jaymc Posted February 27, 2008 Share Posted February 27, 2008 Looks like someone has created a script to test for flaws on my site They are using the database to insert malicious code, html and javascript aswell as mysql statements in an attempt to interact with my own code I want to make a function that everything must pass through before entering my database, assuming this is the best way to go around it? I was thinking of things like strip_tags() htmlspecialchars() addslashes() What interigation should user input pass through before entering the database to ensure when inserted/pulled out injection or malicous activity cant take place For example anyone inputting this type of stuff Hi I 3> you When the > is read it chops off any text after it because the browser things its closing a tag Thanks! Quote Link to comment Share on other sites More sharing options...
trq Posted February 27, 2008 Share Posted February 27, 2008 Do you want users to be able to submit html at all? strip_tags and mysql_real_escape_string are probably two good places to start. You might also search for some XSS classes. Quote Link to comment Share on other sites More sharing options...
haku Posted February 27, 2008 Share Posted February 27, 2008 I use this code to submit data into my database: //prepares data for entry into the database function mysql_prep( $value ) { $magic_quotes_active = get_magic_quotes_gpc(); $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0 if( $new_enough_php ) { // PHP v4.3.0 or higher // undo any magic quote effects so mysql_real_escape_string can do the work if( $magic_quotes_active ) { $value = stripslashes( $value ); } $value = mysql_real_escape_string( $value ); } else { // before PHP v4.3.0 // if magic quotes aren't already on then add slashes manually if(!$magic_quotes_active) { $value = addslashes($value); } // if magic quotes are active, then the slashes already exist } return $value; } It works, although I've never had anyone try to break it. If anyone sees anything that its lacking, please let me know. Quote Link to comment Share on other sites More sharing options...
jaymc Posted February 27, 2008 Author Share Posted February 27, 2008 html is not allowed in any case ASwell as weird chars that produce symbols etc, although not to fussed, just that I noticed anyone adding < or > causes problems with the html I just want someonething solid to work from so I know Im protecting as best as I can from custom injection etc Quote Link to comment Share on other sites More sharing options...
aschk Posted February 27, 2008 Share Posted February 27, 2008 For some reason or another i can't write a reply. Thus this is a test and my reply will follow. Quote Link to comment Share on other sites More sharing options...
aschk Posted February 27, 2008 Share Posted February 27, 2008 Post some entries of the sort of things you are getting. Basically it looks like you're escaping your input (instead of filtering it) and not escaping your output... Quote Link to comment Share on other sites More sharing options...
jaymc Posted February 27, 2008 Author Share Posted February 27, 2008 I have deleted all the entries now But the main issue was them pitting in javascript <script>blah blah That was causing issues with my html because of the < > They tried OR = '' etc but I have magic quotes enabled in php ini so save me from quite a bit But obviously not strong enough Quote Link to comment Share on other sites More sharing options...
deansatch Posted February 27, 2008 Share Posted February 27, 2008 strip_tags() should work ok. Quote Link to comment Share on other sites More sharing options...
jaymc Posted February 27, 2008 Author Share Posted February 27, 2008 Anything else to protect, or does mysql real escape string pretty much secure anything going in Quote Link to comment Share on other sites More sharing options...
jaymc Posted February 27, 2008 Author Share Posted February 27, 2008 Ok I think I have enough from this However Is there a way to forcefull set mysql_real_escape_string in php.ini So that it does it automatically, that way I can turn off magic quotes and deply that? Quote Link to comment Share on other sites More sharing options...
revraz Posted February 27, 2008 Share Posted February 27, 2008 Check out this function function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=@avascript:alert('XSS')> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?'; $pattern .= '|(�{0,8}([9][10][13]);?)?'; $pattern .= ')?'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.