tinker

Posts
  1. Okay dokey, better example time... There's a little bloat for managing the db. Whilst looking through the strip_tags docs I came across the strip_tags_content() function, as seen being used when outputting.

         <html><head></head><body>
         <?php
         $host = 'localhost';
         $user = 'user';
         $pass = 'pass';
         $db   = 'db';
         $conn = mysql_connect($host, $user, $pass) or die(mysql_error());
         mysql_select_db($db, $conn) or die(mysql_error());

         // INSTALL
         $install = 1;
         if ($install) {
             $s = "DROP TABLE test_store";
             mysql_query($s, $conn);
             $s = "CREATE TABLE test_store (id int not null primary key auto_increment, title varchar(128), blog text )";
             if (mysql_query($s, $conn)) {
                 print "creation success<br /><br />";
             } else {
                 print "creation failed<br /><br />";
             }
             // seed row containing script tags, so the output filters have something to act on
             $s = "INSERT INTO test_store VALUES('1', '<b>myTitle <script>alert(\'tit<>led\');</script></b>','<b>Blog <script>alert(\'blogged\');</script> blog blog</b>')";
             if (mysql_query($s, $conn)) {
                 print "insert success<br /><br />";
             } else {
                 print "insert failed<br /><br />";
             }
         }

         $title = "";
         $blog  = "";

         // applied to submitted data before it is stored
         function scheck_code($s) {
             //$s = strip_tags($s);
             return htmlspecialchars($s);
         }

         // applied to stored data when it is displayed
         function scheck_code_d($s) {
             $s = strip_tags($s);
             return htmlspecialchars_decode($s, ENT_QUOTES);
         }

         // php.net functions
         // see... http://uk3.php.net/manual/en/function.strip-tags.php
         function strip_only($str, $tags) {
             if (!is_array($tags)) {
                 // inspect the tag list, not the input string, when splitting '<a><b>' into names
                 $tags = (strpos($tags, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
                 if (end($tags) == '') array_pop($tags);
             }
             foreach ($tags as $tag) $str = preg_replace('#</?'.$tag.'[^>]*>#is', '', $str);
             return $str;
         }

         function strip_tags_content($text, $tags = '', $invert = FALSE) {
             preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
             $tags = array_unique($tags[1]);
             if (is_array($tags) AND count($tags) > 0) {
                 if ($invert == FALSE) {
                     return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
                 } else {
                     return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
                 }
             } elseif ($invert == FALSE) {
                 return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
             }
             return $text;
         }
         // end php.net functions

         // UPDATE DATA
         if (isset($_POST['submit'])) {
             $title = $_POST['title'];
             $blog  = $_POST['blog'];
             $title = mysql_real_escape_string($title);
             $blog  = mysql_real_escape_string($blog);
             $title = scheck_code($title);
             $blog  = scheck_code($blog);
             $s = "UPDATE test_store SET title = '".$title."', blog='".$blog."' WHERE id = 1";
             if (mysql_query($s, $conn)) {
                 print "update success<br>";
             } else {
                 print "update failed<br>";
             }
         }

         // RETRIEVE DATA
         $s = "SELECT * FROM test_store WHERE id = 1";
         $res = mysql_query($s, $conn) or die(mysql_error());
         if (mysql_num_rows($res) == 1) {
             while ($a = mysql_fetch_array($res)) {
                 $title = $a['title'];
                 $blog  = $a['blog'];
             }
         }

         // same title shown through each of the three filters, for comparison
         print "<br />\n";
         print "<b>TITLE:</b> ".scheck_code_d($title)."<br />\n";
         print "<b>TITLE:</b> ".strip_only($title, array('script'))."<br />\n";
         print "<b>TITLE:</b> ".strip_tags_content($title, '<script>', true)."<br />\n";
         print "<b>BLOG:</b> ".scheck_code_d($blog)."<br />\n";
         print "<br /><br />\n";
         print "<br />\n <form method='POST' action=''><table>"
             . " <tr valign='top'><td align='right'>Title</td><td><input type='text' name='title' size='32' value='".htmlentities($title, ENT_QUOTES)."'></td></tr>"
             . " <tr valign='top'><td align='right'>Blog</td><td><textarea name='blog' rows='7' cols='32'>".$blog."</textarea></td></tr>"
             . " <tr valign='top'><td align='right'></td><td><input type='submit' name='submit' value=''></td></tr>"
             . " </table></form><br />";
         ?>
         </body></html>

     Is this function up to scratch? What else should be checked for, for instance:

         // unwrap CDATA sections so their contents are not hidden from the tag filters
         function strip_cdata($string) {
             preg_match_all('/<!\[cdata\[(.*?)\]\]>/is', $string, $matches);
             return str_replace($matches[0], $matches[1], $string);
         }
  2. Last night I noticed that I could pass scripts to a field and they didn't get sanitised. I do take certain measures generally, but they weren't working for some reason. Here's a bit of a demo...

         <html><head></head><body>
         <?php
         // strip tags, then encode whatever is left
         function scheck_code($s) {
             $s = strip_tags($s);
             return htmlspecialchars($s);
         }

         $s = "<script>alert('test 1');</script>";
         print $s."<br />\n";                // raw
         print scheck_code($s)."<br />\n";   // filtered
         ?>
         </body></html>

     I'll post another shortly because my example involves text and textarea form elements and is stored in MySQL. tbh I don't generally use strip_tags, I convert to htmlentities and then apply bbcode parsing I think..
  3. check your server logs for agent and referer
  4. When you view or save a page, it may have the '.php' extension or the like, but that page should have been parsed by the server and contain no PHP; if there is, it's either because the server is set up incorrectly or the code is buggy. A web browser simply downloads a page, then scans it for any resource links it may contain (images, frame links, RSS feed, adverts, etc.) and also downloads them, then it renders it.
  5. I was reading some PDF from some Black Hat conference about the security issues of AJAX. It referred numerous times to how much easier it is to hack an AJAX site that uses GET instead of POST. Any reasoning as to why?
  6. If you're worried about snooping peeps in the middle and your boss won't fork out for an SSL cert, then here's something I posted a while ago that may be of interest...
  7. He's already stated that there is a login system. If you're using GET or POST then the link in the bookmark will still take you to the right place, just not show the relevant info, but that should only be a single click away. To complicate things even more, you could use a lookup system of refs, where on each generation of the page a list of refs is added to a table which also refs the page with an id. These entries are then nullified or deleted once one has been used. I can see issues, but hey, if you want security... This is similar to the proper implementation of the CAPTCHA protocol.
  8. mmm, your issue sounds more like css/html, even though it's to incorporate ajax chat (js). As XoSilenceoX states, you should be looking at layers (<div>)...
  9. No, I wasn't using any uniques, but I've just had an idea which does: if I combine the two keys into a single one, then that will be unique, e.g. tn (id, user_n_room, last) with $user_n_room = $u_id.":".$room; This solves my abuse of SQL networks but not my understanding of SQL logic... sigh! Merci.
  10. What I'm trying to prevent is this: if there are multiple groups and you are only allowed to see the details of your group members, then changing the id in the request would let you trawl the db, whereas using the name would restrict you to users whose login usernames you know (many more variations). However they can still trawl (albeit limited), therefore md5 the name with a salt of the hour/day. For escaping see this. Yes, GET and POST are equally abusable; there are many ways to generate POST packets. I tend to use telnet to test my security in this area...
  11. [NOT IN ORDER?] a) All PHP files served by a server should get processed by the PHP interpreter and will only display any HTML (etc.) that the PHP code outputs. So technically, no, people can't just download your PHP pages. b) Once you have some kind of system to log in, then you use some logic like this:

         if ($logged_in == 1) {
             print "Hi user";
         } else {
             print "Who the f are you?";
         }
  12. I thought I understood your issue, yet reading through I'm less sure. However, concerning this, I considered this the other day, thinking that I should use usernames instead, then they can't just increment the number to trawl the db. I liked the idea of md5'ing the identifier, but if you take an id, hash it, send it, retrieve it, compare it... it doesn't appear to be any different except there's a process being thrown in for 'good' measure. If you were to do such a thing, I might suggest salting it with the id/name of the requesting user (supposing that they are logged in).
  13. Update if two fields match values, otherwise insert a new record. I don't believe I can use the duplicates catch because of depending upon two fields? Basically it's a bit of a log thing for a chat room, however you may be present in multiple chat rooms at once. The table looks a bit like this: tn (id, u_id, room_id, last_time). If u_id and room_id match then update time, else insert new. Every now and again everyone in a room within x amount of time will be harvested and sent back as a buddy list. Also set up in cron is a function which clears any out over a certain age... I've got a solution that I'm currently using, but it makes a sql call, then depending upon the result it decides upon 1 of 2 other sql calls; it just seems a bit wasteful and I like learning something new (to me anyway). Cheers for any consideration...
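An added example for posts 1 and 2 (not tinker's code): the alternative to the escape-then-decode pipeline is to keep the stored value untouched and encode it once, at output time, with ENT_QUOTES. The title and blog values are constructed here to match the INSERT in post 1; no database is involved.

```php
<?php
// Added example for posts 1 and 2 (not tinker's code). Constructed sample values:
// the title and blog text match the INSERT in post 1, no database is involved.
$title = "<b>myTitle <script>alert('tit<>led');</script></b>";
$blog  = "<b>Blog <script>alert('blogged');</script> blog blog</b>";

// Post 1's output helper: strip tags, then DECODE entities. Decoding undoes any
// encoding done on input, and strip_tags() keeps the text inside <script>.
function scheck_code_d($s) {
    $s = strip_tags($s);
    return htmlspecialchars_decode($s, ENT_QUOTES);
}

// Store the raw submission (mysql_real_escape_string / a prepared statement only
// protects the SQL statement) and encode once, at output, for the HTML context.
// ENT_QUOTES also encodes the single quote; the default flags leave it alone,
// which matters inside value='...'.
function html_text($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// If tags must be removed rather than shown, strip first and STILL encode afterwards:
// strip_tags() leaves script bodies and stray '<' characters behind.
function html_text_no_tags($s) {
    return html_text(strip_tags($s));
}

// The same encoder covers the form in post 1, where the textarea echoes $blog raw;
// encoding keeps a stored closing tag from ending the textarea early.
function form_fragment($title, $blog) {
    return "<input type='text' name='title' value='" . html_text($title) . "'>\n"
         . "<textarea name='blog'>" . html_text($blog) . "</textarea>\n";
}

print "decode on output:  " . scheck_code_d($title) . "\n";
print "encode on output:  " . html_text($title) . "\n";
print "strip then encode: " . html_text_no_tags($title) . "\n";
print form_fragment($title, $blog);
```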
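An added example for posts 9 and 13 (not tinker's code): the "update last_time if (u_id, room_id) already exists, else insert" step as a single statement, by declaring the two columns as a composite UNIQUE key and letting MySQL's ON DUPLICATE KEY UPDATE take the duplicate path, so no concatenated key column is needed. It assumes MySQL with the mysqli extension; the table and columns follow post 13, and the connection details are placeholders.

```php
<?php
// Added example for posts 9 and 13 (not tinker's code). Assumes MySQL + mysqli;
// table/columns follow post 13, connection details are placeholders.
$schema = "CREATE TABLE IF NOT EXISTS tn (
    id        INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    u_id      INT NOT NULL,
    room_id   INT NOT NULL,
    last_time DATETIME NOT NULL,
    UNIQUE KEY uq_user_room (u_id, room_id)
)";  // the two-column 'duplicate' is declared here, no concatenated key column needed

// One round trip: INSERT, or when (u_id, room_id) already exists UPDATE last_time.
function touch_presence(mysqli $db, $u_id, $room_id) {
    $stmt = $db->prepare("INSERT INTO tn (u_id, room_id, last_time) VALUES (?, ?, NOW())
                          ON DUPLICATE KEY UPDATE last_time = NOW()");
    $stmt->bind_param('ii', $u_id, $room_id);
    $stmt->execute();
    $stmt->close();
}

// The buddy list: everyone whose last_time in this room is within $window seconds.
function room_members(mysqli $db, $room_id, $window) {
    $stmt = $db->prepare("SELECT u_id FROM tn WHERE room_id = ?
                          AND last_time >= DATE_SUB(NOW(), INTERVAL ? SECOND)");
    $stmt->bind_param('ii', $room_id, $window);
    $stmt->execute();
    $stmt->bind_result($u_id);
    $ids = array();
    while ($stmt->fetch()) {
        $ids[] = $u_id;
    }
    $stmt->close();
    return $ids;
}

// The cron job from post 13: remove rows not touched for $max_age seconds.
function expire_presence(mysqli $db, $max_age) {
    $stmt = $db->prepare("DELETE FROM tn WHERE last_time < DATE_SUB(NOW(), INTERVAL ? SECOND)");
    $stmt->bind_param('i', $max_age);
    $stmt->execute();
    $n = $stmt->affected_rows;
    $stmt->close();
    return $n;
}

$db = new mysqli('localhost', 'user', 'pass', 'db');  // placeholders
$db->query($schema);
touch_presence($db, 42, 7);
touch_presence($db, 42, 7);  // second call hits the UNIQUE key: UPDATE, no new row
print implode(',', room_members($db, 7, 300)) . "\n";
```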