Tags: php, security, xss, sql-injection

Is a website search coded in PHP (with a .txt file as the index file) vulnerable to any attacks (like SQL injection and XSS)?


I have a website search coded in PHP. It is essentially a PHP-AJAX search which gets triggered on the onkeyup event of the search input field. The onkeyup triggers an AJAX call to a PHP file which reads the indexes-file.txt file containing the indexes, using PHP's file() function.

However, here I am not dealing with a database, so I think that there is no chance of SQL injection or an XSS attack (correct me if I am wrong).

Also, I know about the mysqli_real_escape_string() and htmlentities() functions, their importance, and their use cases. What I am trying to find out is whether this particular PHP-AJAX method is vulnerable or not.

Further, does any other type of vulnerability exist in this type of case, apart from server-side vulnerabilities?

The onkeyup function is:

function results(str) {
  // Read and trim the current search term.
  var search_term = $("#search")
    .val()
    .trim();

  if (search_term == "") {
    // ...
  } else {
    // POST the term to websearch.php and expect a JSON array back.
    $.ajax({
      url: "websearch.php",
      type: "post",
      data: {
        string: search_term
      },
      dataType: "json",
      success: function(returnData) {
        // Each entry is {label: link}; build one link per entry.
        for (var i in returnData) {
          for (var j in returnData[i]) {
            $('#results').append('<div><a target="_blank" href="' + returnData[i][j] + '">' + Object.keys(returnData[i]) + '</a></div>');
          }
        }
      }
    });
  }
}

The indexes-file.txt contains:

books*books.php
newspaper*newspaper.php
download manual*manual.php
...

And my websearch.php file contains:

<?php
    error_reporting(0);
    $indexes = 'indexes-file.txt';
    // One "label*link" entry per line.
    $index_array = file($indexes, FILE_IGNORE_NEW_LINES);

    // Build a lookup array of array(label => link) pairs.
    $l_arr = array();
    foreach($index_array as $st) {
        $section = explode('*', $st);
        $k = $section[0];
        $kklink = $section[1];
        $l_arr[] = array($k => $kklink);
    }

    //Get the search term from "string" POST variable.
    $var1 = isset($_POST['string']) ? trim($_POST['string']) : '';

    $webresults = array();

    //Loop through our lookup array.
    foreach($l_arr as $kk){
        //If the search term is present (case-insensitive) in the label.
        if(stristr(key($kk), $var1)){
            //Add it to the results array.
            foreach($kk as $value) {
                $webresults[] = array(key($kk) => $value);
            }
        }
    }

    //Display the results in JSON format so to parse it with JavaScript.
    echo json_encode($webresults);
?>

Solution

  • If you are not dealing with a database it may not be vulnerable to SQL injection, but it's probably vulnerable to XSS. To prevent XSS and script execution you should use:

    Prevent XSS

    PHP htmlentities() Function

    Basic example of filtering the inputs

    <?php 
    
    echo '<script>alert("vulnerable");</script>'; //vulnerable to xss
    ?>
    

    Filtering the inputs with htmlentities()

    <?php
    $input = '<script>alert("vulnerable");</script>';
    echo htmlentities($input); //not vulnerable to external input code injection scripts
    ?>
    

    So it prevents script and HTML tag injection from executing on the site. Read more here.

    For a database you should use PDO with prepared statements.

    Prevent SQL injection

    Use PDO correctly. Setting up the connection: note that when using PDO to access a MySQL database, real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:

    $dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'password');
    
    $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    

    Read more here.

    Fixing your code

    <?php
        error_reporting(0);
        $indexes = 'indexes-file.txt';
        // One "label*link" entry per line.
        $index_array = file($indexes, FILE_IGNORE_NEW_LINES);

        // Build a lookup array of array(label => link) pairs.
        $l_arr = array();
        foreach($index_array as $st) {
            $section = explode('*', $st);
            $k = $section[0];
            $kklink = $section[1];
            $l_arr[] = array($k => $kklink);
        }

        //Get the search term from "string" POST variable.
        $var1 = isset($_POST['string']) ? trim($_POST['string']) : '';

        $webresults = array();

        //Loop through our lookup array.
        foreach($l_arr as $kk){
            //If the search term is present (case-insensitive) in the label.
            if(stristr(key($kk), $var1)){
                //Add it to the results array.
                foreach($kk as $value) {
                    $webresults[] = array(key($kk) => $value);
                }
            }
        }

        //Display the results in JSON format so to parse it with JavaScript.
        echo htmlentities(json_encode($webresults));
        //fixed
    ?>
    

    Every time you echo something from the outside, use htmlentities():

    echo htmlentities(json_encode($webresults));
    

    Your array problem: I tested with a demo JSON string and it's working fine.

    <?php
    // Demo: the JSON text is a plain string here, so json_encode() encodes it as one string value.
    $webresults = '{
      "aliceblue": "#f0f8ff",
      "antiquewhite": "#faebd7",
      "aqua": "#00ffff",
      "aquamarine": "#7fffd4",
      "azure": "#f0ffff",
      "beige": "#f5f5dc",
      "bisque": "#ffe4c4",
      "black": "#000000"
    }';

    echo htmlentities(json_encode($webresults));
    ?>
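The success handler in the question builds HTML by string concatenation, and the answer entity-encodes the JSON body on the server; the encoding a practitioner wants depends on the sink, so the added example below (not code from the question or the answer) keeps the JSON body plain and applies HTML escaping plus a link-target check in the client, where the data enters the DOM, and also checks what HTML entity encoding does to a JSON body. The sample response and the names escapeHtml, safeHref, renderResults and parsesAsJson are assumptions.

```javascript
// Added example (not from the question or the answer). websearch.php returns
// JSON, so the encoding has to fit the sink: the JSON body stays plain JSON on
// the wire; HTML escaping and link validation happen in the success handler.

// Escape a value for an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The index file holds relative targets such as "books.php". Reject
// protocol-relative links and any scheme other than http(s), so a
// "javascript:" entry in the index file can never become an executable href.
function safeHref(href) {
  const h = String(href).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(h);
  if (h.startsWith("//") || (hasScheme && !/^https?:\/\//i.test(h))) return "#";
  return h;
}

// Build the result list for the shape websearch.php emits:
// [{"books": "books.php"}, {"newspaper": "newspaper.php"}]
// In the page this replaces the append(): $('#results').html(renderResults(returnData));
function renderResults(returnData) {
  let html = "";
  for (const entry of returnData) {
    for (const [label, link] of Object.entries(entry)) {
      html += '<div><a target="_blank" rel="noopener" href="' +
        escapeHtml(safeHref(link)) + '">' + escapeHtml(label) + '</a></div>';
    }
  }
  return html;
}

// Whether a response body is still parseable JSON, which a jQuery call with
// dataType: "json" requires. HTML entity encoding turns every '"' into
// '&quot;', so an entity-encoded JSON body no longer parses.
function parsesAsJson(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

// Constructed sample response: one normal entry and one entry whose label
// and link would be interpreted as markup/script if inserted unescaped.
const SAMPLE_RESPONSE = [
  { "books": "books.php" },
  { "<script>alert(1)</script>": "javascript:alert(1)" },
];
```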