steelerman99 Posted September 9, 2007

I've made a simple function that I pass all my variables through when I process them with PHP code:

    function makesafe(&$var) {
        // assign the results back: strip_tags(), addslashes() and trim()
        // return the changed string, they do not modify $var in place
        $var = strip_tags($var);
        $var = addslashes($var);
        $var = trim($var);
    }

Would this be enough to prevent most hackers from altering my form input from the previous page and injecting malicious code? What would you add to this function? Thanks!!

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/
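An added example (not steelerman99's code and not anything posted later in the thread) showing the approach a reviewer would usually suggest instead of a single "makesafe" pass: validate each field against what it is allowed to contain, keep the stored text as typed, escape it for HTML only when it is output, and bind SQL parameters rather than relying on addslashes(). The field names, the "comments" table and the in-memory SQLite database are assumptions for the demonstration; running it needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from steelerman99 or from the thread: the same form
// input handled per context instead of through one "makesafe" call.
// Assumptions (hypothetical): a form with fields "username" and "comment",
// stored in a table "comments"; an in-memory SQLite database stands in for
// the real one, so the pdo_sqlite extension must be loaded.

// 1. Validate at input: decide what each field may contain.
function validateUsername($raw)
{
    $name = trim($raw);
    // allowlist: 3 to 20 letters, digits or underscores; reject, do not "clean up"
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) ? $name : null;
}

function validateComment($raw)
{
    $text = trim($raw);
    if ($text === '' || strlen($text) > 2000) {
        return null;
    }
    // keep the text as typed: quotes, < and & are legitimate in a comment,
    // and stripping them here damages the data for every later use
    return $text;
}

// 2. Escape at output, for the context the value lands in (here: HTML).
function toHtml($value)
{
    // ENT_QUOTES turns both " and ' into entities, so the result is safe
    // in element text and inside quoted attributes
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 3. SQL: never build the statement from the value; bind it. This replaces
//    addslashes(), which is not a SQL escaping function.
function storeComment(PDO $pdo, $username, $comment)
{
    $stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    return $stmt->execute(array(':u' => $username, ':b' => $comment));
}

// --- constructed sample input, as it might arrive in $_POST ---
$post = array(
    'username' => "steelerman99",
    'comment'  => "Bob's <b>bold</b> claim: 1 < 2 && \"true\"",
);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, username TEXT, body TEXT)');

$username = validateUsername($post['username']);
$comment  = validateComment($post['comment']);

if ($username === null || $comment === null) {
    echo "Input rejected\n";
    exit;
}

storeComment($pdo, $username, $comment);

// the database holds the comment exactly as typed, quotes and tags included...
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo "stored:  ", $stored, "\n";
// ...and the browser receives entities, not markup
echo "to html: ", toHtml($stored), "\n";
```

The design point is that validation and escaping answer different questions: validation asks whether the value is acceptable at all, and escaping makes an acceptable value harmless in one specific output context. A value that will later be placed in a URL, a JavaScript string or a shell command needs its own encoding step at that point; the HTML escaping above does not cover those contexts.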
darkfreaks Posted September 9, 2007

    <?php
    $var = strip_tags($var);  // strips out all PHP and HTML tags
    $var = addslashes($var);  // escapes quotes and backslashes with a backslash
    $var = trim($var);        // removes leading and trailing whitespace
    ?>

To clear things up. Not a bad start.

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/#findComment-344621
darkfreaks Posted September 9, 2007

This function searches all XSS patterns and removes them:

    <?php
    function RemoveXSS($val) {
        // remove all non-printable characters. CR(0d) and LF(0a) and TAB(9) are allowed
        // this prevents some character re-spacing such as <java\0script>
        // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
        // (fixed: the original [\x00-\x08][\x0b-\x0c][\x0e-\x20] only matched three
        //  consecutive characters; a single class matches any one of them, and space is kept)
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

        // straight replacements, the user should never need these since they're normal characters
        // this prevents like <IMG SRC=&#X40&#X61vascript:alert('XSS')>
        $search = 'abcdefghijklmnopqrstuvwxyz';
        $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $search .= '1234567890!@#$%^&*()';
        $search .= '~`";:?+/={}[]-_|\'\\';
        for ($i = 0; $i < strlen($search); $i++) {
            // ;? matches the ;, which is optional
            // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
            // &#x search for the hex values
            $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
            // &# 0{0,8} matches '0' zero to eight times
            $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
        }

        // now the only remaining whitespace attacks are \t, \n, and \r
        $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);

        $found = true; // keep replacing as long as the previous round replaced something
        while ($found == true) {
            $val_before = $val;
            for ($i = 0; $i < count($ra); $i++) {
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        // between two letters of the keyword, allow an optional encoded tab, LF or CR
                        // (fixed: [9][a][b] and [9][10][13] required all three in sequence;
                        //  [9ab] and (9|10|13) match any one of them, as intended)
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}[9ab];?)?';
                        $pattern .= '|(&#0{0,8}(9|10|13);?)?';
                        $pattern .= ')?';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
                $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            }
            // compare after the whole round (the original checked inside the for loop,
            // which could stop the outer loop even though a later keyword was replaced)
            if ($val_before == $val) {
                // no replacements were made, so exit the loop
                $found = false;
            }
        }
        return $val;
    }
    ?>

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/#findComment-344623
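An added example, not darkfreaks' code and not part of RemoveXSS, for the one case the keyword list above works hardest on: a link the user supplies. Rather than searching for "javascript" in every encoding, it accepts only input that parses as a URL with a scheme on a short allowlist and escapes the result for the attribute it lands in; everything else is shown as plain text. The helper names and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not darkfreaks' code: for a link a user submits, accept only
// what parses as a URL with an allowlisted scheme instead of hunting for the
// word "javascript" in every encoding. Helper names are hypothetical.

function safeLinkUrl($raw)
{
    $url = trim($raw);
    // drop ASCII control characters (tab, newline, NUL, ...) so a split
    // scheme such as "java\tscript:" never reaches the scheme check
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', $url);

    $parts = parse_url($url);
    // parse_url() only recognises a scheme that starts with a letter, so an
    // entity-encoded one like "&#106;avascript:" yields no scheme at all
    if ($parts === false || !isset($parts['scheme']) || !isset($parts['host'])) {
        return null; // malformed, scheme-less or relative: refuse
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null; // anything that is not plain http(s) is refused
    }
    return $url;
}

function linkHtml($raw, $label)
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    $url = safeLinkUrl($raw);
    if ($url === null) {
        return $safeLabel; // show the label as text, with no link at all
    }
    // escape again for the attribute context: & in a query string becomes &amp;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $safeLabel . '</a>';
}

// constructed inputs: one good link and several the filter above should refuse
$samples = array(
    'https://example.com/page?a=1&b=2',
    'JavaScript:alert(1)',
    "java\tscript:alert(1)",
    '&#106;avascript:alert(1)',
    'ftp://example.com/file',
    '/relative/path',
);
foreach ($samples as $s) {
    $result = safeLinkUrl($s);
    printf("%-36s => %s\n", str_replace("\t", '\t', $s), $result === null ? 'refused' : $result);
}
echo linkHtml($samples[0], 'my "favourite" page'), "\n";
```

Because the accepted value is escaped with htmlspecialchars() before it is written into the href attribute, an entity sequence in the stored string reaches the browser as literal text (`&amp;#106;`) rather than as something it decodes, which is why the allowlist does not need to know about every encoding of the keyword.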
d22552000 Posted September 9, 2007

Your one is a good program, but it will be really slow (reply on top of mine). The preg and regular expression libraries are loaded every time it is requested and per function; expect it to take about a second to parse 3 variables (not a problem, but if it's a big form or with lots of people it might lag).

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/#findComment-344625
steelerman99 (Author) Posted September 10, 2007

darkfreaks wrote: "This function searches all XSS patterns and removes them:"

darkfreaks, your function looks incredibly thorough. Does this function have a chance of messing up any regular input that has characters that are not alphanumeric?

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/#findComment-345158
darkfreaks Posted September 10, 2007

I haven't tested it personally, but I wouldn't think so? ???

Link to comment https://forums.phpfreaks.com/topic/68553-security-question/#findComment-345160