Azu Posted March 6, 2007

I know I can use stuff like \ in front of " so that it can't break out of a "" and start doing bad things, but it seems there are other situations where, e.g., if the string is hex for " then it has the same effect, and stuff like that, and it gets tricky escaping it all, so I'm wondering, is there some kind of option I can enable or extension I can install that just simply prevents objects/variables/arrays from breaking out of single/double quotes and also for mysql queries? And also for html so e.g. echo"<img src='$asdf'>"; can't be exploited to do other things? I don't care if it isn't free as long as it works well and isn't too expensive.. Pleeeeeease? Cause every way I can think of either returns false positives or false negatives and I have spent a lot of time on this =/ BTW I use apache 2.2.4 64bit and php 5.2.1 64bit

Source: https://forums.phpfreaks.com/topic/41421-solved-breaking-out-of-quotes/
monk.e.boy Posted March 6, 2007

mysql_escape_string
htmlspecialchars
htmlentities

Try those, write some simple scripts to test them so you are happy with how they work.

monk.e.boy
Azu Posted March 6, 2007 (Author)

Thanks, I've already tried every combination of those I can think of though. ??? They don't help at all with the problem of strings that mean ' or " in hex, and alter the data stored in mysql tables, e.g. turning &&&& into &&&& so that you can't log in with &&&&, and a whole slew of other problems, the list goes on =/ So ya, those functions don't work for this, thanks anyways though
monk.e.boy Posted March 6, 2007

Not sure if I understand your problem. These functions work for everyone else, how come your problem is different?

monk.e.boy
kenrbnsn Posted March 6, 2007

Please post the code you've tried and examples of input that causes it to fail.

Ken
Azu Posted March 6, 2007 (Author)

Here are some that I have tried, the rest I deleted a long time ago:

    function noinjection($value){
        if(is_array($value)) return array_map("noinjection",$value);
        else{
            if(is_numeric($value)) $value=intval($value);
            $value=trim(mysql_real_escape_string($value));
            // hex_str() and str_hex() are the poster's own helpers (hex <-> string), not shown
            $test=hex_str($value);
            // note: strrpos() returns 0 (falsy) when the quote is the very first character
            if(strrpos($test,"'")) die("ERROR1-$test-".str_hex($test));
            if(strrpos($test,'"')) die("ERROR2-$test-".str_hex($test));
            return $value;
        }
    }

    function anticross($value){
        if(is_array($value)) return array_map("anticross",$value);
        else{
            if(is_numeric($value)) $value=intval($value);
            else $value=htmlentities($value,ENT_QUOTES);
            return trim($value);
        }
    }

noinjection returns false positives and has no way to just escape the hex quotes, so it randomly errors out when it shouldn't.

anticross doesn't check for hex quotes and thus returns false negatives, and encodes stuff with htmlentities to try to stop html escaping, but there are ways around it, and it messes up the data if I want to use it for anything besides html.

So ya, basically, they don't work very well, but these are the best solutions I have been able to come up with. And they still suck. So I really need some kind of good alternative please.

To make noinjection fail just put in a single or double quote in hex, or put in a double or single quote to make it fail with html. To make anticross fail use single or double quote in hex and put in non alpha-numeric characters so that it messes them up if used in anything but html.

Basically they aren't very good at all and I need something good to replace them with. Something that can effectively sanitize variables/arrays etc without loopholes in php or mysql or html.
monk.e.boy Posted March 6, 2007

No, post some code that breaks:

mysql_escape_string
htmlspecialchars
htmlentities

or post the dodgy input and what you want it to be translated to, e.g. ' -> "e;, & -> £

monk.e.boy
obsidian Posted March 6, 2007

> Basically they aren't very good at all and I need something good to replace them with. Something that can effectively sanitize variables/arrays etc without loopholes in php or mysql or html.

When handled appropriately, the functions mentioned above are the best way to protect against injection. Keep in mind that when something is passed through the URL as a hex value, it will be interpreted as text when the server picks it up (the URL is decoded). So, using something like htmlentities() with the ENT_QUOTES flag will take care of quotes and all HTML that people try to enter as well. If you want an extra level of protection against XSS or other HTML injection attacks, use strip_tags() to remove all HTML from the entry first.
Azu Posted March 6, 2007 (Author)

Well I guess I just don't know how to handle it properly, sorry. I've already tried everything I can think of. Could you please post the function that will sanitize variables/arrays for php/mysql/html? It would probably save me a few weeks trying to get this to work..
obsidian Posted March 7, 2007

> Could you please post the function that will sanitize variables/arrays for php/mysql/html? It would probably save me a few weeks trying to get this to work..

Therein may be your problem. IMHO, you're going to handle variables differently when you sanitize them for the different usages. For instance, I would never recommend someone run nl2br() or htmlentities() or any other function that generates markup on variables to be inserted into SQL; rather, you run those functions on the variables as you prepare them for use in your markup. So, I would recommend coming up with two separate functions: one to sanitize for SQL insertion and one to sanitize for HTML display:

    <?php
    // Sanitize a value that is about to be placed in a SQL statement
    function cleanForSql($string, $allowHtml = false) {
        $string = trim($string);
        if (!$allowHtml) $string = strip_tags($string);
        $string = mysql_real_escape_string($string);
        return $string;
    }

    // Sanitize a value that is about to be echoed into HTML markup
    function cleanForMarkup($string, $doLineBreaks = true) {
        $string = trim($string);
        $string = htmlentities($string, ENT_QUOTES);
        if ($doLineBreaks) $string = nl2br($string);
        return $string;
    }
    ?>

Both of these functions accept an optional boolean value as a second parameter. In the case of SQL sanitation, you can provide a TRUE if you wish to allow HTML to remain within your string. In the case of the markup sanitation, you can provide a FALSE if you do not wish the line breaks in the string to be reflected in the markup itself.

This is simply one method of handling variables. How you use functions like this is far more important. That is where the real key lies. Take nothing for granted on any pages where you allow parameters to be passed through your URL. Clean each one and test it against a list of available options, if there is one. Practices like this are much more effective than the functions alone.

Hope this helps give you some help.
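As an added example (not code from the thread) of obsidian's point that each output context gets its own handling: the SQL side uses PDO prepared statements in place of mysql_real_escape_string(), the HTML side uses htmlspecialchars() for the attribute in echo"<img src='$asdf'>";, and the "hex quote" input is shown decoded the way PHP decodes it before a script sees $_GET. It assumes PHP 7 or later with the pdo_sqlite extension, using an in-memory SQLite table to stand in for MySQL.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite;
// SQLite in-memory stands in for MySQL, prepared statements replace
// mysql_real_escape_string(). Each function serves exactly one context.

// SQL context: the value is bound as a parameter, never spliced into the
// query text, so quotes in it (hex-encoded in the URL or not) are just data.
function findUser(PDO $db, string $name): ?string {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// HTML attribute context: encode only at the moment the value hits markup.
// ENT_QUOTES encodes both ' and ", so the value cannot close the attribute.
function imgTag(string $src): string {
    return "<img src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . "'>";
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');

// Constructed inputs: the poster's all-ampersand login name, stored raw
// (no htmlentities() before the database), and a URL-encoded quote pair.
$db->prepare('INSERT INTO users VALUES (:n)')->execute([':n' => '&&&&']);
$fromUrl = urldecode('it%27s%20%22quoted%22'); // what $_GET would hold

var_dump(findUser($db, '&&&&') === '&&&&'); // bool(true): login still matches
var_dump(findUser($db, $fromUrl));           // NULL: quotes did not alter the query
echo imgTag($fromUrl), "\n";   // <img src='it&#039;s &quot;quoted&quot;'>
echo imgTag('&&&&'), "\n";     // <img src='&amp;&amp;&amp;&amp;'>
```

The stored value stays untouched for the password comparison, and the same value rendered through imgTag() is encoded only on the way out, which is why the two jobs belong in two functions.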