chiefrokka Posted January 12, 2008

I'm a PHP newbie and I put my code in the beta test section and apparently I have a bunch of vulnerabilities with my code. Can someone help me fix these and explain how you even come up with these? What code do you have to put in (and where) to find these issues out? These are for my football scripts "php Squares" and "php Pickems"; they are found at my demos page at www.phpPicks.com and work perfectly, as I've been using them for most of the NFL season, but now I would like to sell them, so I'm working out any bugs like these. Should I paste some code and someone tell me what I have to do to fix it? This is the first time I've even heard of XSS, as these are my very first PHP scripts ever.

Below is a pasted reply from that thread:

Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Pickems/Admin.php if the fields contain code.
Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Pickems/Admin.php if the drop down menus contain code.
Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/MySquares.php if the drop down menu contains </select>code.
Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/Print_Squares.php if the drop down menu contains </select>code.
Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/Price_I_Owe.php if the drop down menu contains </select>code.
Drop Down Menu: If you edit the drop down menus on http://www.phppicks.com/Demo_Pickems/Admin.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.phppicks.com/Demo_Squares/MySquares.php you can submit arbitrary values.
Drop Down Menu: If you edit the drop down menu on http://www.phppicks.com/Demo_Squares/Price_I_Owe.php you can submit arbitrary values.
Maximum Length: If you edit the input boxes on http://www.phppicks.com/Demo_Pickems/Admin.php you can submit arbitrary values.
phpSensei Posted January 12, 2008

Use strip_tags and htmlentities, but the best way to do it is preg_replace();
chiefrokka Posted January 12, 2008 (Author)

Can you give me some examples of what I should do to stop this? Let's just look at this code: "Cross Site Scripting: There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/Price_I_Owe.php if the drop down menu contains </select>code". How and where do you even put in code to get the Cross Site Scripting?? Do you put it in the address bar or something? I need to know how to do XSS before I can figure out how to test for it. lol. I need an example, I guess.
phpSensei Posted January 12, 2008

Just use http://quickwired.com/smallprojects/php_xss_filter_function.php
chiefrokka Posted January 12, 2008 (Author)

> just use http://quickwired.com/smallprojects/php_xss_filter_function.php

Nice site, thanks. Little over my head, so let me see if I understand what to do. Seems like you just add that function to your #include file, then call that function for every form variable you have, right? So for my site, http://www.phppicks.com/Demo_Squares/Price_I_Owe.php, all I have is 2 variables basically I store from the form:

- the drop down box called "$Which_User"
- the submit button called "$Show_Me"

So is this all I have to do now to solve the XSS?

    if (isset($Show_Me)) {
        RemoveXSS($Which_User);
        // do rest of the code
    }
phpSensei Posted January 12, 2008

    <?php
    include("root/function.php"); // defines RemoveXSS()
    $Show_Me = isset($_GET['value']) ? $_GET['value'] : null;
    if (isset($Show_Me)) {
        $Show_Me = RemoveXSS($Show_Me); // keep the returned, filtered value
    }
    ?>
chiefrokka Posted January 12, 2008 (Author)

>     <?php
>     include("root/function.php"); // defines RemoveXSS()
>     $Show_Me = isset($_GET['value']) ? $_GET['value'] : null;
>     if (isset($Show_Me)) {
>         $Show_Me = RemoveXSS($Show_Me); // keep the returned, filtered value
>     }
>     ?>

Oh ya. Oops. So that's it, huh? Then I can continue doing my business with that variable. Cool. So this goes for every variable you use in a form, huh, except the submit button variables. I'll update all my code to use this soon and have people test it out again to see if they can XSS it. Appreciate it!
helraizer Posted January 12, 2008

If you're using GET or POST just use

    $Which_user = htmlspecialchars($_POST['which_user']);

What Agentsteal meant about the '</select> code' is they make a form on their PC, host it and make it submit to your site. So if they change the value of your drop down box it can be damaging. So in your code, you could use something along the lines of:

    if (stristr($Which_user, "</select>")) {
        // create an error message
    } else {
        // code for if it's anything genuine
    }
chiefrokka Posted January 12, 2008 (Author)

Gotcha. So will this function solve that </select> thing they can do, or does this function take care of everything, meaning no need to do that

    $Which_user = htmlspecialchars($_POST['which_user']);

or should I still do that on top of running each variable through the function? I do use Post and Request to get everything.
helraizer Posted January 12, 2008

> Gotcha. So will this function solve that </select> thing they can do, or does this function take care of everything, meaning no need to do that
>
>     $Which_user = htmlspecialchars($_POST['which_user']);
>
> or should I still do that on top of running each variable through the function? I do use Post and Request to get everything.

If you're using $_REQUEST then definitely use htmlspecialchars - it will change </select> into &lt;/select&gt;, thus rendering it useless. It won't do any harm.

Sam
chiefrokka Posted January 14, 2008 (Author)

OK, I added "htmlspecialchars" to all my _POST. I also ran each variable through that "RemoveXSS" function after I did the htmlspecialchars. I did two pages like this and have noticed that if you run the "submit" button variable through these, then the script automatically runs the code even though it should wait for the isset(button pressed). Is that supposed to happen? Do you have to run the submit button variable through these or not? Here's an example of it when I do run the submit button through those: http://www.phppicks.com/Demo_Squares/Price_I_Owe.php
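The two form-handling points raised above, helraizer's "edited drop-down" concern and the submit-button problem in this post, can both be handled server-side without pattern-matching for "</select>". The following is an added example, not code from the thread or from the phpPicks scripts; the field names "Which_User" and "Show_Me" are taken from the thread, the user list is constructed sample data, and a PHP 7.1 or newer interpreter is assumed.

```php
<?php
// Added example (not from the thread): server-side handling of the
// Price_I_Owe form. The user list is a constructed stand-in for whatever the
// real page reads from its database.

// The only values the drop-down is allowed to carry. Build this from the same
// data that rendered the <select>; the browser cannot be trusted to enforce it.
function allowed_users(): array
{
    return ['alice', 'bob', 'carol']; // constructed sample data
}

// Returns the chosen user, or null when the submitted value was not one of
// the options the server offered (an edited <option>, "</select>..." etc.).
function validate_which_user($submitted, array $allowed): ?string
{
    if (!is_string($submitted)) {
        return null;
    }
    return in_array($submitted, $allowed, true) ? $submitted : null;
}

// Escape for insertion into HTML text or a double-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Test the raw request array for the button, not a copy that was already run
// through htmlspecialchars(): htmlspecialchars() of a missing field returns ""
// and isset() of a variable holding "" is true, which is why the page ran its
// code before the button was pressed.
function handle_request(array $post): string
{
    if (!isset($post['Show_Me'])) {
        return 'form not submitted';
    }
    $user = validate_which_user($post['Which_User'] ?? null, allowed_users());
    if ($user === null) {
        return 'invalid selection';
    }
    // Still escape on output: the value is only known-safe as data, not as HTML.
    return 'Showing prices for ' . h($user);
}

// Constructed requests exercising the three paths.
var_dump(handle_request([]));                                          // "form not submitted"
var_dump(handle_request(['Show_Me' => 'Go', 'Which_User' => 'bob']));  // "Showing prices for bob"
var_dump(handle_request(['Show_Me' => 'Go',
                         'Which_User' => '</select><b>not an option</b>'])); // "invalid selection"
```

Validating against the server's own option list rejects anything the form did not offer, which covers both the "submit arbitrary values" and the "</select>code" findings for the drop-downs; escaping at output time covers the display of whatever is accepted.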
chiefrokka Posted January 14, 2008 (Author)

Also, what about if you're just grabbing variables from your database like:

    $Current_Week = $row['Week'];

Do you need to remove any XSS with those? They're not form variables, just database variables I need to grab first.
helraizer Posted January 14, 2008

> Also, what about if you're just grabbing variables from your database like:
>
>     $Current_Week = $row['Week'];
>
> Do you need to remove any XSS with those? They're not form variables, just database variables I need to grab first.

When you put your POST variables into the database (I know you said you don't, but still), use mysql_real_escape_string(), so no input can damage your database; also you should still use htmlspecialchars_decode, so

    $example = htmlspecialchars($_POST['which_user']);
    // rest of code
    $test = htmlspecialchars_decode($row['which_user']);

Step by step: Say $example is a user submitted variable, like <marquee>vunerable</marquee>; that code on its own will be launched on your page. htmlspecialchars will change that to &lt;marquee&gt;vunerable&lt;/marquee&gt;, which will not launch itself but looks untidy. Now say $test is a user submitted variable that is stored in your database. When you pull it from the database on its own it will be &lt;marquee&gt;vunerable&lt;/marquee&gt; again, which as we said before looks untidy and unprofessional. htmlspecialchars_decode will change &lt; and &gt; back into < and >, so it will turn again into <marquee>vunerable</marquee>, but it will not be launched on your page.

But relating to your problem, if the Week field is a value you have submitted in the database and is only that, then no, you do not need to protect it, because unless someone has direct access to the database to change it, it will not be a threat.

Sam
chiefrokka Posted January 14, 2008 (Author)

Thanks Sam for the great explanation. I grab variables from the database all the time to use in the script, but I also have a bunch of pages where the user has to make a selection and I grab those variables and then submit them to my database under their name. Let me see if I understand it all correctly from this whole thread.

- Use htmlspecialchars for every _POST and _GET and _REQUEST...
- Run every variable that you're grabbing above through the "RemoveXSS" function. http://quickwired.com/smallprojects/php_xss_filter_function.php .... Won't this function remove all of the XSS so I don't have to do this _decode stuff you're talking about? If I still should use this _decode then read on.
- Whenever I grab a variable from the database that was previously set and I'm just using it to echo it to the screen (such as "Current Week") I DON'T have to use the htmlspecialchars_decode??
- If the user is signing up with their Name, Pass, and the League ID... do I still need to use this _decode that you're talking about since I already used htmlspecialchars and RemoveXSS? If so, how would it look for this:

    mysql_query("INSERT INTO Users (Name, Password, Email)
                 VALUES('$Add_Name', '$Add_Password', '$Add_Email') ") or die(mysql_error());
helraizer Posted January 14, 2008

> Thanks Sam for the great explanation. I grab variables from the database all the time to use in the script, but I also have a bunch of pages where the user has to make a selection and I grab those variables and then submit them to my database under their name. Let me see if I understand it all correctly from this whole thread.
>
> - Use htmlspecialchars for every _POST and _GET and _REQUEST...
> - Run every variable that you're grabbing above through the "RemoveXSS" function. http://quickwired.com/smallprojects/php_xss_filter_function.php .... Won't this function remove all of the XSS so I don't have to do this _decode stuff you're talking about? If I still should use this _decode then read on.
> - Whenever I grab a variable from the database that was previously set and I'm just using it to echo it to the screen (such as "Current Week") I DON'T have to use the htmlspecialchars_decode??
> - If the user is signing up with their Name, Pass, and the League ID... do I still need to use this _decode that you're talking about since I already used htmlspecialchars and RemoveXSS? If so, how would it look for this:
>
>     mysql_query("INSERT INTO Users (Name, Password, Email)
>                  VALUES('$Add_Name', '$Add_Password', '$Add_Email') ") or die(mysql_error());

From what I can tell, all that RemoveXSS function does is remove any hex and such from the code. As for the specialchars and _decode, that takes away the effect of <script> or <marquee>, but it would be ugly on your page if it were &lt;script&gt; or &lt;marquee&gt;; the _decode just changes those &lt; &gt; to < > (respectively).

Your query is alright, so long as, to protect your database, you use

    $Add_Name = mysql_real_escape_string($_POST['username']);
    $Add_Password = md5(mysql_real_escape_string($_POST['pass'])); // md5 should render any quotes or slashes harmless but it's best to make sure
    $Add_Email = mysql_real_escape_string($_POST['email']);

That way the database is protected; the md5 hashes mean absolutely nothing to man nor beast, so no one can see other passwords. So I would still use _decode to make it look tidier, but only when pulling from the database; if you do it before you insert it, there's no point.

Sam
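To see concretely what each of the functions discussed in the last few posts does to a string, here is an added example (not code from the thread) that runs the "<marquee>" sample value from the posts above through encode-on-input followed by htmlspecialchars_decode() on output, and, beside it, through a single escape at output time. Only PHP's standard library is used; the function names other than htmlspecialchars() and htmlspecialchars_decode() are this example's own.

```php
<?php
// Added example (not from the thread): what htmlspecialchars(),
// htmlspecialchars_decode() and output-time escaping each do to a
// submitted string. The sample value is the one used in the posts above.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Encode-on-input, as suggested in the thread: the form the value takes in
// the database when it is encoded before INSERT.
function stored_encoded(string $input): string
{
    return h($input);
}

// ...and what is written into the page if that stored value is passed
// through htmlspecialchars_decode() when rendering.
function rendered_after_decode(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Store-raw, escape-on-output: the stored value is the untouched input and
// escaping happens exactly once, where the value is written into HTML.
function rendered_escaped_at_output(string $stored_raw): string
{
    return h($stored_raw);
}

$input = '<marquee>vunerable</marquee>'; // constructed sample, as in the thread

$encoded = stored_encoded($input);
echo $encoded, "\n";                                    // &lt;marquee&gt;vunerable&lt;/marquee&gt;

// Decoding restores the original markup byte for byte, so a browser
// receiving this output would parse it as a tag again.
$decoded = rendered_after_decode($encoded);
echo $decoded, "\n";                                    // <marquee>vunerable</marquee>
var_dump($decoded === $input);                          // bool(true)

// Escaping at output leaves entities in the HTML source; the browser's HTML
// parser turns them back into the visible characters "<marquee>..." as text
// and creates no element.
echo rendered_escaped_at_output($input), "\n";          // &lt;marquee&gt;vunerable&lt;/marquee&gt;
```

The "untidy" &lt;marquee&gt; form only exists in the HTML source: the browser displays it to the reader as the plain characters <marquee>vunerable</marquee> while treating them as text. That is the behaviour the escaping is meant to produce, and it is why the usual practice is to keep the raw value in the database and call htmlspecialchars() at the point of output rather than decode it again.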
chiefrokka Posted January 17, 2008 (Author)

Here's a function I found to do this. Let me know if this would cover it. The source is found here: http://www.w3schools.com/php/func_mysql_real_escape_string.asp

Example 3

The correct way to do it to prevent database attack:

    <?php
    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    // Make a safe SQL
    $user = check_input($_POST['user']);
    $pwd = check_input($_POST['pwd']);
    $sql = "SELECT * FROM users WHERE user=$user AND password=$pwd";
    ?>
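The login lookup in check_input() above builds the SQL string by hand and relies on escaping plus quoting every value correctly. As an added example (not from the thread or from w3schools), the same lookup with a prepared statement, where the user-supplied values are bound as parameters and never become part of the SQL text. It uses PDO with an in-memory SQLite database so it runs offline; the site itself uses MySQL, so the DSN and driver are an assumption of this example, as is the availability of the pdo_sqlite extension. The sample user row is constructed.

```php
<?php
// Added example (not from the thread): parameterised login lookup with PDO.
// SQLite in memory is used here only so the example runs stand-alone.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT, password TEXT)');
    // Constructed sample row. The password is stored with password_hash();
    // md5() is not a password-hashing function and is not used here.
    $ins = $db->prepare('INSERT INTO users (user, password) VALUES (?, ?)');
    $ins->execute(['chiefrokka', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true when the user exists and the password matches. The user name
// is bound as a parameter, so quotes or SQL keywords inside it are compared
// as literal characters of the name, not parsed as SQL.
function login(PDO $db, string $user, string $pwd): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();            // false when no row matched
    return $hash !== false && password_verify($pwd, $hash);
}

$db = open_db();
var_dump(login($db, 'chiefrokka', 's3cret'));        // bool(true)
var_dump(login($db, 'chiefrokka', 'wrong'));         // bool(false)
// A value containing a quote and SQL text: with string concatenation this
// would change the query; as a bound parameter it simply matches no user.
var_dump(login($db, "x' OR 'a'='a", 'anything'));    // bool(false)
```

With parameters bound this way there is no per-value decision about quoting, stripslashes() or escaping; the magic-quotes handling in check_input() becomes unnecessary as well, and the password comparison moves out of the SQL entirely into password_verify().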
dprichard Posted January 29, 2008

Sorry to hash this up if it is an old subject, but I am just learning about cross site scripting and want to make sure I have this down. So.... If I am inserting data into a database I need to use mysql_real_escape_string. Do I also need to filter this for XSS exploits, or if it is only going into a database am I okay with mysql_real_escape_string? To check for XSS do I need to use the function at quickwired and htmlspecialchars, or just one or the other?