SQL injections from remote file


I have a file, "submit.php", which writes a series of values submitted from a previous form in "choose-product.php" to a MySQL database. I've used mysql_real_escape_string as suggested in a previous question here, but I've noticed that if I upload my "choose-product.php" file to a separate server and change the opening of the form to

<form name="form" id="form" action="http://www.myserver.com/submit.php" method="post">

this will also write a series of values to the database. Obviously this is very bad! Now, I know there will be a way to rectify this, but as this is my first time writing such code, I'm a bit stumped.

Here's the full code for submit.php:

<?php
include("db.php");   // opens the MySQL connection used by mysql_query() below

// Builds a 12-character key: 7 lowercase, 1 uppercase, 3 digits, 1 symbol, then shuffled.
function random_string() {
    $character_set_array = array();
    $character_set_array[] = array('count' => 7, 'characters' => 'abcdefghijklmnopqrstuvwxyz');
    $character_set_array[] = array('count' => 1, 'characters' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ');
    $character_set_array[] = array('count' => 3, 'characters' => '0123456789');
    $character_set_array[] = array('count' => 1, 'characters' => '!@#$*&:');
    $temp_array = array();
    foreach ($character_set_array as $character_set) {
        for ($i = 0; $i < $character_set['count']; $i++) {
            $temp_array[] = $character_set['characters'][rand(0, strlen($character_set['characters']) - 1)];
        }
    }
    shuffle($temp_array);
    return implode('', $temp_array);
}

$key = random_string();

if($_SERVER["REQUEST_METHOD"] == "POST") {
    // Escape the submitted product id before embedding it in the query string.
    $productid = mysql_real_escape_string($_POST['productid']);
    mysql_query("INSERT INTO sales VALUES('','$productid','$key',CURRENT_TIMESTAMP,'','active')");
    // Render the checkout form; the download URL carries the generated key.
    echo "
    <form action='XYZ' id='BB_BuyButtonForm' method='post' name='BB_BuyButtonForm' target='_top'>
        <input name='item_name_1' type='hidden' value='Test item 1'/>
        <input name='item_description_1' type='hidden' value='Testing item sales'/>
        <input name='item_quantity_1' type='hidden' value='1'/>
        <input name='item_price_1' type='hidden' value='0.5'/>
        <input name='item_currency_1' type='hidden' value='GBP'/>
        <input name='shopping-cart.items.item-1.digital-content.url' type='hidden' value='http://www.XYZ.com/download.php?key=$key'/>
        <input name='_charset_' type='hidden' value='utf-8'/>
        <input alt='' src='XYZ' type='image'/>
    </form>
    ";
}
?>

There are 2 best solutions below


Welcome to the HTTP protocol.

http://www.myserver.com/submit.php can be called by anyone, at any time. The form that calls it can be on any other web page. Or the user may not actually call it from a form at all, but may use a command line tool to submit data. This tool could claim to be a web browser and you would not know.

I'm guessing from your Q:

Are you relying on choose-product.php to provide some kind of security for submit.php?

You can't.

You must do all checks for security on submit.php, even if you've just done them for choose-product.php 5 seconds ago.
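A submit.php that follows this advice, as an added example that is not the asker's code or the answerer's: every check runs server-side on submit.php itself, the product id is validated against the database, the INSERT uses bound parameters, and a session-bound token proves the request came through the site's own form. Assumed: db.php provides a PDO object named $pdo, a `products` table with a numeric `id` column, the `sales` column names shown, and that choose-product.php stored `bin2hex(random_bytes(16))` in $_SESSION['form_token'] and echoed it in a hidden input named `token`.

```php
<?php
// Added example, not the asker's code: a submit.php that does every check
// server-side, as the answer advises. Assumed: db.php provides a PDO object
// $pdo; a `products` table with a numeric `id` column; choose-product.php stored
// a random token in $_SESSION['form_token'] and echoed it in <input name="token">.
session_start();
require "db.php";

function valid_token(array $post, array &$session): bool {
    // The token must be present, match the session copy (constant time), and be single use.
    if (empty($post['token']) || empty($session['form_token'])) {
        return false;
    }
    $ok = hash_equals($session['form_token'], (string) $post['token']);
    unset($session['form_token']);   // consumed whether or not it matched
    return $ok;
}

function product_exists(PDO $pdo, string $productid): bool {
    // Validate the submitted id against the database instead of trusting the form.
    $stmt = $pdo->prepare("SELECT 1 FROM products WHERE id = ?");
    $stmt->execute([$productid]);
    return $stmt->fetchColumn() !== false;
}

function random_key(): string {
    return bin2hex(random_bytes(12));   // CSPRNG, 24 hex characters
}

if ($_SERVER["REQUEST_METHOD"] !== "POST") {
    http_response_code(405);
    exit;
}
if (!valid_token($_POST, $_SESSION)) {
    http_response_code(403);
    exit("Invalid or missing form token.");
}
$productid = (string) ($_POST['productid'] ?? '');
if (!ctype_digit($productid) || !product_exists($pdo, $productid)) {
    http_response_code(400);
    exit("Unknown product.");
}
$key = random_key();
// Bound parameters: submitted values can never alter the SQL statement.
// Column names are assumed; the asker's table layout is not shown.
$stmt = $pdo->prepare("INSERT INTO sales (productid, `key`, created, status)
                       VALUES (?, ?, CURRENT_TIMESTAMP, 'active')");
$stmt->execute([$productid, $key]);
echo "Download key: " . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
```

A form hosted elsewhere cannot obtain a token from this visitor's session, so its POST is rejected before anything is written, and even a request that passes the token check can only insert a product id that exists.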


This isn't an injection issue. Your PHP script has to have, somewhere, the location, username, and password for your database. Unless your database is configured specifically to not allow it, anyone with that info (such as your script here) can use it to make changes.

It is common, and easy, to restrict access to your local host. I am googling how to do that now.