jaymc Posted February 27, 2008
Looks like someone has created a script to test for flaws on my site. They are using the database to insert malicious code, HTML and JavaScript as well as MySQL statements in an attempt to interact with my own code.
I want to make a function that everything must pass through before entering my database, assuming this is the best way to go about it? I was thinking of things like strip_tags(), htmlspecialchars(), addslashes().
What interrogation should user input pass through before entering the database to ensure that, when inserted/pulled out, injection or malicious activity can't take place?
For example, anyone inputting this type of stuff: Hi I 3> you
When the > is read it chops off any text after it because the browser thinks it's closing a tag.
Thanks!
https://forums.phpfreaks.com/topic/93304-strip-out-the-st/
trq Posted February 27, 2008
Do you want users to be able to submit HTML at all? strip_tags and mysql_real_escape_string are probably two good places to start. You might also search for some XSS classes.
haku Posted February 27, 2008
I use this code to submit data into my database:

// prepares data for entry into the database
// note: mysql_real_escape_string() needs an open MySQL connection, so call this after connecting
function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0

    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) {
            $value = stripslashes( $value );
        }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) {
            $value = addslashes( $value );
        }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

It works, although I've never had anyone try to break it. If anyone sees anything that it's lacking, please let me know.
jaymc Posted February 27, 2008
HTML is not allowed in any case, as well as weird chars that produce symbols etc., although I'm not too fussed; just that I noticed anyone adding < or > causes problems with the HTML.
I just want something solid to work from so I know I'm protecting as best as I can from custom injection etc.
aschk Posted February 27, 2008
For some reason or another I can't write a reply. Thus this is a test and my reply will follow.
aschk Posted February 27, 2008
Post some entries of the sort of things you are getting. Basically it looks like you're escaping your input (instead of filtering it) and not escaping your output...
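The distinction aschk draws (validate or filter on the way in, escape for the specific output context on the way out) is what stops the "Hi I 3> you" case from breaking the page. The following is an added example, not code from any poster in this thread; it assumes PHP 7.2 or later and uses only standard functions. The sample inputs are constructed.

```php
<?php
// Added example (not from the thread): store user text unchanged, escape it
// for the context it is written into. Each context gets its own escaper.

// Text placed in an HTML body or inside a quoted attribute.
function escHtml(string $s): string {
    // ENT_QUOTES also converts ' so the value is safe in single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text embedded as a JavaScript string literal inside an inline <script>.
function escJs(string $s): string {
    // The JSON_HEX_* flags encode < > & ' " as \uXXXX so the literal can never
    // close the surrounding <script> element or break out of the string.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Values that must be a number (an id, a page number) are validated, not escaped:
// anything that is not an integer is rejected outright.
function toInt(string $s): ?int {
    $v = filter_var($s, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Constructed sample inputs of the kind described in the thread.
$samples = [
    'Hi I 3> you',                // the "<" / ">" case from the first post
    '<script>blah blah</script>', // markup that must be shown as text, not run
    "O'Reilly & Sons",            // a legitimate quote and ampersand
];

foreach ($samples as $raw) {
    // The stored value is $raw; only the rendered copy is transformed.
    echo '<p>' . escHtml($raw) . "</p>\n";
    echo '<script>var last = ' . escJs($raw) . ";</script>\n";
}

// Numeric input: accepted only if it really is an integer.
var_dump(toInt('42'));
var_dump(toInt("42 OR ''=''"));
```

Run with `php example.php` and view the output in a browser: each sample appears as the literal text the user typed, including the `>` that previously truncated the page, because the escaping is applied at render time rather than before the INSERT. Escaping on the way in (with htmlspecialchars or addslashes) would store a modified copy that is wrong for every other consumer of the data (an RSS feed, a JSON API, a plain-text e-mail).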
jaymc Posted February 27, 2008
I have deleted all the entries now. But the main issue was them putting in JavaScript: <script>blah blah. That was causing issues with my HTML because of the < >.
They tried OR = '' etc. but I have magic quotes enabled in php.ini so that saves me from quite a bit. But obviously not strong enough.
deansatch Posted February 27, 2008
strip_tags() should work ok.
jaymc Posted February 27, 2008
Anything else to protect, or does mysql_real_escape_string pretty much secure anything going in?
jaymc Posted February 27, 2008
Ok, I think I have enough from this. However, is there a way to forcefully set mysql_real_escape_string in php.ini so that it does it automatically? That way I can turn off magic quotes and deploy that.
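There is no php.ini switch that applies mysql_real_escape_string globally, and magic quotes were an attempt at exactly that idea (they were removed from PHP in 5.4). The way to get "automatic" protection for the queries in this thread is to stop building SQL from strings at all and pass user values as bound parameters. The block below is an added example, not code from any poster; it assumes PHP 7.1 or later with the pdo_mysql extension, and the DSN, credentials and table name are placeholders.

```php
<?php
// Added example (not from the thread): user data goes to MySQL as bound
// parameters, so no escaping function has to run before the INSERT.
// DSN, credentials and the "comments" table are placeholders for this example.

function connect(): PDO {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',  // placeholder DSN
        'app_user',                                         // placeholder user
        'app_password',                                     // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements: the bound value is sent
            // separately from the SQL text and is never spliced into it.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
    return $pdo;
}

function saveComment(PDO $pdo, int $userId, string $body): int {
    // No strip_tags / addslashes / mysql_real_escape_string on the way in:
    // the text is stored exactly as typed and escaped when it is rendered.
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function recentComments(PDO $pdo, int $limit): array {
    // Quoting-based escaping cannot protect a LIMIT clause, because LIMIT takes
    // a bare number. Binding it as an integer covers that case as well.
    $stmt = $pdo->prepare('SELECT id, body FROM comments ORDER BY id DESC LIMIT :n');
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with constructed input of the kind quoted in the thread: the quotes,
// the OR and the angle brackets are stored as plain data.
$pdo = connect();
$newId = saveComment($pdo, 7, "Hi I 3> you, they tried OR ''='' as well");

foreach (recentComments($pdo, 10) as $row) {
    // Output context is HTML, so escape for HTML here, not before storage.
    echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

With magic quotes off (which this approach needs, otherwise `$_POST` values arrive with extra backslashes that would be stored literally), the only per-field work left is type validation: ids and limits are declared `int`, free text is declared `string`, and the driver handles the rest.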
revraz Posted February 27, 2008
Check out this function:

function RemoveXSS($val) {
    // remove all non-printable characters. CR (0x0d), LF (0x0a) and TAB (0x09) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=@avascript:alert('XSS')>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // @ @ search for the hex values (&#x61; or &#X0061; for "a")
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // @ @ search for the decimal values (&#97; or &#0097; for "a")
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link',
        'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer',
        'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
        'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange',
        'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut',
        'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
        'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
        'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
        'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload',
        'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout',
        'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste',
        'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll',
        'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found) {
        $val_before = $val;
        for ($i = 0; $i < count($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between two letters of the keyword, allow any number of entity-encoded
                    // TAB/LF/VT (hex 9, a, b) or TAB/LF/CR (decimal 9, 10, 13)
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ab];?)';
                    $pattern .= '|(&#0{0,8}(9|10|13);?)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}