
Injections help


music_fan01


I am trying to protect my guestbook entries from injections such as HTML, XSS, and MySQL injections. My PHP knowledge is very little. If possible, can I have some help please with protecting my entries? I have a few bits and pieces of code to protect my guestbook from injections that I got from some tutorials that I was reading.

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- 
Author: Reality Software 
Website: http://www.realitysoftware.ca 
Note: This is a free template released under the Creative Commons Attribution 3.0 license,  
which means you can use it in any way you want provided you keep the link to the author intact. 
--> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title></title> 
<link href="style.css" rel="stylesheet" type="text/css" /></head> 
<body> 


    <!-- header --> 
    <div id="header"> 
        <div id="logo"><a href="index.html">Header</a></div> 
        <div id="menu"> 
            <ul> 
            <li><a href="index.html">Home</a></li> 
            <li><a href="">Link 1</a></li> 
            <li><a href="">Link 2</a></li> 
            <li><a href="">Link 3</a></li> 
            <li><a href="">Contact</a></li> 
        <li><a href="guestbook.php">Guestbook</a></li> 
                  </ul>    
  </div> 
</div>
<div id="icon"><a href="twitter.com/"> 
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /> 
</a></div> 

    <!--end header --> 
    <!-- main --> 
    <div id="main"> 
    <div id="content">   
  
  
<div id="text"> 
                <h1><strong>Guestbook</strong></h1> 
</div> 

<?php   


$input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);

function sanitizeString($string) { 
    return htmlentities( (string) $string, ENT_COMPAT, "UTF-8" ); 
} 

$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');

$preparedStatement->execute(array(':name' => $name));

$rows = $preparedStatement->fetchAll();



$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name 

$name = ($_POST['name']); 
$comment = ($_POST['comment']); 
  
$comment  = stripslashes($comment);   
$name = stripslashes($name);   
$comment = str_replace("<","&lt;",$comment);   
$name = str_replace("<","&lt;",$name);   

$datetime=date("M-d-Y h:i:s A"); //date time   
$verif_box = ($_POST['verif_box']);   
  
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> 
<table width="400" border="0" align="center">    
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>      
</table>  
        
</div>  
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
     
</body> 
</html> 

<? 
exit;  
} 

if(empty($name) || empty($comment)) { ?>    
  <table width="400" border="0" align="center">    
  <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>      
  </table>    
<?      
} else {    

$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";   
$result=mysql_query($sql);   

//check if query successful   
if($result) { ?>  
<table width="400" border="0" align="center">    
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>      
</table>    
<?   
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view guestbook page   
} else {   
echo "ERROR";   
}   

mysql_close();  
}  
?> 

</div>  

     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 

</body> 
</html>


You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries.

 

Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string.

 

For XSS, I'd suggest using htmlentities(). That changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.


You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries.

 

Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string.

 

For XSS, I'd suggest using htmlentities(). That changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

 

Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.


Just making sure that I am coding my prepared statements correctly.  :D

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- 
Author: Reality Software 
Website: http://www.realitysoftware.ca 
Note: This is a free template released under the Creative Commons Attribution 3.0 license,  
which means you can use it in any way you want provided you keep the link to the author intact. 
--> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title></title> 
<link href="style.css" rel="stylesheet" type="text/css" /></head> 
<body> 


    <!-- header --> 
    <div id="header"> 
        <div id="logo"><a href="index.html">Header</a></div> 
        <div id="menu"> 
            <ul> 
            <li><a href="index.html">Home</a></li> 
            <li><a href="">Link 1</a></li> 
            <li><a href="">Link 2</a></li> 
            <li><a href="">Link 3</a></li> 
            <li><a href="">Contact</a></li> 
        <li><a href="guestbook.php">Guestbook</a></li> 
                  </ul>    
  </div> 
</div>
<div id="icon"><a href="twitter.com/"> 
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /> 
</a></div> 

    <!--end header --> 
    <!-- main --> 
    <div id="main"> 
    <div id="content">   
  
  
<div id="text"> 
                <h1><strong>Guestbook</strong></h1> 
</div> 

<?php   
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE comment = :comment');
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE verif_box = :verif_box');

$preparedStatement->execute(array(':name' => $name));
$preparedStatement->execute(array(':comment' => $comment));
$preparedStatement->execute(array(':verif_box' => $verif_box));

$rows = $preparedStatement->fetchAll();



$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name 

$name = ($_POST['name']); 
$comment = ($_POST['comment']); 

$datetime=date("M-d-Y h:i:s A"); //date time   
$verif_box = ($_POST['verif_box']);   
  
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> 
<table width="400" border="0" align="center">    
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>      
</table>  
        
</div>  
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
     
</body> 
</html> 

<? 
exit;  
} 

if(empty($name) || empty($comment)) { ?>    
  <table width="400" border="0" align="center">    
  <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>      
  </table>    
<?      
} else {    

$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";   
$result=mysql_query($sql);   

//check if query successful   
if($result) { ?>  
<table width="400" border="0" align="center">    
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>      
</table>    
<?   
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view guestbook page   
} else {   
echo "ERROR";   
}   

mysql_close();  
}  
?> 

</div>  

     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 

</body> 
</html>


Wrong!!

First you have to open the connection, then you have to prepare/execute one query at a time, so your snippet would be:

 

$db = new mysqli("localhost", "user", "pass", "db");
$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ?'); 
$preparedStatement1 ->bind_param("s", $name);
$preparedStatement1 ->execute();
$preparedStatement1->bind_result($attr1,$attr2,.........);
$preparedStatement1->store_result();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE verif_box = ?'); 
$preparedStatement2 ->bind_param("s", $box);
$preparedStatement2 ->execute();
$preparedStatement2->bind_result($attr1,$attr2,.........);
$preparedStatement2->store_result();

while($preparedStatement1->fetch()){
  .................
}
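Putting this reply together with the first one (use prepared statements in every query), here is an added example, not code from any post in this thread, of the guestbook's INSERT and SELECT done with mysqli prepared statements, one prepared and executed at a time. It assumes the mysqli extension, a `guestbook` table with the `comment_id`, `name`, `comment` and `datetime` columns named in the thread, and placeholder connection details.

```php
<?php
// Added example for this thread (not the original poster's code or any
// reply's): guestbook INSERT and SELECT with mysqli prepared statements.
// DB_USER, DB_PASSWORD and DB_NAME are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of "or die"

$db = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
$db->set_charset("utf8mb4");

// Insert one entry. The SQL text holds no user data; name and comment are
// bound as parameters, so quotes or comment markers in them are stored
// literally and cannot change the statement.
function add_entry(mysqli $db, $name, $comment)
{
    $datetime = date("M-d-Y h:i:s A"); // same format the thread's code stores
    $stmt = $db->prepare("INSERT INTO guestbook (name, comment, `datetime`) VALUES (?, ?, ?)");
    $stmt->bind_param("sss", $name, $comment, $datetime);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Read the entries for one name. store_result() buffers the rows,
// bind_result() maps each selected column to a variable in order, and
// fetch() fills those variables one row at a time.
function entries_by_name(mysqli $db, $name)
{
    $stmt = $db->prepare("SELECT comment_id, name, comment, `datetime` FROM guestbook WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $who, $text, $when);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('comment_id' => $id, 'name' => $who, 'comment' => $text, 'datetime' => $when);
    }
    $stmt->close();
    return $rows;
}

// Form handling, as guestbook.php would do it after its captcha check.
$name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
$comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';

if ($name === '' || $comment === '') {
    echo "<h3>Sorry, all fields are required!</h3>";
} elseif (add_entry($db, $name, $comment)) {
    echo "<h3>Thank you for signing my guestbook!</h3>";
    foreach (entries_by_name($db, $name) as $row) {
        // HTML escaping happens here, at output, not when the value was stored.
        echo "<p>", htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "</p>";
    }
}
$db->close();
```

With `mysqli_report()` set to strict mode a mistyped query makes `prepare()` throw instead of returning false, so the mistake is seen at once rather than surfacing later as a call on a non-object. The binding protects only the SQL side; the comment text still has to be escaped when it is written into the page.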


You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries.

 

Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string.

 

For XSS, I'd suggest using htmlentities(). That changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

 

Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.

And that value has come from a form, hence it does require filtering.


You used a prepared statement at the top. This is a good way to prevent SQL injections -- use that technique in all your queries.

 

Don't use stripslashes -- you are using mysql. Use mysql_real_escape_string.

 

For XSS, I'd suggest using htmlentities(). That changes everything that could be HTML tags that would cause code to be run into harmless HTML entity codes.

 

Actually, if you use prepared statements you don't need to use stripslashes or mysql_real_escape_string or other functions at all. Prepared statements allow you to define what is the value and what is not ==> no SQL injection.

And that value has come from a form, hence it does require filtering.

 

So do use stripslashes and htmlentities() as well?
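The two remarks above (parameter binding removes the need for escaping on the SQL side; the value still comes from a form and needs filtering for the page) and the question that follows come down to where HTML escaping belongs. The following is an added example, not code from any post in this thread; it uses constructed sample rows in place of database results and assumes nothing beyond standard PHP.

```php
<?php
// Added example for this thread (not from any of the posts): escaping
// guestbook entries for HTML at output time. The rows below are constructed
// here to stand in for what the database would return.

// htmlspecialchars() with ENT_QUOTES encodes < > & " and ', so the text is
// inert both as element content and inside a quoted attribute value.
function escape_html($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Build the markup for one stored entry; every field goes through escape_html().
function render_entry(array $row)
{
    return '<div class="entry">'
         . '<strong>' . escape_html($row['name']) . '</strong> '
         . '<span title="' . escape_html($row['datetime']) . '">' . escape_html($row['datetime']) . '</span>'
         . '<p>' . escape_html($row['comment']) . '</p>'
         . '</div>';
}

// The input-side filtering from the first post, for comparison.
function thread_style_filter($text)
{
    $text = stripslashes($text);              // only removes backslashes
    return str_replace("<", "&lt;", $text);   // only encodes "<"; > " ' and & pass through
}

// Constructed sample rows.
$rows = array(
    array('name' => "O'Brien", 'comment' => 'Great site!',            'datetime' => 'Jan-01-2011 10:00:00 AM'),
    array('name' => 'visitor', 'comment' => '<b>bold</b> & "quoted"', 'datetime' => 'Jan-02-2011 11:30:00 AM'),
);

foreach ($rows as $row) {
    echo render_entry($row), "\n";
}

// Side by side on the second comment: the input filter neutralises the
// opening of the tag but keeps > and the quote characters, which matters
// once the value lands in an attribute; escape_html() encodes all of them.
echo thread_style_filter($rows[1]['comment']), "\n";
echo escape_html($rows[1]['comment']), "\n";
```

For the second comment the two last lines print `&lt;b>bold&lt;/b> & "quoted"` and `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;` respectively. Storing the raw text and escaping on every output path means the data stays intact in the database and the page stays safe no matter how the row got there. The `sanitizeString()` in the first post does the right kind of thing but passes `ENT_COMPAT`, which leaves single quotes unencoded; `ENT_QUOTES` closes that gap for values placed in single-quoted attributes.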


Now I think I may have got it. Also, do I need to add a prepared statement for where my guests have to leave a comment?

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- 
Author: Reality Software 
Website: http://www.realitysoftware.ca 
Note: This is a free template released under the Creative Commons Attribution 3.0 license,  
which means you can use it in any way you want provided you keep the link to the author intact. 
--> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title></title> 
<link href="style.css" rel="stylesheet" type="text/css" /></head> 
<body> 


    <!-- header --> 
    <div id="header"> 
        <div id="logo"><a href="index.html">Header</a></div> 
        <div id="menu"> 
            <ul> 
            <li><a href="index.html">Home</a></li> 
            <li><a href="">Link 1</a></li> 
            <li><a href="">Link 2</a></li> 
            <li><a href="">Link 3</a></li> 
            <li><a href="">Contact</a></li> 
        <li><a href="guestbook.php">Guestbook</a></li> 
                  </ul>    
  </div> 
</div>
<div id="icon"><a href="twitter.com/"> 
<img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /> 
</a></div> 

    <!--end header --> 
    <!-- main --> 
    <div id="main"> 
    <div id="content">   
  
  
<div id="text"> 
                <h1><strong>Guestbook</strong></h1> 
</div> 

<?php   
$db = new mysqli("localhost", "a7560006_host", "mypassword", "a7560006_guest");
$preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ?'); 
$preparedStatement1 ->bind_param("s", $name);
$preparedStatement1 ->execute();
$preparedStatement1->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement1->store_result();

$preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE verif_box = ?'); 
$preparedStatement2 ->bind_param("s", $verif_box);
$preparedStatement2 ->execute();
$preparedStatement2->bind_result($comment_id,$name,$comment,$datetime);
$preparedStatement2->store_result();

while($preparedStatement1->fetch()){

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name="guestbook"; // Table name 

$name = ($_POST['name']); 
$comment = ($_POST['comment']); 

$datetime=date("M-d-Y h:i:s A"); //date time   
$verif_box = ($_POST['verif_box']);   
  
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){ ?> 
<table width="400" border="0" align="center">    
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>      
</table>  
        
</div>  
     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 
     
</body> 
</html> 

<? 
exit;  
} 

if(empty($name) || empty($comment)) { ?>    
  <table width="400" border="0" align="center">    
  <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>      
  </table>    
<?      
} else {    

$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";   
$result=mysql_query($sql);   

//check if query successful   
if($result) { ?>  
<table width="400" border="0" align="center">    
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>      
</table>    
<?   
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view guestbook page   
} else {   
echo "ERROR";   
}   

mysql_close();  
}  
?> 

</div>  

     <!-- footer --> 
    <div id="footer"> 
    <div id="left_footer">© Copyright 2011<strong> Author </strong></div> 
    <div id="right_footer"> 

<!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a> 

    </div> 
    </div> 
    <!-- end footer --> 
    </div>           
    <!-- end main --> 

</body> 
</html>

