
[SOLVED] Secure HTML form input


Andy17

Recommended Posts

Hey guys!

 

I am building a website where people are able to submit content that is then stored in my MySQL database. I am personally validating the content before it is displayed on the website, but I was wondering how I can make sure that the users do not post any code inside my text field. For example, if a user posts the following into my text field called "mytext", then this code would be run when a user visits that page:

 

<script language="javascript">
alert("This is NOT cool!")
</script>

 

This obviously has serious security consequences (the code could be so much worse), so I want to prevent this but I am not entirely sure how.

 

Also, now that we are talking about security, I just want to make sure that my SQL injection fix is decent (it has confused me quite a bit, but it seems to be working for me. But then again, I'm still new to this):

 

<?php
$text = mysql_real_escape_string($_POST['mytext']);
mysql_query("INSERT INTO mytable (text) VALUES ('$text')") or die(mysql_error());
// Then I just withdraw $text from the database and when it's found, I do this:
$stripped_text = stripslashes($db_text);
echo $stripped_text;
?>

 

Is this safe or did I misunderstand something?

 

Thank you for your help.

https://forums.phpfreaks.com/topic/126042-solved-secure-html-form-input/
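As an added example (my code, not the original poster's), here is the same insert and display done with a PDO prepared statement, so the submitted text never becomes part of the SQL string and is escaped only at the moment it is printed. The mysql_* functions used above were removed in PHP 7. The DSN and credentials, the table's `id` column and the function names are assumptions for the illustration; the `mytable`/`text` names come from the question. One point worth knowing: mysql_real_escape_string() only protected the quotes inside the SQL statement and did not add backslashes to the value that ended up in the table, so the stripslashes() on output was never needed, and with bound parameters there is nothing to strip at all.

```php
<?php
// Added example, not the poster's code: store the raw text with a bound
// parameter, escape it for HTML only when it is displayed.
// Assumptions: a PDO/MySQL connection to a table `mytable` with columns
// `id` (auto-increment) and `text`; DSN and credentials are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD'
    );
    // Fail loudly instead of silently continuing, and make the driver send
    // parameters separately from the SQL text rather than interpolating them.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Store the text exactly as typed. Quotes, backslashes or a stray
// "'); DROP TABLE ..." in the input are plain data here, not SQL.
function storeText(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO mytable (text) VALUES (:text)');
    $stmt->execute([':text' => $text]);
    return (int) $pdo->lastInsertId();
}

function loadText(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT text FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['text'];
}

// Escape for HTML at output time, not at storage time: the database keeps
// the user's real text, the browser receives inert text. nl2br() runs after
// htmlspecialchars() so the <br /> it inserts is not escaped itself.
function renderText(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$pdo = connect();
$id  = storeText($pdo, $_POST['mytext'] ?? '');
echo renderText(loadText($pdo, $id) ?? '');
```

Storing the raw text and escaping on output also keeps the data reusable: the same row can later be rendered into an HTML page, a JSON API or a plain-text e-mail, each with its own escaping, without first undoing whatever transformation was applied on the way in.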

I am also interested in this. I just got started in learning how to protect from SQL injection attacks, and I've gotten about as far as you have. Will you also be implementing SSL so that data sent from the form isn't captured by packet sniffers en route to your server?

Use htmlspecialchars() on the output.

 

Yep, that fixes it, but by doing that, the spaces I got using nl2br() are all turned into <br />. How do I make people able to make spaces (<br>) in the content they submit and still prevent people from submitting scripts? I assume I'll have to allow certain tags somehow.

My first suggestion is using a BBCode system rather than HTML.

 

If you need the flexibility of HTML input, use something like this

 

http://php-ids.org/

http://htmlpurifier.org/

 

As allowing 'harmless' tags can lead to holes.

 

<?php
$str = <<<XSS
<img src="blank.gif" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 999;" onclick="alert( 'XSS attack goes here' )" />

<script type="malicious">
but it really doesn't matter
</script>

<br /><br /><br /><br /><br /><br /><br /><br />
some random text
<h1>other text</h1>

XSS;

// strip_tags() keeps the whole <img> element, event handler attribute included
echo strip_tags( $str, '<img>' );

echo '<br /><a href="#">Please click this link!</a>';
?>

Use htmlspecialchars() on the output.

 

Yep, that fixes it, but by doing that, the spaces I got using nl2br() are all turned into <br />. How do I make people able to make spaces (<br>) in the content they submit and still prevent people from submitting scripts? I assume I'll have to allow certain tags somehow.

 

Use nl2br() after htmlspecialchars(). =/
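The two answers above, the BBCode suggestion and "nl2br() after htmlspecialchars()", fit together in one pattern: escape everything the user typed first, then generate only the HTML you chose to allow. The following is an added example of that pattern written for this thread, not code from any library; the function names, the tag set and the sample input are my own constructions.

```php
<?php
// Added example, not code from the thread: a minimal BBCode renderer that
// escapes first and only then emits the HTML it permits. Names and tag set
// are assumptions for the illustration.

declare(strict_types=1);

function renderBBCode(string $input): string
{
    // Step 1: neutralise every < > & " ' in the input. After this line no
    // byte of user text can open a tag or terminate an attribute.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: translate our own markup. The replacements only ever emit
    // fixed strings or text that was already escaped in step 1.
    $html = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $html);
    $html = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $html);

    // [url=target]text[/url]: only http(s) targets become links; anything
    // else (javascript:, data:, vbscript:) is left as the visible text.
    $html = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            // Undo step 1 for the address so the scheme check sees real characters,
            // then re-escape it before placing it inside the attribute.
            $target = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('~^https?://~i', $target)) {
                return $m[2];
            }
            return '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8')
                 . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    // Step 3: line breaks last, so the <br /> we add is not escaped again.
    return nl2br($html);
}

// The ordering question from the thread, side by side.
function breakThenEscape(string $s): string
{
    // nl2br() first: its <br /> is then escaped to &lt;br /&gt; and shows
    // up literally on screen instead of breaking the line.
    return htmlspecialchars(nl2br($s), ENT_QUOTES, 'UTF-8');
}

function escapeThenBreak(string $s): string
{
    // htmlspecialchars() first: user tags become text, our <br /> stays HTML.
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input covering a script tag, a non-http link and a normal one.
$sample = "line one\n<script>alert('x')</script>\n"
        . "[b]bold[/b] [url=javascript:alert(1)]click[/url] "
        . "[url=https://example.com/?q=\"a\"&b=1]ok[/url]";

echo breakThenEscape($sample), PHP_EOL;
echo escapeThenBreak($sample), PHP_EOL;
echo renderBBCode($sample), PHP_EOL;
```

The reason the order matters is that htmlspecialchars() cannot tell a `<br />` you inserted from a `<script>` the user typed; it escapes both. Doing the escaping first draws a clear line: everything before that call is untrusted input, everything generated after it is markup you wrote, and the only user-controlled pieces that reach an attribute (the link target here) are re-escaped after being validated.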

Archived

This topic is now archived and is closed to further replies.
