I understand about mysql_real_escape_string and such, But what about when i am just sending an email?
So I have form, and a textbox, is there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldnt be able to execute any PHP.. or can they if they run it from a web address? I am not sure.
If it is being sent directly to an email then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc. then it will need to be escaped for both html output and mysql. You can escape mysql using a number of functions:
If using PDO then use prepare statement :
http://php.net/manual/en/pdo.prepare.php
Otherwise I would use :
http://php.net/manual/en/mysqli.real-escape-string.php
That said because Emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in such as <blink> (Which is really annoying) then you can use htmlspecialchars() : http://php.net/manual/en/function.htmlspecialchars.php
If you are worried about Javascript in emails then using htmlspecialchars() noted above will escape this also.
The problem is don't trust a user input. The biggest problem is, when you set the Email adress or BCC from your POST variable. That any email address can be set over the Request.
But its possible to send links or something else to user over your form. For this you should implement a captcha. That a bot cannot send your form with defined values to anyone.
A last solution is a hidden text field in your form. You can hide them with CSS. When the field is not empty you know that a bot has filled them.
But i think its good when you escape your POST vars with htmlspecialchars()
So there are a lot of possibilities to secure a form. You should use not only one of them and trust the user.
Related
I created a php form that uses strip_tags to send mail to the client. The form is not connected to any database.
What are the potential risks of malicious use?
The function strip_tags is used to filter out tags that might otherwise render something on the screen.
So it prevents the use of images, iframes, tables, layout.
This is probably not what you want.
You can however add a second parameter to the function with a list of tags that are allowed so you can still keep the tags you need.
I don't think this is really handy if only you send the emails. If people using your website have the ability to send emails then it might be of help
I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent sql injection. But I am struggling to understand the prevention of XSS.
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean???
Im guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If I was to prevent XSS, do I use htmlspecialchars?
Generally correct, if you are having any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information) you will want to use htmlspecialchars.
For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.
If at any point ever, you plan on redisplaying the information from the DB into a webpage (as mentioned with profiles and the like) you should use htmlspecialchars.
Better safe than sorry I always say - never trust user input
Basically, XSS happens when you are taking the user's input un-sanitized and display in your webpage.
For example: A user inputs
<script>alert('hello you are hacked');</script>
In a text box, and you show this in your webpage after it is registered like
Hello, $username
This suddenly gets turned into
Hello, <script>alert('hello you are hacked');</script>
This is one of the form of XSS
One of a effiecient way to prevent XSS is like this
echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
From what I understand, you only need to prevent XSS if you are
outputting HTML onto the page? What does this mean???
XSS is an attack carried out by the server outputting HTML (in practice, Javascript) to the client when it did not mean to do so (and obviously when that HTML was specially crafted and supplied by a hostile user).
Im guessing that with this register page it doesn't apply because I am
not outputting HTML to the web page? Is that right?
If you are not outputting anything that comes from user input you are safe.
If I was to prevent XSS, do I use htmlspecialchars?
Yes, that is sufficient.
I am trying to create a PHP page for users to send emails to other users in HTML.
On my page (email.php) there is a textarea for user to input their message.
Since I send the email from my server I don't want the user to write malicious code/message content (html, links, php, bad words etc) that will result in my servers email IP getting banned as spam.
I know I can validate by using functions like str_replace() htmlentities() strip_tags() etc
How can I stop the user from entering tags, links etc in textarea so the email is clean when sent. Is there some function to just filter the whole message string if it matches an email body format or a way to convert the message string to just clear text so any malicious links/tags will just show to the user as a href='/link'>malicious link not 'malicous link' and instead of html tags running they just show as the tag itself?
Like gumtree for instance when you send email you get form with textarea for message
thanks for any suggestions
Could you clarify a bit?
From what you've described, strip_tags() then htmlentities() seems sufficient, unless I misunderstand what you are asking. Both functions are not for validation, but filtering.
strip_tags() removes PHP and HTML tags, and htmlentities() will ensure applicable characters are converted to their HTML entity equivalents.
I'd recommend a third-party library like HTML Purifier that uses a white-list approach.
You cannot stop users to insert html tags, not even with javascript. Since almost all browsers have development tools and any html element from any website can be altered after the page is loaded.
You can develop an javascript validation just for eye view, but php validation is a MUST since you cannot limit an user.
Even headers can be modified ... so you need those php filters, as you mentioned above.
My PHP scripts recieves information (from a user submitted form) and sends it (almost) straight away as an email. What kind of sainitization should I do on the data?
I want to know exactly which PHP function to use to sanitize the data.
You need to read up on email injection. Take a look here:
http://www.damonkohler.com/2008/12/email-injection.html
Have a look at PHP Data Filtering. There are a lots of built in php functions which can be used for data validation and sanitization.
You'll want to:
validate the email address
sanitize (or not) HTML tags to avoid XSS attacks
sanitize the e-mail contents to avoid e-mail header injections
What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)
I take the data, sanitize it, print it back to the user and send it in an email to a preset address.
EDIT:
I'm just sending the email to our email address so we can send out a mailing to the address in the email.
Have you looked at the filter functions
e.g http://www.php.net/manual/en/function.filter-var.php
Since you're printing it back to the user, you need to escape any HTML content.
strip_tags()
and
html_special_chars() are quite useful in filtering the message content, especially if you're using html messages.
See also:
How to sanitze user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.
Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.