I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.
http://mysite.com/processget.phtml?search=Hacked
I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.
For ex.The user should only be able to enter
http://mysite.com/processget.phtml?search=A123123+*$
So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.
if (!empty($_GET['search'])) {
$search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
echo $search;
}
Now it's safe.
But if you want to limit to specific symbols, then you need to use regular expressions.
You can let a user enter whatever you like; the key is to escape the output. Then the string is displayed as desired, rather than included as HTML.
Use a php function like htmlentities
Strip the tags:
echo strip_tags($_GET['search']);
Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended:
echo htmlspecialchars($_GET['search']);
Related
I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
If you were not using a database with your application, but you do 'echo' or use a $_POST or $_GET variable in your code, do we need to escape them?
Like:
if(isset($_GET['test']){
echo $_GET['test'];
}
or
function math(){
if(isset($_GET['number'],$_GET['numberr']){
return $_GET['number']*$_GET['numberr'];
}
return null;
}
Even if you use a database you need to escape or sanitize them before printing. Someone could sneak in stray HTML like <b> that will make your whole page bold, or <script>alert('hello');</script> that will run Javascript.
echo htmlspecialchars($_GET['test']);
This will replace all your < with < and > with > so that the HTML will be treated as text rather than HTML and will not mess up your page.
You should escape them. Also you should use regual expressions to limit the variable content, and to prevent "unintended" characters.
EDIT: Sry to post this as an answer, i am currently not allowed to comment to questions.
I have an input which allows users to enter text, which is then sent using PHP to another page, where it is stored in a database. I have done some simple validation ( checking if the input wasn't empty), and that works pretty well. However, I found out that I can type in HTML tags, such as
<p>
and it bypasses that validation and also messes up the input.
How can I check if the input contained HTML tags, and if so, return an error?
You can simply use htmlspecialchars, or strip_tags before inserting into database.
You can also use mysqli_real_escape_string or PDO::quote to secure strings
To check try this:
if( preg_match('#^<.>.+</.>$#', $your_value) ){
echo "NOT GOOD"; // and some error too
}
You could do this:
<input type='text' pattern='[a-zA-Z0-9]+'>
That ensures only letters and numbers can go in and wont submit if anything else is inside the input.
However, this is only good client side and will only work for IE9+
This is also not the best method for validation if someone knows what they're doing. All they have to do is go into the source code to take out the pattern attribute, but for those who don't know, it will be fine.
For the PHP, you can use strip_tags(). Found here
In my register form, if user disable javacript validation for registeration form and try to insert value <script>alert("hacked")</script> then this value is inserting to in my database table.
Can you please assist me how can I secure my application from that type problem?
Thanks.
When you display data that has been provided by the user, you should use htmlentities() to ensure that any HTML tags get display literally, rather than being rendered by the browser.
Well mysql have REPLACE() function for this.
But in your case you can use strip_tags which will escape all the html tags.
$name = strip_tags($_REQUEST['name']);
If you dont want any special character to be inserted
echo strip_tags(str_replace(array('"','/','(','*',':','=','^','#',';'),'',$name);
This will treat all the remaining as string.
For reference see Manual
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>