
Is a website search coded with PHP (with a .txt file as the index file) vulnerable to any attacks (like SQL Injection & XSS)?

I have a website search coded with PHP. It is essentially a PHP-AJAX search which gets triggered on the onkeyup event of the search input field. The onkeyup triggers an AJAX call to a PHP file which reads the indexes-file.txt file containing the indexes, using PHP's file() function.

However, here I am not dealing with a database, so I think that there is no chance of SQL injection or an XSS attack (correct me if I am wrong).

Also, I know about the mysqli_real_escape_string() and htmlentities() functions, their importance, and their use cases. What I am trying to find out is whether this particular PHP-AJAX method is vulnerable or not.

Further, does any other type of vulnerability exist in this type of case, apart from server-side vulnerabilities?

The onkeyup function is:

function results(str) {
  var search_term = $("#search")
    .val()
    .trim();

  if (search_term == "") {
    // ...
  } else {
    $.ajax({
      url: "websearch.php",
      type: "post",
      data: {
        string: search_term
      },
      dataType: "json",
      success: function(returnData) {
        for (var i in returnData) {
          for (var j in returnData[i]) {
            $('#results').append('<div><a target="_blank" href="' + returnData[i][j] + '">' + Object.keys(returnData[i]) + '</a></div>');
          }
        }
      }
    });
  }
}

The indexes-file.txt contains:

books*books.php  
newspaper*newspaper.php  
download manual*manual.php  
...

and my websearch.php file contains:

<?php
    error_reporting(0);
    $indexes = 'indexes-file.txt';
    $index_array = file($indexes, FILE_IGNORE_NEW_LINES);

    // Lookup array: one single-element array (label => link) per index line.
    $l_arr = array();

    foreach($index_array as $st) {
        $section = explode('*', $st);
        if (count($section) < 2) {
            continue; // skip malformed lines without a '*' separator
        }
        $k = $section[0];
        $kklink = $section[1];
        $l_arr[] = array($k => $kklink);
    }

    //Get the search term from "string" POST variable.
    $var1 = isset($_POST['string']) ? trim($_POST['string']) : '';

    $webresults = array();

    //Loop through our lookup array.

    foreach($l_arr as $kk){
        //If the search term is present (case-insensitive) in the label.
        if(stristr(key($kk), $var1)){
            //Add it to the results array.
            foreach($kk as $value) {
                $webresults[] = array(key($kk) => $value);
            }
        }
    }

    //Display the results in JSON format so to parse it with JavaScript.
    echo json_encode($webresults);
?>

If you are not dealing with a database it may not be vulnerable to SQL injection, but it's probably vulnerable to XSS. To prevent XSS and script execution you should use:

Prevent XSS

PHP htmlentities() Function

Basic example of filtering the inputs:

<?php 

echo '<script>alert("vulnerable");</script>'; //vulnerable to xss
?>

Filtering the inputs with htmlentities():

<?php 
$input = '<script>alert("vulnerable");</script>';
echo  htmlentities($input); //not vulnerable to external input code injection scripts
?>

So it prevents script and HTML tag injection from executing on the site. Read more here.

For databases you should use PDO with prepared statements.

Prevent SQL injection

Use PDO correctly. Setting up the connection: note that when using PDO to access a MySQL database, real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:

$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

Read more here.

Fixing your code

<?php
    error_reporting(0);
    $indexes = 'indexes-file.txt';
    $index_array = file($indexes, FILE_IGNORE_NEW_LINES);

    // Lookup array: one single-element array (label => link) per index line.
    $l_arr = array();

    foreach($index_array as $st) {
        $section = explode('*', $st);
        if (count($section) < 2) {
            continue; // skip malformed lines without a '*' separator
        }
        $k = $section[0];
        $kklink = $section[1];
        $l_arr[] = array($k => $kklink);
    }

    //Get the search term from "string" POST variable.
    $var1 = isset($_POST['string']) ? trim($_POST['string']) : '';

    $webresults = array();

    //Loop through our lookup array.

    foreach($l_arr as $kk){
        //If the search term is present (case-insensitive) in the label.
        if(stristr(key($kk), $var1)){
            //Add it to the results array.
            foreach($kk as $value) {
                $webresults[] = array(key($kk) => $value);
            }
        }
    }

    //Display the results in JSON format so to parse it with JavaScript.
    echo htmlentities(json_encode($webresults));
    //fixed

?>

Every time you echo something from the outside, use htmlentities:

echo htmlentities(json_encode($webresults));

Your array problem: I tested with a demo JSON string and it's working fine.

<?php 
$webresults = 
'
{  "aliceblue": "#f0f8ff",
  "antiquewhite": "#faebd7",
  "aqua": "#00ffff",
  "aquamarine": "#7fffd4",
  "azure": "#f0ffff",
  "beige": "#f5f5dc",
  "bisque": "#ffe4c4",
  "black": "#000000",

}';

echo htmlentities(json_encode($webresults));

 ?>

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM