chaseman Posted December 22, 2010

The nature of the script I'm working on is to echo everything out the same way the user input his data. I have a name input and a textarea; the name input is quite protected with trim() and mysqli_real_escape_string() ... BUT the textarea should allow every character and even spaces, the same way the user has entered it, which means I can not use these types of protection. For example:

Name: Halloween Skull
Input:
---
| |
-----
( o.o)
|~|
'''''

The skull should be echoed out the same way it was entered; the echoing happens in <pre></pre> tags, meaning everything is echoed out between pre tags. Even special characters like ÇÉËÄÑÐ are allowed. Now I'm wondering how much of a security issue this is. I don't know much about SQL injection other than a few tricks. And is there a way to protect yourself against attacks but still provide flexibility?

Link to comment: https://forums.phpfreaks.com/topic/222404-protecting-against-sql-injection-but-still-providing-flexibility/
Rifts Posted December 22, 2010

I think you need to use nl2br();
chaseman (Author) Posted December 22, 2010

nl2br messes the skull up into: --- | | ----- ( o.o) |~| '''

EDIT: Just as a thought, I can post any character that I want to in this forum post as well, so how is this forum post protected against SQL injection?
requinix Posted December 22, 2010

1. SQL injection != HTML injection (aka XSS vulnerability). Protection against the former is easy with *_real_escape_string(); protection against the latter is easy with htmlentities/htmlspecialchars. Using either of those will mean that the user cannot enter any HTML. If you do want that, use strip_tags, but keep in mind that there's still a vulnerability: the attributes, notably with events (onclick, onfocus, etc.) and CSS on IE (because of its expression()). The user comments have many attempts at more rigid versions of strip_tags() that are worth looking into.

2. nl2br() preserves newline characters. Since you're using a <pre> already, adding a nl2br() will effectively add a space between each line.
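The two separate defences described above, as an added example that is not code from the thread: a prepared statement keeps the textarea contents out of the SQL text (so nothing needs escaping and nothing is stripped), and htmlspecialchars() at output time keeps the same bytes out of the HTML. It assumes PHP 7 or later with the pdo_sqlite extension, and an in-memory SQLite database through PDO stands in for the MySQL/mysqli connection in the original post; the table, column and function names and the sample input are invented for this demo.

```php
<?php
// Added example, not code from the thread. It shows the two separate
// defences requinix describes: a prepared statement keeps the textarea
// out of the SQL text, and htmlspecialchars() keeps it out of the HTML.
// Assumptions: an in-memory SQLite database through PDO stands in for the
// MySQL/mysqli connection of the original post, and the table, column and
// function names are invented for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT NOT NULL, body TEXT NOT NULL)');

// Store exactly what the user typed. With a bound parameter the database
// never parses the body as SQL, so quotes, "--" and newlines need no
// escaping and nothing is stripped. (With mysqli the equivalent is
// $stmt = $mysqli->prepare(...); $stmt->bind_param('ss', $name, $body).)
function save_post(PDO $db, string $name, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => trim($name), ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Encode at output time, not before storage: the database holds the real
// text, and every place that prints it decides how to make it safe for
// that context. ENT_QUOTES also encodes ' so the value is safe inside an
// attribute; the explicit charset avoids depending on the PHP version's
// default (ISO-8859-1 before 5.4, UTF-8 from 5.4 on).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_post(array $post): string
{
    return "<p><b>" . h($post['name']) . "</b></p>\n<pre>" . h($post['body']) . "</pre>\n";
}

// Constructed input: the skull from the thread plus the payloads it
// discusses, a SQL-looking name and laffin's </pre> breakout in the body.
$name = "  Halloween Skull'); DROP TABLE posts; --  ";
$body = "  ---\n  | |\n -----\n( o.o)\n  |~|\n  '''\n"
      . "</pre><script>alert('XSS');</script><pre>\n"
      . "<(*.*)>  ÇÉËÄÑÐ";

$id   = save_post($db, $name, $body);
$post = load_post($db, $id);

echo $post['body'] === $body ? "body stored byte-for-byte\n" : "body was altered\n";
echo "table still has ", $db->query('SELECT COUNT(*) FROM posts')->fetchColumn(), " row(s)\n";

$html = render_post($post);
echo strpos($html, '<script>') === false ? "no live <script> in the output\n" : "XSS!\n";
echo $html;

// Why an allow-list with strip_tags() is not the same thing: attributes on
// allowed tags pass through untouched, so the onmouseover handler survives.
echo strip_tags('<b onmouseover="alert(1)">hi</b>', '<b>'), "\n";
```

The point of the split is that each function protects exactly one context: the prepared statement is the SQL defence and h() is the HTML defence, and neither needs to know about the other. mysqli_real_escape_string() on the name input is only a correct SQL defence when the value lands inside a quoted string literal of the query and the connection charset has been set with mysqli_set_charset(); it does nothing for the XSS problem, which is why the skull still has to go through htmlspecialchars() on the way out.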
laffin Posted December 22, 2010

What you are referring to is not SQL injection but an XSS attack. Given your example, if you use

    echo "<pre>$message</pre>";

what prevents a user from putting this into the message:

---
| |
-----
( o.o)
|~|
'''
</pre><script>alert('XSS');</script><pre>

Oh no... now that I know your system is XSS-exploitable, I can create a JavaScript function to, say, get user information and send it to my server.

Rule #1) Don't trust user input
chaseman (Author) Posted December 22, 2010

requinix, thanks for the helpful post. I ended up using htmlspecialchars(). I cannot use strip_tags() because, as I said, the textarea should allow posting ALL characters, just like this forum post allows posting all characters; if I used strip_tags, I couldn't post <(*.*)> anymore, that's why I used htmlspecialchars(). Would you recommend using something else instead of <pre>? I had to use <pre> so the spaces get maintained too, because without the <pre> THIS: < * . * ) >, becomes THIS: <*.*)>, meaning the spaces get eliminated. Is the nl2br necessary? Is it important? If yes, is there a way I can implement it and still PRESERVE the spaces?

laffin, bear with me, I've only been learning PHP for a week now. What type of user information could you get? The script I'm building is fairly simple and is going to remain simple when it's finished; there are not many possibilities for what users can input. The only places where vulnerability can occur are the textarea, which is supposed to allow echoing of every character possible, and the name input. The name input is protected with trim() and mysqli_real_escape_string(); I just now added strip_tags() to the name input as well.

By the way: are there any resources (like books) you would recommend on these types of security issues? Right now I'm reading Head First PHP & MySQL; that's where I got the SQL injection topic from. I didn't know about XSS attacks until now.

Thanks to all.
requinix Posted December 22, 2010

> Would you recommend using something else instead of <pre>? I had to use <pre> so the spaces get maintained too, because without the <pre> THIS: < * . * ) >, becomes THIS: <*.*)>, meaning the spaces get eliminated.

The alternative is awkward: nl2br() + replacing spaces with &nbsp;s. A <pre> is fine, or even just the appropriate CSS styling on some other element.

> Is the nl2br necessary? Is it important? If yes, is there a way I can implement it and still PRESERVE the spaces?

The problem that nl2br() fixes is the one where HTML collapses multiple whitespace. Specifically, what it does with newline characters: you get just one space. Since that's often not what you want, there's nl2br() which converts each \n into a \n<br>. But you're using a <pre> which doesn't apply any "collapse multiple whitespace" rules, so there's no problem to fix.
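The two alternatives to <pre> mentioned above, written out as an added example rather than code from the thread: one fixes the text (nl2br() plus &nbsp; for spaces), the other leaves the text alone and uses CSS white-space on a <div>. Both encode with htmlspecialchars() first, so the skull, the <(*.*)> and a </pre> breakout all stay visible text. It assumes PHP 7 or later; the function names and the sample input are made up for this demo.

```php
<?php
// Added example, not code from the thread: the two alternatives to <pre>
// that requinix mentions. Both encode first with htmlspecialchars(), so
// user text cannot turn into markup; they differ only in how whitespace is
// kept. Function names and the sample input are invented for this demo.

// Alternative 1: fix the text itself. Newlines become <br> (nl2br keeps the
// original \n as well) and every space becomes &nbsp;, which the browser
// never collapses, not even at the start of a line. Tabs are expanded to
// four spaces first so they survive too. Trade-off: &nbsp; never wraps,
// which is what ASCII art wants anyway.
function render_with_br(string $text): string
{
    // Encoding must happen before the &nbsp; substitution, otherwise the
    // & in &nbsp; would itself be turned into &amp;nbsp;.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $safe = str_replace("\t", '    ', $safe);
    $safe = nl2br($safe);
    $safe = str_replace(' ', '&nbsp;', $safe);
    return '<div style="font-family: monospace;">' . $safe . '</div>';
}

// Alternative 2: leave the text alone and tell the browser not to collapse
// whitespace. white-space: pre-wrap keeps every space and newline but still
// wraps lines that are too long; white-space: pre would behave exactly like
// a <pre> element.
function render_with_css(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<div style="white-space: pre-wrap; font-family: monospace;">' . $safe . '</div>';
}

// Constructed input: the skull, a leading-space line, and the </pre>
// breakout from earlier in the thread.
$message = "  ---\n  | |\n -----\n( o.o)\n  |~|\n  '''\n"
         . "<(*.*)>\t<-- tab before this\n"
         . "</pre><script>alert('XSS');</script><pre>";

echo render_with_br($message), "\n\n";
echo render_with_css($message), "\n";
```

Whichever variant is used, the encoding step is the security control and the whitespace handling is only presentation; swapping the order in render_with_br() (substituting &nbsp; and then encoding) would quietly break the layout but not the safety, while dropping htmlspecialchars() from either function brings back the </pre> breakout exactly as laffin showed it.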
chaseman (Author) Posted December 22, 2010

> Is the nl2br necessary? Is it important? If yes, is there a way I can implement it and still PRESERVE the spaces?
>
> The problem that nl2br() fixes is the one where HTML collapses multiple whitespace. Specifically, what it does with newline characters: you get just one space. Since that's often not what you want, there's nl2br() which converts each \n into a \n<br>. But you're using a <pre> which doesn't apply any "collapse multiple whitespace" rules, so there's no problem to fix.

If that's the "simple" problem it fixes, I can keep using <pre>, since there is no problem to be fixed as you said. I thought there might have been a more important purpose regarding security.
laffin Posted December 22, 2010

```php
<?php
// The same message as before, including the </pre> breakout attempt.
$message = <<<EOF
---
| |
-----
( o.o)
|~|
'''
</pre><script>alert('XSS');</script><pre>
EOF;
?>
<pre>
<?php echo htmlspecialchars($message); ?>
</pre>
```

htmlspecialchars is a useful function when you want to display things.