We Keep Coding

Formatting comments PHP with XSS security [duplicate]

This question already has answers here:
How to output HTML but prevent XSS attacks
(2 answers)
Closed 4 years ago.
I have comment system based on the forms and PHP catching POST. I'm trying to make some sort of formatting (bold, underscrores, italic...) but I'm using XSS protection: htmlspecialchars().
How to tell PHP not to parse and other tags? Is any JS editor which can edit text and send it as textarea?

Probably the safest way is to settle for something like markdown for the simple formatting and then convert that to HTML at the point of output.
If you want to use actual HTML, I would go for a whitelist approach of tags that you want to keep and using strip_tags with that whitelist as a first approach to it. Although using another format like markdown is probably the safer variant.

What protection is needed for PHP mail scripts? [duplicate]

This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 7 years ago.
I know this type of question is not generally allowed, but I cannot find an answer anywhere.
Is SQL injection protection necessary even if you're not using databases/MySQL?
If I have a basic mail form in PHP that sends things to my email do I need to protect that form?

If you're not using a database then no, you don't need to protect against attacks that exploit database queries. Emails have a whole set of exploits of their own and I recommend using a library such as phpmailer or swiftmailer which will help with this. Either way, you should always verify that the data submitted from the form is in the format you expect it to be.

You need XSS protection for mail forms. You don't want a user being able to inject javascript and such into an email. A simple way to prevent XSS is to use htmlentities() to disallow HTML tags such as <script>..</script> in the user input. htmlentities converts a tag like <script> to <script>

Validate Form Data With PHP - w3schools

Hy!
So I'm learning PHP on w3schools and I came across this site: http://www.w3schools.com/php/php_form_validation.asp
At the end of the page there's a 2. point that says you should
"Remove backslashes () from the user input data (with the PHP
stripslashes() function)"
I don't understand what's the purpose of that. May somebody please explain?
Thank you in advance!

The benefit to removing quotations and backslashes is to prevent either deliberate or unintended SQL injection.
Not sure what mySQL injection is?
http://php.net/manual/en/security.database.sql-injection.php

How do I filter out Dangerous HTML like SO does? [duplicate]

This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?

PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.

Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.

If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/

In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.

Sanitizing Form Input for administrators

In my site's administration area, I have been using mysqli_real_escape_string when retrieving form input that goes into the database. It works fine but I realize that it does not prevent script injections. I mean I can pass through scripts like:
<script>alert('hello');</script>
What do I use in addition to this to prevent a malicious admin from injecting some nasty stuff?
htmlentities()?
strip_tags()?
htmlspecialchars()?
What is the proper way to sanitize form input in back-end forms where html is not required for input data? I am confused?

htmlentities() and htmlspecialchars() are used when you're outputting data. Encoding and escaping are different.
If you don't want HTML, my recommendation would be to use strip_tags() to clean it of any HTML tags and use html* when you're outputting the content.
Also, you might consider switching to MySQL PDO. This is a much more preferred and secure way of running your queries.

The term you are looking for is Cross Site Scripting or XSS for short. Searching for that should give you plenty of resources, such as this question right here on StackOverflow.

The proper answer is highly dependent on your application.
Many administration systems need a way for admins to manipulate HTML. But some HTML is more dangerous than others.
As JohnP said, strip_tags() can be handy, since the second parameter allows you to explicitly allow certain, harmless tags (like or ), while stripping out anything else (like or )
If you need more sophistication than that, you'll need to do a more careful analysis and come up with a solution tailored to your needs. (Hint: If that solution involves using regular expressions to match HTML tags, you probably want to take a step back)

You should use htmlentities() .

You can use magic_quotes function to sanitize if you're using php 4 or less php 5.2 or less.