This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 7 years ago.
I know this type of question is not generally allowed, but I cannot find an answer anywhere.
Is SQL injection protection necessary even if you're not using databases/MySQL?
If I have a basic mail form in PHP that sends things to my email do I need to protect that form?
If you're not using a database then no, you don't need to protect against attacks that exploit database queries. Emails have a whole set of exploits of their own and I recommend using a library such as phpmailer or swiftmailer which will help with this. Either way, you should always verify that the data submitted from the form is in the format you expect it to be.
You need XSS protection for mail forms. You don't want a user being able to inject javascript and such into an email. A simple way to prevent XSS is to use htmlentities() to disallow HTML tags such as <script>..</script> in the user input. htmlentities converts a tag like <script> to <script>
Related
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 2 years ago.
I need to implement a logic where the user sends some content (it can be just a string but also can be part of HTML markup), we store that info to a database, and at some period of time, we replace the base email template placeholder with that data and sending that email.
And there is a chance that data sent by the user can contain some HTML/XSS injections. How can we efficiently validate the data before storing it to the database???
Against XSS injection you can use htmlspecialchars in general, however, we know that you intend to allow HTML to be sent, so your validation will have to check against the presence of <script. If that's present in your input, then you should render it invalid. Now, there is another way of providing Javascript in HTML, that is, inline Javascript, being the values of onclick, onhover and so on. I would advise to make sure that, if such an event handler is present between the < and > of a tag, then simply render the input invalid.
Now, you have also mentioned HTML injection, that is, some HTML is injected which causes undesirable behavior. However, due to the fact that you welcome HTML in the input, distinguishing between "bad HTML injection" and "good HTML injection" can be decided by:
checking the validity of the html you get
checking against any problems that the HTML might cause in your application
The first criteria is easy to determine, read the link, the second criteria depends on business logic. That HTML might ruin your design, for example, if there are some expectations for it, so you need to lay down the foundations of what you expect in terms of HTML.
And also, since we are speaking about security, make sure you protect your database against SQL injection as well.
This question already has answers here:
How to output HTML but prevent XSS attacks
(2 answers)
Closed 4 years ago.
I have comment system based on the forms and PHP catching POST. I'm trying to make some sort of formatting (bold, underscrores, italic...) but I'm using XSS protection: htmlspecialchars().
How to tell PHP not to parse and other tags? Is any JS editor which can edit text and send it as textarea?
Probably the safest way is to settle for something like markdown for the simple formatting and then convert that to HTML at the point of output.
If you want to use actual HTML, I would go for a whitelist approach of tags that you want to keep and using strip_tags with that whitelist as a first approach to it. Although using another format like markdown is probably the safer variant.
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?
PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.
Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.
If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/
In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.
My PHP scripts recieves information (from a user submitted form) and sends it (almost) straight away as an email. What kind of sainitization should I do on the data?
I want to know exactly which PHP function to use to sanitize the data.
You need to read up on email injection. Take a look here:
http://www.damonkohler.com/2008/12/email-injection.html
Have a look at PHP Data Filtering. There are a lots of built in php functions which can be used for data validation and sanitization.
You'll want to:
validate the email address
sanitize (or not) HTML tags to avoid XSS attacks
sanitize the e-mail contents to avoid e-mail header injections
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
What are the best practices for avoid xss attacks in a PHP site
I need to prevent XSS attacks in PHP code, is there nay good and easy library for this?
Security is not a product. It's a process.
If you rely on a library for security you're doomed to being attacked one time or another.
Anyway, you could sanitize your inputs with standard php functions (i.e. htmlspecialchars())
There are lots of PHP functions that can assist you in preventing XSS attacks. Take a look at these:
strip_tags
http://php.net/manual/en/function.strip-tags.php
htmlspecialchars
http://php.net/manual/en/function.htmlspecialchars.php
Theres alot of good answers on google, first one I found; http://codeassembly.com/How-to-sanitize-your-php-input/
My main advice would be to consider every input as a direct attack.
So convert to html characters. Add slashes.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
htmlspecialchars()