Minimeallolla Posted November 11, 2010

OK, here is my comment protection >< Very basic and simple, but I just got "htmlentitied" lol =[ How do I protect against that?

if (isset($_POST['submit'])) {
    $comment = trim(stripslashes(mysql_real_escape_string($_POST['comment'])));

This is my registration protection. SQL can still get through >< It doesn't work?

$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
    $_POST['pass'] = trim(stripslashes(mysql_real_escape_string($_POST['pass'])));
    $_POST['username'] = trim(stripslashes(mysql_real_escape_string($_POST['username'])));
}

Quote Link to comment https://forums.phpfreaks.com/topic/218439-need-help-badly-htmlentities-sql-injection-etc-need-help/ Share on other sites More sharing options...
Vitamin Posted November 11, 2010

Maybe I'm mistaken, but don't you want to do addslashes() instead of stripslashes()?
Minimeallolla Posted November 11, 2010

I thought stripslashes was for inputting information and addslashes was for outputting information that has been slashed? I'm most likely wrong, since I'm not that experienced. I'm only here to gain knowledge.
Vitamin Posted November 11, 2010

Oops, I'll just edit this out.
KevinM1 Posted November 11, 2010

You use stripslashes before using mysql_real_escape_string to combat magic quotes. The escape function escapes the data, but the slashes don't/shouldn't remain when you retrieve those values from the db. What do you mean by 'I got htmlentitied'?

EDIT: @Vitamin - never use addslashes to escape data. It's not secure. Instead, use the escape function of the type of db you're using.
Minimeallolla Posted November 11, 2010

Well, I asked a few expert web devs to try to see any flaws in my site, and one guy just said "you have been hacked, easy, one word: htmlentities." \=
Minimeallolla Posted November 11, 2010

How/what do I replace this with? Replace the stripslashes with addslashes?

$_POST['username'] = trim(stripslashes(mysql_real_escape_string($_POST['username'])));
KevinM1 Posted November 11, 2010

> How/what do I replace this with? Replace the stripslashes with addslashes?
> $_POST['username'] = trim(stripslashes(mysql_real_escape_string($_POST['username'])));

You don't. Re-read my post.
Minimeallolla Posted November 11, 2010

So remove the stripslashes altogether? Sorry for sounding so noob, I'm just here to gain knowledge and I'm not That experienced.
KevinM1 Posted November 11, 2010

> Well, I asked a few expert web devs to try to see any flaws in my site, and one guy just said "you have been hacked, easy, one word: htmlentities." \=

And you didn't ask for an explanation? htmlentities should be used if you're going to output info a user saved to your db. It ensures that any potential HTML or JavaScript they tried to insert will instead simply be displayed as HTML entities, thereby stopping the code from being rendered/executed.
KevinM1 Posted November 11, 2010

> So remove the stripslashes altogether? Sorry for sounding so noob, I'm just here to gain knowledge and I'm not That experienced.

Keep stripslashes where it is. In fact, don't touch your code, as what you have has nothing to do with htmlentities.
Minimeallolla Posted November 11, 2010

OK, thanks heaps, night. I have, but they are really stubborn; it's over a forum like this lol. \=

if (isset($_POST['submit'])) {
    $comment = trim(stripslashes(mysql_real_escape_string($_POST['comment'])));

So I should make it...

if (isset($_POST['submit'])) {
    $comment = trim(htmlentities(stripslashes(mysql_real_escape_string($_POST['comment']))));
Minimeallolla Posted November 11, 2010

I will show you my users table... this is what I meant, not SQL injection proof...

id | username | password (md5) | email | ip
6 | Hey')I hope you're protected -- | 1d94c749bd4d8477088e4a068f62012b | testinshit@yahoo.com | 79.91.50.3
7 | ' | 0cc175b9c0f1b6a831c399e269772661 | a@a.com | 212.130.82.110
8 | asdsad'OR DIEEeeee | 49f68a5c8493ec2c0bf489821c21fc3b | asdasda@asdasd.se | 212.247.219.51
9 | ;DROP TABLE users; | 49f68a5c8493ec2c0bf489821c21fc3b | asdasda@asdasd.se | 212.247.219.51
10 | vag';DROP TABLE users | 7815696ecbf1c96e6894b779456d330e | kaaa@ke.ee | 212.247.219.51
11 | ');DROP TABLE users | 5a73678b7b674005056434a48054707d | ke@keekek.se | 212.247.219.51
12 | ;DROP TABLE | 3b79c04ca94351cb6754731f0d37fcfe | le@lele.se | 212.247.219.51
13 | ../../<?php phpinfo() ?>/../phpinfo | 0cc175b9c0f1b6a831c399e269772661 | a@a.com | 82.182.34.215
14 | test | 0cc175b9c0f1b6a831c399e269772661 | a@a.com | 82.182.34.215
15 | test'_:* | 0cc175b9c0f1b6a831c399e269772661 | a@a.com | 82.182.34.215
16 | ........................ | 76d80224611fc919a5d54f0ff9fba446 | gjgyjgy@lo.com | 81.149.190.4
17 | omgomgomgomgomgomgomgomgomgomgomgomgomgomgomgomgom... | 76d80224611fc919a5d54f0ff9fba446 | adfwafwa@lol.com | 81.149.190.4
18 | lollollollollollollollollollollollollollollollollo... | 76d80224611fc919a5d54f0ff9fba446 | arawfr@fhtfrghf.com | 81.149.190.4
19 | asdsafs | a9e0b61e6ff2ddd16e77e88ddd045028 | asdsafs@asdsafs.com | 80.101.44.18
20 | ");dicks | 697b562318cce0ec13b9e6f4826257ac | abc@gaylord.com | 87.211.28.14
21 | d | 8277e0910d750195b448797616e091ad | d@d.dk | 94.146.244.5
22 | ')"; echo "you are dumb"; | 0f18fd4cf40bfb1dec646807c7fa5522 | fuck@you.com | 173.55.149.58
23 | ');DROP TABLE users | e358efa489f58062f10dd7316b65649e | t@hotmail.com | 121.218.198.177
24 | john | 9cdfb439c7876e703e307864c9167a15 | 123@lol.com | 173.62.11.40
25 | fuck | 99754106633f94d350db34d548d60 (truncated in the original post)
Minimeallolla Posted November 11, 2010

OK, this is what someone said: "stripslashes will just undo all the work real_escape_string does. If you're using stripslashes to 'fix' magic_quotes, then run stripslashes over the user's data before running real_escape_string." So I'm going to replace all my sanitizing scripts with that?

if (get_magic_quotes_gpc()) {
    $_POST['myvar'] = stripslashes($_POST['myvar']);
}
$myvar = mysql_real_escape_string($_POST['myvar']);
Minimeallolla Posted November 11, 2010

OK, so I put

if (get_magic_quotes_gpc()) {
    $_POST['username'] = stripslashes($_POST['username']);
    $_POST['pass'] = stripslashes($_POST['pass']);
}
$username = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['pass']);

all through it, and still the same thing happens:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ');DROP TABLE users'' at line 1
KevinM1 Posted November 11, 2010

Do me a favor and stop listening to the people on the other forum. They're confusing you, and making it harder for me to set you straight. One of your problems is that you're freaking out and trying to throw a bunch of code at the wall to see what sticks. Take a step back and look at it as a series of steps.

First, you nested your function calls backwards. You need to use:

$comment = mysql_real_escape_string(stripslashes(trim($_POST['comment'])));

Look at it one step at a time:

1. trim is called first.
2. stripslashes is called second (this removes the non-secure slashes potentially added by magic quotes).
3. The proper escape function is executed last, properly securing your data from injection.

Notice that htmlentities is not in this chain of events. That's because, like I said before, it's used when outputting items that have already been stored in the db.

$query = "SELECT * FROM Comments WHERE user_id = $id";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
    echo htmlentities($row['text'], ENT_QUOTES, "UTF-8");
}

For the tightest security, use the two options I gave above. Note that this won't block scary-looking data from being inserted into your db. You need to actually validate your form data to ensure that the data you expect to get is what you really get (e.g., if you're expecting a number, you shouldn't get a string).
Minimeallolla Posted November 11, 2010

OK, thanks. I did this where it echoes the comments:

<?php
include ("database.php");
$query = "SELECT * FROM homecomments";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
    // encode every stored field on output, the username as well as the comment
    echo "<b>" . htmlentities($row['username'], ENT_QUOTES, "UTF-8") . "</b>: <br> ";
    echo "<p>";
    echo htmlentities($row['comment'], ENT_QUOTES, "UTF-8");
}
?>
Minimeallolla Posted November 11, 2010

So that's the only protection needed for inserting into the database?

if (isset($_POST['submit'])) {
    $comment = mysql_real_escape_string(stripslashes(trim($_POST['comment'])));
    // now we insert it into the database
    $insert = "INSERT INTO homecomments (username, comment) VALUES ('$username', '$comment')";
Minimeallolla Posted November 11, 2010

OK, I did it all, and I commented "<strong><br> test" and it accepts the HTML? So it didn't work? ):
KevinM1 Posted November 11, 2010

> OK, I did it all, and I commented "<strong><br> test" and it accepts the HTML? So it didn't work? ):

Protection from injection doesn't mean the db magically blocks the input from being saved. Also, do you know what HTML entities actually are? You seem to have an unrealistic idea of how this all works. Unless you put in some validation (like I mentioned before), if someone writes 'OR 1=1; DROP TABLES; it will still be inserted into the db as data. It just won't be executed as a SQL command. Similarly, look at your source code after you output some data... what do you see?
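The three points KevinM1 makes above (escape or bind the value on the way in, encode on the way out, validate the type) in one runnable form, as an added example that is not code from the thread or from either poster. It is Python over an in-memory SQLite database rather than the PHP/MySQL of the posts: a parameterized query stands in for mysql_real_escape_string, html.escape stands in for htmlentities, and the sample comments are constructed from the strings in the users table shown earlier. It demonstrates what the previous post says: the injection text is stored verbatim as data, the users table is untouched, and "<strong>" appears in the page source as "&lt;strong&gt;" rather than being rendered.

```python
"""Added example (not from the thread): storing hostile-looking input safely,
encoding it on output, and validating the type of a numeric parameter.
Python + SQLite here; the posts use PHP + MySQL."""
import html
import sqlite3

# Constructed sample submissions, modelled on strings from the thread's users table.
SAMPLE_COMMENTS = [
    "');DROP TABLE users",
    "<strong><br> test",
    "'OR 1=1; DROP TABLES;",
]


def open_db():
    """In-memory database with the two tables the thread talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute(
        "CREATE TABLE homecomments (id INTEGER PRIMARY KEY, user_id INTEGER, comment TEXT)"
    )
    conn.execute("INSERT INTO users (id, username) VALUES (1, 'john')")
    conn.commit()
    return conn


def validate_user_id(raw):
    """Validation step: a user id must be a positive integer, nothing else."""
    if not isinstance(raw, str) or not raw.strip().isdigit():
        raise ValueError("user_id must be a positive integer")
    return int(raw.strip())


def store_comment(conn, raw_user_id, raw_comment):
    """Input side: trim, then bind the value as a parameter. The comment text is
    never concatenated into the SQL string, so ');DROP TABLE users is just data."""
    user_id = validate_user_id(raw_user_id)
    comment = raw_comment.strip()
    conn.execute(
        "INSERT INTO homecomments (user_id, comment) VALUES (?, ?)",
        (user_id, comment),
    )
    conn.commit()


def render_comments(conn, user_id):
    """Output side: encode each stored comment as HTML text at render time
    (the role htmlentities plays in the PHP code above)."""
    rows = conn.execute(
        "SELECT comment FROM homecomments WHERE user_id = ? ORDER BY id", (user_id,)
    ).fetchall()
    return "".join("<p>" + html.escape(comment, quote=True) + "</p>" for (comment,) in rows)


def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Run the scenario end to end and report what actually happened."""
    conn = open_db()
    for text in SAMPLE_COMMENTS:
        store_comment(conn, "1", text)
    # A non-numeric user id is refused before any SQL is built.
    try:
        store_comment(conn, "1 OR 1=1", "x")
        rejected = False
    except ValueError:
        rejected = True
    stored = [r[0] for r in conn.execute("SELECT comment FROM homecomments ORDER BY id")]
    return {
        "users_table_survives": table_exists(conn, "users"),
        "stored_verbatim": stored == SAMPLE_COMMENTS,
        "bad_user_id_rejected": rejected,
        "rendered": render_comments(conn, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rendered string is what "look at your source code" in the post above refers to: the browser receives `&lt;strong&gt;&lt;br&gt; test` and displays it as literal text, while the database still holds the original characters.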
Minimeallolla Posted November 11, 2010

Welcome ;DROP TABLE homecomments;, you are logged in.

Hmm, it seems to have blocked what it's trying to do, but idk, it still shows up. \= Go on it and see the flaws for yourself? http://www.rohan.giacjr.dino-hosting.net/index.php