
[SOLVED] PHP Security Help


clanstyles


Hey guys, I've done some PHP in the past but not with security. I need some security help, anti-cross-site-scripting etc... :P I have forms right now but people can input HTML. I want to deny this and block/remove it. How? Magic_quotes or something I saw somewhere helps..

 

Thank You


You just need to put them around your $_POST's and $_GET's

eg

// this is for things like usernames going into the database
$username = mysql_real_escape_string($_POST['username']);

// I use this for stuff to be posted on message boards
$original = $_POST['message'];
$original = strip_tags($original);                // drop HTML tags
$original = htmlentities($original, ENT_QUOTES);  // encode what is left, quotes included

etc

There is also

htmlspecialchars()

 

~ Chocopi

 

EDIT: Beaten to it, twice :(


I use this for my login form.

 

// trims and strips tags, then escapes the fields for the query
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));
// mysqli_real_escape_string() returns the escaped copy; it does not change its argument
$checkuser = mysqli_real_escape_string($mysqli, $checkuser);
$_SESSION['password'] = mysqli_real_escape_string($mysqli, $checkpassword);


What is the point of having this line?

$original = htmlentities($original, ENT_QUOTES);

 

The function htmlentities() is for when you want to convert the HTML characters to HTML entities. There is no point in doing that when you have just stripped all the HTML tags away... it would have nothing to convert.

 

I think clanstyles is looking to strip all the tags away, not convert them to entities.

 

 

clanstyles - If you want to store the user's input in the database and don't want it to contain HTML, just use this:

<?php
$input = mysql_real_escape_string(strip_tags($_POST['input']));
?>

 


Okay, I'm trying to make a function to just pass all this through so it's faster. Right now I have:

function cleanStr($str)
{
    $str = mysql_real_escape_string(strip_tags($str));
    return $str;
}

What else?


You might as well add trim() in there.

 

function cleanStr($str)
{
    $str = mysql_real_escape_string(strip_tags(trim($str)));
    return $str;
}


 


Yea, but strip_tags won't stop < > on their own, which could be used for evil things. Anyway, I use it to change ' and " and whatever others there are.

 

~ Chocopi
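The strip_tags / htmlentities disagreement above, run over one constructed message so the difference is visible. This is an added example, not code from any poster in this thread; the sample strings are constructed.

```php
<?php
// Added example, not code from any poster in this thread. It runs the three
// functions discussed above over one constructed message: strip_tags()
// removes well-formed tags, while htmlspecialchars() and htmlentities()
// leave the text alone and encode the characters a browser would act on.

// Constructed sample: a tag, a bare "<" followed by a space, both quote
// kinds, and a script tag.
$message = '<b>hi</b> 1 < 2 & it\'s "fine" <script>alert(1)</script>';

// 1. strip_tags(): deletes <b>, </b>, <script>, </script>. A "<" followed by
//    whitespace is not treated as a tag start, so "< 2", the quotes and the
//    leftover "alert(1)" text all survive unchanged.
$stripped = strip_tags($message);

// 2. htmlspecialchars(): turns < > & " ' into entities so the browser
//    renders them instead of parsing them. This is the output-side XSS
//    control: apply it at the point where a value is echoed into HTML.
$escaped = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');

// 3. htmlentities(): the same, plus every other character that has a named
//    entity. Against XSS it adds nothing over htmlspecialchars().
$entities = htmlentities($message, ENT_QUOTES, 'UTF-8');

// 4. The combination used above: remove tags first, then encode what is
//    left, so a stray "<" or quote cannot break out of the surrounding HTML.
$both = htmlentities(strip_tags($message), ENT_QUOTES, 'UTF-8');

// Caveat: a "<" directly followed by text starts a "tag" for strip_tags(),
// which then discards everything up to the next ">" or the end of the
// string, so legitimate input such as "price <5 dollars" can lose text.
$lossy = strip_tags('price <5 dollars');

foreach ([
    'original'                => $message,
    'strip_tags'              => $stripped,
    'htmlspecialchars'        => $escaped,
    'htmlentities'            => $entities,
    'strip_tags+htmlentities' => $both,
    'lossy strip_tags'        => $lossy,
] as $label => $value) {
    printf("%-26s %s\n", $label . ':', $value);
}
```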


Thanks a lot guys :)

 

Last thing since I have a thread opened..

 

$searchstr = $_POST['search'];
$result = mysql_query("SELECT * FROM `houses` WHERE MATCH(address, state, city, zip, footage) AGAINST ('$searchstr')");
$i = 0;
echo "<table width=\"100%\">";
echo "<tr bgcolor=\"EEEEEE\">";
echo "<td>Address</td>";
echo "<td>State</td>";
echo "<td>City</td>";
echo "</tr>";
while ($r = mysql_fetch_array($result))
{
    echo ($i % 2) ? "<tr bgcolor=\"EEEEEE\">" : "<tr bgcolor=\"F9F7ED\">";
    echo "<td>".$r['address']."</td>";
    echo "<td>".$r['state']."</td>";
    echo "<td>".$r['city']."</td>";
    echo "<td><a href=\"?page=buy&view=".$r['id']."\">View</a></td>";
    echo "</tr>";
    $i++;
}
echo "</table>";

 

This is returning

 

Address State City

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/index.php on line 266

 

Why and what usually causes this?


I don't get it, here's my layout for my tables though

CREATE TABLE `houses` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) default NULL,
  `email` varchar(255) default NULL,
  `address` varchar(255) default NULL,
  `state` varchar(255) default NULL,
  `city` varchar(255) default NULL,
  `zip` int(11) default NULL,
  `type` varchar(255) default NULL,
  `footage` varchar(255) NOT NULL,
  `image` varchar(255) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;


CREATE TABLE `houses` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(255) default NULL,
  `email` varchar(255) default NULL,
  `address` varchar(255) default NULL,
  `state` varchar(255) default NULL,
  `city` varchar(255) default NULL,
  `zip` int(11) default NULL,
  `type` varchar(255) default NULL,
  `footage` varchar(255) NOT NULL,
  `image` varchar(255) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY  (`id`),
  fulltext (address,state,city,zip,footage)
) ENGINE=MyISAM AUTO_INCREMENT=22 DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;

 

http://dev.mysql.com/doc/refman/5.0/en/fulltext-search.html

 

You can only use fulltext search on columns that have been indexed as full text.
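The search from the earlier post, rewritten so that a failed query is reported instead of being handed to the fetch call, the search term is bound rather than interpolated, and output is HTML-escaped. Added example, not code from any poster in this thread; it assumes a mysqli connection in $db (with mysqlnd, for get_result()) and the FULLTEXT index from the reply above.

```php
<?php
// Added example, not code from any poster in this thread. The search above
// rewritten with mysqli: the query result is checked before anything is
// fetched (the warning above is what happens when a failed query's `false`
// is handed to mysql_fetch_array()), the search term is bound as a parameter
// instead of interpolated into the SQL, and every value echoed into the
// table is HTML-escaped. Assumes a mysqli connection in $db (with mysqlnd,
// for get_result()) and the FULLTEXT index from the reply above.

function searchHouses(mysqli $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, address, state, city FROM `houses` '
                       . 'WHERE MATCH(address, state, city, zip, footage) AGAINST (?)');
    if ($stmt === false) {
        // A missing FULLTEXT index or a typo in the SQL is reported here, not
        // as a "not a valid result resource" warning several lines later.
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $term);          // the term travels as data, never as SQL
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Escape for HTML output; this, not strip_tags() on the way in, is what stops
// a stored address containing "<script>" from running in the visitor's browser.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function renderHouses(array $rows): string
{
    $html = "<table width=\"100%\">\n<tr bgcolor=\"EEEEEE\">"
          . "<td>Address</td><td>State</td><td>City</td></tr>\n";
    foreach ($rows as $i => $r) {
        $html .= ($i % 2) ? '<tr bgcolor="EEEEEE">' : '<tr bgcolor="F9F7ED">';
        $html .= '<td>' . h($r['address']) . '</td><td>' . h($r['state']) . '</td>'
               . '<td>' . h($r['city']) . '</td>'
               . '<td><a href="?page=buy&amp;view=' . (int) $r['id'] . '">View</a></td></tr>' . "\n";
    }
    return $html . "</table>\n";
}

echo renderHouses(searchHouses($db, $_POST['search'] ?? ''));
```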
