I watched a php login tutorial on a commercial platform where it is advised to use htmlentities() on a password string which is given via POST-Method.
As the password is never displayed isn't it wrong to use this function as it alters the password which was entered by the user? I know that this will only affect html codes but is it really non-safe to not use the function as the password is never displayed?
The one and only time you use htmlentities for anything is if and when you're outputting data into HTML, right then and there. E.g.:
<p><?php echo htmlentities($data); ?></p>
In any other context HTML entities are generally useless* and will only garble/change/destroy your data. Indeed, using it on a password, probably nowhere near any HTML context, is highly suspect.
* Yes, you can probably find some specialised use case somewhere…
Related
I'm using PHPMailer to send emails.
Now, we all know we need to always check user input.
But how about the subject and body of emails? (so i do not mean the emailadress)
What does need to be sanitized and how to do it? What are the (major) vulnerability's?
Should i'll use something like HTMLPurifier for this? Because i want the user to be able to markup there emails. Or should i'll use/write a BB-code function what can be used?
Update:
For mail body:
I now use htmlspecialchars with ent_quotes flag on. After this ill run a BB-code (jBBCode) parser over the message. This one looks safe now.
For subject:
I do not use any validation/sanitizing/etc. (exept min and max strlen) on the subject field.
Tested with some javascript but it looks like it's all okay.
Can i assume this is safe now? (P.s. the code does not get printed anywhere else than in the email.)
Yes, you need to clean user input before sending. HTMLPurifier and HTMLawed make a fair job of sanitising, but need to be tuned to not block out useful stuff - both err on the side of caution. BBCode or markdown do make things much easier to filter, so long as you don't need to do intricate layouts.
You can use
<?php
filter_var($body, FILTER_SANITIZE_FULL_SPECIAL_CHARS)
to help protect against special characters also you can use RAW such as
<?php
filter_var($body, FILTER_SANITIZE_RAW, FILTER_FLAG_ENCODE_HIGH)
Full details can be found here -> https://secure.php.net/manual/en/function.filter-var.php
I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
I have a form with 2 textareas; the first one allows user to send HTML Code, the second allows to send CSS Code. I have to verify with a PHP function, if the language is correct.
If the language is correct, for security, i have to check that there is not PHP code or SQL Injection or whatever.
What do you think ? Is there a way to do that ?
Where can I find this kind of function ?
Is "HTML Purifier" http://htmlpurifier.org/ a good solution ?
If you have to validate the date to insert them in to database - then you just have to use mysql_real_escape_string() function before inserting them in to db.
//Safe database insertion
mysql_query("INSERT INTO table(column) VALUES(".mysql_real_escape_string($_POST['field']).")");
If you want to output the data to the end user as plain text - then you have to escape all html sensitive chars by htmlspecialchars(). If you want to output it as HTML, the you have to use HTML Purify tool.
//Safe plain text output
echo htmlspecialchars($data, ENT_QUOTES);
//Safe HTML output
$data = purifyHtml($data); //Or how it is spiecified in the purifier documentation
echo $data; //Safe html output
for something primitive you can use regex, BUT it should be noted using a parser to fully-exhaust all possibilities is recommended.
/(<\?(?:php)?(.*)\?>)/i
Example: http://regexr.com?2t3e5 (change the < in the expression back to a < and it will work (for some reason rexepr changes it to html formatting))
EDIT
/(<\?(?:php)?(.*)(?:\?>|$))/i
That's probably better so they can't place php at the end of the document (as PHP doesn't actually require a terminating character)
SHJS syntax highlighter for Javascript have files with regular expressions http://shjs.sourceforge.net/lang/ for languages that highlights — You can check how SHJS parse code.
HTMLPurifier is the recommended tool for cleaning up HTML. And as luck has it, it also incudes CSSTidy and can sanitize CSS as well.
... that there is not PHP code or SQL Injection or whatever.
You are basing your question on a wrong premise. While HTML can be cleaned, this is no safeguard against other exploitabilies. PHP "tags" are most likely to be filtered out. If you are doing something other weird (include-ing or eval-ing the content partially), that's no real help.
And SQL exploits can only be prevented by meticously using the proper database escape functions. There is no magic solution to that.
Yes. htmlpurifier is a good tool to remove malicious scripts and validate your HTML. Don't think it does CSS though. Apparently it works with CSS too. Thanks Briedis.
Ok thanks you all.
actually, i realize that I needed a human validation. Users can post HTML + CSS, I can verify in PHP that the langage & the syntax are correct, but it doesn't avoid people to post iframe, html redirection, or big black div that take all the screen.
:-)
I've a problem of character encoding in php, so this's the php code:
n_event=$_GET['ndlann'];
$nom_complet=htmlentities(stripslashes($_POST['nom']));
$email_comment=htmlentities(stripslashes($_POST['email']));
$titre_comment=htmlentities(stripslashes($_POST['titre']));
$texte_comment=htmlentities(stripslashes(nl2br($_POST['commentaire'])));
$pays_comment=$_POST['pays'];
$date_ajout=date('Y/m/d');
Data will be added in a database table , you see that this data comes from a comments form,
so when the user enters some comments with orient languages carachters (arabic,hebrew...etc), the input data will change to something like :
Ø´Ù�را عÙ�Ù� اÙ�Ù�Ù�ضÙ�Ø
I tried to delete the htmlentities method and that works fine , but does start another problem of comments form security (js scripts will be executed)
What can I do with this situation?
and thanks
Do not use htmlentities() ever.
This function has been obsoleted long time ago.
Use htmlspecialchars() instead.
you have also bunch of nonsense in your code
doing htmlentities(nl2br(*)) has no sense.
make stripslashes conditional, only if magic quotes are set on.
there is a possible problem with pays field.
I am also afraid that you're taking htmlentities as some sort of SQL escaing function. Am I right?
In my opinion, and according to the PHP doc, the accepted answer is not correct.
Nowhere it is written that this function has been deprecated.
If you set correctly the third argument of the function, called $encoding, it will solve your problem.
I hope this helps.
One guy tried to exploit it using this script
http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E
How do i stop it ?
And he also said that it is vulnerable to XSS and LPI...Please help me stop it.
Thanking You,
You need to HTML-encode all user-entered data that you output, including the user's search string.
To be safe, HTML-encode all values that are not explicitly meant to be HTML code.
The quick solution is to:
<?php echo htmlspecialchars($blah); ?>
instead of
<?php echo $blah; ?>
The long solution is to read a book on web site security.
Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?
Something along the lines of "Your search of 'something' returned 0 results"?
You need to encode any user entered data before displaying it.