
securing scripts...


localhost


I need to secure a few of my scripts against the following:
SQL Injection
<script> tags

I need to make it so that when they insert <script>something</script> it deletes everything in between the script tags as well as the script tags themselves.
Please don't say "use addslashes" or "magic quotes", because I'm not understanding those; if someone can just put an example into the script below:

[code]if(isset($_POST['submit']) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['cpassword']) &&
!empty($_POST['email']))
{

$username = $_POST['username'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
$email = $_POST['email'];
$website = $_POST['website'];
$icq = $_POST['icq'];
$aim = $_POST['aim'];
$msn = $_POST['msn'];
$yim = $_POST['yim'];
$location = $_POST['location'];

$ip = $_SERVER['REMOTE_ADDR'];
$date = date('m-d-Y');

$user_level = "1";

/* ****** CHECK IF BOTH PASSWORDS MATCH EACH OTHER ****** */
if($password!=$cpassword)
{
echo "Passwords do not match.";
} else {
/* ****** IF SO THEN WE ENCRYPT THE PASSWORD AND CONTINUE TO INSERT INTO THE DB ****** */
$sha1pass = sha1($password);

/* ****** INSERT THE DATABASE DETAILS INTO THE DATABASE TABLE users ****** */
$query = "INSERT INTO users (`username`, `password`, `email`, `regip`, `regdate`, `user_level`, `postcount`, `website`, `icq`, `aim`, `msn`, `yim`, `location`, `user_title`) VALUES ('$username', '$sha1pass', '$email', '$ip', '$date', '$user_level', '0', '$website', '$icq', '$aim', '$msn', '$yim', '$location', 'Member')";
$result = mysql_query($query) or die(mysql_error());
}
}[/code]

thanks for the help.

Have you read about the function strip_tags?

ex:
[code]
$text = '<script>something here</script> my link is <a href="somelink.com">the link</a>';
[/code]
Say you have a text like that.

[code]
$newtext = strip_tags($text,'<a>');
[/code]
$newtext is now: 'my link is <a href="somelink.com">the link</a>'

Note that all tags other than <a> are stripped.
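As an added example (not code from the thread), the script below runs strip_tags() on the input from the reply above, on a second constructed input with hostile attributes, and compares the result with two alternatives: a regex that deletes <script> blocks including their contents, and output encoding with htmlspecialchars(). It assumes PHP 7 or later; the function names removeScriptBlocks() and encodeForHtml() are chosen here.

```php
<?php
// Added example, not from the thread: what strip_tags() does and does not
// remove, next to whole-block removal and output encoding.

/**
 * Delete <script>...</script> blocks together with their contents, then
 * strip every remaining tag. This is what the original poster asked for,
 * but it is a blacklist: treat it as cosmetic cleanup, not as the defence.
 */
function removeScriptBlocks(string $text): string
{
    // i: case-insensitive, s: dot matches newlines, .*? : shortest match
    $noScripts = preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $text);
    return trim(strip_tags($noScripts));
}

/**
 * Encode a value for placement inside HTML text or a double-quoted
 * attribute. ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the one from the reply, plus an <a> that is "allowed"
// by strip_tags() but carries a javascript: URL and an event handler.
$input   = '<script>something here</script> my link is <a href="somelink.com">the link</a>';
$hostile = '<a href="javascript:alert(1)" onmouseover="alert(2)">click</a>';

// 1. strip_tags() removes the tags only; the text between them stays.
echo "strip_tags, <a> allowed:\n  ", strip_tags($input, '<a>'), "\n";

// 2. An allowed tag keeps every attribute it had.
echo "strip_tags on hostile <a>:\n  ", strip_tags($hostile, '<a>'), "\n";

// 3. Whole-block removal, then strip everything.
echo "removeScriptBlocks:\n  ", removeScriptBlocks($input), "\n";

// 4. Output encoding: the markup is shown as text, never parsed as HTML.
echo "encodeForHtml on hostile <a>:\n  ", encodeForHtml($hostile), "\n";
```

Running it shows the two things to remember. strip_tags() keeps the text that was between the removed tags, so "something here" survives in the first output, and an allowed <a> keeps its href="javascript:..." and onmouseover attributes untouched, so script can still run from a tag you permitted. Whatever is stripped on input, encoding with htmlspecialchars() at the point where a value is echoed into HTML is what actually prevents script execution, because the browser never sees a tag.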

Use addslashes (http://www.php.net/addslashes) or mysql_real_escape_string (http://www.php.net/mysql_real_escape_string):
[code]
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$cpassword = mysql_real_escape_string($_POST['cpassword']);
$email = mysql_real_escape_string($_POST['email']);
$website = mysql_real_escape_string($_POST['website']);
$icq = mysql_real_escape_string($_POST['icq']);
$aim = mysql_real_escape_string($_POST['aim']);
$msn = mysql_real_escape_string($_POST['msn']);
$yim = mysql_real_escape_string($_POST['yim']);
$location = mysql_real_escape_string($_POST['location']);
[/code]

Be aware that you must have an open mysql connection to use mysql_real_escape_string.

If there is something about the functions that you don't understand, then ask and someone will help.

Alright, both of the above posts are very helpful! Thanks for the quick response time.

Hitman, now will real_escape_string prevent users from finding out that I use columns such as user_level?
Will it make it so they can't run queries through my forms? Also, does it prevent <script> tags?

Any syntax that would create an error in a MySQL query is escaped, i.e. a string like "it's a boy" would become "it\'s a boy". If you want to ensure that the <script> stuff doesn't get put in, then use strip_tags as was suggested above.

I don't see any of your fields above where that should be a problem... you should be limiting all of them to a max length of 20 or so... no reason to go above that... just <script></script> is 17 chars... which leaves 3 for them to insert some form of malicious code.

Well, email and website? xxpc210@gmail.com, that's 17, and I know a lot of people have more than that; http://www.google.com is 21 by itself and that is a small URL.

I suppose all but those two I could give some more slack.

Also, when posting a thread I could make it so it checks for <script> and uses str_replace to replace it with '', couldn't I?

All the addslashes function does is put backslashes before something that would interfere with the script. Example:

[quote]echo "<a href="phpfreaks.com">";[/quote]

If this were your script, all that would be echoed is "<a href=". That's because you started the echo with (") so the next (") it sees will end the echo. The correct code would be:

[quote]echo "<a href=\"phpfreaks.com\">";[/quote]

Notice the backslash before the quotations that are part of the echo. If you use the addslashes function, it automatically adds the backslashes before the quotes that are part of the echo, rather than you having to manually put them in.

Hope that helps. :)

Alright, so far I have my post variables something like this:
[code]
$username = addslashes(mysql_real_escape_string($_POST['username']));
$password = addslashes(mysql_real_escape_string($_POST['password']));
$cpassword = addslashes(mysql_real_escape_string($_POST['cpassword']));
$email = addslashes(mysql_real_escape_string($_POST['email']));
$website = addslashes(mysql_real_escape_string($_POST['website']));
$icq = addslashes(mysql_real_escape_string($_POST['icq']));
$aim = addslashes(mysql_real_escape_string($_POST['aim']));
$msn = addslashes(mysql_real_escape_string($_POST['msn']));
$yim = addslashes(mysql_real_escape_string($_POST['yim']));
$location = addslashes(mysql_real_escape_string($_POST['location']));
[/code]

I have tested; it does work against <script> attacks. Is there really anything else I should be worried about? It seems just putting in that stuff is too simple to protect against SQL injection, etc.
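Three facts worth having next to the post above, then an added example. First, stacking addslashes() on top of mysql_real_escape_string() escapes twice: a single quote becomes \' after the first call and \\\' after the second, so the stored value gains stray backslashes. Second, the mysql_* extension was removed in PHP 7.0; the equivalents today are mysqli or PDO, which also offer prepared statements, where input is bound as data and cannot change the SQL text at all. Third, `die(mysql_error())` in the original script prints the database error to the visitor, which is exactly how someone learns that a users table with a user_level column exists. The script below is an added example, not code from the thread: part 1 reproduces the thread's string-built INSERT (reduced to three columns) so the injection is visible; part 2 is the same registration done with a PDO prepared statement. It assumes PHP 7 or later, a MySQL `users` table with the columns from the original query, and the DSN and credentials shown, which are placeholders; the function names naiveInsertSql(), field() and registerUser() are chosen here.

```php
<?php
// Added example, not code from the thread. Part 1: the original string
// interpolation. Part 2: validation plus a PDO prepared statement.

/** Part 1: the thread's interpolation, reduced to three columns. */
function naiveInsertSql(string $username, string $sha1pass): string
{
    return "INSERT INTO users (`username`, `password`, `user_level`) "
         . "VALUES ('$username', '$sha1pass', '1')";
}

// Constructed hostile username: closes the quoted value, supplies its own
// password hash and user_level, closes the VALUES list, and turns the rest
// of the template into a MySQL comment with '#'.
$hostileName = "eve', '" . sha1('pw') . "', '9') #";
echo naiveInsertSql($hostileName, sha1('irrelevant')), "\n";

/** Fetch one POST field as a length-bounded string; arrays and nulls become ''. */
function field(array $post, string $key, int $max): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? substr($v, 0, $max) : '';
}

/** Part 2: validate, hash, and insert with bound parameters. Returns the new id. */
function registerUser(PDO $db, array $post, string $ip): int
{
    $username = trim(field($post, 'username', 64));
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        throw new InvalidArgumentException('username must be 3-20 letters, digits or underscores');
    }
    $email = filter_var(field($post, 'email', 254), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('email address is not valid');
    }
    $password = field($post, 'password', 1024);
    if ($password === '' || $password !== field($post, 'cpassword', 1024)) {
        throw new InvalidArgumentException('passwords are empty or do not match');
    }
    // Salted, iterated hash in place of bare sha1(); store it in a VARCHAR(255).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // user_level and postcount are literals fixed by the server. Every other
    // value is a bound parameter: quotes, backslashes and '#' in the input
    // are stored as characters, never interpreted as SQL.
    $sql = 'INSERT INTO users
              (username, password, email, regip, regdate, user_level, postcount,
               website, icq, aim, msn, yim, location, user_title)
            VALUES
              (:username, :password, :email, :regip, :regdate, 1, 0,
               :website, :icq, :aim, :msn, :yim, :location, :user_title)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':username'   => $username,
        ':password'   => $hash,
        ':email'      => $email,
        ':regip'      => $ip,
        ':regdate'    => date('m-d-Y'),
        ':website'    => field($post, 'website', 255),
        ':icq'        => field($post, 'icq', 32),
        ':aim'        => field($post, 'aim', 64),
        ':msn'        => field($post, 'msn', 64),
        ':yim'        => field($post, 'yim', 64),
        ':location'   => field($post, 'location', 64),
        ':user_title' => 'Member',
    ]);
    return (int) $db->lastInsertId();
}

try {
    // Placeholder DSN and credentials (assumption for the example).
    $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    $id = registerUser($db, $_POST, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    echo "Registered user #$id\n";
} catch (InvalidArgumentException $e) {
    echo 'Registration failed: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
} catch (PDOException $e) {
    // Log the driver message; never echo it to the visitor.
    error_log($e->getMessage());
    echo "Registration failed.\n";
}
```

With the hostile username, part 1 prints a statement of the form INSERT INTO users (`username`, `password`, `user_level`) VALUES ('eve', '<hash>', '9') #', '<hash>', '1'). MySQL executes everything before the # and ignores the rest, so the row is created with user_level 9 even though the PHP code only ever wrote '1' into the template; that is the answer to "can they run queries through my forms". In part 2 the same string is refused by the username rule, and had it got through it would simply be stored as an odd-looking username, because a bound parameter is data, not SQL.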

Typecasting of values supplied by the user and used in the script.
As well as ensuring paths to dynamically included scripts are local-site only (e.g. no include($pagename); calls).

Never. EVER. [b]EVER[/b]. Trust user input. They could supply values you don't expect them to, so ensure your script can handle any value tossed at it without errors.

(e.g. page.php?pagenum=blackcats
If you don't ensure that $_GET['pagenum'] is numeric, then you will have possible errors!)

I would suggest something like this:
[code]
<?php
if (!is_numeric($_GET['im_supposed_to_be_a_number']))
{
$_GET['im_supposed_to_be_a_number'] = 0;
}
?>
[/code]

This makes it so that even if a bad value is passed, the script continues to execute without error.

You can also typecast the pagenum. I saw an article on the Zend website about this:
[code]
$pagenum = (int)$_GET['pagenum'];
[/code]

I quite like that method as it's very short. Given that it is only to prevent malicious attempts, I don't see a need to handle the error by informing them that it was invalid, just to make sure that it can't do any damage etc.

[quote]
Typecasting of values supplied by the user and used in the script.
[/quote]
Beat you to it ;) I just didn't link a definition of the term x)

It is important to note that all data in $_GET, $_POST, $_COOKIE is of the 'string' data type. Thus, performing "is_int($_REQUEST['var']);" always returns false unless the value has been type-cast to an integer.
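The last three replies describe three different ways of handling $_GET['pagenum'], which always arrives as a string: is_numeric() with a fallback, an (int) cast, and the observation that is_int() on request data is always false. The script below is an added example, not code from the thread; it runs all three approaches over the same constructed inputs, plus filter_var() with FILTER_VALIDATE_INT, so the differences are visible in one table. It assumes PHP 7.1 or later (nullable return type); pageNumber() is a name chosen here.

```php
<?php
// Added example, not from the thread: converting $_GET['pagenum'] to an
// integer three ways and showing where they disagree.

/**
 * Return a page number >= 1, or null when the parameter is missing, is not
 * a plain decimal integer, or is out of range. The caller treats null as
 * "use page 1" or "reject the request"; it never builds SQL from the raw string.
 */
function pageNumber(array $query, string $key = 'pagenum'): ?int
{
    $raw = $query[$key] ?? null;
    if (!is_string($raw)) {        // ?pagenum[]=1 arrives as an array, not a string
        return null;
    }
    // FILTER_VALIDATE_INT accepts an optional sign and decimal digits only
    // (surrounding whitespace is trimmed) and returns false for anything else,
    // including values that do not fit in a PHP integer.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Constructed inputs: a valid page, leading whitespace, trailing junk,
// exponent form, hex, plain text, a negative, and a value beyond 64 bits.
$samples = ['7', ' 7', '7abc', '1e3', '0x1f', 'blackcats', '-1', '99999999999999999999'];

printf("%-24s %-12s %-22s %s\n", 'input', 'is_numeric', '(int) cast', 'pageNumber');
foreach ($samples as $s) {
    printf("%-24s %-12s %-22s %s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export((int) $s, true),
        var_export(pageNumber(['pagenum' => $s]), true)
    );
}

// What the thread's last reply describes: request data is a string until cast.
var_dump(is_int('7'));        // bool(false)
var_dump(is_int((int) '7'));  // bool(true)
```

The table makes the trade-off concrete. The (int) cast never fails but silently invents a value: '7abc' becomes 7, 'blackcats' becomes 0, and the oversized input cannot be represented and comes back as a different number, so a query using it runs with a page the user did not ask for. is_numeric() answers a different question (does this string look like a number?) and says yes to '1e3' and to leading whitespace, neither of which is a page number. filter_var() with FILTER_VALIDATE_INT accepts only what a page number should be, lets you bound the range, and is the check to apply before the value goes anywhere near a query, ideally as a bound parameter rather than by string concatenation.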
