IRC Archive / Freenode / #php / 2006 / February / 15 / 1
itrebal
has anyone information on 'finfo' functions?
Stormchaser
finfo?
itrebal
FileInfo in PECL
Stormchaser
you mean like `file` in the shell?
itrebal
there's a FileInfo extension in PECL that I'm looking for information on
lig
Morning
^Migs^
hey lig
(Action) high-fives lig
lig
hey ^Migs^
How's life on your side of the world?
swampwork
OK, let me try my question another way - I'm taking user input from a form. I want to do a fulltext query against a database on the search terms they enter.
^Migs^
hhmmm
kind of cold
a bit stuffy
but I'm perpetually awesome so it balances out
lig
hehe
swampwork
mysql_escape_string() turns something like "frog jelly" into \\\"frog jelly\\\", which isn't what I want. The fulltext parser then doesn't seem to treat "frog jelly" as a literal phrase that has to be matched.
mybadluck
turn off magic quotes?
DoM
hi all
mybadluck
hi
Julian|Work
swampwork, it shouldn't -- looks like it's being escaped twice.
swampwork
But I don't want to pass an unescaped string from an eeeeeevil user into my query string, because of all the nasty things that could be lurking in it. So how do I escape the user input for passing to a fulltext search to be safe, without screwing it up?
lig
mybadluck: mysql_real_escape_string should be used vice mysql_escape_string
Julian|Work
swampwork, make sure magic_quotes_gpc() and/or magic_quotes_runtime() are off
I bet your $_GET input is being escaped once, then you mysql_escape_string() it.
mybadluck
that's what i thought too!
DoM
I need to see long output from a shell command, but I disabled functions like readfile, system, shell_exec, passthru, proc_open. I have only exec, and I need to run commands like grep, less and zcat. Any ideas?
swampwork
OK, I can do the same thing by the judicious use of stripslashes() before doing mysql_escape_string(), right?
mybadluck
yes
wait
swampwork
OK, I did that, but it still doesn't help.
mybadluck
why before the escape string
Julian|Work
DoM, those functions all perform the same action as exec(), for the most part. The only difference is what they return.
mybadluck
do it after the escape string
Julian|Work
DoM, so if you're allowing exec(), you may as well allow the others.
retroneo
I'm trying to get the output from a system call while it is executed, passthru and shell_exec only give it to me when it's finished, I tried this code, but it still doesn't work : http://pastebin.com/554994
DoM
I am allowed, Julian|Work :) The problem is that exec's output shows me only the last line
Julian|Work
swampwork, you should find out where the second escape is happening, rather than undoing it with stripslashes() -- you're doubling the work on your server, rather than halving it.
DoM
Julian|Work, and of course i need all output
Julian|Work
DoM, exactly, so allow the other functions that show you everything. shell_exec(), I believe.
DoM, if you have exec() enabled, it's no worse security-wise to enable the other.
swampwork
OK, it doesn't matter, because the REAL problem is that ANY escaping prevents the FULLTEXT matching engine from treating the double-quoted phrase as a required match.
Jonnay
retroneo: I told you, proc_open is what you want.
mybadluck
so don't escape it
or just escape things that will matter
Julian|Work
swampwork, if you do this correctly, the input will not be escaped in the database.
||cw
itrebal: http://cvs.php.net/viewcvs.cgi/pecl/fileinfo/php_fileinfo.h?view=markup&rev=1.2 and http://cvs.php.net/viewcvs.cgi/*checkout*/pecl/fileinfo/fileinfo.php?rev=1.1 and maybe php's var_export in 5.1+
retroneo
Jonnay, that's what I tried here, but I'm not getting the output : http://pastebin.com/554994
Julian|Work
You escape it in PHP, then pass that to mysql_query(), which inserts it normally.
DoM
Julian|Work, I don't know .. I am sure that exec can execute commands anyway, but .. I don't know .. :\ I hoped to find another solution :\
swampwork
mybadluck: Which is the crux of my question: how do I only escape things that "matter" to prevent nasty MySQL injections in the text that users input for searching?
AfroTurf
I'm pulling photo paths from a db, and I need to make it so that there are 5 photos to a row and as many rows as there are pictures; the total number of pictures could be 30. How would I set up my for or while loops?
Julian|Work
DoM, that's all you can really do.
mybadluck
what are they going to use as an injection if your parser already checks it
swampwork
(Action) sighs
I'm not explaining something properly.
mybadluck
why don't you do this
set it up without escaping
then try to inject something
if it works, fix that bit
Julian|Work
swampwork, I think you're a little unclear on the relationship between escaped strings in PHP and the database.
So I'll send you an example.
retroneo
Jonnay: actually using shell_exec and then echoing the result, I would get the output in real time (using the CLI), but is there a way I can run an IF on that?
swampwork
Julian|Work: thank you. I'm probably unclear on a lot of things.
mybadluck
what is IF?
AcidReign
HolyGoat: those demos are really good
HolyGoat
AcidReign: thanks :)
swampwork
mybadluck: Because I suspect that the Bad Guys are a lot more clever about thinking of ways to inject things than I would be. And I prefer a default stance of "only let what is known to be safe through" rather than "attempt to think of and prevent every specific bad thing I can think of".
Julian|Work
swampwork, http://pastebin.com/555012
swampwork
(Action) reads
Julian|Work
swampwork, now it looks like your problem is that $_GET['str'] is not coming in as "hello" -- it's already coming in as \"hello\"
swampwork, then you escape it again, which escapes even the backslashes -- you get \\\"hello\\\"
cheikh
help please here http://pastebin.com/554853
Julian|Work
Which DOES insert it into the database escaped, as \"hello\"
So find out how to stop escaping the input the first time around (which is probably turning off magic_quotes_gpc or magic_quotes_runtime), and run mysql_real_escape_string() normally
Make sense?
HolyGoat
Heh. Someone just told me I need to get out of my shell more often. It took a while before I realized she didn't mean bash.
bch2
what would prevent a php script from running system() or exec() with safe mode off?
Julian|Work
HolyGoat: I think that only reinforces their statement :P
bch2, add those functions to the disable_functions directive in php.ini
HolyGoat
Julian|Work: good for them :)
swampwork
Julian|Work: Yeah...only help me get this straight in my head.
bch2
Julian: I actually want them enabled
Julian|Work
bch2, alright, then nothing should prevent them, I suppose.
swampwork
what happens if the user enters (for $str) something like this (and I'll probably miss the syntax a bit, but you'll get the point):
Julian|Work
Go ahead
And $str is coming from $_GET or $_POST, correct?
bch2
Julian: any way to see the errors that are being generated? the commands work fine from the terminal...
swampwork
blah'); delete * from table2; select * from table1 where name like 'blah
mybadluck
bch2 be more specific
what are you trying to do
swampwork
Yes, from a $_GET or $_POST
Julian|Work
bch2, make sure display_errors is On in php.ini, and add "error_reporting(E_ALL);" above the line in question
swampwork
Thus, if you insert $str into the string passed to mysql_query(), you'd have something like
bch2
system("swift -n Callie "test" -p audio/output-file=/tmp/temp.wav");
FatalRemedy
whats the variable for the resolution? or resolution width?
swampwork
" INSERT into table values(); delete some stuff; select some stuff;"
Julian|Work
bch2, you need to escape your quotes.
LokeDK
What does $var % 7 do? it's difficult to look up % in the manual ..
mybadluck
also check your paths
but quotes first
Julian|Work
LokeDK: http://us2.php.net/manual/en/language.operators.arithmetic.php -- modulus
bch2
yeah, sorry, those should have been escaped, I took them out because it's a long text
system("swift -n Callie \"test\" -p audio/output-file=/tmp/temp.wav");
swampwork
Isn't that how mysql injection problems happen? If you include a string from the user into a query without escaping the nasty bits (in particular, I guess, single quotes and semi-colons) then the user can do multiple MySQL commands from that single mysql_query() call.
mybadluck
use absolute paths
LokeDK
thanks Julian|Work
Julian|Work
swampwork, correct, that's the point of escaping the data.
So here's what I'd do.
mybadluck
but i think your fulltext parser thing is going to take care of it?
Julian|Work
Before calling mysql_escape_string(), var_dump($_GET['str']);
See if it's escaped or not.
If it is escaped, PHP is doing it automatically and you probably want to disable that.
bch2
yeah, all the things that should be escaped are, and guarding against injections
Julian|Work
If it's not escaped, then call mysql_escape_string() once and you're good to go. It can safely be used in a query.
swampwork
Right. But what I'm saying is that it *appears* from my results that when I escape the data (as you did in your example - no previous slashes in existence), the existence of a single \ before the " makes the fulltext parser NO LONGER treat the double-quoted text as a double-quoted literal.
Julian|Work
bch2, then check what I said about error_reporting.
<Julian|Work> bch2, make sure display_errors is On in php.ini, and add "error_reporting(E_ALL);" above the line in question
swampwork
Julian|Work: I am no longer getting the \\\"frog jelly\\\"; I got the double-escaping part turned off.
Julian|Work
swampwork, so it's represented as "frog jelly" in your database, but FULLTEXT is still screwing up?
swampwork
My problem is that, even with \"frog jelly\" as the internal string representation in PHP, it won't work.
Julian|Work
Ah, well I'd check what FULLTEXT does.
swampwork
Julian|Work: No, I'm not inserting the $_GET[] value *into* the database; I'm attempting to use it as the search text.
Julian|Work
Gotcha
mybadluck
i think that you shouldn't escape your strings
if you're having something else parse it
DoM
Julian|Work, if on some dir I use open_basedir, will commands like shell_exec('/bin/*'); and so on not work, or will they work?
swampwork
So that I'm doing MATCH() AGAINST with it.
Julian|Work
swampwork, regardless of how you're using it, it sounds like MySQL is now the problem area
swampwork
Julian|Work: I don't think so; let me try to explain why.
Julian|Work
Also, try some of these queries on the mysql command line, so we can take the encoding mystery out of the picture
If they don't work there, it's definitely a MySQL problem. If they do work, it's a matter of getting your query from PHP to match what you typed in the command line.
swampwork
Right; the query I'm trying to build works fine on the command line, but only IF the double quotes aren't escaped when it gets it.
Right.
And that's what I'm trying to find out. Since mysql_escape_string() explicitly escapes double quotes, I'm wondering if there's a more appropriate function to use that leaves it alone.
Julian|Work
Are you wrapping single quotes around it?
swampwork
Yes, in the query string.
Julian|Work
MATCH('"str"')
mybadluck
you know what swampwork
mysql uses single quotes for its variables, iirc
so double quotes aren't a problem
don't escape those and you should be ok
Julian|Work
Nah, you can use double-quotes too.
mybadluck
yeah?
hm
well
swampwork
I would just strip out apostrophes, BUT then that would mean that users could not successfully search for titles with an apostrophe in the text.
mybadluck
i would turn off escaping
swampwork
So that "Aren't you special" would turn into "Arent you special" and not match.
mybadluck
if you have something parse it, their craziness isn't going to work anyway