clanstyles Posted June 29, 2007 Share Posted June 29, 2007 Hey guys, Ive done some php in the past but not with security. I need some securty help anti-cross site scripting ect... I have forms right now but people can input HTML . I want to denty this and block/remove it. How? Magic_quotes or somthing I saw somewhere helps.. Thank You Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/ Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 The function strip_tags() will remove HTML. Also, ANYTHING you insert into the database, you should first use mysql_real_escape_string() on it. Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286023 Share on other sites More sharing options...
chocopi Posted June 29, 2007 Share Posted June 29, 2007 well there is quite a few, here is just some Strip-Tags mysql_real_escape_string htmlentities Add-Slashes Thats all I can think of, off the top of my head ~ Chocopi Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286029 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 Thanks a lot please guys can I get an example so I don't mess this up? Once I put that in I would like to have somebody test it Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286032 Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 <?php //Say this is what the user just submitted $string = "<b>This is going to be bold...unless you strip the bold tags away</b>"; //Strip all HTML tags away $string = strip_tags($string); echo $string; ?> Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286033 Share on other sites More sharing options...
chocopi Posted June 29, 2007 Share Posted June 29, 2007 you just need to put them around your $_POST's and $_GET's eg // this for like usernames and stuff going in to database $username = mysql_real_escape_string($_POST['username']); // i use this for stuff to be in message boards $original = $_POST['message']; $original = strip_tags($original); $original = htmlentities($original, ENT_QUOTES); etc There is also html-special-chars ~ Chocopi EDIT: Beaten to it, twice Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286035 Share on other sites More sharing options...
cluce Posted June 29, 2007 Share Posted June 29, 2007 I use this for my login form. //trims and strips tags and escapes fields $checkuser = trim(strip_tags($_POST['username'])); $checkpassword = trim(strip_tags($_POST['password'])); mysqli_real_escape_string($mysqli,$checkuser); $_SESSION['password'] = mysqli_real_escape_string($mysqli,$checkpassword); Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286039 Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 you just need to put them around your $_POST's and $_GET's eg // this for like usernames and stuff going in to database $username = mysql_real_escape_string($_POST['username']); // i use this for stuff to be in message boards $original = $_POST['message']; $original = strip_tags($original); $original = htmlentities($original, ENT_QUOTES); etc There is also html-special-chars ~ Chocopi EDIT: Beaten to it, twice What is the point of having this line? $original = htmlentities($original, ENT_QUOTES); The function htmlentities() is for when you want to convert the HTML characters to HTML entities. There is no point of doing that when you have just stripped all the HTML tags away...it would have nothing to convert. I think clanstyles is looking to strip all the tags away, not convert them to entities. clanstyles - If you want to store what the user's input into the database, and don't want it to contain HTML, just use this: <?php $input = mysql_real_escape_string(strip_tags($_POST['input'])); ?> Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286042 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 Okay im trying to make a funtion to just pass all this through so its faster. Right now I have: function cleanStr($str) { $str = mysql_real_escape_string(strip_tags($str)); return $str; } What else? Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286044 Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 You might as well add trim() in there. function cleanStr($str) { $str = mysql_real_escape_string(strip_tags(trim($str))); return $str; } Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286045 Share on other sites More sharing options...
chocopi Posted June 29, 2007 Share Posted June 29, 2007 What is the point of having this line? $original = htmlentities($original, ENT_QUOTES); The function htmlentities() is for when you want to convert the HTML characters to HTML entities. There is no point of doing that when you have just stripped all the HTML tags away...it would have nothing to convert. yea but strip tags wont stop < > on there own which could be used for evil things. Anway i use it to change ' and " and whatever others there are ~ Chocopi Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286047 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 Well what else is used for more security, there has got to be more than this.. Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286051 Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 Well, it all depends on what your trying to secure against.... Here are a list of websites that will help you: http://www.developer.com/lang/article.php/918141 http://www.onlamp.com/pub/a/php/2003/07/31/php_foundations.html http://www.linuxjournal.com/article/6061 Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286058 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 Thanks a lot guys Last thing since I have a thread opened.. $searchstr = $_POST['search']; $result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')"); $i=0; echo "<table width=\"100%\">"; echo "<tr bgcolor=\"EEEEEE\">"; echo "<td>Address</td>"; echo "<td>State</td>"; echo "<td>City</td>"; echo "</tr>"; while($r = mysql_fetch_array($result)) { echo ($i % 2) ? "<tr bgcolor=\"EEEEEE\">" : "<tr bgcolor=\"F9F7ED\">"; echo "<td>".$r['address']."</td>"; echo "<td>".$r['state']."</td>"; echo "<td>".$r['city']."</td>"; echo "<td><a href=\"?page=buy&view=".$r['id']."\">View</a></td>"; echo "</tr>"; $i++; } echo "</table>"; This is returning Address State City Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/index.php on line 266 Why and what usually causes this? Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286061 Share on other sites More sharing options...
pocobueno1388 Posted June 29, 2007 Share Posted June 29, 2007 Try catching the error: $result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')")or die(mysql_error()); If you get an error, post it here and we can go from there Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286062 Share on other sites More sharing options...
per1os Posted June 29, 2007 Share Posted June 29, 2007 $result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')") OR DIE(mysql_error()); Change that line out, there is a sql error. Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286065 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 Can't find FULLTEXT index matching the column list Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286066 Share on other sites More sharing options...
per1os Posted June 29, 2007 Share Posted June 29, 2007 You need to add the fulltext index to address, state, city, zip and footage via phpmyadmin or manual sql. Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286070 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 I dont get it heres my layout for my tables thoguh CREATE TABLE `houses` ( `id` int(11) NOT NULL auto_increment, `name` varchar(255) default NULL, `email` varchar(255) default NULL, `address` varchar(255) default NULL, `state` varchar(255) default NULL, `city` varchar(255) default NULL, `zip` int(11) default NULL, `type` varchar(255) default NULL, `footage` varchar(255) NOT NULL, `image` varchar(255) NOT NULL, `enabled` tinyint(1) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ; Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286074 Share on other sites More sharing options...
per1os Posted June 29, 2007 Share Posted June 29, 2007 CREATE TABLE `houses` ( `id` int(11) NOT NULL auto_increment, `name` varchar(255) default NULL, `email` varchar(255) default NULL, `address` varchar(255) default NULL, `state` varchar(255) default NULL, `city` varchar(255) default NULL, `zip` int(11) default NULL, `type` varchar(255) default NULL, `footage` varchar(255) NOT NULL, `image` varchar(255) NOT NULL, `enabled` tinyint(1) NOT NULL, PRIMARY KEY (`id`), fulltext (address,state,city,zip,footage) ) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ; http://dev.mysql.com/doc/refman/5.0/en/fulltext-search.html You can only use fulltext search on columns that have been indexed as full text. Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286077 Share on other sites More sharing options...
clanstyles Posted June 29, 2007 Author Share Posted June 29, 2007 I stlil don't get what fulltext is and is there another way to make a seach without it? Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286082 Share on other sites More sharing options...
per1os Posted June 29, 2007 Share Posted June 29, 2007 http://en.wikipedia.org/wiki/Fulltext_search Read up. To create a search without you need to the use the LIKE keyword with the wildcard (%) sign. and probably the OR keyword too. Since you do not know what you are doing read a tutorial http://www.designplace.org/scripts.php?page=1&c_id=25 Link to comment https://forums.phpfreaks.com/topic/57764-solved-php-security-help/#findComment-286085 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.