Andy17 Posted September 27, 2008

Hey guys! I am building a website where people are able to submit content that is then stored in my MySQL database. I am personally validating the content before it is displayed on the website, but I was wondering how I can make sure that the users do not post any code inside my text field. For example, if a user posts the following into my text field called "mytext", then this code would be run when a user visits that page:

<script language="javascript"> alert("This is NOT cool!") </script>

This obviously has serious security consequences (the code could be so much worse), so I want to prevent this, but I am not entirely sure how.

Also, now that we are talking about security, I just want to make sure that my SQL injection fix is decent (it has confused me quite a bit, but it seems to be working for me. But then again, I'm still new to this):

<?php
$text = mysql_real_escape_string($_POST['mytext']);
mysql_query("INSERT INTO mytable (text) VALUES ('$text')") or die(mysql_error());

// Then I just withdraw $text from the database and when it's found, I do this:
$stripped_text = stripslashes($db_text);
echo $stripped_text;
?>

Is this safe or did I misunderstand something? Thank you for your help.
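As an added example (not code from the thread or from Andy17), here is the same insert-and-read-back cycle done with a prepared statement instead of mysql_real_escape_string(), using an in-memory SQLite database via PDO so it runs without a MySQL server. The table and column names match the poster's; the function names and the sample input are my own.

```php
<?php
// Added example: store user text with a bound parameter, read it back
// unchanged, and escape only at the point of HTML output.
// Requires the pdo_sqlite extension (bundled with most PHP builds).

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, text TEXT NOT NULL)');
    return $db;
}

function store_text(PDO $db, string $text): int
{
    // The SQL text is fixed at prepare time; $text travels as a parameter, so
    // quotes, backslashes and comment markers inside it are data, never syntax.
    $stmt = $db->prepare('INSERT INTO mytable (text) VALUES (:text)');
    $stmt->execute([':text' => $text]);
    return (int) $db->lastInsertId();
}

function fetch_text(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT text FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

$db = open_db();

// Constructed sample input: an injection attempt plus a literal backslash
// so the round trip shows that no stripslashes() is needed on output.
$input = "O'Brien wrote: '); DROP TABLE mytable; -- and a C:\\path\\here";
$id = store_text($db, $input);

// What comes back is byte-for-byte what went in. The same is true when the
// insert is done with mysql_real_escape_string(): the escaping is consumed by
// the SQL parser and never reaches the stored row, so stripslashes() on the
// way out would silently eat the backslashes in "C:\path\here".
$stored = fetch_text($db, $id);
var_dump($stored === $input);

// The table is still there and holds exactly one row: the payload was text.
var_dump((int) $db->query('SELECT COUNT(*) FROM mytable')->fetchColumn());

// Escaping for the browser happens once, here, for the HTML text context.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

One caveat for PHP of that era: if magic_quotes_gpc was enabled, $_POST already carried backslashes before mysql_real_escape_string() ran, so they were escaped a second time and did end up in the database; the fix for that is to strip them on input (or turn magic quotes off), not to call stripslashes() on every output.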
Andy17 Posted September 27, 2008

Bump. No one reads page 2!
etabetapi Posted September 27, 2008

I am also interested in this. I just got started in learning how to protect from SQL injection attacks, and I've gotten about as far as you have. Will you also be implementing SSL so that data sent from the form isn't captured by packet sniffers en route to your server?
Andy17 Posted September 27, 2008

"Will you also be implementing SSL so that data sent from the form isn't captured by packet sniffers en route to your server?"

Nah, I'm not going to be transferring personal information (no payment/addresses and such).
DarkWater Posted September 27, 2008

Use htmlspecialchars() on the output.
Andy17 Posted September 27, 2008

"Use htmlspecialchars() on the output."

Yep, that fixes it, but by doing that, the spaces I got using nl2br() are all turned into <br />. How do I make people able to make spaces (<br>) in the content they submit and still prevent people from submitting scripts? I assume I'll have to allow certain tags somehow.
Andy17 Posted September 28, 2008

Bump. I meant "< br >" in my post above.
Andy17 Posted September 29, 2008

Any ideas?
Andy17 Posted September 30, 2008

Bump. Sorry, but it makes more sense to do this instead of making multiple topics.
Andy17 Posted October 1, 2008

Still needing to find a solution for this. ???
discomatt Posted October 1, 2008

My first suggestion is using a BBCode system rather than HTML. If you need the flexibility of HTML input, use something like this:

http://php-ids.org/
http://htmlpurifier.org/

Allowing 'harmless' tags can lead to holes:

<pre><?php
$str = <<<XSS
<img src="blank.gif" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 999;" onclick="alert( 'XSS attack goes here' )" />
<script type="malicious"> but it really doesn't matter </script>
<br /><br /><br /><br /><br /><br /><br /><br />
some random text
<h1>other text</h1>
XSS;

// strip_tags() keeps every attribute of an allowed tag, so the onclick and
// the full-page overlay style on the <img> survive and cover the link below.
echo strip_tags( $str, '<img>' );
echo '<br /><a href="#">Please click this link!</a>';
?></pre>
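As an added example (not discomatt's code and not from the thread), here is a minimal BBCode renderer built on the principle the post points at: encode everything the user typed first, then re-introduce a small allowlist of markup from hard-coded templates, so no attribute of user origin ever reaches the browser unchecked. The tag set ([b], [i], [url=...]), the function name and the sample inputs are my own choices.

```php
<?php
// Added example: BBCode-to-HTML with "escape first, allowlist second".

function render_bbcode(string $input): string
{
    // 1. Neutralise all HTML. After this line the string contains no raw
    //    '<', '>', '"', "'" or '&', so nothing the user typed can open a tag
    //    or terminate an attribute value.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-introduce markup only from fixed patterns. The emitted HTML is
    //    hard-coded; captured user text lands in text-node position only.
    $html = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $html);
    $html = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $html);

    // [url=...]text[/url] is the one place user data reaches an attribute.
    // Accept only absolute http(s) URLs and entity-encode them for the href.
    $html = preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            // Step 1 already encoded the URL; decode it to inspect the real
            // scheme, then re-encode before placing it in the attribute.
            $raw = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $raw)) {
                // javascript:, data:, vbscript: and friends stay plain text.
                return $m[0];
            }
            $href = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    // 3. Line breaks last, so the <br /> tags nl2br() emits are not escaped.
    return nl2br($html);
}

// Constructed sample posts: ordinary markup, a script tag, a javascript: URL,
// a real URL with an ampersand, and an attempt to break out of the href.
$samples = [
    "Plain [b]bold[/b] and [i]italic[/i]\nsecond line <script>alert(1)</script>",
    "[url=javascript:alert(1)]click me[/url]",
    "[url=http://example.com/?a=1&b=2]a real link[/url]",
    '[url=http://x/"onmouseover="alert(1)]quote breakout[/url]',
];

foreach ($samples as $s) {
    echo render_bbcode($s), "\n---\n";
}
```

The order of the three steps is the whole point: because step 1 has already turned every quote into an entity, the "quote breakout" sample ends up as an href containing &quot; rather than a new attribute, and the script tag in the first sample is rendered as visible text. Compare this with strip_tags(), which decides per tag name and passes attributes through untouched.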
DarkWater Posted October 1, 2008

"Use htmlspecialchars() on the output.

Yep, that fixes it, but by doing that, the spaces I got using nl2br() are all turned into <br />. How do I make people able to make spaces (<br>) in the content they submit and still prevent people from submitting scripts? I assume I'll have to allow certain tags somehow."

Use nl2br() after htmlspecialchars(). =/
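The two possible orderings side by side, as an added example that is not part of DarkWater's reply or the thread; the payload is the one from the opening post, the function names are my own.

```php
<?php
// Added example: why nl2br() must run after htmlspecialchars(), not before.

function render_plain(string $userText): string
{
    // Encode first: every '<', '>', '&', '"' and "'" the user typed becomes an
    // entity, so the browser never sees a tag of user origin. nl2br() then
    // inserts <br /> into the already-encoded string, so those tags survive.
    return nl2br(htmlspecialchars($userText, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

function render_plain_wrong_order(string $userText): string
{
    // nl2br() first: the <br /> it just added is encoded to &lt;br /&gt; by
    // htmlspecialchars() and shows up literally on the page. (Encoding also
    // still happens, so this order is merely broken, not unsafe.)
    return htmlspecialchars(nl2br($userText), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: the opening post's payload with surrounding lines.
$post = "line one\n"
      . "<script language=\"javascript\">\nalert(\"This is NOT cool!\")\n</script>\n"
      . "line two";

echo render_plain($post), "\n\n";
echo render_plain_wrong_order($post), "\n";
```

Passing ENT_QUOTES and an explicit charset is deliberate: without ENT_QUOTES, htmlspecialchars() on PHP versions before 8.1 leaves the single quote alone, which matters as soon as the same text is echoed inside a single-quoted attribute rather than between tags.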
Andy17 Posted October 2, 2008

Haha, I cannot believe it. Sorry guys, my bad. Thanks to you both. I'll keep that link in mind, discomatt.