securing scripts...

16 replies to this topic

#1 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 18 July 2006 - 11:57 PM

I need to secure a few of my scripts against the following:
SQL Injection
<script> tags

I need to make it so when they insert <script>something</script> it deletes everything in between the script tags as well as the script tags.
Please don't say "use addslashes" or "magic quotes", because I'm not understanding those; if someone can just put an example into the script below:

if(isset($_POST['submit']) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['cpassword']) &&
!empty($_POST['email']))
{

$username = $_POST['username'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
$email = $_POST['email'];
$website = $_POST['website'];
$icq = $_POST['icq'];
$aim = $_POST['aim'];
$msn = $_POST['msn'];
$yim = $_POST['yim'];
$location = $_POST['location'];

$ip = $_SERVER['REMOTE_ADDR'];
$date = date('m-d-Y');

$user_level = "1";

/* ****** CHECK IF BOTH PASSWORDS MATCH EACH OTHER ****** */
if($password!=$cpassword)
{
echo "Passwords do not match.";
} else {
/* ****** IF SO THEN WE ENCRYPT THE PASSWORD AND CONTINUE TO INSERT INTO THE DB ****** */
$sha1pass = sha1($password);

/* ****** INSERT THE DATABASE DETAILS INTO THE DATABASE TABLE users ****** */
$query = "INSERT INTO users (`username`, `password`, `email`, `regip`, `regdate`, `user_level`, `postcount`, `website`, `icq`, `aim`, `msn`, `yim`, `location`, `user_title`) VALUES ('$username', '$sha1pass', '$email', '$ip', '$date', '$user_level', '0', '$website', '$icq', '$aim', '$msn', '$yim', '$location', 'Member')";
$result = mysql_query($query) or die(mysql_error());
} /* end of password-match else branch */
} /* end of isset/!empty check */

thanks for the help.

#2 hvle
  • Members
  • Advanced Member
  • 667 posts
  • Location: melbourne, Australia

Posted 19 July 2006 - 12:20 AM

have you read about function strip_tags?

ex:
$text = '<script>something here</script> my link is <a href="somelink.com">the link</a>';
say you have a text like that

$newtext = strip_tags($text,'<a>');
$newtext is now: 'my link is <a href="somelink.com">the link</a>'

note that all tags other than <a> are stripped.

Life's too short for arguing.

#3 hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 19 July 2006 - 12:24 AM

Use addslashes (http://www.php.net/addslashes) or mysql_real_escape_string (http://www.php.net/m...l_escape_string):
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$cpassword = mysql_real_escape_string($_POST['cpassword']);
$email = mysql_real_escape_string($_POST['email']);
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
$aim = mysql_real_escape_string($_POST['aim']);
$msn = mysql_real_escape_string($_POST['msn']);
$yim = mysql_real_escape_string($_POST['yim']);
$location = mysql_real_escape_string($_POST['location']);

Be aware that you must have an open mysql connection to use mysql_real_escape_string.

If there is something about the functions that you don't understand, then ask and someone will help.

#4 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 19 July 2006 - 12:28 AM

Alright both of the above posts are very helpful! thanks for the quick response time.

hitman, now will real escape string prevent users from finding out that I use columns such as user_level?
Will it make it so they can't run queries through my forms? Also, does it prevent <script> tags?

#5 hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 19 July 2006 - 12:33 AM

Any syntax that would create an error in a mysql query is escaped...i.e. a string like "it's a boy" would become "it\'s a boy".  If you want to ensure that the <script> stuff doesn't get put in, then use strip_tags as was suggested above.

I don't see any of your fields above where that should be a problem...you should be limiting all of them to a max length of 20 or so...no reason to go above that...just <script></script> is 17 chars...which leaves 3 for them to insert some form of malicious code.
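An added example, not code from this thread: the registration insert from the first post rewritten with a PDO prepared statement (the replacement for wrapping each field in mysql_real_escape_string() as in post #3; the mysql_* functions no longer exist in PHP 7), with the per-field length limits discussed in post #5. The function names, the DSN and the credentials are placeholders I chose here.

```php
<?php
// Added example, not code from this thread. It does the registration insert
// from the first post with a PDO prepared statement, the replacement for
// wrapping every field in mysql_real_escape_string() (mysql_* is gone in PHP 7).
// Length limits follow post #5, with more room for email and website.
function validate_registration(array $post): array
{
    $limits = ['username' => 20, 'email' => 254, 'website' => 255, 'icq' => 20,
               'aim' => 20, 'msn' => 20, 'yim' => 20, 'location' => 40];
    $clean = [];
    $errors = [];
    foreach ($limits as $field => $max) {
        $value = trim((string)($post[$field] ?? ''));
        if (strlen($value) > $max) {
            $errors[] = "$field must be at most $max characters";
        }
        $clean[$field] = $value;
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $clean['username'])) {
        $errors[] = 'username: 3-20 letters, digits or underscores';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if (($post['password'] ?? '') === '' || $post['password'] !== ($post['cpassword'] ?? '')) {
        $errors[] = 'Passwords do not match.';
    }
    return [$clean, $errors];
}

function insert_user(PDO $db, array $clean, string $password, string $ip): bool
{
    // Bound parameters never become part of the SQL text, so a quote or a
    // <script> tag in a field is stored literally; escape with htmlspecialchars()
    // when printing it. password_hash() replaces the original unsalted sha1().
    $sql = 'INSERT INTO users (username, password, email, regip, regdate, user_level,
                postcount, website, icq, aim, msn, yim, location, user_title)
            VALUES (:username, :password, :email, :regip, :regdate, 1, 0,
                :website, :icq, :aim, :msn, :yim, :location, \'Member\')';
    $params = $clean;
    $params['password'] = password_hash($password, PASSWORD_DEFAULT);
    $params['regip']    = $ip;
    $params['regdate']  = date('m-d-Y');
    return $db->prepare($sql)->execute($params);
}
// Usage; DSN and credentials are placeholders:
// $db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// [$clean, $errors] = validate_registration($_POST);
// if (!$errors) { insert_user($db, $clean, $_POST['password'], $_SERVER['REMOTE_ADDR']); }
```

With placeholders the database driver receives the values separately from the statement, so nothing typed into a form can change the query's structure; the `<script>` question is then an output-encoding problem, handled where the value is printed.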

#6 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 19 July 2006 - 12:38 AM

Well, email and website? xxpc210@gmail.com, that's 17, and I know a lot of people have more than that; http://www.google.com in itself is 21 and is a small URL.

I suppose all but those 2 I could give some more slack.

Also, when posting a thread I could make it so it checks for <script> and uses str_replace to replace it with '', couldn't I?

#7 hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 19 July 2006 - 12:40 AM

also when posting a thread I could make it so it checks for <script> and uses str_replace to replace it with '' couldn't I?


Yep.

#8 treilad
  • Members
  • Advanced Member
  • 58 posts

Posted 19 July 2006 - 12:41 AM

All the addslashes function does is put backslashes before something that would interfere with the script. Example:

echo "<a href="phpfreaks.com">";


If this were your script, all that would be echoed is "<a href=". That's because you started the echo with (") so the next (") it sees will end the echo. The correct code would be:

echo "<a href=\"phpfreaks.com\">";


Notice the backslash before the quotations that are part of the echo. If you use the addslashes function, it automatically adds the backslashes before the quotes that are part of the echo, rather than you having to manually put them in.

Hope that helps. :)


#9 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 19 July 2006 - 07:24 AM

Alright, so so far I have my post variables something like this:
$username = addslashes(mysql_real_escape_string($_POST['username']));
$password = addslashes(mysql_real_escape_string($_POST['password']));
$cpassword = addslashes(mysql_real_escape_string($_POST['cpassword']));
$email = addslashes(mysql_real_escape_string($_POST['email']));
$website = addslashes(mysql_real_escape_string($_POST['website']));
$icq = addslashes(mysql_real_escape_string($_POST['icq']));
$aim = addslashes(mysql_real_escape_string($_POST['aim']));
$msn = addslashes(mysql_real_escape_string($_POST['msn']));
$yim = addslashes(mysql_real_escape_string($_POST['yim']));
$location = addslashes(mysql_real_escape_string($_POST['location']));

I have tested, it does work against <script> attacks. Is there really anything else I should be worried about? It seems just putting in that stuff is too simple to protect against SQL injection, etc.

#10 Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 19 July 2006 - 09:26 AM

You only need to use mysql_real_escape_string();. You don't need to also do addslashes.

<?php
...
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
...
?>
Give a man a fish; you have fed him for today.  Teach a man to fish; and you have fed him for a lifetime
Don't teach men to program. Teach them to fish.

Please, try the RTFM solution before asking for help:
http://php.net/manual/en/index.php

#11 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 19 July 2006 - 09:53 AM

True, mysql_real_escape_string takes out the use of <script>.

This is for extremely important web software, so it needs to be as secure as possible, so anything other than mysql_real_escape_string(); that you recommend I use?

#12 Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 19 July 2006 - 10:14 AM

Typecasting of values supplied by the user and used in the script.
As well as ensuring paths to dynamically included scripts are local-site only. (eg: no include($pagename); 's)

Never. EVER. EVER. Trust user input. They could supply values you don't expect them to, so ensure your script can handle any value tossed at it without errors.

(eg: page.php?pagenum=blackcats
if you don't ensure that $_GET['pagenum'] is numeric, then you will have possible errors!)

#13 localhost
  • Members
  • Advanced Member
  • 152 posts

Posted 19 July 2006 - 10:19 AM

How can I ensure pagenum is numeric?

#14 Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 19 July 2006 - 10:25 AM

I would suggest something like this:
<?php
if (!is_numeric($_GET['im_supposed_to_be_a_number']))
{
$_GET['im_supposed_to_be_a_number'] = 0;
}
?>

This makes it so that even if a bad value is passed, the script continues to execute without error.

#15 GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 19 July 2006 - 12:11 PM

You can also typecast the pagenum. I saw an article on the zend website about this:
$pagenum = (int)$_GET['pagenum'];

I quite like that method as it's very short. Given that it is only to prevent malicious attempts, I don't see a need to handle the error by informing them that it was invalid - just to make sure that it can't do any damage etc.

#16 Joe Haley
  • Members
  • Advanced Member
  • 103 posts
  • Location: Canada, eh?

Posted 19 July 2006 - 12:20 PM

Typecasting of values supplied by the user and used in the script.

beat ya to it ;) I just didn't link a definition of the term x)

It is important to note that all data in $_GET, $_POST, $_COOKIE is of the 'string' data type. Thus, performing "is_int($_REQUEST['var']);" always returns false unless the value has been type-cast to an integer.

#17 GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 19 July 2006 - 12:22 PM

Yes. So use ctype_digit() if you are validating an expected integer from form input.
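An added example, not code from the thread, comparing the three checks posts #14 to #17 discuss (is_numeric(), an (int) cast and ctype_digit()) on constructed form values, plus a page-number parser built from them. The function names and sample values are mine; is_numeric()'s whitespace handling is described as of PHP 8.

```php
<?php
// Added example, not from the thread. Constructed form values run through
// the three checks discussed above: is_numeric(), ctype_digit() and an (int)
// cast. Whitespace behaviour of is_numeric() is that of PHP 8.
function classify(string $raw): array
{
    return [
        'is_numeric'  => is_numeric($raw),
        'ctype_digit' => ctype_digit($raw),
        'int_cast'    => (int)$raw,
    ];
}

// Strict page-number parser: digits only, then bounded. A bad value falls
// back to page 1 instead of raising an error, as posts #14 and #15 suggest.
function page_number(?string $raw, int $max = 1000): int
{
    if ($raw === null || !ctype_digit($raw)) {
        return 1;
    }
    $n = (int)$raw;          // safe: ctype_digit guarantees only 0-9
    return max(1, min($n, $max));
}

$samples = ['42', 'blackcats', '1e3', '0x1A', ' 7', '12.5', '-3', '', '42abc'];
printf("%-10s %-10s %-11s %s\n", 'input', 'is_numeric', 'ctype_digit', '(int)');
foreach ($samples as $s) {
    $r = classify($s);
    printf("%-10s %-10s %-11s %d\n", var_export($s, true),
        var_export($r['is_numeric'], true), var_export($r['ctype_digit'], true), $r['int_cast']);
}
// Only '42' passes ctype_digit(). is_numeric() also accepts '1e3', ' 7',
// '12.5' and '-3', because all of them are numeric strings, just not page
// numbers. (int) never errors: '42abc' becomes 42 and 'blackcats' becomes 0,
// which is harmless inside a query but validates nothing by itself.
echo page_number('7'), ' ', page_number('blackcats'), ' ', page_number('99999'), "\n";
```

All $_GET and $_POST values arrive as strings, as post #16 notes, so the cast or the ctype check is what turns them into a usable integer; the parser above does both and also clamps the range.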



