prevent injection attacks
Posted: Tue Nov 17, 2009 2:33 am
by nga
Hello everyone, I've seen a lot of scripting attacks/cross-site attacks. Is there any way that can effectively prevent those attacks? I'm talking about if a user types in <script>...</script> or <iframe...>...</iframe> etc. in a post, and we can effectively echo the code onto the website without actually running the code.
I've used htmlentities() to echo the text post as text. However, characters such as ', which I replaced with ’, don't get rendered as a quotation mark...
Re: prevent injection attacks
Posted: Tue Nov 17, 2009 3:27 am
by cpetercarter
If you don't want your users to be able to incorporate HTML or PHP into whatever they submit to your site, then use strip_tags() to remove the tags. There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish, for example, to permit <b> or <i> tags.
If you have stripped out the tags, htmlentities() does not add to the security of the site. But you need to HTML-encode text before you send it to the user's browser, otherwise your web page may not validate.
Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of sql injection.
I am sure that others will have further tips to add.
Re: prevent injection attacks
Posted: Tue Nov 17, 2009 3:35 am
by nga
cpetercarter wrote:
Before putting any user-generated material anywhere near your database, it is important to 'escape' it with mysql_real_escape_string() in order to reduce the risks of sql injection.
I am sure that others will have further tips to add.
I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?
How do I ensure the submitted form comes from my website and not from another one which uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid $_POST info (if I use JavaScript to check whether a field is empty)... you know what I mean...
Re: prevent injection attacks
Posted: Tue Nov 17, 2009 3:43 am
by alex.barylski
An OK solution is to strip all tags (strip_tags())... better yet, use an HTML library like HTML Purifier to fully cleanse your code before output or input to the database.
Re: prevent injection attacks
Posted: Tue Nov 17, 2009 5:47 am
by kaisellgren
cpetercarter wrote:There is an optional parameter for strip_tags() which allows you to specify some permitted tags - you might wish for example to permit <b> or <i> tags.
strip_tags() with the second parameter specified is fatal in terms of security. Even if you just specify a <b> tag, you are vulnerable to XSS. Don't do it.
+1 for HTML Purifier.
nga wrote: I use mysql_real_escape_string() for all input data. Is that enough to prevent SQL injection?
Maybe the best idea is to first read this: http://en.wikipedia.org/wiki/Sql_injection and after that, ask here if there's anything unclear.
nga wrote: How do I ensure the submitted form comes from my website and not from another one which uses my processform.php to process it? If I can ensure that, do I still need extra checking for valid $_POST info (if I use JavaScript to check whether a field is empty)... you know what I mean...
Although you may not know it, it's often necessary to make sure the data came from your form (and nowhere else). This prevents CSRF attacks (http://en.wikipedia.org/wiki/Csrf). You need to generate a random token and place it on your form.
As for JavaScript validation, it's useless in terms of security. You need to do the validation server-side, with PHP. Any validation running on the client side is controllable by intruders.
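The two behaviours discussed in nga's opening question and in kaisellgren's warning above, as an added PHP example that is not code from the thread: strip_tags() with <b> permitted removes disallowed tags but keeps whatever attributes sit on an allowed tag, so an event handler rides straight through, while htmlentities() with ENT_QUOTES turns every post, both quote characters included, into inert text that the browser displays rather than parses. The sample posts are constructed for the demonstration; nothing here assumes a particular site or database.

```php
<?php
// Added example, not code from the thread. Shows why strip_tags() with an
// allowed-tags list is not an XSS defence, and how output encoding behaves.
declare(strict_types=1);

// Constructed sample posts, as a user might submit them.
$posts = [
    'plain'     => "It's <b>bold</b> & that's all",
    'script'    => '<script>alert(1)</script>',
    'iframe'    => '<iframe src="http://example.invalid/"></iframe>',
    // The <b> tag itself is allowed, so strip_tags() keeps the whole tag,
    // event handler attribute included. This is the bypass.
    'attribute' => '<b onmouseover="alert(1)">hover me</b>',
];

// Approach 1: strip_tags() with <b> permitted. Tags not in the list go,
// but attributes on permitted tags are left untouched.
function stripWithAllowedBold(string $text): string
{
    return strip_tags($text, '<b>');
}

// Approach 2: HTML-encode everything, including both quote characters.
// ENT_QUOTES is what converts ' into an entity (&apos; under ENT_HTML5,
// &#039; under the default ENT_HTML401), which the browser renders as an
// apostrophe instead of leaving it raw or mangling it.
function encodeForHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach ($posts as $label => $raw) {
    echo "== $label ==\n";
    echo "strip_tags(\$s, '<b>'):    " . stripWithAllowedBold($raw) . "\n";
    echo "htmlentities(ENT_QUOTES): " . encodeForHtml($raw) . "\n\n";
}
```

For the 'attribute' post the strip_tags() line prints `<b onmouseover="alert(1)">hover me</b>` unchanged, which is exactly the markup a browser would execute; the encoded line prints entities for every `<`, `>` and quote, so the same bytes appear on screen as text. If some markup genuinely must be allowed, that is the job of a whitelisting parser such as HTML Purifier, which understands attributes, not of strip_tags().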
Re: prevent injection attacks
Posted: Wed Dec 09, 2009 12:44 am
by nga
Code:
$db = new PDO('pgsql:dbname=database');
// Named placeholders: the SQL text is sent on its own and the values are
// bound afterwards, so user input never becomes part of the statement
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
So you use the above code to escape SQL injection? What about mysql_real_escape_string()?
And seriously, how do you ensure data is submitted from your form? Checking HTTP_REFERER isn't enough. I tried reading about generating a random session key and storing it in a cookie and a hidden field. Is this the way?
Re: prevent injection attacks
Posted: Wed Dec 09, 2009 4:23 am
by timWebUK
nga, the way I have implemented mine is by running an AJAX script on the body load, which calls a PHP script that generates a random token and stores it in a session. This then gets hard-coded into the form, and a comparison is made before I process/save any POST data.
Re: prevent injection attacks
Posted: Wed Dec 09, 2009 5:01 am
by jackpf
What about users with javascript turned off?
Re: prevent injection attacks
Posted: Wed Dec 09, 2009 8:03 am
by timWebUK
I just catch the error at the moment and tell the user the form requires JavaScript. The majority of users browse with JavaScript enabled these days, and if they don't, a huge amount of sites lose most of their functionality.
Once I've finished tweaking it, I'll write a non-JavaScript form token method, which will be invoked if a user has JavaScript disabled.
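The session-backed form token that kaisellgren, nga and timWebUK are discussing, done without the AJAX round trip so it also answers jackpf's question about JavaScript being off. This is an added PHP example, not code from the thread: the server generates the token when it renders the form, keeps it in $_SESSION and writes it into a hidden field; the POST handler compares the submitted copy against the session copy before looking at anything else. It assumes PHP 7 or later for random_bytes() and hash_equals(), and a single page that posts to itself; the field name `csrf_token` and the `comment` field are hypothetical.

```php
<?php
// Added example, not code from the thread: a synchronizer token for CSRF
// that needs no JavaScript. The token lives in the server-side session and
// is embedded in the form as a hidden field; the handler compares the two.
declare(strict_types=1);

session_start();

// Issue one token per session (rotate per form if you prefer).
// random_bytes() is PHP 7+; 32 bytes gives a 64-character hex string.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden field. The value is hex, but it still goes through the
// encoder: everything written into a page does.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on POST. hash_equals() compares in constant time so response timing
// does not reveal how many leading bytes of a guess were right.
function csrfValid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // Server-side field validation still happens here. The token only proves
    // the request came from a page this server rendered for this session; it
    // says nothing about whether the fields are sane.
    $comment = trim((string) ($_POST['comment'] ?? ''));
    if ($comment === '') {
        exit('Comment must not be empty.');
    }
    echo 'Received: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<form method="post" action="">
  <?= csrfField() ?>
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
```

A form served from another origin cannot read the token out of this page, so its POST arrives without a matching value and is refused at the first check. Storing the token in the session rather than in a second cookie means there is nothing for a cross-site request to replay; the hidden-field-plus-cookie variant nga mentions works too, but only if the cookie cannot be set by the attacker, so the session version is the simpler one to get right.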
Re: prevent injection attacks
Posted: Sat Dec 12, 2009 2:01 pm
by kaisellgren
@nga: PDO will take care of the escaping routine.
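To make kaisellgren's point concrete, here is nga's lookup rewritten against an in-memory SQLite database so it runs offline with nothing but PHP's PDO extension. This is an added example, not code from the thread. It feeds the classic `' OR '1'='1` payload first to a concatenated query and then to a prepared statement, and shows the two results side by side; it also moves the password check out of the SQL into password_verify(), which is how the hash ends up stored rather than the password. The table, rows and user names are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the same login lookup as the
// snippet above, run against an in-memory SQLite database. It contrasts
// string concatenation (injectable) with a prepared statement (the payload
// is bound as data and matches nothing).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table. Passwords are stored as hashes; the query
// selects by username only and the hash is verified in PHP.
$db->exec('CREATE TABLE testUsers (username TEXT PRIMARY KEY, pwhash TEXT, priv TEXT)');
$ins = $db->prepare('INSERT INTO testUsers (username, pwhash, priv) VALUES (:u, :h, :p)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT), ':p' => 'admin']);
$ins->execute([':u' => 'bob',   ':h' => password_hash('hunter2', PASSWORD_DEFAULT),       ':p' => 'user']);

// Vulnerable: the username is spliced into the SQL text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function lookupConcat(PDO $db, string $user): array
{
    $sql = "SELECT username, priv FROM testUsers WHERE username='" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the username travels as a bound parameter, never as SQL text.
function lookupPrepared(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT username, priv FROM testUsers WHERE username = :username');
    $stmt->bindValue(':username', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Full login: fetch the row by username, then check the hash in PHP.
// Returns the privilege level on success, null on failure.
function login(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('SELECT pwhash, priv FROM testUsers WHERE username = :username');
    $stmt->execute([':username' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pwhash'])) {
        return null;
    }
    return $row['priv'];
}

$payload = "' OR '1'='1";
echo "concat with payload:   " . json_encode(lookupConcat($db, $payload)) . "\n";   // both rows
echo "prepared with payload: " . json_encode(lookupPrepared($db, $payload)) . "\n"; // []
echo "login alice/correct:   " . var_export(login($db, 'alice', 'correct horse'), true) . "\n";
echo "login alice/payload:   " . var_export(login($db, 'alice', $payload), true) . "\n";
```

The concatenated query turns into `... WHERE username='' OR '1'='1'` and returns every user; the prepared one looks for a user literally named `' OR '1'='1` and returns nothing. That is why mysql_real_escape_string() is not needed once every value is bound: escaping tries to make data safe inside the SQL text, whereas a prepared statement keeps data out of the SQL text altogether. With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so PDO uses the server's prepare rather than client-side escaping; SQLite prepares natively.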