clanstyles (author), posted June 29, 2007:
Hey guys, I've done some PHP in the past but not with security. I need some security help: anti-cross-site scripting etc. I have forms right now but people can input HTML. I want to deny this and block/remove it. How? magic_quotes or something I saw somewhere helps. Thank you.
pocobueno1388, posted June 29, 2007:
The function strip_tags() will remove HTML. Also, ANYTHING you insert into the database you should first run through mysql_real_escape_string().
chocopi, posted June 29, 2007:
Well, there are quite a few; here are just some:
strip_tags
mysql_real_escape_string
htmlentities
addslashes
That's all I can think of off the top of my head.
~ Chocopi
clanstyles (author), posted June 29, 2007:
Thanks a lot. Please, guys, can I get an example so I don't mess this up? Once I put that in I would like to have somebody test it.
pocobueno1388, posted June 29, 2007:

<?php
// Say this is what the user just submitted
$string = "<b>This is going to be bold...unless you strip the bold tags away</b>";

// Strip all HTML tags away
$string = strip_tags($string);
echo $string;
?>
chocopi, posted June 29, 2007:
You just need to put them around your $_POST's and $_GET's, e.g.

// this for things like usernames going into the database
$username = mysql_real_escape_string($_POST['username']);

// I use this for stuff to be posted on message boards
$original = $_POST['message'];
$original = strip_tags($original);
$original = htmlentities($original, ENT_QUOTES);

etc. There is also htmlspecialchars.
~ Chocopi
EDIT: Beaten to it, twice.
cluce, posted June 29, 2007:
I use this for my login form.

// trims and strips tags, then escapes the fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));
// mysqli_real_escape_string() returns the escaped string; it has to be assigned back
$checkuser = mysqli_real_escape_string($mysqli, $checkuser);
$_SESSION['password'] = mysqli_real_escape_string($mysqli, $checkpassword);
pocobueno1388, posted June 29, 2007:
(quoting chocopi's message-board example above) What is the point of having this line?

$original = htmlentities($original, ENT_QUOTES);

The function htmlentities() is for when you want to convert the HTML characters to HTML entities. There is no point in doing that when you have just stripped all the HTML tags away; it would have nothing to convert. I think clanstyles is looking to strip all the tags away, not convert them to entities.

clanstyles: if you want to store the user's input in the database and don't want it to contain HTML, just use this:

<?php
$input = mysql_real_escape_string(strip_tags($_POST['input']));
?>
clanstyles (author), posted June 29, 2007:
Okay, I'm trying to make a function to just pass all this through so it's faster. Right now I have:

function cleanStr($str) {
    $str = mysql_real_escape_string(strip_tags($str));
    return $str;
}

What else?
pocobueno1388, posted June 29, 2007:
You might as well add trim() in there.

function cleanStr($str) {
    $str = mysql_real_escape_string(strip_tags(trim($str)));
    return $str;
}
chocopi, posted June 29, 2007:
(quoting pocobueno1388's question above about the htmlentities() line) Yeah, but strip_tags won't stop < and > on their own, which could be used for evil things. Anyway, I use it to change ' and " and whatever others there are.
~ Chocopi
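An added example (mine, not code from anyone in this thread) that separates the two problems the posts above run together. What goes into the database is handled by how the query is built (see the search example later in the thread); what comes back out into a page is handled by encoding at output time, in the HTML context the value lands in. strip_tags() only removes things that look like tags, so a payload with no angle brackets passes through it unchanged and still breaks out of an attribute; htmlspecialchars() with ENT_QUOTES, applied to every value at the point it is echoed, covers both the text and the attribute context. One related caveat for the login code above: trim(strip_tags()) on a password silently alters it; passwords should be hashed (password_hash()) rather than stripped, and never kept in the session. The function names (e, searchBoxNaive, searchBoxSafe, linkOrText) and the payloads below are mine; the script runs with the php CLI and needs no database.

```php
<?php
// Added example (not from the thread). Shows why strip_tags() on input is not
// an XSS defence and why the reliable fix is encoding at output time, chosen by
// the HTML context the value lands in. All inputs are constructed for the demo.
declare(strict_types=1);

/** Encode for an HTML text node or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern from the thread: strip tags on the way in, then echo. */
function searchBoxNaive(string $q): string
{
    return '<input name="search" value="' . strip_tags($q) . '">';
}

/** Encode for the attribute context instead; the stored value stays intact. */
function searchBoxSafe(string $q): string
{
    return '<input name="search" value="' . e($q) . '">';
}

/** Only http(s) URLs may become links; anything else is shown as plain text. */
function linkOrText(string $url): string
{
    if (preg_match('#\A(?:https?)://#i', $url)) {
        return '<a href="' . e($url) . '">' . e($url) . '</a>';
    }
    return e($url);
}

// Constructed payloads: a harmless query, a tag, and an attribute break-out.
$payloads = [
    'plain'     => 'houses in columbus',
    'tag'       => '<script>alert(1)</script>',
    'attribute' => '" onmouseover="alert(1)',   // no < or >: strip_tags() leaves it untouched
];

foreach ($payloads as $name => $p) {
    echo "[$name]\n  naive: " . searchBoxNaive($p) . "\n  safe:  " . searchBoxSafe($p) . "\n";
}

// A javascript: URL has no tags either; it is neutralised by never linking it.
echo linkOrText('javascript:alert(1)') . "\n";
echo linkOrText('https://example.com/?a=1&b=2') . "\n";
```

For the "attribute" payload the naive version emits an input element that carries an attacker-supplied onmouseover handler, while the safe version emits the quotes as &quot; so the value stays inside the attribute. The same e() helper is what the result table later in the thread needs around $r['address'] and friends: data read back from the database is still untrusted at display time.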
clanstyles (author), posted June 29, 2007:
Well, what else is used for more security? There has got to be more than this.
pocobueno1388, posted June 29, 2007:
Well, it all depends on what you're trying to secure against. Here is a list of websites that will help you:
http://www.developer.com/lang/article.php/918141
http://www.onlamp.com/pub/a/php/2003/07/31/php_foundations.html
http://www.linuxjournal.com/article/6061
clanstyles (author), posted June 29, 2007:
Thanks a lot, guys. Last thing, since I have a thread open:

$searchstr = $_POST['search'];
$result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')");
$i = 0;
echo "<table width=\"100%\">";
echo "<tr bgcolor=\"EEEEEE\">";
echo "<td>Address</td>";
echo "<td>State</td>";
echo "<td>City</td>";
echo "</tr>";
while ($r = mysql_fetch_array($result)) {
    echo ($i % 2) ? "<tr bgcolor=\"EEEEEE\">" : "<tr bgcolor=\"F9F7ED\">";
    echo "<td>" . $r['address'] . "</td>";
    echo "<td>" . $r['state'] . "</td>";
    echo "<td>" . $r['city'] . "</td>";
    echo "<td><a href=\"?page=buy&view=" . $r['id'] . "\">View</a></td>";
    echo "</tr>";
    $i++;
}
echo "</table>";

This is returning:

Address State City
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/index.php on line 266

Why, and what usually causes this?
pocobueno1388, posted June 29, 2007:
Try catching the error:

$result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')") or die(mysql_error());

If you get an error, post it here and we can go from there.
per1os, posted June 29, 2007:

$result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')") OR DIE(mysql_error());

Change that line out; there is a SQL error.
clanstyles (author), posted June 29, 2007:
Can't find FULLTEXT index matching the column list
per1os, posted June 29, 2007:
You need to add the fulltext index to address, state, city, zip and footage via phpMyAdmin or manual SQL.
clanstyles (author), posted June 29, 2007:
I don't get it. Here's the layout for my table, though:

CREATE TABLE `houses` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) default NULL,
  `email` varchar(255) default NULL,
  `address` varchar(255) default NULL,
  `state` varchar(255) default NULL,
  `city` varchar(255) default NULL,
  `zip` int(11) default NULL,
  `type` varchar(255) default NULL,
  `footage` varchar(255) NOT NULL,
  `image` varchar(255) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;
per1os, posted June 29, 2007:

CREATE TABLE `houses` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) default NULL,
  `email` varchar(255) default NULL,
  `address` varchar(255) default NULL,
  `state` varchar(255) default NULL,
  `city` varchar(255) default NULL,
  `zip` int(11) default NULL,
  `type` varchar(255) default NULL,
  `footage` varchar(255) NOT NULL,
  `image` varchar(255) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY (`id`),
  -- MySQL FULLTEXT indexes cover only CHAR/VARCHAR/TEXT columns, so `zip` int(11)
  -- cannot be part of one; the MATCH() column list in the query must use the same columns
  FULLTEXT (`address`, `state`, `city`, `footage`)
) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 ;

http://dev.mysql.com/doc/refman/5.0/en/fulltext-search.html

You can only use fulltext search on columns that have been indexed as full text.
clanstyles (author), posted June 29, 2007:
I still don't get what fulltext is, and is there another way to make a search without it?
per1os, posted June 29, 2007:
http://en.wikipedia.org/wiki/Fulltext_search
Read up. To create a search without it you need to use the LIKE keyword with the wildcard (%) sign, and probably the OR keyword too. Since you do not know what you are doing, read a tutorial: http://www.designplace.org/scripts.php?page=1&c_id=25
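An added example for the search part of the thread (mine, not per1os's or clanstyles's code). The MySQL error above means exactly what it says: MATCH ... AGAINST only works against a FULLTEXT index whose column list matches the one in MATCH(), and FULLTEXT indexes can only be built on CHAR, VARCHAR and TEXT columns, so zip int(11) cannot be part of one; with the table as posted, the working pair is FULLTEXT(address, state, city, footage) in the table and MATCH(address, state, city, footage) in the query. The code below shows the LIKE alternative per1os mentions, done so that the search term is bound as a parameter instead of being interpolated into the query (in the original, $searchstr is raw $_POST data inside the SQL string), with the LIKE wildcards escaped so a user typing % or _ matches those characters literally, and with the result rows encoded on output. It uses PDO with an in-memory SQLite database so it runs offline; the table definition, the sample rows and the function names (openDemoDb, escapeLike, searchHouses, renderRows) are constructed for the demo, and it assumes PHP 7.4+ with the pdo_sqlite extension. Against MySQL only the DSN and the table DDL would change.

```php
<?php
// Added example (not from the thread): a search over the `houses` table that
// never interpolates user input into SQL. In-memory SQLite via PDO so it runs
// offline; the table and rows are constructed for the demo.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE houses (
        id INTEGER PRIMARY KEY, address TEXT, state TEXT, city TEXT,
        zip INTEGER, footage TEXT, enabled INTEGER)');
    $insert = $pdo->prepare('INSERT INTO houses (address, state, city, zip, footage, enabled)
                             VALUES (?, ?, ?, ?, ?, ?)');
    // Constructed sample rows; the third one contains LIKE metacharacters on purpose.
    foreach ([
        ['12 Oak St',        'OH', 'Columbus', 43215, '1800', 1],
        ['98 Elm Ave',       'TX', 'Austin',   78701, '2400', 1],
        ['5 Maple_Ct 100%',  'TX', 'Houston',  77002, '2100', 1],
        ['7 Hidden Ln',      'OH', 'Dayton',   45402, '1500', 0],
    ] as $row) {
        $insert->execute($row);
    }
    return $pdo;
}

/** Escape LIKE metacharacters so the user's text is matched literally; '!' is the ESCAPE char. */
function escapeLike(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/**
 * Portable fallback for MATCH ... AGAINST: one LIKE per searchable column, OR-ed
 * together, with the term bound as a parameter. Only enabled rows are returned.
 */
function searchHouses(PDO $pdo, string $term): array
{
    $columns = ['address', 'state', 'city', 'zip', 'footage']; // fixed list, never taken from the request
    $where   = implode(' OR ', array_map(fn($c) => "$c LIKE ? ESCAPE '!'", $columns));
    $stmt    = $pdo->prepare("SELECT id, address, state, city FROM houses
                              WHERE enabled = 1 AND ($where) ORDER BY id");
    $pattern = '%' . escapeLike($term) . '%';
    $stmt->execute(array_fill(0, count($columns), $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Render the rows with output encoding: database content is untrusted at display time. */
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $id = (int) $r['id'];   // the link parameter is an integer, so cast it rather than encode it
        $html .= '<tr><td>' . htmlspecialchars($r['address'], ENT_QUOTES, 'UTF-8') . '</td>'
               . '<td>' . htmlspecialchars($r['state'], ENT_QUOTES, 'UTF-8') . '</td>'
               . '<td>' . htmlspecialchars($r['city'], ENT_QUOTES, 'UTF-8') . '</td>'
               . '<td><a href="?page=buy&amp;view=' . $id . '">View</a></td></tr>' . "\n";
    }
    return $html;
}

$pdo = openDemoDb();
foreach (['Austin', 'TX', '%', 'Maple_Ct', "' OR 1=1 --"] as $term) {
    $rows = searchHouses($pdo, $term);
    printf("%-14s -> %d row(s): %s\n", var_export($term, true), count($rows),
           implode(', ', array_column($rows, 'address')));
}
echo renderRows(searchHouses($pdo, 'TX'));
```

The % and Maple_Ct searches match only the row that contains those characters literally, because escapeLike() turns them into !% and !_ under the ESCAPE '!' clause; without that escaping a lone % would return every enabled row. The injection string matches nothing, since it is compared as data rather than parsed as SQL. The same ESCAPE clause is valid in MySQL, so the search function can be pointed at the real table unchanged; the MyISAM FULLTEXT route remains the faster option for large tables once the index column list and the MATCH() list agree.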