prevent injection attacks

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

prevent injection attacks

Post by nga »

Hello everyone, I've seen a lot of scripting attacks/cross-site attacks. Is there any way to effectively prevent those attacks? I'm talking about when a user types in <script>...</script> or <iframe...>...</iframe> etc. in a post, and we can effectively echo the code onto the website without actually running the code.

I've used htmlentities to echo the text post as text. However, characters such as ' which I replaced with &rsquo; don't get rendered as a quotation mark...
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: prevent injection attacks

Post by cpetercarter »

If you don't want your users to be able to incorporate HTML or PHP into whatever they submit to your site, then use strip_tags() to remove the tags. There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish, for example, to permit <b> or <i> tags.

If you have stripped out the tags, htmlentities() does not add to the security of the site. But you need to HTML-encode text before you send it to the user's browser, otherwise your web page may not validate.

Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of SQL injection.

I am sure that others will have further tips to add.
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: prevent injection attacks

Post by nga »

cpetercarter wrote:
Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of SQL injection.

I am sure that others will have further tips to add.

I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?

How do I ensure the form submitted comes from my website and not from another site which uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid _POST info (if I use JavaScript to check whether a field is empty)... you know what I mean...
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: prevent injection attacks

Post by alex.barylski »

An OK solution is to strip all tags (strip_tags)... better yet, use an HTML library like Purifier to fully cleanse your code before output or input to the database.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: prevent injection attacks

Post by kaisellgren »

cpetercarter wrote:
There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish, for example, to permit <b> or <i> tags.

strip_tags() with the second parameter specified is fatal in terms of security. Even if you just specify a "b" tag, you are vulnerable to XSS. Don't do it.

+1 for HTML Purifier.

nga wrote:
I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?

Maybe the best idea is to first read this: http://en.wikipedia.org/wiki/Sql_injection and after that, ask here if there's anything unclear.

nga wrote:
How do I ensure the form submitted comes from my website and not from another site which uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid _POST info (if I use JavaScript to check whether a field is empty)... you know what I mean...

Although you may not know it, it's often necessary to make sure the data came from your form (and nowhere else). This prevents CSRF attacks (http://en.wikipedia.org/wiki/Csrf). You need to generate a random token and place it on your form.

As for JavaScript validation, it's useless in terms of security. You need to do the validation server-side, with PHP. Any validation running on the client side is controllable by intruders.
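The point made above about strip_tags() and its allow-list, and the earlier question about echoing a post without running it, are easiest to see side by side. The following is an added example written for this page, not code posted by anyone in the thread; the inputs are constructed and h() is an illustrative helper name.

```php
<?php
// Added example, not from the thread: what strip_tags() with an allow-list
// leaves behind, and encoding the post at output time instead.
// All inputs are constructed; h() is an illustrative helper name.
declare(strict_types=1);

// Encode once, at output, for HTML body and quoted-attribute context.
// ENT_QUOTES covers both quote styles; the charset argument must match the
// page's declared encoding or the browser may decode bytes differently.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$posts = [
    '<script>alert(1)</script>',
    '<iframe src="http://example.com/"></iframe>',
    // The tag is on the allow-list, but strip_tags() keeps its attributes,
    // so the event handler survives and runs on hover.
    '<b onmouseover="alert(document.cookie)">hover me</b>',
    "it's a test",
];

foreach ($posts as $p) {
    $stripped = strip_tags($p, '<b>');   // removes <script> and <iframe> only
    $encoded  = h($p);                   // browser renders the markup as text

    echo "raw:      $p\n";
    echo "stripped: $stripped\n";
    echo "encoded:  $encoded\n\n";
}

// Encode exactly once. Inserting an entity such as &rsquo; into the text and
// then encoding it turns the '&' into &amp;, so the page shows "&rsquo;"
// literally. Let the encoder handle the apostrophe instead.
echo h("don&rsquo;t"), "\n";
echo h("don't"), "\n";
```

Running it shows the <b onmouseover=...> line passing through strip_tags() with its attribute intact, which is the XSS kaisellgren refers to, while the encoded form is inert in every case. The last two lines show why a pre-inserted &rsquo; ends up visible as text: the encoder escapes the ampersand, so the fix is to encode the raw apostrophe once rather than substituting entities beforehand.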
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: prevent injection attacks

Post by nga »

Code:

$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';

$db = new PDO('pgsql:dbname=database');                      // connection as posted
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface driver errors
// Placeholders keep the values out of the SQL text; the driver sends them separately.
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
$priv = $stmt->fetchColumn();   // false when no row matches

So you use the above code to escape SQL injection? What about mysql_real_escape_string?

And seriously, how do you ensure data is submitted from your form? Checking HTTP_REFERER isn't enough. I tried to read about generating a random session key and storing it in a cookie and a hidden field. Is this the way?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: prevent injection attacks

Post by timWebUK »

nga, the way I have implemented mine is by running an AJAX script on body load, which calls a PHP script that generates a random token and stores it in a session. This then gets hard-coded into the form, and a comparison is made before I process/save any POST data.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: prevent injection attacks

Post by jackpf »

What about users with javascript turned off?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: prevent injection attacks

Post by timWebUK »

I just catch the error at the moment and say that the form requires JavaScript. The majority of users browse with JavaScript enabled these days, and if they don't, a huge amount of sites lose most of their functionality.

Once I've finished tweaking it, I'll write a non-JavaScript form token method, which will be invoked if a user has JavaScript disabled.
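The token approach kaisellgren describes, and the session-stored token timWebUK implements via AJAX, can be done with no JavaScript at all by rendering the token into the form server-side, which also answers the question about users who have it disabled. The following is an added example for this page, not timWebUK's or anyone else's posted code. It assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types); the field name csrf_token and the action form.php are illustrative.

```php
<?php
// Added example, not the thread's code: a server-side CSRF token with no
// JavaScript dependency. Assumes PHP 7.1+; names (csrf_token, form.php)
// are illustrative.
declare(strict_types=1);
session_start();

// One token per session, from a CSPRNG. The hidden field carries a copy; the
// session holds the authoritative value the attacker's site cannot read.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy. A missing session token
// or a non-string submission fails closed.
function csrf_check(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }

    // Server-side validation runs regardless of any client-side check,
    // because the client can skip or alter JavaScript freely.
    $comment = trim((string) ($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 2000) {
        http_response_code(400);
        exit('Comment is required and must be under 2000 characters.');
    }

    echo 'Accepted: ', htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token in a hidden field. No script needed.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="form.php">
  <input type="hidden" name="csrf_token" value="$token">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
HTML;
```

A cross-site page can make the victim's browser POST to form.php, but it cannot read the token out of the victim's session or out of a page served to the victim, so the hidden field it submits will not match and the request is rejected before any POST data is processed. The check in csrf_check() is what matters; the AJAX step in timWebUK's version only changes how the token reaches the form.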
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: prevent injection attacks

Post by kaisellgren »

@nga: PDO will take care of the escaping routine.
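To make the difference between mysql_real_escape_string() and a PDO prepared statement concrete, the login query nga posted can be built three ways and run against a constructed hostile username. This is an added example for this page, not code from the thread; it uses an in-memory SQLite database through PDO so it runs without a database server (the pdo_sqlite extension is assumed to be present), and PDO::quote() stands in for the driver-level escaping that mysql_real_escape_string() performs for the old mysql extension. The table, row and attacker input are made up for the demonstration.

```php
<?php
// Added example, not from the thread: the posted login query built three ways,
// run against an in-memory SQLite database so it executes with no server.
// The table, row and attacker input are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, keeps the values apart from the query text.

$db->exec("CREATE TABLE testUsers (username TEXT, password TEXT, priv TEXT)");
// Plaintext password only to mirror the thread's query; real code stores
// password_hash() output and compares with password_verify().
$db->exec("INSERT INTO testUsers VALUES ('admin', 'correct-horse', 'admin')");

$user = "admin' OR '1'='1";   // constructed attacker input
$pass = 'wrong-password';

// 1. Concatenation: the quote in $user closes the literal and the injected
//    OR makes the WHERE clause true for the admin row despite the wrong password.
function login_concat(PDO $db, string $user, string $pass)
{
    $sql = "SELECT priv FROM testUsers WHERE username='$user' AND password='$pass'";
    return $db->query($sql)->fetchColumn();
}

// 2. Escaping via the driver (PDO::quote(), the counterpart of
//    mysql_real_escape_string()). It is only correct because the value sits in a
//    quoted string literal: an unquoted number (WHERE id=$id) stays injectable
//    after escaping, and one forgotten call anywhere is a hole. Note that
//    PDO::quote() adds the surrounding quotes itself.
function login_escaped(PDO $db, string $user, string $pass)
{
    $sql = "SELECT priv FROM testUsers WHERE username=" . $db->quote($user)
         . " AND password=" . $db->quote($pass);
    return $db->query($sql)->fetchColumn();
}

// 3. Prepared statement: the values are bound as parameters and are never
//    parsed as SQL, so there is nothing to escape and nothing to forget.
function login_prepared(PDO $db, string $user, string $pass)
{
    $stmt = $db->prepare(
        "SELECT priv FROM testUsers WHERE username=:username AND password=:password"
    );
    $stmt->bindValue(':username', $user, PDO::PARAM_STR);
    $stmt->bindValue(':password', $pass, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn();
}

var_dump(login_concat($db, $user, $pass));
var_dump(login_escaped($db, $user, $pass));
var_dump(login_prepared($db, $user, $pass));
```

Run as-is, the concatenated query returns the admin row's priv value even though the password is wrong, while the escaped and the prepared versions both return false because no user is literally named "admin' OR '1'='1". The escaped form works here, but only for values placed inside quotes and only if every query in the code base remembers to call it; prepared statements remove that per-query dependence, which is what "PDO will take care of the escaping routine" amounts to. The mysql extension that provided mysql_real_escape_string() was removed in PHP 7, so PDO or mysqli with bound parameters is the route for current code.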