I need your opinion regarding 3 security functions...
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
I need your opinion regarding 3 security functions...
Hello, I just signed in and I would appreciate your sophisticated help...
Lots of my custom dynamic websites were injected... and I tried to create three functions to call for input validation, so as to avoid injections.
1. prot_txt() = protect string inputs such as username, first name etc... (usually POST values)
2. numer() = protect numerical data, usually IDs used in URLs
3. prot_email() = protect email inputs (contact forms) to avoid header injections...
Please tell me if any of this is vulnerable...
Thank you in advance...
function prot_txt($str)
{
$str = utf8_encode($str);
$str = utf8_decode($str);
$str = str_replace("\"", " ", $str);
$str = str_replace("\'", " ", $str);
$str = str_replace("alert", " ", $str);
$str = str_replace("(", " ", $str);
$str = str_replace(")", " ", $str);
$str = str_replace("/", " ", $str);
$str = str_replace("<", " ", $str);
$str = str_replace(">", " ", $str);
$str = str_replace(">", " ", $str);
$str = str_replace(";", " ", $str);
$str = str_replace("\\", " ", $str);
$str = str_replace("-", " ", $str);
$str = str_replace("--", " ", $str);
$str = str_replace("+", " ", $str);
$str = str_replace("=", " ", $str);
$str = str_replace("on", " ", $str);
$str = str_replace("script", " ", $str);
$str = str_replace("java", " ", $str);
$str = htmlspecialchars($str);
$str = addslashes($str);
$str = mysql_real_escape_string($str);
$str = htmlentities($str);
if(substr_count($str, 'alert') > 0 OR substr_count($str, '</') > 0 OR substr_count($str, '<') > 0 OR substr_count($str, '>') > 0 OR substr_count($str, '\"') > 0 OR substr_count($str, '\'') > 0 OR substr_count($str, '\\') > 0 OR substr_count($str, 'mouseover') > 0 OR substr_count($str, '%') > 0 OR substr_count($str, '(') > 0 OR substr_count($str, ')') > 0)
{
die("No access");
}
else
{
return $str;
}
}
function numer($str)
{
$str = utf8_encode($str);
$str = utf8_decode($str);
$str = str_replace("\"", " ", $str);
$str = str_replace("\'", " ", $str);
$str = str_replace("alert", " ", $str);
$str = str_replace("(", " ", $str);
$str = str_replace(")", " ", $str);
$str = str_replace("/", " ", $str);
$str = str_replace(".", " ", $str);
$str = str_replace("<", " ", $str);
$str = str_replace(">", " ", $str);
$str = str_replace(">", " ", $str);
$str = str_replace(";", " ", $str);
$str = str_replace("\\", " ", $str);
$str = str_replace("-", " ", $str);
$str = str_replace("+", " ", $str);
$str = str_replace("=", " ", $str);
$str = str_replace("on", " ", $str);
$str = str_replace("script", " ", $str);
$str = str_replace("java", " ", $str);
$str = htmlspecialchars($str);
$str = addslashes($str);
$str = mysql_real_escape_string($str);
$str = htmlentities($str);
if($str <> "")
{
if(is_numeric($str))
{
return $str;
}
else
{
die("No access");
}
}
}
function prot_email($str)
{
$str = utf8_encode($str);
$str = utf8_decode($str);
//return iconv("ISO-8859-1", "utf-8", $str);
if(strpos($str, "<") === false &&
strpos($str, ">") === false &&
strpos($str, "'") === false &&
strpos($str, '"') === false)
{
$str = htmlspecialchars(addslashes(mysql_real_escape_string($str)));
return $str;
}
else
{
die("No access");
}
}
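To see what the posted chain actually does to ordinary input, here is an added example (not part of the original post) that runs a condensed, behaviour-equivalent copy of the str_replace chain and the final checks from prot_txt() and numer() over a few constructed values. mysql_real_escape_string() needs an open MySQL link and is gone since PHP 7, so the script declares a stand-in with MySQL's quoting rules only if the real function is absent; that stand-in, the sample inputs and the replacement of die() by a null return are the assumptions here.

```php
<?php
// Added example, not code from the original post.  Exercises a condensed copy of
// the replacement chain and final checks from the posted prot_txt() and numer().
// ASSUMPTION: mysql_real_escape_string() is unavailable (no MySQL link / PHP >= 7),
// so a stand-in with MySQL's quoting rules for ASCII input is declared instead.
if (!function_exists('mysql_real_escape_string')) {
    function mysql_real_escape_string($s)
    {
        return strtr($s, ["\\" => "\\\\", "'" => "\\'", '"' => '\\"', "\n" => "\\n",
                          "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z"]);
    }
}

// Tokens the posted functions replace with a space, in the posted order.
function stripped_tokens()
{
    return ['"', "'", 'alert', '(', ')', '/', '<', '>', ';', '\\', '-', '--',
            '+', '=', 'on', 'script', 'java'];
}

// Same escaping pile-up as the posted code: HTML-encode, slash twice, HTML-encode again.
function legacy_escape_chain($str)
{
    $str = htmlspecialchars($str);
    $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    return htmlentities($str);
}

// prot_txt() with die() replaced by returning null, so the script can continue.
function legacy_prot_txt($str)
{
    $str = legacy_escape_chain(str_replace(stripped_tokens(), ' ', $str));
    foreach (['alert', '</', '<', '>', '\"', "'", '\\', 'mouseover', '%', '(', ')'] as $bad) {
        if (substr_count($str, $bad) > 0) {
            return null;                      // posted code: die("No access")
        }
    }
    return $str;
}

// numer() likewise; it additionally strips '.' and then trusts is_numeric().
function legacy_numer($str)
{
    $tokens = stripped_tokens();
    array_splice($tokens, 6, 0, '.');        // the '.' removal sits right after '/' in the post
    $str = legacy_escape_chain(str_replace($tokens, ' ', $str));
    if ($str === '') {
        return null;                          // posted code falls off the end and returns null
    }
    return is_numeric($str) ? $str : null;   // posted code: die("No access")
}

// Constructed sample inputs.
$samples = [
    'Jackson Conner',   // "on" is stripped from inside ordinary names
    "Bob O'Brien",      // apostrophe becomes a space
    'Smith-Jones',      // hyphen becomes a space
    'Tom & Jerry',      // '&' is HTML-encoded twice: &amp;amp;
    '50% off',          // rejected outright because of '%'
    'javascript',       // token removal leaves two spaces
];
foreach ($samples as $in) {
    printf("prot_txt(%-16s) => %s\n", var_export($in, true), var_export(legacy_prot_txt($in), true));
}

$ids = ['12', '-7', '3.14', "-13'union select 1,2 from users/*"];
foreach ($ids as $in) {
    // numer('-7') returns " 7": the sign is lost but is_numeric() still accepts it.
    printf("numer(%-36s) => %-8s  (int) cast => %d\n",
        var_export($in, true), var_export(legacy_numer($in), true), (int) $in);
}
```

Run it with the PHP CLI. Every name containing "on", an apostrophe or a hyphen comes back altered, an ampersand is encoded twice before it reaches the database, "50% off" is refused, and a negative id silently turns positive, while the one-character (int) cast in the last column handles all the numeric cases, including the UNION payload, without touching valid data.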
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: I need your opinion regarding 3 security functions...
That's too much code to look through and I think you have way overcomplicated the issue. Just a quick glance shows that you use addslashes() and mysql_real_escape_string(), which will give you many slashes. In general, just mysql_real_escape_string() before using in a query and htmlentities() before display. You can also look at the built-in filter_var() for validation/sanitization.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Re: I need your opinion regarding 3 security functions...
It's really a bad idea to invent this sort of over-complicated protections yourself.
To avoid injections, simply use mysql_real_escape_string for strings, or intval for numeric values, and you're pretty much done.
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
Thank you very much for the quick answers, I really appreciate it because I am desperate...
I tried this htmlspecialchars(addslashes(mysql_real_escape_string($input))) and still got injected.
I tried the Acunetix scanner; it found no injection but an XSS vulnerability through a contact form... Is it possible that my data were injected through XSS? Please help me...
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: I need your opinion regarding 3 security functions...
What does your query look like and what data was injected?
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
Query for selecting a product with my functions:
$select_this_prod = "SELECT * FROM products WHERE product_id = '".numer($_REQUEST['id'])."'";
$run_this_prod = mysql_query($select_this_prod) or die (mysql_error());
$row_this_prod = mysql_fetch_assoc($run_this_prod);
---------------------------------------------------------------------------------------
Another example, selecting category, subcategory and pagination:
$select_this_cat = "SELECT * FROM categories WHERE category_id = '".numer($_REQUEST['id'])."'";
$run_this_cat = mysql_query($select_this_cat) or die (mysql_error());
$row_this_cat = mysql_fetch_assoc($run_this_cat);
if($_REQUEST['sub'] <> "")
{
$select_this_sub_cat = "SELECT * FROM sub_categories WHERE sub_category_id = '".numer($_REQUEST['sub'])."'";
$run_this_sub_cat = mysql_query($select_this_sub_cat) or die (mysql_error());
$row_this_sub_cat = mysql_fetch_assoc($run_this_sub_cat);
$_dyna_ = "AND sub_category_id = '".numer($_REQUEST['sub'])."'"; // builds query element for later
}
Final select to print products:
$_REQUEST['page'] = numer($_REQUEST['page']);
$xxx = 0;
$ttt = 0;
$results_per_page = 9;
$start = ($_REQUEST['page'] * $results_per_page) - $results_per_page;
if($_REQUEST['page'] == "") {$_REQUEST['page'] = 1; $start = 0;}
$select_prosfores = "SELECT * FROM products WHERE category_id = '".$row_this_cat['category_id']."' ".$_dyna_." ORDER BY product_order limit ".numer($start).", ".numer($results_per_page)."";
$run_prosfores = mysql_query($select_prosfores) or die (mysql_error());
while($row_prosfores = mysql_fetch_assoc($run_prosfores))
{ ...etc....
The Acunetix scanner tells me the scripts cannot be injected... but my custom contact form (no connection to the DB, it just sends mail to the company with a few fields such as name, email etc.), which already uses some filtering, is vulnerable to XSS attacks...
Any idea, my friend?
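The queries above, rewritten with PDO prepared statements, as an added example that is not code from the original post. It assumes pdo_sqlite is available (an in-memory SQLite database with constructed rows stands in for the MySQL schema; the table and column names are the ones in the posted queries) and replaces $_REQUEST with a constructed array. On MySQL the same code applies with a 'mysql:' DSN; keep emulated prepares off so that the LIMIT/OFFSET placeholders are sent as integers.

```php
<?php
// Added example, not code from the original post: the product / category /
// pagination queries from the post rewritten with PDO prepared statements.
// ASSUMPTIONS: pdo_sqlite is available (in-memory database, constructed rows),
// and $_REQUEST is replaced by a constructed array.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE categories (category_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, category_id INTEGER,
            sub_category_id INTEGER, name TEXT, product_order INTEGER)');
$pdo->exec("INSERT INTO categories VALUES (1, 'Phones'), (2, 'Laptops')");
$ins = $pdo->prepare('INSERT INTO products VALUES (?, ?, ?, ?, ?)');
for ($i = 1; $i <= 20; $i++) {
    $ins->execute([$i, 1 + ($i % 2), $i % 3, "Product $i", $i]);   // constructed rows
}

// An id is a well-formed integer or it is rejected: no token blacklist needed.
function int_param($value, $default = null)
{
    $v = filter_var($value, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

function fetch_category(PDO $pdo, $categoryId)
{
    $st = $pdo->prepare('SELECT * FROM categories WHERE category_id = :id');
    $st->bindValue(':id', $categoryId, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC);
}

// The optional sub-category clause from the post ($_dyna_) is still parameterised;
// only fixed SQL text, never a request value, is concatenated into the query.
function fetch_products(PDO $pdo, $categoryId, $subCategoryId, $page, $perPage = 9)
{
    $sql = 'SELECT * FROM products WHERE category_id = :cat';
    if ($subCategoryId !== null) {
        $sql .= ' AND sub_category_id = :sub';
    }
    $sql .= ' ORDER BY product_order LIMIT :lim OFFSET :off';
    $st = $pdo->prepare($sql);
    $st->bindValue(':cat', $categoryId, PDO::PARAM_INT);
    if ($subCategoryId !== null) {
        $st->bindValue(':sub', $subCategoryId, PDO::PARAM_INT);
    }
    $st->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $st->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: the id carries the UNION payload quoted later in the thread.
$request = [
    'id'   => "-13'union select 1,2,3,4,concat_ws(0x3a,username,password),6,7 from users/*",
    'sub'  => '',
    'page' => '2',
];
$categoryId = int_param($request['id']);
if ($categoryId === null) {
    echo "id rejected: not an integer\n";
    $categoryId = 1;                                // carry on with a valid id for the demo
}
$subCategoryId = $request['sub'] === '' ? null : int_param($request['sub']);
$page = max(1, int_param($request['page'], 1));

$category = fetch_category($pdo, $categoryId);
echo 'category: ', $category['name'], "\n";
foreach (fetch_products($pdo, $categoryId, $subCategoryId, $page) as $row) {
    echo '  ', $row['product_id'], ' ', $row['name'], "\n";    // page 2 of category 1: product 20
}
```

The request values never become part of the SQL text, so the escaping question disappears; the only validation left is "is this an integer", which filter_var() answers without mangling anything. The page number is clamped to 1 or more so the OFFSET can never go negative.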
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: I need your opinion regarding 3 security functions...
It appears that some confusion may exist as far as escaping goes. Personally, I don't filter keywords from my input. It makes no difference if you handle them correctly. This forum, as an example, supports the word "javascript" or allows us to post intentional injection strings like this without there being a problem:

<script name="javascript">alert("XSS");</script>

When you receive data, determine whether magic quotes is enabled (get_magic_quotes_gpc()). If it is, then your data has been escaped by PHP automatically. I don't like it when PHP does this, so I use stripslashes() to get rid of it. Before I store my data in the database (the LAST thing I do before storing it), I use mysql_real_escape_string().

As an example:

//URL Example: http://server/index.php?name=O'malley
$myVar = $_GET['name']; // O\'malley
if(get_magic_quotes_gpc()) { // It is, in this case
$myVar = stripslashes($myVar); // $myVar now equals O'malley again
}
$query = "SELECT * FROM `products` WHERE `product_id` = '" . mysql_real_escape_string($myVar) . "';";

You can do some validation, like, if your database only accepts a varchar(32), then there is no reason to accept a string longer than 32, it will truncate and cause problems. Likewise, it doesn't make sense to accept an empty string either.

If I am expecting something like an integer, as in a product id, then I cast the value to an int, as an example:

//URL Example: http://server/index.php?prod_id=XSS
# Cast to integer
$myVar = (int) $_GET['prod_id']; // $myVar equals 0

Email addresses are a bit tricky, and many people have different ideas on how to validate them. Your best bet is to use a regular expression, or PHP's built-in filter functions, as mentioned earlier.

The only thing left is to display the data back to the user, safely. Going back to our 1st example, htmlspecialchars fits the bill:

echo htmlspecialchars('<script name="javascript">alert("XSS");</script>');

You can also use urlencode() if you need to pass data through the URL's querystring.

As for my opinion on the posted code, I would gravitate away from it. Adding slashes to a string where slashes have already been added, and then adding them again before storing it in a database, is a surefire way to make your life miserable trying to troubleshoot "bugs", and by bugs I mean vulnerabilities.

As a final note: I'm kind of an idiot, so I am sure that the guys surfing this site, who are smarter than me, will chime in to add their opinion.
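The two remaining pieces from the post above, output encoding and the contact form, as an added example that is not code from the original post. It shows that htmlspecialchars() with the legacy default flags (ENT_COMPAT) leaves the single quote alone, so a value echoed inside a single-quoted attribute such as the img src the thread mentions still breaks out, and it validates the contact form's address with filter_var() before it goes anywhere near mail() headers. The field names, the site address and the submissions are invented for the example.

```php
<?php
// Added example, not code from the original post.  Context-aware output encoding
// plus the contact-form validation the thread asks about.
// ASSUMPTION: the submissions and the site mailbox below are constructed values.

// ENT_QUOTES also converts the single quote, which the legacy default (ENT_COMPAT)
// leaves alone; the charset is given explicitly because its default has changed.
function html_text($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function url_param($s)
{
    return rawurlencode($s);
}

// A single-quoted attribute is the context where ENT_COMPAT is not enough.
$payload = "' onmouseover='alert(1)";
$weak    = htmlspecialchars($payload, ENT_COMPAT, 'UTF-8');   // legacy default flags
$strong  = html_text($payload);
echo "<img src='", $weak,   "' alt=''>\n";   // breaks out: a new event handler attribute appears
echo "<img src='", $strong, "' alt=''>\n";   // stays one attribute value

// Query strings are a different context again.
echo '<a href="search.php?q=', url_param("O'Malley & Sons"), "\">link</a>\n";

// The address must be a single well-formed mailbox.  CR/LF is what a header
// injection needs to append "Bcc:" lines, so it is refused explicitly even
// though FILTER_VALIDATE_EMAIL would not accept it either.
function valid_contact_email($s)
{
    if (!is_string($s) || preg_match('/[\r\n\0]/', $s)) {
        return false;
    }
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

// Headers are built only from validated values; the visitor's address goes in
// Reply-To, From stays the site's own mailbox.
function contact_headers($visitorEmail, $siteFrom = 'webform@example.com')
{
    if (!valid_contact_email($visitorEmail)) {
        return null;
    }
    return "From: $siteFrom\r\nReply-To: $visitorEmail\r\n";
}

// Single-line header fields (Subject) get line breaks collapsed rather than rejected.
function single_line($s)
{
    return trim(preg_replace('/[\r\n]+/', ' ', $s));
}

$submissions = [
    ['email' => 'alice@example.org', 'subject' => 'Order question'],
    ['email' => "bob@example.org\r\nBcc: victim@example.net", 'subject' => 'hi'],
    ['email' => 'not an address', 'subject' => "multi\r\nline"],
];
foreach ($submissions as $s) {
    $headers = contact_headers($s['email']);
    echo var_export($s['email'], true), ' => ',
         $headers === null ? 'rejected' : 'ok, subject: ' . single_line($s['subject']), "\n";
    // mail($to, single_line($s['subject']), $body, $headers) would follow when $headers !== null
}
```

Only the first submission produces headers; the second is refused because of the embedded CR/LF, the third because it is not an address at all. The page's own data (product names, contact-form fields) does not need to be filtered on the way in for this to hold; it needs to be encoded for the context it lands in on the way out.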
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
Thank you for your reply! The thing is that I use so many functions and checks in order to avoid any kind of injection...
Your answer was more than helpful, but I have already tried to avoid advanced injections this way and I failed... There are so many ways and types of injection, such as SQL injection using CONCAT, CHAR, HEX characters, and I was a victim of it... Most of my work and my clients are still in danger even with my 'crazy' functions... Probably the best way is to use prepared statements, but that would be 2 months of rewriting many projects for me...
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: I need your opinion regarding 3 security functions...
You still haven't shown a SQL injection or any other type of attack. For your IDs (assuming they are integers) just do (int)$myvar. As for text, using mysql_real_escape_string() should suffice. Your contact form is another matter: do you mean you are getting spam, or you are getting javascript or attempted SQL injections? This really isn't that dangerous in an email, but running the posted data through htmlentities() should solve that.
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
One of my eshops just got injected again and I have used the exact functions for string and numerical input, via URL or form... Is it possible for someone to inject a DB through a contact form via an XSS attack?
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: I need your opinion regarding 3 security functions...
Dunno... You still haven't shown us anything.
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
The eshop has 18 tables, two of them are truncated: table category and table prod... I have scanned the site and no SQL injections have been recognized... What exactly do you want to see and I will present it to you. Thanks again!
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: I need your opinion regarding 3 security functions...
OK, so truncated tables then. If you do a search on all of your pages for mysql_query and/or any other query functions that you use, and make sure that ALL variables in ALL queries (insert, update, select, etc.) have been run through mysql_real_escape_string(), then I would feel confident that it isn't a vulnerability in your scripts.
Then you need to look elsewhere. phpmyadmin or control panel is compromised?
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
The server admin has assured me that everything is locked up; I believe that when you are on the net this is hard to say. I am 99% positive that my scripts are OK... Last night's injection was done in a simple dynamic web page and I found that one of the DB-driven texts shown on the site included a picture whose img src was something like <img src = '////////////////////////////////////////////////////////////////////////////////////
Any ideas?
-
hexadeximal
- Forum Newbie
- Posts: 8
- Joined: Sun Jan 24, 2010 10:46 am
Re: I need your opinion regarding 3 security functions...
Till now the three functions have worked perfectly... I also logged EVERYTHING, every single click, all session, POST and REQUEST variables, and found out that hundreds of attacks are done every day... Till now everything seems OK...
Example attack via my logs:
User IP: 195.74.246.7 (Forthnet ISP Greece)
Date - Time: 1265450037 (unixtime) = Sat, 06 Feb 2010 09:53:57 GMT
SQL injection string via URL: id = -13'union select 1,2,3,4,concat_ws(0x3a,username,password),6,7 from users/*
Almost all my websites (mainly clients') have had thousands of similar attacks till now... from numerous IPs including proxy servers etc... However, thank God, the websites seem OK!
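A small pass over request-log lines of the kind the post above describes, as an added example that is not code from the original post: it URL-decodes each query parameter, flags the SQL-only constructs (UNION ... SELECT, CONCAT, hex literals, comment tails, tautologies, time-based functions) and counts hits per source IP. The log line format (ip, unix time, URL) is invented for the example and all entries are constructed; only the first payload is the one quoted in the post.

```php
<?php
// Added example, not code from the original post.  Flags SQL injection attempts
// in request logs and groups them by source IP.
// ASSUMPTION: the "ip unixtime url" line format and the entries are constructed.
$log = <<<'LOG'
195.74.246.7 1265450037 /product.php?id=-13%27union+select+1,2,3,4,concat_ws(0x3a,username,password),6,7+from+users/*
10.0.0.5 1265450100 /product.php?id=42
10.0.0.9 1265450160 /category.php?id=3&sub=1&page=2
195.74.246.7 1265450200 /product.php?id=7%27+AND+1=1--+
10.0.0.23 1265450300 /search.php?q=%27+or+sleep(5)%23
LOG;

// Signatures that only make sense inside SQL, applied after URL-decoding and
// case-folding so that encoding does not hide them.
function sqli_signatures()
{
    return [
        'union_select' => '/\bunion\b.{0,40}\bselect\b/s',
        'concat'       => '/\bconcat(_ws)?\s*\(/',
        'hex_literal'  => '/\b0x[0-9a-f]{2,}\b/',
        'comment_tail' => '/(\/\*|--\s|#)\s*$/',
        'tautology'    => '/\b(or|and)\b\s*[\'"]?\d+[\'"]?\s*=\s*[\'"]?\d+/',
        'time_based'   => '/\b(sleep|benchmark)\s*\(/',
    ];
}

// Returns the matched signature names for one URL (empty array = nothing found).
function classify_url($url)
{
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        $parts = explode('=', $pair, 2);
        $value = strtolower(urldecode(end($parts)));      // decode once, then inspect
        foreach (sqli_signatures() as $name => $re) {
            if (preg_match($re, $value)) {
                $hits[$name] = true;
            }
        }
    }
    return array_keys($hits);
}

// Parses the log text and returns [ip => [['when' => ..., 'hits' => [...]], ...]]
// for flagged lines only.
function scan_log($text)
{
    $report = [];
    foreach (explode("\n", trim($text)) as $line) {
        list($ip, $ts, $url) = explode(' ', $line, 3);
        $hits = classify_url($url);
        if ($hits) {
            $report[$ip][] = ['when' => gmdate('Y-m-d H:i:s', (int) $ts), 'hits' => $hits];
        }
    }
    return $report;
}

foreach (scan_log($log) as $ip => $events) {
    printf("%-14s %d flagged request(s)\n", $ip, count($events));
    foreach ($events as $e) {
        printf("    %s  %s\n", $e['when'], implode(',', $e['hits']));
    }
}
```

On the constructed log the two requests from 195.74.246.7 and the sleep() probe from 10.0.0.23 are reported with the signatures that fired; the plain integer ids pass silently. Decoding before matching matters: the %27 and the + in the first line are exactly what the raw string hides from a naive grep for "union select".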