
Can someone help me identify the vulnerabilities and resolve them with this? I posted this website this morning but it kept getting hacked or something, and I am new to SQL injection vulnerabilities. Could someone help me find what they are?

    <?php
            //Variables for connecting to your database.
            //These variable values come from your hosting account.
            $hostname = "istheinternet.db.10527209.hostedresource.com";
            $username = "istheinternet";
            $dbname = "istheinternet";

            //These variable values need to be changed by you before deploying
            $password = "**********";
            $usertable = "posts";
            $yourfield1 = "post";
            $yourfield2 = "time";

            //Connecting to your database
            mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
            connect to database! Please try again later.");
            mysql_select_db($dbname);



           // Fetching from your database table.
            $query = "SELECT * FROM $usertable ORDER BY time DESC";
            $result = mysql_query($query);


            ?>
    <html>
    <meta name="viewport" content="width=device-width"/>
    <meta http-equiv="Content-Language" content="English" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" type="text/css" href="style.css">
    <head>
    <img src="/istheinternetfuckingawesome/images/pageLogo.jpg">
    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8924330365282159";
    /* itifa header/footer */
    google_ad_slot = "6694391056";
    google_ad_width = 728;
    google_ad_height = 90;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
    <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-40841654-1', 'istheinternetfuckingawesome.com');
      ga('send', 'pageview');

    </script>
    <meta http-equiv="Content-Script-Type" content="text/javascript">
    <script type="text/JavaScript">
    function valid(f) {
    !(/^[A-z!., &#209;!., &#241;0-9]*$/i).test(f.value)?f.value = f.value.replace(/[^A-z!., &#209;!., &#241;0-9]/ig,''):null;
    }
    </script>
    </head>
    <div class="breadcrumbs">
    </div>
    <body>
    <div>
    <h1>What makes your internet awesome?</h1>
    <form id="blog_form" action ="thisfile.php"
    method ="POST" enctype="multipart/form-data">
    <textarea name="post" placeholder="Tell us what makes your internet awesome!" rows="15" cols="50" maxlength="300"  onkeyup="valid(this)" onblur="valid(this)"> </textarea><br/>
    <button type="submit"> Post</button>
    <button type="reset"> Clear</button>
    </form>
    </div>


    <span class="column1">
    <h2> Stories</h2>

    <?php while ($row = mysql_fetch_assoc($result))
    {
        echo $row["$yourfield2"].", ".$row["$yourfield1"]."<br/>\n"."<br/>\n";
    }
    ?>
    </span>
    <span class="column2">
    <div>
    <center>
    <p><Strong>Keep in mind all posts are final unless the website owner finds errors in formatting.</Strong></p>
    <p><Strong>Welcome Reddit users</Strong></p>
    <p>Please note that any links and or images will not post sorry to ruin your fun!</p>
    </center>
    </div>
    </span>

    <span class="column3">


    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8924330365282159";
    /* itifa */
    google_ad_slot = "3372494652";
    google_ad_width = 160;
    google_ad_height = 600;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
    </span>

    </body>

    <footer>
    </footer>
    </html>

Submission PHP file:

            //These variable values need to be changed by you before deploying
            $password = "**********";
            $usertable = "posts";
            $yourfield1 = "time";
            $yourfield2="post";

            //Connecting to your database
            mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
            connect to database! Please try again later.");
            mysql_select_db($dbname);

           $post= trim($_REQUEST['post']);

           // Required field names
           $required = array('post');

           $insert_sql = "INSERT INTO posts (post)" . "Values('{$post}')";

           mysql_query($insert_sql) or die(mysql_error());
           header("Location: http://istheinternetfuckingawesome.com");


?>

1 Answer

See the picture below; SQL injection is pretty much summed up: when a hacker or someone inputs malicious code into your forms, that code, when executed by PHP, does something bad to your database, like delete/drop/update your data/tables.

So, in the picture's case, I suppose the principal had a query in PHP to update his table Students. Now, I assume he may have had a query like:

    INSERT INTO Students (studentname) VALUE ('".$_POST['student_name']."');

Now, in the `$_POST['student_name']` field, if someone had entered `Robert'); DROP TABLE Students;` then the whole table would have been dropped/deleted/lost.

[image: the picture referenced above]

To prevent your site from SQL injection, learn about PDO, from here:

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

EDIT:

If you want a quick help, right now, then sanitize your inputs by doing:

    $password = strip_tags(mysql_real_escape_string("**********"));
    $usertable = strip_tags(mysql_real_escape_string("posts"));
    $yourfield1 = strip_tags(mysql_real_escape_string("time"));
    $yourfield2= strip_tags(mysql_real_escape_string("post"));
  • I updated the question with the database submission type page. Do you see where I went wrong? I am sorry I am clueless on some of this stuff. – rmushero May 17 '13 at 21:08
  • @GluteFree BTW: Why did you say, you keep getting hacked? did you miss some data? or what was the problem? – samayo May 17 '13 at 21:10
  • They would add scripts to the form to make the page freakout so they were inserting information into the database that when it was posted on the site it would make the page look differently. – rmushero May 17 '13 at 21:12
  • @GluteFree if the page is looking different, then it is an `XSS` attack, not `mysql_injection`; for that, I have added the `strip_tags()` function, which will strip off all invalid tags when users post to your site. Make sure to follow the above way when you are letting anyone submit a form to your website. – samayo May 17 '13 at 21:16
  • Awesome! You win my good sir...or ma'am does that mean I can remove – rmushero May 17 '13 at 21:22
  • If it has to do anything with validating input, you can remove it. – samayo May 17 '13 at 21:24
  • Will this prevent images and other things from being posted to the page? – rmushero May 17 '13 at 21:24
  • NO! This is for text only. For images/files or anything someone has to "upload" to your site, you should google for "PHP Secure file uploading script" because that is another subject. But what I gave you is 100 times more secure than your script, but remember... it only checks for text inputs, not file upload. – samayo May 17 '13 at 21:28
  • One more question then. Do I put it in both instances that I have `$password = "**********"; $usertable = "posts"; $yourfield1 = "post"; $yourfield2 = "time";` or just in the submission file? – rmushero May 17 '13 at 21:31
  • @GluteFree you MUST put it in every form which anyone will submit a value in. So, meaning, if someone is going to log in using his username, you have to do `strip_tags(mysql_real_escape_string($_POST['username']))`. You will not do anything in the HTML file. Just leave that as it is. You can only control user inputs from PHP server side. – samayo May 17 '13 at 21:34
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/30155/discussion-between-glutefree-and-php-noob) – rmushero May 17 '13 at 21:49
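The answer points at PDO and the comments identify the second problem as XSS. The block below is an added example, not code from the question or the answer: it rewrites the asker's submission handler and display loop with a PDO prepared statement (so the posted text is bound as data, never spliced into SQL) and escapes on output (so stored markup renders as text). It assumes the same `posts` table with columns `post` and `time`; the host and password are placeholders.

```php
<?php
// Added example (not from the question or the answer). Assumes the asker's
// `posts` table with columns `post` and `time`; connection values are placeholders.
$dsn      = "mysql:host=DB_HOST_PLACEHOLDER;dbname=istheinternet;charset=utf8mb4";
$username = "istheinternet";
$password = "PASSWORD_PLACEHOLDER";

$pdo = new PDO($dsn, $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Submission handler: replaces the string-built INSERT from the question.
function savePost(PDO $pdo, string $post): bool
{
    $post = trim($post);
    // Server-side length check: the textarea's maxlength is client-side only.
    if ($post === '' || mb_strlen($post) > 300) {
        return false;
    }
    // The value is bound to a placeholder, so it is sent as data, never as SQL:
    // a post containing quotes or "DROP TABLE" is simply stored as that text.
    $stmt = $pdo->prepare("INSERT INTO posts (post) VALUES (:post)");
    return $stmt->execute([':post' => $post]);
}

// Display loop: replaces the unescaped echo of $row values from the question.
function renderPosts(PDO $pdo): string
{
    $rows = $pdo->query("SELECT post, time FROM posts ORDER BY time DESC")
                ->fetchAll(PDO::FETCH_ASSOC);
    $html = '';
    foreach ($rows as $row) {
        // Escape on output: a stored "<script>" tag becomes visible text,
        // which is the fix for the page "looking different" in the comments.
        $html .= htmlspecialchars($row['time'], ENT_QUOTES, 'UTF-8') . ', '
               . htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8')
               . "<br/>\n<br/>\n";
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['post'])) {
    savePost($pdo, $_POST['post']);
    header("Location: http://istheinternetfuckingawesome.com");
    exit;
}
echo renderPosts($pdo);
```

The `strip_tags()` calls from the answer become unnecessary once output is escaped, and escaping on output keeps the stored text intact instead of silently altering what users wrote.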