One guy tried to exploit it using this script
http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E
How do i stop it ?
And he also said that it is vulnerable to XSS and LPI...Please help me stop it.
Thanking You,
You need to HTML-encode all user-entered data that you output, including the user's search string.
To be safe, HTML-encode all values that are not explicitly meant to be HTML code.
The quick solution is to:
<?php echo htmlspecialchars($blah); ?>
instead of
<?php echo $blah; ?>
The long solution is to read a book on web site security.
Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?
Something along the lines of "Your search of 'something' returned 0 results"?
You need to encode any user entered data before displaying it.
Related
I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
So I'm trying to do something extremely simple, and after reading through forums, and researching on google I still can't figure out why this is not working. But this is mostly like because I'm still a very much noobie programmer. I'm trying to send information through a url, and having a script pick it up using the $_GET super global.
Here's the link code, in a file called TESTFORM.php:
<p>
Here's a link:
ID
</p>
This is the TESTGET.php script:
<?php
if (isset($_GET['id']))
echo 'it is set<br />';
else
echo 'it is not set<br />';
?>
This yields in a "It is not set" appearing on the page every time. Any thoughts? Are there ghosts in my computer ruining my code? Thanks for taking the time to read through this! Happy coding!
I'm no PHP programmer, but I do know from HTML that computers (especially file names) don't "like" spaces. Try removing the spaces in the id = 5 code.
Your problem is the extraneous space here around the URL parameters:
ID
That will result in PHP seeing the parameter as $_GET["id_"]. The space gets converted into an underscore.
It's always best to use var_dump($_GET); or var_dump($_REQUEST) when you run into such problems. Secondarily it is sometimes helpful to get rid of isset in such cases. Albeit you have a custom error message in place of the language notices intended just for that.
Have you tried to remove spaces in your link?
ID
Code seems fine at a glance, have you tried removing the spaces in
?id = 5 to ?id=5
I have a form with 2 textareas; the first one allows user to send HTML Code, the second allows to send CSS Code. I have to verify with a PHP function, if the language is correct.
If the language is correct, for security, i have to check that there is not PHP code or SQL Injection or whatever.
What do you think ? Is there a way to do that ?
Where can I find this kind of function ?
Is "HTML Purifier" http://htmlpurifier.org/ a good solution ?
If you have to validate the date to insert them in to database - then you just have to use mysql_real_escape_string() function before inserting them in to db.
//Safe database insertion
mysql_query("INSERT INTO table(column) VALUES(".mysql_real_escape_string($_POST['field']).")");
If you want to output the data to the end user as plain text - then you have to escape all html sensitive chars by htmlspecialchars(). If you want to output it as HTML, the you have to use HTML Purify tool.
//Safe plain text output
echo htmlspecialchars($data, ENT_QUOTES);
//Safe HTML output
$data = purifyHtml($data); //Or how it is spiecified in the purifier documentation
echo $data; //Safe html output
for something primitive you can use regex, BUT it should be noted using a parser to fully-exhaust all possibilities is recommended.
/(<\?(?:php)?(.*)\?>)/i
Example: http://regexr.com?2t3e5 (change the < in the expression back to a < and it will work (for some reason rexepr changes it to html formatting))
EDIT
/(<\?(?:php)?(.*)(?:\?>|$))/i
That's probably better so they can't place php at the end of the document (as PHP doesn't actually require a terminating character)
SHJS syntax highlighter for Javascript have files with regular expressions http://shjs.sourceforge.net/lang/ for languages that highlights — You can check how SHJS parse code.
HTMLPurifier is the recommended tool for cleaning up HTML. And as luck has it, it also incudes CSSTidy and can sanitize CSS as well.
... that there is not PHP code or SQL Injection or whatever.
You are basing your question on a wrong premise. While HTML can be cleaned, this is no safeguard against other exploitabilies. PHP "tags" are most likely to be filtered out. If you are doing something other weird (include-ing or eval-ing the content partially), that's no real help.
And SQL exploits can only be prevented by meticously using the proper database escape functions. There is no magic solution to that.
Yes. htmlpurifier is a good tool to remove malicious scripts and validate your HTML. Don't think it does CSS though. Apparently it works with CSS too. Thanks Briedis.
Ok thanks you all.
actually, i realize that I needed a human validation. Users can post HTML + CSS, I can verify in PHP that the langage & the syntax are correct, but it doesn't avoid people to post iframe, html redirection, or big black div that take all the screen.
:-)
I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.
http://mysite.com/processget.phtml?search=Hacked
I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.
For ex.The user should only be able to enter
http://mysite.com/processget.phtml?search=A123123+*$
So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.
if (!empty($_GET['search'])) {
$search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
echo $search;
}
Now it's safe.
But if you want to limit to specific symbols, then you need to use regular expressions.
You can let a user enter whatever you like; the key is to escape the output. Then the string is displayed as desired, rather than included as HTML.
Use a php function like htmlentities
Strip the tags:
echo strip_tags($_GET['search']);
Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended:
echo htmlspecialchars($_GET['search']);