
I have a textbox on a page, like so:

<form action="verify.php" method="post">
<input type="text" size="30" name="securityCode"><br />
<input type="submit" value="Go" />
</form>

and on verify.php I have this:

<?php
$enteredCode=$_POST['securityCode'];
//Other stuff
?>

What I want to know is if anything malicious would come of this? E.g. if they entered some PHP into the textbox would it work?

EDIT

I didn't think it'd be important, but apparently it is. If they enter the correct code I'm setting $_SESSION['passedSecurityCheck'] to true, if not I'm setting it to false. Sorry for not specifying that. :)

RedRocker227

3 Answers

You are not doing anything with that value, as far as you are showing.
As such, there's nothing really that can be abused in that piece of code.

deceze
  • @Red Just simple assignment of one variable to another or comparisons or things like that present no risk at all. You need to `eval` arbitrary text, concatenate it into an SQL query (which then gets evaluated) or HTML (which then gets evaluated), use the value to access anything on the system (file paths etc.) for anything malicious to happen. – deceze Aug 08 '12 at 13:16
  • @deceze is right. If you are only comparing to `$enteredCode` and don't actually use the value for anything else there's no risk. – Mahn Aug 08 '12 at 13:19

Off the top of my head, possible problems:

  1. Checking the security code:

    • Are you using a database to do this - if so, SQL injection
    • Using a file on your server to check the code, somebody could sniff somebody else's file
    • Are you using an external program - there is a whole lot of difficulties including (but not limited to) the shell, parameters, filenames etc.
  2. What does the security code mean? The code could mean anything from access to a simple text file to adding other users, deleting users, .... The list is endless here.
  3. If another person (say in a library) is looking over the user's shoulder, is that code in plain text or using the password field? If not, it's easy for somebody to just take a sneaky peek.

I am sure that other people can think of other things.

Ed Heal

A simple comparison (is this value equal to that value) won't allow malicious code in itself.

I'm more worried about how you're comparing it. If you're doing a direct comparison, then I hope you aren't using a value that would possibly be used anywhere else in the world (e.g. a password set by the user themselves, which they may use elsewhere), since access to where the security code is stored reveals the security code. This isn't a big deal in itself (the attacker already has access) unless perhaps it was hard-coded into the file itself (in which case an exploit that reveals source - and there have been a few over the years - reveals how to log in), but if users can set the code then you've just revealed passwords that they potentially use on other sites.

Jon Hanna
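To make the distinction drawn in the answers concrete (a plain comparison is harmless, the risk appears when the submitted text is concatenated into SQL or HTML, and a code stored in plaintext is exposed to anyone who can read where it lives), here is one way verify.php could look. This is an added example, not the asker's code or anything posted in the answers. It assumes a SQLite file codes.db with a table security_codes(label, code_hash) whose code_hash column holds the output of password_hash(); those names, the 'default' label and the 64-character length limit are assumptions.

```php
<?php
// verify.php: added example, not the questioner's code or a project's code.
// The database file, table and column names below are assumptions.
declare(strict_types=1);
session_start();

// 1. The POST field is untrusted input: it may be absent, or not a string at all
//    (e.g. securityCode[] in the form body arrives as an array). It is never
//    evaluated as PHP; it is only ever data.
$enteredCode = $_POST['securityCode'] ?? '';
if (!is_string($enteredCode) || $enteredCode === '' || strlen($enteredCode) > 64) {
    $_SESSION['passedSecurityCheck'] = false;
    http_response_code(400);
    exit('Invalid request');
}

// 2. Looking the code up in a database (Ed Heal's first point).
//    UNSAFE: concatenating the text into the statement turns data into SQL:
//      $db->query("SELECT code_hash FROM security_codes WHERE label = '$label'");
//    SAFE: a prepared statement with a bound parameter keeps the value a value.
function fetchCodeHash(PDO $db, string $label): ?string
{
    $stmt = $db->prepare('SELECT code_hash FROM security_codes WHERE label = :label');
    $stmt->execute([':label' => $label]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

// 3. Compare against a stored hash rather than the plaintext code, so that
//    reading the table or the source (Jon Hanna's concern) does not reveal the
//    code itself. The row is created once with:
//      password_hash('the-real-code', PASSWORD_DEFAULT)
//    password_verify() does the comparison without handing the plaintext back.
function codeMatches(string $entered, ?string $storedHash): bool
{
    return $storedHash !== null && password_verify($entered, $storedHash);
}

$db = new PDO('sqlite:' . __DIR__ . '/codes.db');   // assumed location
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Set the flag explicitly to true or false, as in the asker's edit, so a
// stale value from an earlier attempt can never survive in the session.
$passed = codeMatches($enteredCode, fetchCodeHash($db, 'default'));
$_SESSION['passedSecurityCheck'] = $passed;

// 4. The comparison above needed no escaping; escaping only matters the moment
//    the submitted text is placed into HTML (deceze's "concatenate it into HTML").
//    Echo a fixed message rather than the code itself.
echo $passed ? 'Code accepted' : htmlspecialchars('Wrong code', ENT_QUOTES, 'UTF-8');
```

The two commented-out lines are the contrast the answers describe: the first builds a query out of the submitted string, the second creates the hash that replaces a hard-coded plaintext code. Everything else treats `$enteredCode` purely as a value to compare, which is the case the top answer calls risk-free.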