spikeon Posted March 7, 2008 Share Posted March 7, 2008 ok guys, i have a site that has alot of text inputs. what do i need to to to make sure that noone posts anything that can hurt the site or steal information? for instance $stuff = what_other_functions_do_i_put_here(strip_tags($stuff)); Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/ Share on other sites More sharing options...
deadonarrival Posted March 7, 2008 Share Posted March 7, 2008 I use a function called clean() I won't give you mine, because it's quite bloated, but it basically follows the idea of <?php function clean($var) { /* * Use preg_replace to replace things such as javascript: and any other nasties you can think of. This is the bloated bit. * Done because things like javascript: aren't caught by strip_tags. I also remove certain javascript functions for good measure */ //Take out any slashes, in case php is set to add them $var = stripslashes($var); //Now add in our own slashes $var = mysql_real_escape_string($var); //Strip any html tags $var = strip_tags($var); //Convert any special chars $var = htmlspecialchars($var); } ?> Between these it's safe to use in html and mysql queries. I don't think there are any others you'd need. Just use it by calling $username = clean($_POST['username']); You could even extend it by having a switch to get the variable from post/get/session/cookie superglobals, and use the function as $username = clean($username,"post"); I'll send an example of that if you want to take a look. I use it since it's a little cleaner and less error prone. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486539 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 well, using that heres what i'm doing, to clean EVERYTHING foreach($_GET as $key => $stuff){ $_GET[$key] = htmlspecialchars(strip_tags(mysql_real_escape_string(stripslashes($stuff)))); } foreach($_POST as $key => $stuff){ $_POST[$key] = htmlspecialchars(strip_tags(mysql_real_escape_string(stripslashes($stuff)))); } Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486551 Share on other sites More sharing options...
uniflare Posted March 7, 2008 Share Posted March 7, 2008 depends on howyou use the variables inside your script; Using RAW User Data to Echo on a page htmlentities($userdata); Protect against: Javascript XSS/HiJack Etc Using RAW User Data in a MySQL Query mysql_escape_string($userdata); Protect against: Mysql Injection Using RAW User Data in a fopen function or similar // Dont use RAW User data in predefined functions whenever possible, validate with preg_match etc if you have to Switch($_POST['file']){ Case "1": $file = "file1.db"; Break; Case "2": $file = "file2.db"; Break; Case "3": $file = "file3.db"; Break; default: $file = "file.db"; break; } fopen($file,"r+"); // SAME FOR INCLUDE/_ONCE / REQUIRE/_ONCE / FSOCKOPEN / FGETS + more include($file,$r+); Protect against: native php XSS/User Defined Procedure Injection (i believe most hosts have url fopen turned off in php.ini by default) fyi what i mean by user defined procedure injection is if you are pulling php code from a db to execute with exec() then someone could hijack the exec command and exec whatever they want, though this would be impossible anyway if you added the full domain url/path before using fopen/include etc functions hope this helps, edit-- well, using that heres what i'm doing, to clean EVERYTHING foreach($_GET as $key => $stuff){ $_GET[$key] = htmlspecialchars(strip_tags(mysql_real_escape_string(stripslashes($stuff)))); } foreach($_POST as $key => $stuff){ $_POST[$key] = htmlspecialchars(strip_tags(mysql_real_escape_string(stripslashes($stuff)))); } For some reason reassigning the $_GET variable failed for me on several occasions, personally i would assign it to a different array name to be php compatible with the example. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486558 Share on other sites More sharing options...
deadonarrival Posted March 7, 2008 Share Posted March 7, 2008 Would do the job, apart from getting rid of javascript: and a few other nasties. Try the function above and preg_replace "javascript:" in $var with "javascript ". Then you can even clean up your code with it. <?php function clean($var) { /* * Use preg_replace to replace things such as javascript: and any other nasties you can think of. This is the bloated bit. * Done because things like javascript: aren't caught by strip_tags. I also remove certain javascript functions for good measure */ //Take out any slashes, in case php is set to add them $var = stripslashes($var); //Now add in our own slashes $var = mysql_real_escape_string($var); //Strip any html tags $var = strip_tags($var); //Convert any special chars $var = htmlspecialchars($var); } foreach($_GET as $key => $stuff){ $_GET[$key] = clean($stuff); } foreach($_POST as $key => $stuff){ $_POST[$key] = clean($stuff); } ?> And if you ever want to add more functions, or remove some, or change the order, you just do it in one nice neat place. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486560 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 except it dosen't work.... it cleared everything from the get... what'd i do wrong? Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486561 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 what surprises me is that you can assign a NEW $_GET but is it possible that you can't edit an EXISTING get? Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486563 Share on other sites More sharing options...
uniflare Posted March 7, 2008 Share Posted March 7, 2008 personally on my php installation is i can MODIFY _GET Variables, not sure about _POST. deadonarriavles code does not work because mysql_escape_string requires an active mysql connection. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486566 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 it fixed itself when i used correct syntax: $_GET['$key'] Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486569 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 well, i DO have an active connection... i think ' i open it at the beginning of the page Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486573 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 and, $_POST still dosen't work, $_GET did however, Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486575 Share on other sites More sharing options...
deadonarrival Posted March 7, 2008 Share Posted March 7, 2008 Did it work before? Why not assign it to a new array $get and $post instead of $_GET and $_POST You can use it in in the same way, in the same places - but nicely cleaned. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486584 Share on other sites More sharing options...
spikeon Posted March 7, 2008 Author Share Posted March 7, 2008 hmmm, perhaps u see, i have this damn code spread over 20 files... perhaps i have something that will find-replace in all of them Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486586 Share on other sites More sharing options...
deadonarrival Posted March 8, 2008 Share Posted March 8, 2008 www.context.cx Just open the directory with the files in, then open them all (or a sub-directory at a time) Find->replace and select "all files" Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486590 Share on other sites More sharing options...
spikeon Posted March 8, 2008 Author Share Posted March 8, 2008 ah, i did that and now its not working...... Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486591 Share on other sites More sharing options...
spikeon Posted March 8, 2008 Author Share Posted March 8, 2008 now, the question is: why does GET work and POST not work? foreach($_GET as $key => $stuff){ $_GET['$key'] = clean($stuff); } foreach($_POST as $key => $stuff){ $_POST['$key'] = clean($stuff); } Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486601 Share on other sites More sharing options...
deadonarrival Posted March 8, 2008 Share Posted March 8, 2008 Because you can't set $_POST values, they have to be passed from a form. Link to comment https://forums.phpfreaks.com/topic/94981-what-exactly-do-i-need-to-do-to-stop-cross-site-scripting/#findComment-486906 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.