When programming web-based applications, using whatever your favourite programming language, for example, perl, c or php, it is always a good idea to check user input from web forms with function that will escape all special characters, for example "addslashes" in php. It is not a bad idea either to "trim" all the white space from beginning of the input. In php there is also this function "strip_tags", that will do a limited removal of html- and php-tags from a string in a variable.

Now you are asking the question: "Why?" Let me explain. Without checking user input, it is possible to the user to input malicious code that can break the system. For example, this hole could be used to break the database, generating loss of data or possibly corrupting the whole database. It is also possible to input code that would harm the operating system running this services, or even exploit the root password, which of course is very bad thing.

The checking of user input is often overlooked by web developers but is very important to close serious vulnerabilities in web systems. I am currently working on a project for a client that involves rewriting and designing their existing web application. This process started with looking at their existing system.

Within 10 minutes of investigation I was able to drop their entire database just through their web sites log in box. I was able to do this for the following reasons:

  • The log in form textbox had no maximum input length set, allowing me to enter a large input string including my concoction of SQL. This hole is not required as I could have written a spoof form without a maximum input length, but it made my life easier non-the-less.
  • There was no length checking for the username field. Their username database field is 10 chars long, and yet the server code did not check to make sure my input was 10 or fewer characters.
  • There was no invalid character stripping or conversion. By allowing me to place a single quote in the input text, I was able to fool their system into allowing me to run arbitrary SQL code on their database server.
  • The database user had full permissions on the database, including delete and drop permission.
By submitting code similar to what I've written below, I was able to execute whatever SQL I wanted on their database just through my web browser:
'; DROP DATABASE dbname; SELECT * FROM tbluser WHERE username = '
When this input is concatenated with the rest of the database query string, the following SQL query is created and executed on the database:
SELECT * FROM tbluser WHERE username = ''; DROP DATABASE dbname; SELECT * FROM tbluser WHERE username = '';
The first two characters of the user input terminate the first select statement, the next statement does the malicious drop of the database, and the last select statement is a dummy statement to use the original closing quote and make sure the whole query string is valid.

Of course, the attacker needs to know the name of the database or any other database structures that they need to reference, but these are often easy to guess by trial and error or by making the database throw up errors if they are not caught by the web application.

I hope this little demonstration of web app security is useful to web developers and makes clear the point of why checking user input from web forms is important.

Log in or registerto write something here or to contact authors.