
localhost

securing scripts...


I need to secure a few of my scripts against the following:
SQL injection
<script> tags

I need to make it so that when they insert <script>something</script> it deletes everything in between the script tags as well as the script tags.
Please don't say "use addslashes" or "magic quotes", because I'm not understanding those. If someone can just put an example into the script below:

[code]<?php
if(isset($_POST['submit']) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['cpassword']) &&
!empty($_POST['email']))
{

/* Form values are copied unchanged into the query below; nothing is escaped yet. */
$username = $_POST['username'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
$email = $_POST['email'];
$website = $_POST['website'];
$icq = $_POST['icq'];
$aim = $_POST['aim'];
$msn = $_POST['msn'];
$yim = $_POST['yim'];
$location = $_POST['location'];

$ip = $_SERVER['REMOTE_ADDR'];
$date = date('m-d-Y');

$user_level = "1";

/* ****** CHECK IF BOTH PASSWORDS MATCH EACH OTHER ****** */
if($password!=$cpassword)
{
echo "Passwords do not match.";
} else {
/* ****** IF SO THEN WE ENCRYPT THE PASSWORD AND CONTINUE TO INSERT INTO THE DB ****** */
$sha1pass = sha1($password);

/* ****** INSERT THE DATABASE DETAILS INTO THE DATABASE TABLE users ****** */
$query = "INSERT INTO users (`username`, `password`, `email`, `regip`, `regdate`, `user_level`, `postcount`, `website`, `icq`, `aim`, `msn`, `yim`, `location`, `user_title`) VALUES ('$username', '$sha1pass', '$email', '$ip', '$date', '$user_level', '0', '$website', '$icq', '$aim', '$msn', '$yim', '$location', 'Member')";
$result = mysql_query($query) or die(mysql_error());
}
}
?>[/code]

thanks for the help.

Have you read about the function strip_tags?

ex:
$text = '<script>something here</script> my link is <a href="somelink.com">the link</a>';
Say you have a text like that.

$newtext = strip_tags($text,'<a>');
$newtext is now: 'my link is <a href="somelink.com">the link</a>'

Note that all tags other than <a> are stripped.

Use addslashes (http://www.php.net/addslashes) or mysql_real_escape_string (http://www.php.net/mysql_real_escape_string):
[code]
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$cpassword = mysql_real_escape_string($_POST['cpassword']);
$email = mysql_real_escape_string($_POST['email']);
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
$aim = mysql_real_escape_string($_POST['aim']);
$msn = mysql_real_escape_string($_POST['msn']);
$yim = mysql_real_escape_string($_POST['yim']);
$location = mysql_real_escape_string($_POST['location']);
[/code]

Be aware that you must have an open mysql connection to use mysql_real_escape_string.

If there is something about the functions that you don't understand, then ask and someone will help.

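An added example, not code from this thread, putting the INSERT from the first post beside the same INSERT written as a prepared statement. It runs against an in-memory SQLite database through PDO (assumed to be available) rather than the mysql_* functions used above, which need a live MySQL server and were removed in PHP 7; the table, the fixed stand-in values for the other columns, and the payload are constructed for the demonstration, and password_hash() is used in the hardened version in place of sha1().

```php
<?php
// Added example (not from the thread): the thread's INSERT built by string
// interpolation, beside the same INSERT as a PDO prepared statement.
// Uses an in-memory SQLite database so it runs offline; the schema, the
// constant field values and the payload are constructed for this demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT, password TEXT, email TEXT, regip TEXT, regdate TEXT,
    user_level TEXT, postcount TEXT, website TEXT, icq TEXT, aim TEXT,
    msn TEXT, yim TEXT, location TEXT, user_title TEXT)');

// Vulnerable: the thread's query shape, with $username dropped straight
// into the SQL text. Other columns are fixed here to keep the demo short.
function registerInterpolated(PDO $pdo, string $username, string $password): void
{
    $sha1pass = sha1($password);
    $query = "INSERT INTO users (`username`, `password`, `email`, `regip`, `regdate`, `user_level`, `postcount`, `website`, `icq`, `aim`, `msn`, `yim`, `location`, `user_title`) VALUES ('$username', '$sha1pass', 'a@example.com', '127.0.0.1', '01-01-2000', '1', '0', '', '', '', '', '', '', 'Member')";
    $pdo->exec($query);
}

// Hardened: same INSERT as a prepared statement. The values are sent
// separately from the SQL text, so they can never change its structure.
function registerPrepared(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password, email, regip, regdate, user_level, postcount, website, icq, aim, msn, yim, location, user_title)
        VALUES (:username, :password, :email, :regip, :regdate, :user_level, :postcount, :website, :icq, :aim, :msn, :yim, :location, :user_title)');
    $stmt->execute([
        ':username'   => $username,
        ':password'   => password_hash($password, PASSWORD_DEFAULT), // instead of sha1()
        ':email'      => 'a@example.com',
        ':regip'      => '127.0.0.1',
        ':regdate'    => '01-01-2000',
        ':user_level' => '1',
        ':postcount'  => '0',
        ':website'    => '', ':icq' => '', ':aim' => '', ':msn' => '', ':yim' => '',
        ':location'   => '',
        ':user_title' => 'Member',
    ]);
}

// Constructed payload: closes the username literal, supplies all 14 values
// itself (user_level = 9, user_title = Admin) and comments out the rest of
// the original query. "-- " (with the trailing space) is a comment in both
// MySQL and SQLite.
$payload = "attacker', 'x', 'x', 'x', 'x', '9', '0', '', '', '', '', '', '', 'Admin') -- ";

registerInterpolated($pdo, $payload, 'secret');
registerPrepared($pdo, $payload, 'secret');

foreach ($pdo->query('SELECT username, user_level, user_title FROM users') as $row) {
    printf("%-24.24s level=%s title=%s\n", $row['username'], $row['user_level'], $row['user_title']);
}
```

Run it with the php command line. The first row comes back as the username attacker with user_level 9 and user_title Admin, because the injected string supplied its own value list and hid the original one behind a comment; the second row holds the entire payload verbatim as a username with user_level 1. Escaping the quote with mysql_real_escape_string would also stop this particular payload, but the prepared statement removes the need to get every single value escaped and keeps the fix independent of the connection's character set.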
Alright, both of the above posts are very helpful! Thanks for the quick response time.

hitman, now will real_escape_string prevent users from finding out that I use columns such as user_level?
Will it make it so they can't run queries through my forms? Also, does it prevent <script> tags?

Any syntax that would create an error in a MySQL query is escaped... i.e. a string like "it's a boy" would become "it\'s a boy". If you want to ensure that the <script> stuff doesn't get put in, then use strip_tags as was suggested above.

I don't see any of your fields above where that should be a problem... you should be limiting all of them to a max length of 20 or so... no reason to go above that... just <script></script> is 17 chars... which leaves 3 for them to insert some form of malicious code.

Well, email and website? xxpc210@gmail.com, that's 17, and I know a lot of people have more than that; http://www.google.com, that in itself is 21 and is a small URL.

I suppose all but those two I could give some more slack.

Also, when posting a thread, I could make it so it checks for <script> and uses str_replace to replace it with '', couldn't I?

[quote]Also, when posting a thread, I could make it so it checks for <script> and uses str_replace to replace it with '', couldn't I?[/quote]

Yep.

All the addslashes function does is put backslashes before something that would interfere with the script. Example:

[quote]echo "<a href="phpfreaks.com">";[/quote]

If this were your script, all that would be echoed is "<a href=". That's because you started the echo with (") so the next (") it sees will end the echo. The correct code would be:

[quote]echo "<a href=\"phpfreaks.com\">";[/quote]

Notice the backslash before the quotations that are part of the echo. If you use the addslashes function, it automatically adds the backslashes before the quotes that are part of the echo, rather than you having to manually put them in.

Hope that helps. :)

Alright, so far I have my post variables something like this:
[code]
$username = addslashes(mysql_real_escape_string($_POST['username']));
$password = addslashes(mysql_real_escape_string($_POST['password']));
$cpassword = addslashes(mysql_real_escape_string($_POST['cpassword']));
$email = addslashes(mysql_real_escape_string($_POST['email']));
$website = addslashes(mysql_real_escape_string($_POST['website']));
$icq = addslashes(mysql_real_escape_string($_POST['icq']));
$aim = addslashes(mysql_real_escape_string($_POST['aim']));
$msn = addslashes(mysql_real_escape_string($_POST['msn']));
$yim = addslashes(mysql_real_escape_string($_POST['yim']));
$location = addslashes(mysql_real_escape_string($_POST['location']));
[/code]

I have tested it; it does work against <script> attacks. Is there really anything else I should be worried about? It seems just putting in that stuff is too simple to protect against SQL injection, etc.

You only need to use mysql_real_escape_string(). You don't need to also do addslashes.

<?php
...
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
...
?>

True, mysql_real_escape_string takes out the use of <script>.

This is for extremely important web software, so it needs to be as secure as possible. Is there anything other than mysql_real_escape_string() that you recommend I use?

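An added example, not code from this thread, that runs the three approaches suggested so far for <script> input (str_replace of the literal tag, strip_tags with <a> allowed, and SQL escaping) over constructed payloads, beside htmlspecialchars() applied when the value is printed into a page. addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL connection and was removed in PHP 7; both only escape quote and backslash characters for SQL.

```php
<?php
// Added example, not code from the thread. Applies each filter suggested in
// the thread to constructed payloads and reports whether a raw '<' remains
// that could still open a tag in an HTML body, beside htmlspecialchars().
// addslashes() stands in for mysql_real_escape_string(); both escape only
// quotes and backslashes for SQL, not anything that matters to HTML.
declare(strict_types=1);

// Constructed attacker inputs, chosen to get past a filter that looks only
// for the exact string "<script>".
const PAYLOADS = [
    '<script>alert(1)</script>',
    '<SCRIPT>alert(1)</SCRIPT>',             // different case
    '<scr<script>ipt>alert(1)</script>',     // reassembles after one str_replace pass
    '<img src=x onerror=alert(1)>',          // no script tag at all
    '<a href="javascript:alert(1)">x</a>',   // allowed tag, dangerous attribute
];

// The approach approved above: delete the literal "<script>".
function stripScriptTag(string $s): string
{
    return str_replace('<script>', '', $s);
}

// The strip_tags() suggestion, allowing <a> as in that reply.
function stripTagsAllowAnchor(string $s): string
{
    return strip_tags($s, '<a>');
}

// SQL-style quote escaping only (stand-in for mysql_real_escape_string()).
function sqlEscape(string $s): string
{
    return addslashes($s);
}

// Output encoding: '<', '>', '&', '"' and "'" all become entities.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In HTML text content nothing can start a tag without a raw '<', so that is
// the property checked. Attribute and JavaScript contexts need their own
// encoding and are outside this example.
function canOpenTag(string $s): bool
{
    return strpos($s, '<') !== false;
}

// For every payload, true means the filter left something that can open a tag.
function evaluate(array $payloads): array
{
    $report = [];
    foreach ($payloads as $p) {
        $report[$p] = [
            'str_replace'      => canOpenTag(stripScriptTag($p)),
            'strip_tags'       => canOpenTag(stripTagsAllowAnchor($p)),
            'addslashes'       => canOpenTag(sqlEscape($p)),
            'htmlspecialchars' => canOpenTag(encodeForHtml($p)),
        ];
    }
    return $report;
}

foreach (evaluate(PAYLOADS) as $payload => $result) {
    echo $payload, "\n";
    foreach ($result as $filter => $dangerous) {
        printf("  %-17s %s\n", $filter, $dangerous ? 'can still open a tag' : 'inert as text');
    }
}
```

addslashes leaves every payload's markup intact, since it touches only quotes and backslashes; str_replace leaves a raw '<' in every payload too (even the first keeps its </script>, and the nested one re-forms a complete <script> tag); strip_tags removes the tags it can see but keeps the allowed <a> together with its javascript: href; only the encoded output is inert in all five cases. Removing one tag name and escaping for SQL are different problems from rendering untrusted text safely, and the dependable place to neutralise markup is at output, with the encoding for the context it is printed into.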
Typecasting of values supplied by the user and used in the script.
As well as ensuring paths to dynamically included scripts are local-site only (e.g. no include($pagename); 's).

Never. EVER. [b]EVER[/b] trust user input. They could supply values you don't expect them to, so ensure your script can handle any value tossed at it without errors.

(e.g. page.php?pagenum=blackcats
If you don't ensure that $_GET['pagenum'] is numeric, then you will have possible errors!)

I would suggest something like this:
<?php
if (!isset($_GET['im_supposed_to_be_a_number']) || !is_numeric($_GET['im_supposed_to_be_a_number']))
{
$_GET['im_supposed_to_be_a_number'] = 0;
}
?>

This makes it so that even if a bad value is passed, the script continues to execute without error.

You can also typecast the pagenum... I saw an article on the Zend website about this:
$pagenum = (int)$_GET['pagenum'];

I quite like that method as it's very short. Given that it is only to prevent malicious attempts, I don't see a need to handle the error by informing them that it was invalid, just to make sure that it can't do any damage etc.

[quote]
Typecasting of values supplied by the user and used in the script.
[/quote]
Beat ya to it ;) I just didn't link a definition of the term x)

It is important to note that all data in $_GET, $_POST, $_COOKIE is of the 'string' data type. Thus, performing "is_int($_REQUEST['var']);" always returns false unless the value has been type-cast to an integer.

Yes. So use ctype_digit() if you are validating an expected integer from form input.

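An added example, not code from this thread, that pulls the last few posts together: a validator for an integer expected in the query string, built on ctype_digit() and a cast, beside a table of what the (int) cast, is_numeric() and ctype_digit() each make of constructed inputs. $query stands in for $_GET so the function can be called directly; the key name pagenum is taken from the earlier post.

```php
<?php
// Added example, not code from the thread: a validator for an integer
// expected in the query string, plus a comparison of the three checks
// mentioned above ((int) cast, is_numeric(), ctype_digit()) on constructed
// inputs. $query stands in for $_GET so the function can be called directly.
declare(strict_types=1);

// Returns a page number in [1, $max], or $default for anything else.
function pageNumber(array $query, string $key, int $default = 1, int $max = PHP_INT_MAX): int
{
    // Query values are strings, but ?pagenum[]=1 makes $query[$key] an array,
    // so the type is checked before ctype_digit() ever sees the value.
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return $default;
    }
    $raw = $query[$key];
    // ctype_digit() accepts only 0-9: no sign, whitespace, exponent or suffix.
    // The length cap keeps the cast below from overflowing a 64-bit int.
    if ($raw === '' || strlen($raw) > 18 || !ctype_digit($raw)) {
        return $default;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : $default;
}

// Constructed inputs covering the cases that separate the three checks.
const INPUTS = ['12', '007', ' 12', '12abc', '-5', '1e3', '0x1A', 'blackcats', ''];

function compareChecks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $in) {
        $rows[] = [
            'input'       => $in,
            'cast'        => (int) $in,         // keeps a leading number, maps "blackcats" to 0
            'is_numeric'  => is_numeric($in),   // accepts leading whitespace and exponents
            'ctype_digit' => ctype_digit($in),  // accepts decimal digits only
            'pageNumber'  => pageNumber(['pagenum' => $in], 'pagenum', 0),
        ];
    }
    return $rows;
}

printf("%-12s %6s %11s %12s %11s\n", 'input', 'cast', 'is_numeric', 'ctype_digit', 'pageNumber');
foreach (compareChecks(INPUTS) as $r) {
    printf("%-12s %6d %11s %12s %11d\n",
        var_export($r['input'], true),
        $r['cast'],
        $r['is_numeric'] ? 'true' : 'false',
        $r['ctype_digit'] ? 'true' : 'false',
        $r['pageNumber']);
}
```

The table shows the gap between the three checks: the bare cast never rejects anything, it just turns "12abc" into 12 and "blackcats" into 0; is_numeric() accepts " 12" and "1e3", which a later (int) cast converts in ways the caller may not expect; ctype_digit() accepts only a run of decimal digits, which is what a page number, record id or user level should be. The is_string() guard matters because a query string can deliver an array where a string was expected, and the upper bound gives the validator a range to reject instead of passing any large value through.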
