Hy!
So I'm learning PHP on w3schools and I came across this site: http://www.w3schools.com/php/php_form_validation.asp
At the end of the page there's a 2. point that says you should
"Remove backslashes () from the user input data (with the PHP
stripslashes() function)"
I don't understand what's the purpose of that. May somebody please explain?
Thank you in advance!
The benefit to removing quotations and backslashes is to prevent either deliberate or unintended SQL injection.
Not sure what mySQL injection is?
http://php.net/manual/en/security.database.sql-injection.php
Related
Hi on my php project The user send the name of the theme (it's a telegram desktop theme maker) via form input.
(The project is hosted on github Github Project)
The problem is:
I use this in the theme name the user could potentially access any folder on the serve.
I tried to correct it with this commit : Github commit
$theme_name = str_replace("/", "_badyou_", $_GET["name"]); //contains the good themename
I need the just the name so I thought that eliminating the "/" is enough.
But I need the opinion of someone who actually knows php better than me.
P.S sorry for my bad english.
Thank you in advance.
Well, it seems you are trying to protect your code against code injection attacks. Code injection allows the attacker to force execution of malicious code. This can be done by passing malicious code in the url. See this link for more information: https://www.owasp.org/index.php/Code_Injection. See also this link: http://www.derby-web-design-agency.co.uk/blog-post/what-is-and-how-to-prevent-url-injections-in-php/11/
To prevent code injection, the developer should validate all input sent to the application. Php provide several functions for validating and sanitizing data. For example: trim(), strip_tags(), htmlentities() and mysqli_real_escape_string()
In the past days I saw that using the following code is enough.
$theme_name = str_replace("/", "_badyou_", $_GET["name"]); //contains the good themename
$theme_name is used for creation of the file like /dir_to_folder/$theme_name/$theme_name.tdesktop-theme
Someone already tried to attack my file system and they failed because the function is changing the "/" character with "badyou" making it inoffensive. That is possible also because I don't use a database.
I hope that this will help someone.
In my site's administration area, I have been using mysqli_real_escape_string when retrieving form input that goes into the database. It works fine but I realize that it does not prevent script injections. I mean I can pass through scripts like:
<script>alert('hello');</script>
What do I use in addition to this to prevent a malicious admin from injecting some nasty stuff?
htmlentities()?
strip_tags()?
htmlspecialchars()?
What is the proper way to sanitize form input in back-end forms where html is not required for input data? I am confused?
htmlentities() and htmlspecialchars() are used when you're outputting data. Encoding and escaping are different.
If you don't want HTML, my recommendation would be to use strip_tags() to clean it of any HTML tags and use html* when you're outputting the content.
Also, you might consider switching to MySQL PDO. This is a much more preferred and secure way of running your queries.
The term you are looking for is Cross Site Scripting or XSS for short. Searching for that should give you plenty of resources, such as this question right here on StackOverflow.
The proper answer is highly dependent on your application.
Many administration systems need a way for admins to manipulate HTML. But some HTML is more dangerous than others.
As JohnP said, strip_tags() can be handy, since the second parameter allows you to explicitly allow certain, harmless tags (like or ), while stripping out anything else (like or )
If you need more sophistication than that, you'll need to do a more careful analysis and come up with a solution tailored to your needs. (Hint: If that solution involves using regular expressions to match HTML tags, you probably want to take a step back)
You should use htmlentities() .
You can use magic_quotes function to sanitize if you're using php 4 or less php 5.2 or less.
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better to provide a web form. Not the link to the question that contains a code that can be presumed as this form's handler.
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
What are the best practices for avoid xss attacks in a PHP site
I need to prevent XSS attacks in PHP code, is there nay good and easy library for this?
Security is not a product. It's a process.
If you rely on a library for security you're doomed to being attacked one time or another.
Anyway, you could sanitize your inputs with standard php functions (i.e. htmlspecialchars())
There are lots of PHP functions that can assist you in preventing XSS attacks. Take a look at these:
strip_tags
http://php.net/manual/en/function.strip-tags.php
htmlspecialchars
http://php.net/manual/en/function.htmlspecialchars.php
Theres alot of good answers on google, first one I found; http://codeassembly.com/How-to-sanitize-your-php-input/
My main advice would be to consider every input as a direct attack.
So convert to html characters. Add slashes.
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
htmlspecialchars()
I run a website (sorta like a social network) that I wrote myself. I allow the members to send comments to each other. In the comment; i take the comment and then call this line before saving it in db..
$com = htmlentities($com);
When I want to display it; I call this piece of code..
$com = html_entity_decode($com);
This works out well most of the time. It allows the users to copy/paste youtube/imeem embed code and send each other videos and songs. It also allows them to upload images to photobucket and copy/paste the embed code to send picture comments.
The problem I have is that some people are basically putting in javascript code there as well that tends to do nasty stuff such as open up alert boxes, change location of webpage and things like that.. I am trying to find a good solution to solving this problem once and for all.. How do other sites allow this kind of functionality?
Thanks for your feedback
First: htmlentities or just htmlspecialchars should be used for escaping strings that you embed into HTML. You shouldn't use it for escaping string when you insert them into a SQL query - Use mysql_real_escape_string (For MySql) or better yet - use prepared statements, which have bound parameters. Make sure that magic_quotes are turned off or disabled otherwise, when you manually escape strings.
Second: You don't unescape strings when you pull them out again. Eg. there is no mysql_real_unescape_string. And you shouldn't use stripslashes either - If you find that you need, then you probably have magic_quotes turned on - turn them off instead, and fix the data in the database before proceeding.
Third: What you're doing with html_entity_decode completely nullifies the intended use of htmlentities. Right now, you have absolutely no protection against a malicious user injecting code into your site (You're vulnerable to cross site scripting aka. XSS). Strings that you embed into a HTML context, should be escaped with htmlspecialchars (or htmlentities). If you absolutely have to embed HTML into your page, you have to run it through a cleaning-solution first. strip_tags does this - in theory - but in practise it's very inadequate. The best solution I currently know of, is HtmlPurifier. However, whatever you do, it is always a risk to let random user embed code into your site. If at all possible, try to design your application such that it isn't needed.
I so hope you are scrubbing the data before you send it to the database. It sounds like you are a prime target for a SQl injection attack. I know this is not your question, but it is something that you need to be aware of.
Yes, this is a problem. A lot of sites solve it by only allowing their own custom markup in user fields.
But if you really want to allow HTML, you'll need to scrub out all "script" tags. I believe there are libraries available that do this. But that should be sufficient to prevent JS execution in user-entered code.
This is how Stackoverflow does it, I think, over at RefacterMyCode.
You may want to consider Zend Filter, it offers a lot more than strip_tags and you do not have to include the entire Zend Framework to use it.