securing scripts...

[localhost]

I need to secure a few of my scripts against the following:
SQL Injection
<script> tags

I need to make it so when they insert <script>something</script> it deletes everything in between the script tags as well as the script tags.
Please dont say, use addslashes, or magic quotes, because im not understanding those, if someone can just put an example into the script below:

[code]if(isset($_POST['submit']) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['cpassword']) &&
!empty($_POST['email']))
{

$username = $_POST['username'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
$email = $_POST['email'];
$website = $_POST['website'];
$icq = $_POST['icq'];
$aim = $_POST['aim'];
$msn = $_POST['msn'];
$yim = $_POST['yim'];
$location = $_POST['location'];

$ip = $_SERVER['REMOTE_ADDR'];
$date = date('m-d-Y');

$user_level = "1";

/* ****** CHECK IF BOTH PASSWORDS MATCH EACH OTHER ****** */
if($password!=$cpassword)
{
echo "Passwords do not match.";
} else {
/* ****** IF SO THEN WE ENCRYPT THE PASSWORD AND CONTINUE TO INSERT INTO THE DB ****** */
$sha1pass = sha1($password);

/* ****** INSERT THE DATABASE DETAILS INTO THE DATABASE TABLE users ****** */
$query = "INSERT INTO users (`username`, `password`, `email`, `regip`, `regdate`, `user_level`, `postcount`, `website`, `icq`, `aim`, `msn`, `yim`, `location`, `user_title`) VALUES ('$username', '$sha1pass', '$email', '$ip', '$date', '$user_level', '0', '$website', '$icq', '$aim', '$msn', '$yim', '$location', 'Member')";
$result = mysql_query($query) or die(mysql_error());[/code]

thanks for the help.

[hvle]

have you read about function strip_tags?

ex:
$text = '<script>something here</script> my link is <a href="somelink.com">the link</a>';
say you have a text like that

$newtext = strip_tags($text,'<a>');
$newtext is now: 'my link is <a href="somelink.com">the link</a>'

note that all tags other than <a> are stripped.

[hitman6003]

Use addslashes (http://www.php.net/addslashes) or mysql_real_escape_string (http://www.php.net/mysql_real_escape_string):
[code]
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$cpassword = mysql_real_escape_string($_POST['cpassword'];
$email = mysql_real_escape_string($_POST['email'];
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
$aim = mysql_real_escape_string($_POST['aim']);
$msn = mysql_real_escape_string($_POST['msn']);
$yim = mysql_real_escape_string($_POST['yim']);
$location = mysql_real_escape_string($_POST['location']);
[/code]

Be aware that you must have an open mysql connection to use mysql_real_escape_string.

If there is something about the functions that you don't understand, then ask and someone will help.

[localhost]

Alright both of the above posts are very helpful! thanks for the quick response time.

hitman, now will real escape string prevent users from finding out that i use columns such as user_level?
will it make it so they cant run queries through my forms? also, does it prevent<script> tags

[hitman6003]

Any syntax that would create an error in a mysql query is escaped...i.e. a string like "it's a boy" would become "it\'s a boy".  If you want to ensure that the <script> stuff doesn't get put in, then use strip_tags as was suggested above.

I don't see any of your fields above where that should be a problem...you should be limiting all of them to a max length of 20 or so...no reason to go above that...just <script></script> is 17 chars...which leaves 3 for them to insert some form of malacious code.

[localhost]

well email and website? xxpc210@gmail.com thats 17 and I know alot of people have more than that, http://www.google.com that in itself is 21 and is a small url.

i suppose all but those 2 I could give some more slack.

also when posting a thread i could make it so it checks for <script> and uses str_replace to replace it to '' couldn't I?

[hitman6003]

[quote]also when posting a thread i could make it so it checks for <script> and uses str_replace to replace it to '' couldn't I?[/quote]

Yep.

[treilad]

All the addslashes function does is put backslashes before something that would interfere with the script. Example:

[quote]echo "<a href="phpfreaks.com">";[/quote]

If this were your script, all that would be echoed is "<a href=". That's because you started the echo with (") so the next (") it sees will end the echo. The correct code would be:

[quote]echo "<a href=\"phpfreaks.com\">";[/quote]

Notice the backslash before the quotations that are part of the echo. If you use the addslashes function, it automatically adds the backslashes before the quotes that are part of the echo, rather than you having to manually put them in.

Hope that helps. :)

[localhost]

Alright, so so far I have my post variables something like this:
[code]
$username = addslashes(mysql_real_escape_string($_POST['username']));
$password = addslashes(mysql_real_escape_string($_POST['password']));
$cpassword = addslashes(mysql_real_escape_string($_POST['cpassword']));
$email = addslashes(mysql_real_escape_string($_POST['email']));
$website = addslashes(mysql_real_escape_string($_POST['website']));
$icq = addslashes(mysql_real_escape_string($_POST['icq']));
$aim = addslashes(mysql_real_escape_string($_POST['aim']));
$msn = addslashes(mysql_real_escape_string($_POST['msn']));
$yim = addslashes(mysql_real_escape_string($_POST['yim']));
$location = addslashes(mysql_real_escape_string($_POST['location']));
[/code]

I have tested, it does work against <script> attacks. Is there really anything else I should be worried about? It seems just putting in that stuff is to simple to protect against sql injection, etc.

[Joe Haley]

You only need to use mysql_real_escape_string();. You don't need to also do addslashes.

<?php
...
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
...
?>

[localhost]

true mysql_real_escape_string takes out the use of <script>

This is for extremely important web software, so it needs to be as secure as possible, so anything other than mysql_real_escape_string(); that you recommend I use?

[Joe Haley]

Typecasting of values supplied by the user and used in the script.
As well as ensuring paths to dynamically included scripts are local-site only. (eg: no include($pagename); 's)

Never. EVER. [b]EVER[/b]. Trust user input. They could supply values you dont expect them to, so ensure your script can handel any value tossed at it without errors.

(eg: page.php?pagenum=blackcats
if you dont ensure that $_GET['pagenum'] is numeric, then you will have possible errors!)

[localhost]

how can i ensure pagenum is numeric?

[Joe Haley]

i would suggest something like this:
<?php
if (!is_numeric($_GET['im_supposed_to_be_a_number'))
{
$_GET['im_supposed_to_be_a_number'] = 0;
}
?>

This makes it so that even if a bad value is passed, the script continues to execute without error.

[GingerRobot]

you can also typecast the pagenum..i saw an article on the zend website about this:
$page num = (int)$_GET['pagenum'];

I quite like that method as its very short. Given that it is only to prevent malicious attemps, i dont see a need to handle the error by informing them that it was invalid - just to make sure that it cant do any damage etc.

[Joe Haley]

[quote]
Typecasting of values supplied by the user and used in the script.
[/quote]
beat ya to it ;) i jsut didnt link a definition of the term x)

It is important to note that all data in $_GET, $_POST, $_COOKIE is of the 'string' data type. Thus, performing "is_int($_REQUEST['var']);" always returns false unless the value has been type-cast to an integer.

[GingerRobot]

Yes. So use ctype-digit() if you are validating an expected integer from form input.