  • Creating these classes requires equipment and service.

  • That costs money.

  • If you appreciate this education, please think about going to EliTheComputerGuy.com and offering a one-time or monthly recurring donation.

  • Welcome back.

  • As you know, I am Eli the Computer Guy, and in today's class I'm going to be showing you how to sanitize your variables when you're sending data from your PHP scripts to your MySQL database tables.

  • So again, we're going to be using an HTML form.

  • That HTML form is going to be handing off the variable values to a PHP script. That PHP script is going to then parse the values, turn them into PHP variables, plug them into a SQL statement and ship that off to the MySQL database server to insert records into that MySQL database table.

  • Now it's important to understand, whenever you're dealing with security in the computer world, that you're going to have to deal with security from multiple fronts. Too many times when people think about security, again, when it comes to technology, they have this idea that one product or one solution secures your system, which is just foolish. Again, when dealing with a computer or dealing with a server, you do not simply install antivirus on your system and sit back.

  • One thing does not secure the system.

  • You have to have antivirus.

  • If it's a client computer, you probably want some anti-spam or anti-malware, anti-spyware software on there. You need to have the firewall on.

  • You need to have the account policies set up properly.

  • Plus, you just need a backup system in case something stupid happens, right?

  • You have multiple ways to secure either your client system or your server system.

  • You don't just use one product. The same is true whenever you're dealing with things like MySQL database servers. Again, a lot of people hyper-focus on one specific attack in order to secure their server, and they ignore the other ways that their systems could be attacked.

  • And, of course, at the end of the day, when something happens, they always say, "I did what I was supposed to do. It's not my problem."

  • Anyways, one of the things we did in the last classes: we did something called a prepared statement. So a prepared statement tries to prevent what are called SQL injection attacks.

  • So the idea with a SQL injection attack is that you try to escape out of the statement that PHP is sending to your MySQL server and then essentially add your own SQL statement.

  • So there's a statement that's supposed to be sent. You try to do something to escape out of that statement and add your own statement, and then you hope that the MySQL database server then reads your statement and actually executes that.

  • So this could be something such as deleting a table. This could be something like adding a record to a table. Or this could be something such as backing up the tables or database to an off-site location. "Oh, I'm just doing some backup. I'm just, you know, off-siting it to someplace these people don't know exists. That's all I'm doing, right?"

  • But one of the things to think about with injection attacks is that beyond an injection attack, again, where you're doing a SQL injection to try to manipulate the server, you can have your users also trying to insert things such as tags or such as other types of code that will be triggered in different ways.

  • So one of the things that I'm going to show you today is basically where we're going to use the same form we've used, like, 10 times now, where there is the name, the age, the gender, and that goes into the students table.

  • One of the things that I'm going to show you how to do is, instead of typing out a normal name like Bob or whatever else, what I'm going to actually do is type in a hyperlink with Bob as the name. I'll type out the entire a href tag, plug that into the normal HTML form, and that will then get plugged into the MySQL database server's table.

  • And then when we do a select statement, basically we print that out onto our web browser screen. You'll see that there's one particular record where the name will actually now be a hyperlink that you can click on, right?

  • So this is one of the problems you can run into, and this is where we have to think about security from all aspects of your system.

  • So if you have users that are going to your site and somebody does something such as plugging in a hyperlink where simply a name should be, you then may have your users click on a hyperlink that goes to a spam site or virus site or something like that. And then you start causing all kinds of problems.

  • What we're going to do today is we're going to be sanitizing, what is called sanitizing, that variable.

  • So we're going to use a function called filter_var.

  • So what this function does is it actually sanitizes variables.

  • So you do filter_var, you do parentheses, you then give the variable that you want to sanitize, you then do a comma, and then you give it what filter you want to basically sanitize that variable based on. So they have a filter for strings. They have a filter for emails. Actually, there are like 20 different filters, and again, this is one of those things to be thinking about: it's not like you just do one filter against the variables. It depends on what type of variable you're supposed to be using.

  • So if it's supposed to be an email address that somebody is submitting, then you could do filter_var, $email or whatever it is, comma, whatever the filter is for the email address. And then basically what the filter will do is it'll rip out everything that isn't supposed to be in an email address.

  • What I'll show you today, using the string filter, is basically, again, I will plug in that a href into the form. We'll actually see how that works as an attack. But then, after that, I will add this filter to our normal PHP code. And what will happen is that this filter will go through and it'll actually rip out all the HTML tags and will simply leave the text that is supposed to be there.

  • So this is what we're talking about when we're talking about sanitizing variables, and that's why it's important when you're dealing with, again, HTML forms, PHP inserting or updating into MySQL database tables.

  • There's no real warning for today. It's more: this is the type of thing that you are going to have to play with.

  • I know, I know. "Oh, Eli, what? You, being a tech professional, are supposed to play and experiment and see what happens? Shocking. I can't believe the advice you give sometimes, Eli." But that's really the case. Again, when you're going through, when you're trying to sanitize the variables with the particular function that I'm showing you today, filter_var, there are many different filters.

  • So what I would suggest is you just create some really nasty variables and then you play and you go out and see what the results are when you send that nasty variable through these different filters, and you figure out what result works best for you. I will also say, again, when you're talking about doing things like sanitizing your variable, that there are other functions you can use to sanitize variables. How you do the sanitization of your variables really depends on what results you need and you expect. Again, that's one of those things you can run into: it's not that there is one way to solve any problem. It is, for your specific situation, you figure it out.

  • Again, do make sure you play with this on test systems.

  • Sanitizing variables is actually frickin' very simple. So if you do it on a production system and you're not really sure what you're doing, you could hose something up really quickly. But that's really all the warning is today: go play with this. See what actually happens. See if the results are acceptable. Try a lot of different experimentations, see what happens, and then you go from there.

  • So with that, let's go to the computer and I'll show you how this works.

  • So here we are, back in my lab environment again.

  • I'm using Ubuntu Desktop 18.04 LTS, but realistically, any version of Ubuntu Desktop should work fine for you.

  • I have this running in a virtual machine in VirtualBox, and of course this is running on my MacBook Pro. In order to create a full LAMP stack here, I used a tool called tasksel, T-A-S-K-S-E-L, that installed Apache, MySQL and PHP.

  • I have not modified any of the default configurations: php.ini, vhost, all of that type of thing are standard out of the box.

  • The only modification that I have done is I did create a PHP folder within the Apache root directory, I guess, as a place to dump these particular PHP scripts and keep it all nice and clean.

  • So that's the environment that we're going to be dealing with today.

  • So the first thing that we need to do, of course, is we need to go and take a look at our MySQL database, make sure we know what's going on with the MySQL database.

  • So I type "terminal", "term", in the search box to get to the command prompt.

  • From here we go into mysql, space, -u bob, space, -p for a password. Password: 123456. Of course, we're using the same database we've been using for all of these projects; we're going to be using classDB. use classDB, and it says we're going into classDB.

  • Then we do show tables, make sure we know what tables we're dealing with. We can see here that basically the table that we're going to be dealing with is the students table.

  • Of course we do desc, D-E-S-C, to describe the students table just to make sure we know what's going on.

  • The students table's columns: this will show us the students table has a student_id that is an int and the primary key, and that's an auto increment. Basically, that's the student ID for all the different students. We have name as text, age as int, gender as text, and we have a uniform field we're not dealing with today that is also text. We do select * from students, semicolon, just to see what the records look like, and we can go and we can see basically we've just got the standard kind of crappy data that we should expect here, right?

  • So we have student ID numbers 23, 24, all the way to 38. We have names Bob, Susan, Patsy, Tom. We have ages. We have genders. Then here we have NULL for the uniforms.

  • So this is what the data in this particular table should look like.

  • So let's go over and take a look at the form. So this is just Mozilla Firefox. This is up; we've just gone to form.html. So this is the HTML form we're using to submit data to the script, and then that script will input that data into this particular table.

  • So if we go here, we can just say, let's say, Freddy for a name, we could do an age of 32, we can make Freddy be a boy, and we do Submit Query. So: added Freddy, 32, boy.

  • I have created a little PHP script that will actually print out a select statement to the screen. So if I do a refresh, you go here, and again we see the same information that we see in the MySQL database table. That's where you can see for record 39 we have Freddy and we have boy there.

  • If you go back here, again, select all from students, we can see Freddy, 32, boy.

  • So basically we can see all of this information is getting inputted. We can pull this out again. This is like a web form, this is a report form, or we can go back into the MySQL database server, actually do a select all for the table and see all the information there.

  • So let's see what this kind of insertion attack looks like and what we're trying to prevent.

  • So we go over to gedit. I can open this up, and basically, just to make my life easier, I have created this hyperlink for the name Bob.

  • So we can see here it's a href equals, double quotation marks, http:// and all that, www.cnn.com, close. Then it will show Bob. Then it will close the hyperlink.

  • And so what I can do is I can simply do Ctrl+C. So basically, I can copy this. I can come over back to the same form that I was using before, and I could just copy and paste this. Oops, back. Copy, paste this in, and there again.

  • So I copy-paste that in, let's change the age here to 11, and let's change this to girl, and then we can Submit Query.

  • And so the first problem that you're going to see here is now we can see "added", we can see 11, we can see girl. But if we put our little cursor over this, we can now see that this is actually a link.

  • We go over here again. This is just printing out the select statement to the screen. I do a refresh, and what I can now see is that for record 40, Bob is a girl, but Bob is now a hyperlink. See how none of these are hyperlinks? This is the hyperlink. And if I click on this, it will send somebody over to CNN.com.

  • Now, yes, is that so horrible? But like I say, this actually is an insertion, and this actually works.

  • And so imagine. Imagine if you have people inserting their names again into something like a forum, into some kind of system where other people are going to be looking at it. If there is a hyperlink over their name or over some other object, you're going to get a certain number of people clicking that hyperlink. And again, if it's a corporate environment, that may be going to a virus, spyware, hacking tools, all kinds of problems.

  • So the way that we deal with this is that we use the function called filter_var. Right.

  • So we go over here, we take a look at the PHP form as it stands now.

  • So this is form.html. So form.html is this form here, right? And so, as you can see, it's a normal form, so form action equals phpform.php. So the information that's gathered from this form will be sent to phpform.php.

  • We have name, it's a text, name is name. Age is a text, name is age. Gender is gender, and then you get either nothing, you get boy or girl.

  • And so this all gets tossed over to phpform.php. From here, what happens is you get the post name, right, is turned into the PHP variable $name, the post age is turned into the PHP variable $age, and the post gender is turned into the variable $gender. Again, so this name, age, gender here, right, comes from name, age and gender. So whatever you name these fields here, that's where you grab from the post.

  • Then past that, again, we have no security in here. We have no sanitization. So we connect to the server like we normally do. We create the actual connection like we normally do. If there's a problem with the connection, we fail like we normally do!

  • And then simply from here we have a SQL statement that says insert into students (name, age, gender) and you have values name, age and gender, right?

  • So basically, if it's text in your MySQL database and you submit text, then it's simply going to be inserted, whether that text is just the name or that text is a full hyperlink or who the hell knows what else. It will just get inserted. Again, you can have JavaScript get inserted. You can have all kinds of stuff get inserted, right?

  • And then, from here, basically connection query. If this is actually true, if the SQL statement actually runs, the data, the record, is created. Then it simply prints out what was added: so the name, the age and the gender. If not, errors. And connection closes.

  • So basically, what you can see here is this literally just takes whatever the hell comes in from the HTML form. So if it's text, it just grabs that text, turns it into a variable, and then it inserts it into the MySQL database and nobody asks any questions.

  • So what we want to do is we want to grab this little thing here, so we're going to do Ctrl+C. We're going to go back up here, and we're going to add this here too. Then we sanitize our variable.

  • So here we have $name, so $name equals whatever comes in from the post named "name". So what we're going to do here is we're just going to basically say that the value of name, we're going to give it a new value, and what we're going to do is we're going to use this function.
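The change the video is working toward, written out as an added example that is not the video's own phpform.php: the three fields from form.html are cleaned before they reach the INSERT, with `$_POST` replaced by a constructed array that carries the same `<a href>` name used above, and the mysqli prepared statement from the earlier class kept as the insert step. FILTER_SANITIZE_STRING, the filter the video uses, is deprecated as of PHP 8.1, so the code falls back to strip_tags() on newer versions; the column names and the mysqli connection are assumed to match the video's setup.

```php
<?php
// Added example, not the video's script. Constructed input standing in for
// $_POST from form.html; the name is the hyperlink attack shown in the video.
$post = [
    'name'   => '<a href="http://www.cnn.com">Bob</a>',
    'age'    => '11',
    'gender' => 'girl',
];

// Clean the three fields of the students table. Each field gets the filter
// that matches its column type rather than one filter for everything.
function sanitizeStudent(array $post): array
{
    $rawName = (string) ($post['name'] ?? '');
    // The video uses FILTER_SANITIZE_STRING; it is deprecated in PHP 8.1, so
    // on newer versions strip_tags() does the same tag removal.
    $name = PHP_VERSION_ID < 80100
        ? filter_var($rawName, FILTER_SANITIZE_STRING)
        : strip_tags($rawName);

    // age is an INT column: validate it, and get false (not a string) on bad input.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);

    // gender is one of two radio values: allow-list them, reject anything else.
    $gender = $post['gender'] ?? '';
    if (!in_array($gender, ['boy', 'girl'], true)) {
        $gender = false;
    }
    return ['name' => trim($name), 'age' => $age, 'gender' => $gender];
}

// Insert with the prepared statement from the earlier class. The caller
// supplies the mysqli connection it already opens (assumed, not shown here).
function insertStudent(mysqli $db, array $s): bool
{
    $stmt = $db->prepare('INSERT INTO students (name, age, gender) VALUES (?, ?, ?)');
    $stmt->bind_param('sis', $s['name'], $s['age'], $s['gender']);
    return $stmt->execute();
}

$clean = sanitizeStudent($post);
if ($clean['name'] === '' || $clean['age'] === false || $clean['gender'] === false) {
    exit("Rejected: bad name, age or gender\n");
}
// Without a database connection the example stops here and dumps the cleaned
// values; with one, insertStudent($db, $clean) is the next line.
var_dump($clean);
```

Cleaning on the way in is one layer; the script that prints the select statement should still pass each value through htmlspecialchars() when it echoes it, since data can reach the table by routes other than this form.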