  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 180
  • Last Modified:

Support for all characters in text boxes sent to CGI.

I am creating a script to allow me to make updates to an online journal.  Not unlike a blog, but I'm anti other people's software (*pride*).  I've been using SQL to store the info and it's working except for certain characters.

I'm using a textarea to type in, and after it is submitted with an apostrophe, it breaks.  Also, it loses the carriage returns.  How and when do I prepare for these situations?  It looks like there is some level of this happening now, but that is borrowed code so I don't fully understand what it does.

The part I don't fully understand is this:  $value[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;  And I have a feeling that this may be partly to blame for my issues.

This is what happens to the data now: (paraphrased)

# $dbh is assumed to be an already-connected DBI handle (not shown in this paraphrase).
if ($ENV{'REQUEST_METHOD'} eq 'POST')
{
     $i = 0;
     # Read the raw form body, then split it into name=value pairs.
     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
     @pairs = split(/&/, $buffer);
     foreach $pair (@pairs)
     {
          ($name[$i], $value[$i]) = split(/=/, $pair);

          # URL-decode: '+' is a space, %XX is the byte with hex code XX.
          $value[$i] =~ tr/+/ /;
          $value[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

          $name[$i] =~ tr/+/ /;
          $name[$i] =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

          ++$i;
     }
}

$stuff = $value[2];

# The decoded value is interpolated straight into the SQL string.
$SQL = "insert into $main_table(stuff) values('$stuff');";
$InsertRecord = $dbh->do($SQL);

# That gets the data from the form and sends it to my SQL table

# Then to recall it:

$SQL = "SELECT * FROM $main_table;";
$Select = $dbh->prepare($SQL);
$Select->execute();

while($Row = $Select->fetchrow_hashref)
{
     $stuff = $Row->{stuff};
}

print "Stuff: $stuff\n";

I did just think about something...do I need to put it into an array instead of a variable?  Would that solve the carriage return issue?  I still have the apostrophe issue though.

Thanks in advance.
Asked: archaic0
1 Solution
 
ahoffmann commented:
> .. after being submitted with an apostrophe it breaks.
your (posted) code is totally insecure, in particular vulnerable to SQL injection and cross-site scripting.
SQL injection is happening here because you pass $stuff unfiltered to the SQL engine, which treats the ' as the end of a value (and anything else after it, in the worst case, as a command).

>  The part I don't fully understand is this:
this code does the URL-decoding, meaning it converts the hex-coded characters back to ASCII characters.

What to do?
  before using any value (like $stuff), you need to parse it and escape problematic characters.
  Because you use $stuff in both SQL and HTML, you have to do it twice.

  A simple, to be improved in many ways, check might be:

  $html = $sql = $stuff;
  $html =~ s/</$lt;/g; $html =~ s/>/$gt;/g; $html =~ s/&/$amp;/g; $html =~ s/"/$quot;/g;
  $sql  =~ s/'/''/g;
  $sql  =~ s/%//g;   # needed if $sql is used in a WHERE or LIKE clause
  Also do a:

  $pair =~ s/%00//g;  # before splitting into name, value

These are just some basic steps; you need to check input very carefully. I highly recommend matching against a positive list, like [a-zA-Z0-9_]*, etc., but never against a negative list like [^%>&]*
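The hardened flow ahoffmann describes, written out as an added example (my code, not from the thread or its posters): it keeps the question's URL-decoding loop, strips NUL bytes after decoding, hands the value to the database through a DBI placeholder instead of doubling quotes by hand, escapes it for HTML on output, and shows that the textarea's carriage returns survive the database round trip and only need converting to <br> for display. Assumptions: DBI with DBD::SQLite is installed, an in-memory SQLite table named journal stands in for the asker's $main_table, and the POST body is constructed rather than captured.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBI + DBD::SQLite;
# the table "journal" and the POST body below are constructed for the demo.
use strict;
use warnings;
use DBI;

# Constructed form body: "stuff" contains an apostrophe and a CRLF pair,
# exactly as a browser encodes a textarea submission.
my $body = "title=Day+1&stuff=It%27s+done.%0D%0ANext+line&extra=x";

# URL-decode one form value: '+' becomes space, %XX becomes the byte XX.
# This is the line from the question; it is correct and is not what
# breaks on the apostrophe.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $s;
}

# Parse application/x-www-form-urlencoded into a hash keyed by field name.
sub parse_form {
    my ($buffer) = @_;
    my %form;
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $name  = url_decode($name);
        $value = url_decode($value);
        $value =~ s/\0//g;   # drop NUL bytes after decoding, whatever encoding they arrived in
        $form{$name} = $value;
    }
    return \%form;
}

# Escape the characters that matter inside HTML text and attribute values.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;   # first, so the entities added below are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my $form  = parse_form($body);
my $stuff = $form->{stuff};

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE journal (id INTEGER PRIMARY KEY, stuff TEXT)");

# The placeholder hands the value to the driver separately from the SQL
# text, so the apostrophe can never terminate the literal and no
# s/'/''/g is needed.
my $insert = $dbh->prepare("INSERT INTO journal (stuff) VALUES (?)");
$insert->execute($stuff);

# Read it back. The CRLF pair is still there: the database stored the
# bytes as given; it is the browser that collapses them when rendering.
my ($stored) = $dbh->selectrow_array(
    "SELECT stuff FROM journal ORDER BY id DESC LIMIT 1");
die "round trip changed the text" unless $stored eq $stuff;

# For display: escape first, then turn line breaks into <br>. In the
# other order html_escape would mangle the <br> tags.
my $html = html_escape($stored);
$html =~ s/\r?\n/<br>\n/g;
print "Content-type: text/html\n\n";
print "<p>Stuff: $html</p>\n";
```

The positive-list check ahoffmann recommends still belongs on fields whose format is known (a date, a numeric id); free text like a journal entry cannot be whitelisted that way, which is why the placeholder and the output escaping carry the load here.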
 
chapatti commented:
ahoffmann,

I agree with your solution but you got a few typos in this line:

$html =~ s/</$lt;/g; $html =~ s/>/$gt;/g; $html =~ s/&/$amp;/g; $html =~ s/"/$quot;/g;

...should be (ampersands instead of dollar signs):

$html =~ s/</&lt;/g; $html =~ s/>/&gt;/g; $html =~ s/&/&amp;/g; $html =~ s/"/&quot;/g;

cheers,

chapatti
 
ahoffmann commented:
duuh, thanks for correction
 (typos wouldn't be harmful, just the wrong display;-)
 
archaic0 (Author) commented:
Thanks for the help guys.

Will doing all of that preserve carriage returns to be sent to SQL and display the carriage returns when I recall it?

(...and I'll be giving the points to ahoffmann unless chapatti has a problem with that.)

 
chapatti commented:
oh, no problem at all!
She / he deserves them!
 
archaic0 (Author) commented:
sorry it took so long...I lost track of my questions...
 
ahoffmann commented:
you traced the track, somehow ...
Thanks for coming back and grading.
 
archaic0 (Author) commented:
asdkjf
a;klsdjf
;alksdjf
a;lsdkfj
a;lskdjf
a;klsdfj
;laksdjf
;alsdkfj
'kladsjf
a.sdlkjf
;.adsflkj
