
I have a script which gathers information from the users, validates it and sends it onwards to insert into a DB.

To avoid any nasty problems, I always run "htmlspecialchars" and "addslashes" on each of the form fields.

Today I looked in my error log and found the following error:

Unknown: open(/tmp/sess_574af1197644f6c4019d664d71ea5f9e, O_RDWR) failed: Permission denied (13)

This error is being generated in the file that processes the form. Apparently, somebody tried to 'hack' into my application. What I'm struggling with is how to prevent this. Luckily my server access level was set up in the correct way, but otherwise we would have an issue.

How/what do I need to change in my form validation to capture these kinds of hacks on the front end and not at the server access level?

<?php
session_start();
include ($_SERVER['DOCUMENT_ROOT'].'/inc/config.inc.php');

// Array keys must be quoted strings; a bare word like leverancier is read as a constant
if (!empty($_POST['leverancier'])) { $lid = CheckNumericGet($_POST['leverancier']); }

// Handle the submit
//
if (isset($_POST['a']) && $_POST['a'] == 'ervaring') {
    $naam = CheckStringGet($_POST['naam']);
    $ervaring = CheckStringGet($_POST['ervaring']);
    $email = CheckStringGet($_POST['email']);
    $twitter_naam = CheckStringGet($_POST['twitter_naam']);

    // Strip a leading @ from the Twitter name
    //
    if (substr($twitter_naam, 0, 1) == '@') {
        $twitter_naam = substr($twitter_naam, 1);
    }

    include ($_SERVER['DOCUMENT_ROOT'].'/inc/functies_mail.inc.php');
    $cont = "yes";
    $msg = array();

    // $rating_foto, $rating_service, $besteld, $datum, $foto, $canvas, $album and
    // $akkoord are not assigned anywhere in this excerpt.
    // Logical OR is ||; the original used the bitwise | operator here.
    if ($naam == '' || $ervaring == '' || $email == '' || $rating_foto == '' || $rating_service == '' || $besteld == 0) {
        $cont = "no";
        $msg[][1] = "Helaas, niet alle verplichte velden zijn ingevuld. Probeer het nogmaals.";
    }

    if (!CheckEmail($email)) {
        $cont = "no";
        $msg[][1] = "Het ingevulde email adres is niet correct";
    }

    # If all fields are filled in
    if ($cont == 'yes') {
        $server = gethostbyaddr($_SERVER['REMOTE_ADDR']);

        // Store the review in the database
        //
        // The values are interpolated straight into the SQL text; whether that is
        // safe depends entirely on what CheckStringGet/CheckNumericGet do.
        $query = "INSERT INTO
            ". $tabel_ervaring ." (lid, naam, email, foto_score, service_score, ervaring, datum, foto, canvas, album, actief, twitter_naam, lev_akkoord)
            VALUES
                ($lid, '$naam', '$email', $rating_foto, $rating_service, '$ervaring', '$datum', '$foto', '$canvas', '$album', '0', '$twitter_naam', '$akkoord')";
        $result = mysql_query($query) or die(mysql_fout($query, $PHP_SELF));

        $ervaring_id = mysql_insert_id();

        $message = "";
        $subject = "Ervaring Fotovergelijk.nl: ";
        mail("xxx@xxx", "$subject", $message, htmlemailheaders($email));
    }
    $_SESSION['message'] = $msg;

}

Comments

  • Based on the error it looks more like there was an error accessing the data your app stores in the session, not a hack attempt. You should provide your form's code or it will be hard to say anything for sure. Commented Feb 18, 2012 at 13:33
  • Unless I'm missing something, $_POST[leverancier] should be $_POST['leverancier']; otherwise PHP will try to interpret leverancier as a constant. Same goes for your other $_POST variables. Commented Feb 18, 2012 at 14:59

2 Answers

Looks more like PHP failed to open the session file due to a permission error (Shared hosting with multiple sites running as different users + session collision). Doesn't look like a hack attempt.

However, you shouldn't use addslashes in security sensitive contexts (as stated on the manual page). Make sure you use prepared statements (Using PDO or mysqli... The use of the mysql extension is discouraged by Zend) with bound parameters instead.


To avoid any nasty problems, I always run "htmlspecialchars" and "addslashes" on each of the form fields.

This is the most amusing part. Sounds like "I always use condoms and a safety belt to avoid nasty problems".
Neither "addslashes" nor "htmlspecialchars" can do any good if used as general-purpose safety routines. Each has to be used for its particular purpose.

Apparently, somebody tried to 'hack' into my application.

The only thing one could say is that your server is just misconfigured. However, if it is not a permanent problem but a random one, the issue can be more complex (and require deeper investigation).

what do I need to change on my form validation

That is a somewhat funny question. We do not know your form validation, so we apparently cannot tell what to change.
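Both answers make the same point from different angles: bind parameters for the database, and apply htmlspecialchars only where text is placed into HTML. The following is an added example (not code from the question or either answer) that reworks the asker's INSERT with PDO; the DSN, credentials and the table name `ervaring` are placeholders/assumptions, and the `Ongeldige leverancier` message is constructed.

```php
<?php
// Added example, not code from the question or either answer: the page's INSERT
// done with PDO prepared statements, and htmlspecialchars applied only at output.
// The DSN, credentials and the table name 'ervaring' are placeholders/assumptions.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
);

// Validate the input here; do not mangle it with addslashes/htmlspecialchars on the way in.
$naam         = trim($_POST['naam'] ?? '');
$email        = trim($_POST['email'] ?? '');
$ervaring     = trim($_POST['ervaring'] ?? '');
$twitter_naam = ltrim(trim($_POST['twitter_naam'] ?? ''), '@');
$lid          = filter_var($_POST['leverancier'] ?? '', FILTER_VALIDATE_INT);

$errors = [];
if ($naam === '' || $ervaring === '' || $email === '') {
    $errors[] = 'Helaas, niet alle verplichte velden zijn ingevuld. Probeer het nogmaals.';
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Het ingevulde email adres is niet correct';
}
if ($lid === false) {
    $errors[] = 'Ongeldige leverancier';   // constructed message
}

if (!$errors) {
    // Bound parameters keep the data out of the SQL text, so a quote in
    // $ervaring is stored as a quote and can never alter the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO ervaring (lid, naam, email, ervaring, twitter_naam, actief)
         VALUES (:lid, :naam, :email, :ervaring, :twitter_naam, 0)'
    );
    $stmt->bindValue(':lid', $lid, PDO::PARAM_INT);
    $stmt->bindValue(':naam', $naam);
    $stmt->bindValue(':email', $email);
    $stmt->bindValue(':ervaring', $ervaring);
    $stmt->bindValue(':twitter_naam', $twitter_naam);
    $stmt->execute();
    $ervaring_id = (int) $pdo->lastInsertId();
}
// htmlspecialchars belongs here, at the point where text is placed into HTML.
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

With `ATTR_EMULATE_PREPARES` off, MySQL receives the statement and the values separately, which is what makes the binding effective regardless of the connection's character set.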
