music_fan01 Posted November 17, 2011

I am trying to protect my guestbook entries from injections such as HTML, XSS, and MySQL injections. My PHP knowledge is very little. If possible, can I have some help, please, with protecting my entries? I have a few bits and pieces of code to protect my guestbook from injections that I got from some tutorials that I was reading.

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<!-- header -->
<div id="header">
  <div id="logo"><a href="index.html">Header</a></div>
  <div id="menu">
    <ul>
      <li><a href="index.html">Home</a></li>
      <li><a href="">Link 1</a></li>
      <li><a href="">Link 2</a></li>
      <li><a href="">Link 3</a></li>
      <li><a href="">Contact</a></li>
      <li><a href="guestbook.php">Guestbook</a></li>
    </ul>
  </div>
</div>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">
<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>
<?php
$input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);

function sanitizeString($string) {
    return htmlentities( (string) $string, ENT_COMPAT, "UTF-8" );
}

$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');
$preparedStatement->execute(array(':name' => $name));
$rows = $preparedStatement->fetchAll();

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);
$comment = stripslashes($comment);
$name = stripslashes($name);
$comment = str_replace("<","&lt;",$comment);
$name = str_replace("<","&lt;",$name);
$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);

if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
<?
exit;
}

if(empty($name) || empty($comment)) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
$result=mysql_query($sql);

//check if query successful
if($result) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
} else {
echo "ERROR";
}
mysql_close();
}
?>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
```

https://forums.phpfreaks.com/topic/251286-injections-help/
gizmola Posted November 17, 2011

You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries. Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string. For XSS, I'd suggest using htmlentities(). That just changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.
cypher86 Posted November 17, 2011

> You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries. Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string. For XSS, I'd suggest using htmlentities(). That just changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.
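The two points made in the replies above (binding values as parameters stops SQL injection; entity-encoding on output stops stored XSS), as an added example that is not code from this thread. It uses PDO instead of the mysql_* functions and an in-memory SQLite database so it runs with no server; for the poster's setup only the DSN and credentials change. The guestbook columns are assumed from the INSERT in the first post, and the sample entries and attack payloads are constructed.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs stand-alone.
// For MySQL swap the DSN, e.g. new PDO('mysql:host=localhost;dbname=a7560006_guest;charset=utf8mb4', $user, $pass)
// and also set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
// Table layout (name, comment, datetime) is assumed from the thread's INSERT statement.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (comment_id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, comment TEXT, datetime TEXT)');
    return $db;
}

// INSERT with placeholders: user input never becomes part of the SQL text,
// so neither stripslashes() nor mysql_real_escape_string() is needed here.
function add_entry(PDO $db, string $name, string $comment): void {
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment, datetime) VALUES (:name, :comment, :datetime)');
    $stmt->execute([
        ':name'     => $name,
        ':comment'  => $comment,
        ':datetime' => date('M-d-Y h:i:s A'),
    ]);
}

// The vulnerable pattern from the thread: the value is spliced into the query string.
function find_by_name_unsafe(PDO $db, string $name): array {
    $rows = $db->query("SELECT name, comment FROM guestbook WHERE name = '$name'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// The safe pattern: same query, value bound as a parameter.
function find_by_name_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, comment FROM guestbook WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for the view page: the stored text is HTML-escaped when it is
// echoed, not when it is stored, so the database keeps the original characters.
function render_entry(array $row): string {
    $name    = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $comment = nl2br(htmlspecialchars($row['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<p><strong>$name</strong>: $comment</p>";
}

$db = open_db();
add_entry($db, 'alice', 'Nice site!');
add_entry($db, 'bob', '<script>alert(document.cookie)</script>');   // constructed stored-XSS payload

$payload = "' OR '1'='1";                        // constructed SQL injection payload
$leaked  = find_by_name_unsafe($db, $payload);   // the quote closes the literal: every row comes back
$bound   = find_by_name_safe($db, $payload);     // looks for a name literally equal to the payload: nothing
printf("unsafe query returned %d rows, prepared query returned %d rows\n", count($leaked), count($bound));

foreach (find_by_name_safe($db, 'bob') as $row) {
    echo render_entry($row), "\n";   // the script tag is printed as text, not run by the browser
}
```

Note what is and is not escaped: the INSERT stores the raw comment, and escaping happens once, in render_entry(), in the format the data is leaving for (HTML). Escaping for HTML before storing (the str_replace("<", "&lt;") in the posted code) ties the database content to one output format and is easy to apply twice.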
music_fan01 (Author) Posted November 18, 2011

Just make sure that I am coding my prepared statements correctly.

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<!-- header -->
<div id="header">
  <div id="logo"><a href="index.html">Header</a></div>
  <div id="menu">
    <ul>
      <li><a href="index.html">Home</a></li>
      <li><a href="">Link 1</a></li>
      <li><a href="">Link 2</a></li>
      <li><a href="">Link 3</a></li>
      <li><a href="">Contact</a></li>
      <li><a href="guestbook.php">Guestbook</a></li>
    </ul>
  </div>
</div>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">
<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>
<?php
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE comment = :comment');
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE verif_box = :verif_box');
$preparedStatement->execute(array(':name' => $name));
$preparedStatement->execute(array(':comment' => $comment));
$preparedStatement->execute(array(':verif_box' => $verif_box));
$rows = $preparedStatement->fetchAll();

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);
$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);

if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
<?
exit;
}

if(empty($name) || empty($comment)) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
$result=mysql_query($sql);

//check if query successful
if($result) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
} else {
echo "ERROR";
}
mysql_close();
}
?>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
```
cypher86 Posted November 18, 2011

Wrong!! First you have to open the connection, then you have to prepare/execute one query at a time, so your snippet would be:

```php
$db = new mysqli("localhost", "user", "pass", "db");

$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ?');
$preparedStatement1->bind_param("s", $name);
$preparedStatement1->execute();
$preparedStatement1->bind_result($attr1,$attr2,.........);
$preparedStatement1->store_result();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE verif_box = ?');
$preparedStatement2->bind_param("s", $box);
$preparedStatement2->execute();
$preparedStatement2->bind_result($attr1,$attr2,.........);
$preparedStatement2->store_result();

while($preparedStatement1->fetch()){
    .................
}
```
MasterACE14 Posted November 18, 2011

> You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries. Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string. For XSS, I'd suggest using htmlentities(). That just changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

> Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.

And that value has come from a form, hence it does require filtering.
music_fan01 (Author) Posted November 19, 2011

> You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries. Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string. For XSS, I'd suggest using htmlentities(). That just changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

> Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.

> And that value has come from a form, hence it does require filtering.

So do I use stripslashes and htmlentities() as well?
music_fan01 (Author) Posted November 19, 2011

Now I think I may have got it. Also, do I need to add a prepared statement for where my guests have to leave a comment?

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license,
which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<!-- header -->
<div id="header">
  <div id="logo"><a href="index.html">Header</a></div>
  <div id="menu">
    <ul>
      <li><a href="index.html">Home</a></li>
      <li><a href="">Link 1</a></li>
      <li><a href="">Link 2</a></li>
      <li><a href="">Link 3</a></li>
      <li><a href="">Contact</a></li>
      <li><a href="guestbook.php">Guestbook</a></li>
    </ul>
  </div>
</div>
<div id="icon"><a href="twitter.com/">
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
</a></div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">
<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>
<?php
$db = new mysqli("localhost", "a7560006_host", "mypassword", "a7560006_guest");

$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ?');
$preparedStatement1->bind_param("s", $name);
$preparedStatement1->execute();
$preparedStatement1->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement1->store_result();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE verif_box = ?');
$preparedStatement2->bind_param("s", $verif_box);
$preparedStatement2->execute();
$preparedStatement2->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement2->store_result();

while($preparedStatement1->fetch()){
$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);
$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);

if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
<?
exit;
}

if(empty($name) || empty($comment)) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
$result=mysql_query($sql);

//check if query successful
if($result) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
} else {
echo "ERROR";
}
mysql_close();
}
} // end while
?>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
```
MasterACE14 Posted November 20, 2011

> Now I think I may have got it. Also, do I need to add a prepared statement for where my guests have to leave a comment?

Yes. Any kind of user input must be validated and filtered. Always assume people will be on your website to do nasty things to it.
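The point made in the reply above (every form field is validated and filtered, independently of how it is later stored or displayed), as an added example that is not code from this thread. The field names match the posted form; the length limits and the character whitelist for the name are assumptions, and PHP's mbstring extension is required. It also covers the captcha check: the posted code compares md5 of the submitted answer plus a fixed suffix against a cookie that the same client sent, so both sides of that comparison come from the visitor; the example instead compares against an answer held on the server (for instance in $_SESSION) and uses hash_equals() for the comparison.

```php
<?php
// Added example, not code from the thread. Validation of the guestbook form fields
// and the captcha answer, kept separate from output escaping and from the database layer.
// NAME_MAX, COMMENT_MAX and the name whitelist are assumptions; requires ext/mbstring.

const NAME_MAX    = 40;
const COMMENT_MAX = 2000;

// Returns a list of error messages; an empty list means the input is acceptable.
// Validation is a whitelist: decide what a field may contain and reject everything else.
function validate_guestbook(array $post): array {
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));

    if ($name === '') {
        $errors[] = 'name is required';
    } elseif (!mb_check_encoding($name, 'UTF-8')) {
        $errors[] = 'name is not valid UTF-8';           // check encoding before any /u regex
    } elseif (mb_strlen($name, 'UTF-8') > NAME_MAX) {
        $errors[] = 'name is too long';
    } elseif (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name)) {
        // letters and digits in any script, space, dot, apostrophe, hyphen; nothing else,
        // so "<", ">", quotes and control characters never get in
        $errors[] = 'name contains characters that are not allowed';
    }

    if ($comment === '') {
        $errors[] = 'comment is required';
    } elseif (!mb_check_encoding($comment, 'UTF-8')) {
        $errors[] = 'comment is not valid UTF-8';
    } elseif (mb_strlen($comment, 'UTF-8') > COMMENT_MAX) {
        $errors[] = 'comment is too long';
    } elseif (preg_match('/[^\P{C}\n\t]/u', $comment)) {
        // \p{C} is the Unicode "other" category (control, format, unassigned);
        // newline and tab are allowed in free text, every other such character is rejected
        $errors[] = 'comment contains control characters';
    }

    return $errors;
}

// $expected is the answer the server generated when it drew the captcha image
// (e.g. $_SESSION['captcha']); the visitor only ever sees the image, never the answer.
function check_captcha(string $submitted, ?string $expected): bool {
    if ($expected === null || $expected === '') {
        return false;                          // no challenge was issued for this session
    }
    // hash_equals() compares in constant time; case-folding keeps the captcha usable
    return hash_equals(strtolower($expected), strtolower(trim($submitted)));
}

// Constructed requests exercising the validator (no real form involved)
$good = ['name' => "Anne-Marie O'Neil", 'comment' => "Nice site!\nCome visit mine."];
$bad  = ['name' => '<b>bob</b>',         'comment' => "hi\x00there"];   // tag in name, NUL in comment

print_r(validate_guestbook($good));
print_r(validate_guestbook($bad));

// Server-held answer versus what the visitor typed; a missing server-side answer always fails
var_dump(check_captcha('K7D3Q', 'k7d3q'));
var_dump(check_captcha('k7d3q', null));
```

Run validate_guestbook() before anything touches the database, and only then bind the trimmed values into the INSERT; the validator rejects bad input rather than trying to clean it, which is what "filtering" means here.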
music_fan01 (Author) Posted November 22, 2011

> Now I think I may have got it. Also, do I need to add a prepared statement for where my guests have to leave a comment?

> Yes. Any kind of user input must be validated and filtered. Always assume people will be on your website to do nasty things to it.

Thanks for the help!