prevent injection attacks
Hello everyone, I've seen a lot of scripting attacks/cross-site attacks. Is there any way to effectively prevent those attacks? I'm talking about if a user types in <script>...</script> or <iframe...>...</iframe> etc. in a post, can we effectively echo the code onto the website without actually running the code?
I've used htmlentities to echo the text post as text. However, characters such as ' which I replaced with ’ don't get rendered as a quotation...
- cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: prevent injection attacks
If you don't want your users to be able to incorporate html or php into whatever they submit to your site, then use strip_tags() to remove the tags. There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish for example to permit <b> or <i> tags.
If you have stripped out the tags, htmlentities() does not add to the security of the site. But you need to html-encode text before you send it to the user's browser, otherwise your web page may not validate.
Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of sql injection.
I am sure that others will have further tips to add.
Re: prevent injection attacks
cpetercarter wrote: Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of sql injection.
I am sure that others will have further tips to add.
I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?
How do I ensure the submitted form came from my website and not from another site that uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid _POST info (if JavaScript is used to check whether a field is empty)... you know what I mean...
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: prevent injection attacks
An OK solution is to strip all tags (strip_tags)... better yet, use an HTML library like Purifier to fully cleanse your code before output or input to the database.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: prevent injection attacks
cpetercarter wrote: There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish for example to permit <b> or <i> tags.
strip_tags() with the second parameter specified is fatal in terms of security. Even if you just specify a "b" tag, you are vulnerable to XSS. Don't do it.
+1 for HTML Purifier.
nga wrote: I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?
Maybe the best idea is to first read this: http://en.wikipedia.org/wiki/Sql_injection and after that, ask here if there's anything unclear.
nga wrote: How do I ensure the submitted form came from my website and not from another site that uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid _POST info (if JavaScript is used to check whether a field is empty)... you know what I mean...
Although you may not know, it's often necessary to make sure the data came from your form (and nowhere else). This prevents CSRF attacks (http://en.wikipedia.org/wiki/Csrf). You need to generate a random token and place it on your form.
As for Javascript validation, it's useless in terms of security. You need to do the validation server-side, with PHP. Any validation running on the client-side is controllable by intruders.
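The following is an added example, not code from anyone in this thread. It shows the two points made above in running PHP: strip_tags() with an allow-list keeps the permitted element together with any attributes on it, so an event-handler attribute survives, while htmlspecialchars() with ENT_QUOTES turns the opening post's <script>/<iframe> input into text and encodes the apostrophe as &#039;, which the browser renders as a normal quote. The sample posts are constructed here; the function names are my own.

```php
<?php
// Added example: why strip_tags() with permitted tags is not an XSS defence,
// and how to echo user-supplied text so that markup is displayed, not executed.

// Constructed sample posts, the kind of input described in the opening question.
$posts = [
    '<script>alert(document.cookie)</script>',
    '<iframe src="http://evil.example/"></iframe>',
    '<b onmouseover="alert(1)">bold?</b>',      // permitted tag, hostile attribute
    "It's a 'quoted' string & <not a tag>",
];

// 1. strip_tags() with an allow-list keeps the whole <b ...> start tag,
//    attributes included, so the onmouseover handler reaches the browser intact.
function unsafeStrip(string $text): string
{
    return strip_tags($text, '<b><i>');
}

// 2. Encode for an HTML text node or attribute value. ENT_QUOTES encodes both
//    ' and " (as &#039; and &quot;), ENT_SUBSTITUTE replaces invalid UTF-8
//    instead of returning an empty string. Nothing here is ever parsed as a tag.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($posts as $p) {
    echo 'input:      ', $p, PHP_EOL;
    echo 'strip_tags: ', unsafeStrip($p), PHP_EOL;   // 3rd post comes back unchanged
    echo 'escaped:    ', escapeHtml($p), PHP_EOL, PHP_EOL;
}
```

Encode at output time, for the context the text lands in (HTML body here; a URL or a JavaScript string needs a different encoder). If some formatting must be allowed, that is the job of a parser-based filter such as HTML Purifier, as suggested above, not of strip_tags().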
Re: prevent injection attacks
Code:
$db = new PDO('pgsql:dbname=database');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// named placeholders: the user-supplied values never become part of the SQL text
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
And seriously, how do you ensure data is submitted from your form? Checking HTTP_REFERER isn't enough. I tried to read about generating a random session key and storing it in a cookie and hidden field. Is this the way?
Re: prevent injection attacks
nga, the way I have implemented mine is by running an AJAX script on the body load, which calls a PHP script that generates a random token and stores it in a session. This then gets hard-coded into the form and a comparison is made before I process/save any POST data.
Re: prevent injection attacks
What about users with javascript turned off?
Re: prevent injection attacks
I just catch the error at the moment and say the form requires JavaScript. The majority of users browse with JavaScript enabled these days, and if they don't, a huge amount of sites lose most of their functionality.
Once I've finished tweaking it, I'll write a non-JavaScript form token method, which will be invoked if a user has JavaScript disabled.
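Here is an added example of the token scheme discussed above, done without JavaScript; it is my own code, not the poster's implementation. The token is generated server-side, kept in the PHP session and copied into a hidden field when the form is rendered, so a page on another site can trigger a POST to processform.php but cannot read the session to supply the matching value. The field name csrf_token and the single per-session token are my choices.

```php
<?php
// Added example: CSRF token stored in the session and echoed into a hidden field.
// Works with JavaScript disabled because the server renders the field itself.

session_start();

// Issue (or reuse) the per-session token. random_bytes() is CSPRNG-backed.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every state-changing <form method="post">.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call before touching any other $_POST data. hash_equals() compares in
// constant time, so the token cannot be recovered byte by byte via timing.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// processform.php (the script named in the question) would start like this.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // Server-side validation of the remaining fields goes here; client-side
    // JavaScript checks are a convenience only, as noted earlier in the thread.
}

// Rendering the form on the page that submits to processform.php.
echo '<form method="post" action="processform.php">', csrfField(),
     '<input type="text" name="comment"><button>Post</button></form>';
```

A per-session token is the minimum; rotating it per form or after a successful POST limits the damage if one copy leaks. HTTP_REFERER stays out of the check, as the question already observed it is not reliable.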
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: prevent injection attacks
@nga: PDO will take care of the escaping routine.
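To make concrete why a prepared statement settles the "is escaping enough?" question asked earlier, here is an added example (mine, not from the thread) that runs the login query from nga's post in both forms against an in-memory SQLite database, so it works offline. The table, rows and the plaintext password column exist only to mirror the thread's query; real code stores password_hash() output and checks it with password_verify().

```php
<?php
// Added example: the same login query built by concatenation and as a
// prepared statement, with a classic injection payload run through both.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed test data; plaintext passwords only to match the thread's query.
$db->exec('CREATE TABLE testUsers (username TEXT, password TEXT, priv TEXT)');
$db->exec("INSERT INTO testUsers VALUES ('admin', 's3cret', 'admin'), ('bob', 'hunter2', 'user')");

// Vulnerable: attacker-controlled text becomes part of the SQL grammar.
function loginConcat(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT priv FROM testUsers WHERE username='$user' AND password='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['priv'] ?? null;
}

// Hardened: placeholders send the values separately from the query text,
// so a quote or comment marker in the input is just data.
function loginPrepared(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare(
        'SELECT priv FROM testUsers WHERE username = :username AND password = :password'
    );
    $stmt->execute([':username' => $user, ':password' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['priv'] ?? null;
}

// Payload: closes the quoted literal and comments out the password check.
$user = "admin' --";
$pass = 'anything';

var_dump(loginConcat($db, $user, $pass));   // string(5) "admin": logged in without the password
var_dump(loginPrepared($db, $user, $pass)); // NULL: no user is literally named "admin' --"
```

mysql_real_escape_string() only protects values that are placed inside a quoted string literal; an unquoted numeric value such as WHERE id=$id stays injectable, and the whole mysql_* extension was removed in PHP 7.0. Prepared statements through PDO or mysqli remove both problems by never splicing user data into the query text.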