to check here), if that sql is correct, that is a major XSS hazard. user could set $sort to a payload value and inject an unauthorized query into the db. assuming $sort is a public variable, there should be a private variable which is matched to it to produce the query member.
 
#4
aside from that (since there is no code to check here), if that sql is correct, that is a major XSS hazard. user could set $sort to a payload value and inject an unauthorized query into the db. assuming $sort is a public variable, there should be a private variable which is matched to it to produce the query member.
Hi, do you think you could explain what you mean by "there should be a private variable which is matched to it to produce the query member". I feel like i could be making this mistake on a website of mine.
 
#5
Hi, do you think you could explain what you mean by "there should be a private variable which is matched to it to produce the query member". I feel like i could be making this mistake on a website of mine.
Rather than simply taking

Code:
$_GET['sort_order']
you would validate the input against a list of acceptable possibilities such as

Code:
switch ( $_GET['sort_order'] )
{
	case 'ASC':
		
		$sort_order = 'ASC';
	
		break;
		
	case 'DSC':
	
		$sort_order = 'DSC';
		
		break;
		
	default:
	
		die('Sorry, Charlie...');
		
		break;
}
That way if I try to pull something like

Code:
http://www.yourdomain.com/yourscript.php?sort_order=do%20something%20evil
that input will not actually become a part of the subsequent database query.
 

Bryan

Very Happy KH VPS User
#7
Khiltd, you're right. I actually took the script over and modified it from somebody else's...hadn't really had a chance or desire to change it yet.

But even so, it's a password protected script that is used by about 75 people who would have no idea how or why to insert evil code. ha ha!

There really isn't any code to show. The only piece of code that actually does something is:

"SELECT * FROM members ORDER BY '$sort' ASC";

And $sort is passed into the script by clicking on the column heading. I.e. it might be address, first_name, last_name, etc. etc.

It actually worked at some point. :)

Thanks again guys!
 
Top