Reputation: 255
I have a script which gathers information from the users, validates it and sends it onwards to insert into a DB.
To avoid any nasty problems, on each of the form fields I always run "htmlspecialchars" and "addslashes".
Today I looked in my error log and found the following error:
Unknown: open(/tmp/sess_574af1197644f6c4019d664d71ea5f9e, O_RDWR) failed: Permission denied (13)
This error is being generated in the file that processes the form. Apparently, somebody tried to 'hack' into my application. What I'm struggling with is how to prevent this. Luckily my server access level was set up in the correct way, but otherwise we would have an issue.
How/what do I need to change in my form validation to capture this kind of hack on the front end and not at the server access level?
<?php
session_start();
include ($_SERVER['DOCUMENT_ROOT'].'/inc/config.inc.php');

// Array keys have to be quoted: a bare key such as $_POST[leverancier] is an undefined constant
if (!empty($_POST['leverancier'])) { $lid = CheckNumericGet($_POST['leverancier']); }

// Handle the submit
//
if (isset($_POST['a']) && $_POST['a'] == 'ervaring') {
    $msg = array();
    $naam         = CheckStringGet($_POST['naam']);
    $ervaring     = CheckStringGet($_POST['ervaring']);
    $email        = CheckStringGet($_POST['email']);
    $twitter_naam = CheckStringGet($_POST['twitter_naam']);

    // Strip a leading @ from the Twitter name
    //
    if (substr($twitter_naam, 0, 1) == '@') {
        $twitter_naam = substr($twitter_naam, 1);
    }

    include ($_SERVER['DOCUMENT_ROOT'].'/inc/functies_mail.inc.php');

    // $rating_foto, $rating_service, $besteld, $datum, $foto, $canvas, $album and
    // $akkoord are set in code that is not part of the posted snippet
    $cont = "yes";
    // Logical OR (||), not the bitwise | used originally
    if ($naam == '' || $ervaring == '' || $email == '' || $rating_foto == '' || $rating_service == '' || $besteld == 0) {
        $cont = "no";
        $msg[][1] = "Helaas, niet alle verplichte velden zijn ingevuld. Probeer het nogmaals.";
    }
    if (!CheckEmail($email)) {
        $cont = "no";
        $msg[][1] = "Het ingevulde email adres is niet correct";
    }

    # If all fields are filled in
    if ($cont == 'yes') {
        $server = gethostbyaddr($_SERVER['REMOTE_ADDR']);

        // Store the experience in the database
        // (the values are interpolated straight into the SQL string)
        //
        $query = "INSERT INTO
                  ". $tabel_ervaring ." (lid, naam, email, foto_score, service_score, ervaring, datum, foto, canvas, album, actief, twitter_naam, lev_akkoord)
                  VALUES
                  ($lid, '$naam', '$email', $rating_foto, $rating_service, '$ervaring', '$datum', '$foto', '$canvas', '$album', '0', '$twitter_naam', '$akkoord')";
        $result = mysql_query($query) or die(mysql_fout($query, $_SERVER['PHP_SELF']));
        $ervaring_id = mysql_insert_id();

        $message = "";
        $subject = "Ervaring Fotovergelijk.nl: ";
        mail("xxx@xxx", "$subject", $message, htmlemailheaders($email));
    }
    $_SESSION['message'] = $msg;
}
Upvotes: 1
Views: 704
Reputation: 158007
To avoid any nasty problems, on each of the form fields I always run "htmlspecialchars" and "addslashes".
This is the most amusing part. Sounds like "I always use condoms and a safety belt to avoid nasty problems".
Neither "addslashes" nor "htmlspecialchars" can do any good if used as general-purpose safety routines. Each has to be used for its particular purpose.
Apparently, somebody tried to 'hack' into my application.
The only thing one could say is that your server is just misconfigured. However, if it is not a permanent problem but a random one, the issue can be more complex (and require a deeper investigation).
what do I need to change in my form validation
That is a somewhat funny question. We do not know your form validation, so we apparently cannot tell what to change.
Upvotes: 2
Reputation: 95454
Looks more like PHP failed to open the session file due to a permission error (shared hosting with multiple sites running as different users + session collision). Doesn't look like a hack attempt.
However, you shouldn't use addslashes in security-sensitive contexts (as stated on the manual page). Make sure you use prepared statements (using PDO or mysqli; the use of the mysql extension is discouraged by Zend) with bound parameters instead.
Upvotes: 3
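The prepared-statement approach this answer recommends, applied to the question's INSERT. This is an added example, not the asker's or the answerer's code; it assumes a constructed, reduced `ervaring` table in an in-memory SQLite database so it runs offline, and the binding pattern is the same against MySQL (only the DSN and credentials change).

```php
<?php
// Added example (not code from the question or the answer): the question's
// INSERT rewritten with PDO prepared statements. Uses an in-memory SQLite
// table, constructed and reduced to a few columns, so it runs without a
// MySQL server; against MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL this makes PDO use real server-side prepares instead of
// client-side quoting; SQLite ignores the setting.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE ervaring (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    lid INTEGER NOT NULL, naam TEXT NOT NULL, email TEXT NOT NULL,
    ervaring TEXT NOT NULL, twitter_naam TEXT, actief INTEGER NOT NULL DEFAULT 0)');

// User input travels as bound parameters, never as part of the SQL text,
// so no addslashes/escaping step is needed. Returns the new row id.
function insert_ervaring(PDO $pdo, int $lid, string $naam, string $email,
                         string $ervaring, string $twitter_naam): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO ervaring (lid, naam, email, ervaring, twitter_naam, actief)
         VALUES (:lid, :naam, :email, :ervaring, :twitter, 0)');
    $stmt->bindValue(':lid', $lid, PDO::PARAM_INT);
    $stmt->bindValue(':naam', $naam, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':ervaring', $ervaring, PDO::PARAM_STR);
    // Same leading-@ stripping as the question's code
    $stmt->bindValue(':twitter', ltrim($twitter_naam, '@'), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample input full of quote characters, a semicolon and "--".
// Interpolated into a query string as in the question, this would break the
// statement; as a bound parameter it is stored verbatim as plain text.
$id = insert_ervaring($pdo, 42, "D'Angelo", 'test@example.com',
    "Great photos, but 'delivery' was slow; 100% recommended -- really", '@someone');

$check = $pdo->prepare('SELECT naam, ervaring, twitter_naam FROM ervaring WHERE id = :id');
$check->bindValue(':id', $id, PDO::PARAM_INT);
$check->execute();
$row = $check->fetch(PDO::FETCH_ASSOC);
printf("stored naam=%s twitter=%s\n", $row['naam'], $row['twitter_naam']);
printf("stored ervaring=%s\n", $row['ervaring']);
printf("rows=%d\n", $pdo->query('SELECT COUNT(*) FROM ervaring')->fetchColumn());
```

Note that the numeric fields the question passes unquoted (`$lid`, the two scores) are bound with `PDO::PARAM_INT` here, so the `CheckNumericGet` call remains useful for validation but is no longer what stands between the input and the query.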