I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 10:54 am
by hexadeximal
Hello, I just signed up and I would appreciate your sophisticated help...
Lots of my custom dynamic websites were injected, and I tried to create three functions to call for input validation so as to avoid injections.
1. prot_txt() = protect string inputs such as username, first name etc. (usually POST values)
2. numer() = protect numerical data, usually IDs used in URLs
3. prot_email() = protect email inputs (contact forms) to avoid header injections....
Please tell me if any of this is vulnerable....
Thank you in advance...
function prot_txt($str)
{
    $str = utf8_encode($str);
    $str = utf8_decode($str);
    $str = str_replace("\"", " ", $str);
    $str = str_replace("\'", " ", $str);
    $str = str_replace("alert", " ", $str);
    $str = str_replace("(", " ", $str);
    $str = str_replace(")", " ", $str);
    $str = str_replace("/", " ", $str);
    $str = str_replace("<", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(";", " ", $str);
    $str = str_replace("\\", " ", $str);
    $str = str_replace("-", " ", $str);
    $str = str_replace("--", " ", $str);
    $str = str_replace("+", " ", $str);
    $str = str_replace("=", " ", $str);
    $str = str_replace("on", " ", $str);
    $str = str_replace("script", " ", $str);
    $str = str_replace("java", " ", $str);
    $str = htmlspecialchars($str);
    $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    $str = htmlentities($str);
    if (substr_count($str, 'alert') > 0 OR substr_count($str, '</') > 0 OR substr_count($str, '<') > 0
        OR substr_count($str, '>') > 0 OR substr_count($str, '\"') > 0 OR substr_count($str, '\'') > 0
        OR substr_count($str, '\\') > 0 OR substr_count($str, 'mouseover') > 0 OR substr_count($str, '%') > 0
        OR substr_count($str, '(') > 0 OR substr_count($str, ')') > 0)
    {
        die("No access");
    }
    else
    {
        return $str;
    }
}

function numer($str)
{
    $str = utf8_encode($str);
    $str = utf8_decode($str);
    $str = str_replace("\"", " ", $str);
    $str = str_replace("\'", " ", $str);
    $str = str_replace("alert", " ", $str);
    $str = str_replace("(", " ", $str);
    $str = str_replace(")", " ", $str);
    $str = str_replace("/", " ", $str);
    $str = str_replace(".", " ", $str);
    $str = str_replace("<", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(";", " ", $str);
    $str = str_replace("\\", " ", $str);
    $str = str_replace("-", " ", $str);
    $str = str_replace("+", " ", $str);
    $str = str_replace("=", " ", $str);
    $str = str_replace("on", " ", $str);
    $str = str_replace("script", " ", $str);
    $str = str_replace("java", " ", $str);
    $str = htmlspecialchars($str);
    $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    $str = htmlentities($str);
    if ($str <> "")
    {
        if (is_numeric($str))
        {
            return $str;
        }
        else
        {
            die("No access");
        }
    }
}

function prot_email($str)
{
    $str = utf8_encode($str);
    $str = utf8_decode($str);
    //return iconv("ISO-8859-1", "utf-8", $str);
    if (strpos($str, "<") === false &&
        strpos($str, ">") === false &&
        strpos($str, "'") === false &&
        strpos($str, '"') === false)
    {
        $str = htmlspecialchars(addslashes(mysql_real_escape_string($str)));
        return $str;
    }
    else
    {
        die("No access");
    }
}
Re: I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 11:13 am
by AbraCadaver
That's too much code to look through and I think you have way overcomplicated the issue. Just a quick glance shows that you addslashes() and mysql_real_escape_string() which will give you many slashes. In general, just mysql_real_escape_string() before using in a query and htmlentities() before display. You can also look at the built-in filter_var() for validation/sanitization.
Re: I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 11:16 am
by Apollo
It's really a bad idea to invent this sort of over-complicated protection yourself.
To avoid injections, simply use
mysql_real_escape_string for strings, or
intval for numeric values, and you're pretty much done.
Re: I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 11:20 am
by hexadeximal
Thank you very much for the quick answers, I really appreciate it because I am desperate...
I tried this: htmlspecialchars(addslashes(mysql_real_escape_string($input))) and still got injected.
I tried the Acunetix scanner; it found no injection, but an XSS vulnerability through a contact form... is it possible that my data were injected through XSS? Please help me....
Re: I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 12:27 pm
by AbraCadaver
What does your query look like and what data was injected?
Re: I need your opinion regarding 3 security functions...
Posted: Sun Jan 24, 2010 12:32 pm
by hexadeximal
Query for selecting a product with my functions:
    $select_this_prod = "SELECT * FROM products WHERE product_id = '".numer($_REQUEST['id'])."'";
    $run_this_prod = mysql_query($select_this_prod) or die (mysql_error());
    $row_this_prod = mysql_fetch_assoc($run_this_prod);
---------------------------------------------------------------------------------------
Another example, selecting category, subcategory and pagination:
    $select_this_cat = "SELECT * FROM categories WHERE category_id = '".numer($_REQUEST['id'])."'";
    $run_this_cat = mysql_query($select_this_cat) or die (mysql_error());
    $row_this_cat = mysql_fetch_assoc($run_this_cat);
    $_dyna_ = "";                 // optional query element, filled in below
    if ($_REQUEST['sub'] <> "")
    {
        $select_this_sub_cat = "SELECT * FROM sub_categories WHERE sub_category_id = '".numer($_REQUEST['sub'])."'";
        $run_this_sub_cat = mysql_query($select_this_sub_cat) or die (mysql_error());
        $row_this_sub_cat = mysql_fetch_assoc($run_this_sub_cat);
        $_dyna_ = "AND sub_category_id = '".numer($_REQUEST['sub'])."'"; // builds query element for later
    }
Final select to print the products:
    $_REQUEST['page'] = numer($_REQUEST['page']);
    $xxx = 0;
    $ttt = 0;
    $results_per_page = 9;
    $start = ($_REQUEST['page'] * $results_per_page) - $results_per_page;
    if ($_REQUEST['page'] == "") { $_REQUEST['page'] = 1; $start = 0; }
    $select_prosfores = "SELECT * FROM products WHERE category_id = '".$row_this_cat['category_id']."' ".$_dyna_." ORDER BY product_order limit ".numer($start).", ".numer($results_per_page)."";
    $run_prosfores = mysql_query($select_prosfores) or die (mysql_error());
    while ($row_prosfores = mysql_fetch_assoc($run_prosfores))
    { ...etc....
The Acunetix scanner tells me the scripts cannot be injected... but my custom contact form (no connection to the DB, but it sends mail to the company with a few details such as name, email etc.), which already uses some filtering, is vulnerable to XSS attacks....
Any ideas, my friend?
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 12:38 am
by flying_circus
It appears that some confusion may exist as far as escaping goes. Personally, I don't filter keywords from my input. It makes no difference if you handle them correctly. This forum, as an example, supports the word "javascript" and allows us to post intentional injection strings like this without there being a problem.
Code:
<script name="javascript">alert("XSS");</script>
When you receive data, determine whether magic quotes is enabled (get_magic_quotes_gpc()). If it is, then your data has been escaped by PHP automatically. I don't like it when PHP does this, so I use stripslashes() to get rid of it. The LAST thing I do before I store my data in the database is use mysql_real_escape_string().
As an example:
Code:
//URL Example: http://server/index.php?name=O'malley
$myVar = $_GET['name']; // O\'malley (magic quotes added the backslash)
if (get_magic_quotes_gpc()) { // It is, in this case
    $myVar = stripslashes($myVar); // $myVar now equals O'malley again
}
$query = "SELECT * FROM `products` WHERE `product_id` = '" . mysql_real_escape_string($myVar) . "';";
You can do some validation: if your database only accepts a varchar(32), then there is no reason to accept a string longer than 32; it will truncate and cause problems. Likewise, it doesn't make sense to accept an empty string either.
If I am expecting something like an integer, as in a product id, then I cast the value to an int, as an example:
Code:
//URL Example: http://server/index.php?prod_id=XSS
# Cast to integer
$myVar = (int) $_GET['prod_id']; // $myVar equals 0
Email addresses are a bit tricky, and many people have different ideas on how to validate them. Your best bet is to use a regular expression, or PHP's built-in filter functions, as mentioned earlier.
The only thing left, is to display the data back to the user, safely. Going back to our 1st example, htmlspecialchars fits the bill:
Code:
echo htmlspecialchars('<script name="javascript">alert("XSS");</script>');
You can also use urlencode() if you need to pass data through the url's querystring.
As for my opinion on the posted code: I would gravitate away from it. Adding slashes to a string where slashes have already been added, and then adding them again before storing it in a database, is a surefire way to make your life miserable trying to troubleshoot "bugs", and by bugs I mean vulnerabilities.
As a final note:
I'm kind of an idiot, so I am sure that the guys surfing this site, who are smarter than me, will chime in to add their opinion.
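The contact-form case raised earlier in the thread (mail header injection, plus the XSS finding from the scanner) can be handled with the same approach flying_circus describes: no keyword stripping, validate the shape of each field, and escape only at the point of output. The following is an added example, not code from any poster; the field names (name, email, message), the recipient address and the 64/4000 length limits are assumptions, and mail() is deliberately not called so the script runs offline and just returns what it would send.

```php
<?php
// Added example (not the poster's code): contact-form handling without keyword
// stripping. Field names, recipient address and length limits are assumptions.

/** Read one POST field as text, undoing magic_quotes_gpc if this PHP still has it (removed in PHP 8). */
function raw_input(array $src, string $key): string
{
    $value = $src[$key] ?? '';
    if (!is_string($value)) {
        return '';                          // name[]=... would arrive as an array, not text
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/**
 * Anything placed on a mail header line must not contain CR, LF or NUL: a
 * value such as "Eve\r\nBcc: ..." would start a new header and add a recipient.
 * Reject instead of stripping, so the attempt is visible as a failed submission.
 */
function header_safe(string $value): ?string
{
    return preg_match('/[\r\n\0]/', $value) ? null : trim($value);
}

/** Returns ['errors' => [...]] on rejection, otherwise the pieces mail() would be given. */
function build_contact_mail(array $post, string $to = 'sales@example.com'): array
{
    $errors = [];

    $name = header_safe(raw_input($post, 'name'));
    if ($name === null || $name === '' || strlen($name) > 64) {
        $errors[] = 'name';
    }

    // FILTER_VALIDATE_EMAIL returns the address or false; it does not accept whitespace or newlines.
    $email = filter_var(raw_input($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }

    $message = raw_input($post, 'message');   // body text: line breaks are fine here
    if (trim($message) === '' || strlen($message) > 4000) {
        $errors[] = 'message';
    }
    if ($errors) {
        return ['errors' => $errors];
    }

    // From stays the site's own address; the visitor's address goes in Reply-To.
    $headers = "From: " . $to . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return [
        'to'      => $to,
        'subject' => 'Contact form: ' . $name,
        'headers' => $headers,
        'body'    => "Name: $name\nEmail: $email\n\n$message",
    ];
}

// Constructed inputs: a normal submission and a header-injection attempt.
$ok  = build_contact_mail(['name' => "O'Malley", 'email' => 'om@example.org', 'message' => 'Hi']);
$bad = build_contact_mail(['name' => "Eve\r\nBcc: spam-target@example.org", 'email' => 'eve@example.org', 'message' => 'x']);

printf("good submission -> %s\n", isset($ok['errors']) ? 'rejected' : 'accepted');
printf("injection attempt -> %s\n", isset($bad['errors']) ? 'rejected: ' . implode(',', $bad['errors']) : 'accepted');

// On the "thank you" page, escape for HTML at output time. The apostrophe in
// O'Malley survives because nothing was stripped or slashed on the way in.
echo htmlspecialchars($ok['body'], ENT_QUOTES, 'UTF-8'), "\n";
```

The first submission is accepted and the second is rejected on the name field. Note that a contact form with no database behind it cannot truncate tables, whatever the scanner reported about XSS; the header check above is about preventing the form from being used as a mail relay.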
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 4:15 am
by hexadeximal
Thank you for your reply! The thing is that I use so many functions and checks in order to avoid any kind of injection...
Your answer was more than helpful, but I have already tried to avoid advanced injections this way and I failed.... there are so many ways and types of injection, such as SQL injection using (CONCAT, CHAR, HEX) characters, and I was a victim of it.... most of my work and my clients are still in danger even with my 'crazy' functions.... probably the best way is to use prepared statements, but that would be 2 months of rewriting many projects for me...
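Since prepared statements come up here as the real fix, the following is an added example (not code from any poster) showing the product, category/sub-category and pagination queries quoted earlier in this thread rewritten with PDO prepared statements, so no request value is ever concatenated into SQL. An in-memory SQLite database with a few constructed rows stands in for the shop's MySQL tables so it runs offline; the table layout, the mysql: DSN and the 9-per-page value are assumptions.

```php
<?php
// Added example (not the poster's code): the thread's queries with PDO prepared
// statements. SQLite in memory replaces MySQL so the script runs offline.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');          // production: 'mysql:host=...;dbname=...'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        // Native prepares: with emulation a bound LIMIT value can be sent as a
        // quoted string, which MySQL rejects. pdo_sqlite does not use emulation.
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $db->exec('CREATE TABLE categories (category_id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, category_id INTEGER,
               sub_category_id INTEGER, name TEXT, product_order INTEGER)');
    $db->exec("INSERT INTO categories VALUES (1, 'offers')");
    $ins = $db->prepare('INSERT INTO products VALUES (?, 1, ?, ?, ?)');
    for ($i = 1; $i <= 20; $i++) {             // constructed sample rows, two sub-categories
        $ins->execute([$i, ($i % 2) + 1, "product $i", $i]);
    }
    return $db;
}

/** Replacement for numer(): the id is cast, not scrubbed, and bound as an integer. */
function fetch_category(PDO $db, $raw_id): ?array
{
    $stmt = $db->prepare('SELECT * FROM categories WHERE category_id = :id');
    $stmt->bindValue(':id', (int) $raw_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * The "final select to print products": optional sub-category filter plus
 * pagination. The conditional clause is still assembled in PHP, but it only
 * ever adds a placeholder, never a request value.
 */
function fetch_products_page(PDO $db, int $category_id, $raw_sub, $raw_page, int $per_page = 9): array
{
    $sub   = ($raw_sub === null || $raw_sub === '') ? null : (int) $raw_sub;
    $page  = max(1, (int) $raw_page);          // "", "0" or garbage all mean page 1
    $start = ($page - 1) * $per_page;

    $sql = 'SELECT * FROM products WHERE category_id = :cat';
    if ($sub !== null) {
        $sql .= ' AND sub_category_id = :sub';
    }
    $sql .= ' ORDER BY product_order LIMIT :start, :count';

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':cat', $category_id, PDO::PARAM_INT);
    if ($sub !== null) {
        $stmt->bindValue(':sub', $sub, PDO::PARAM_INT);
    }
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);   // PARAM_INT matters for LIMIT
    $stmt->bindValue(':count', $per_page, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_db();

// A request like the ones in the thread: ?id=1&sub=2&page=2
$cat  = fetch_category($db, '1');
$rows = fetch_products_page($db, $cat['category_id'], '2', '2');
printf("page 2 of sub-category 2: %d row(s), first product_id %d\n", count($rows), $rows[0]['product_id']);

// The payload from the log quoted later in this thread, aimed at the id parameter.
// (int) "-13'union select ..." is -13; it is bound as the number -13 and matches nothing.
$hostile = "-13'union select 1,2,3,4,concat_ws(0x3a,username,password),6,7 from users/*";
var_dump(fetch_category($db, $hostile));       // NULL
```

Converting a page is mostly mechanical: each `mysql_query("... '".numer($x)."' ...")` becomes a prepare with a placeholder and a bindValue with the right PDO::PARAM_* type, and the numer()/prot_txt() scrubbing disappears along with the double addslashes/mysql_real_escape_string passes the other replies pointed out.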
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 9:10 am
by AbraCadaver
hexadeximal wrote: Thank you for your reply! The thing is that I use so many functions and checks in order to avoid any kind of injection...
Your answer was more than helpful, but I have already tried to avoid advanced injections this way and I failed.... there are so many ways and types of injection, such as SQL injection using (CONCAT, CHAR, HEX) characters, and I was a victim of it.... most of my work and my clients are still in danger even with my 'crazy' functions.... probably the best way is to use prepared statements, but that would be 2 months of rewriting many projects for me...
You still haven't shown a SQL injection or any other type of attack. For your IDs (assuming they are integers) just do (int)$myvar. As for text, using mysql_real_escape_string() should suffice. Your contact form is another matter: do you mean you are getting spam, or you are getting javascript or attempted SQL injections? This really isn't that dangerous in an email, but running the posted data through htmlentities() should solve that.
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 1:25 pm
by hexadeximal
AbraCadaver wrote: You still haven't shown a SQL injection or any other type of attack. For your IDs (assuming they are integers) just do (int)$myvar. As for text, using mysql_real_escape_string() should suffice. Your contact form is another matter: do you mean you are getting spam, or you are getting javascript or attempted SQL injections? This really isn't that dangerous in an email, but running the posted data through htmlentities() should solve that.
One of my eshops just got injected again, and I have used the exact functions for string and numerical input, via URL or form.... is it possible for someone to inject a DB through a contact form via an XSS attack?
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 2:00 pm
by AbraCadaver
hexadeximal wrote: AbraCadaver wrote: You still haven't shown a SQL injection or any other type of attack. For your IDs (assuming they are integers) just do (int)$myvar. As for text, using mysql_real_escape_string() should suffice. Your contact form is another matter: do you mean you are getting spam, or you are getting javascript or attempted SQL injections? This really isn't that dangerous in an email, but running the posted data through htmlentities() should solve that.
One of my eshops just got injected again, and I have used the exact functions for string and numerical input, via URL or form.... is it possible for someone to inject a DB through a contact form via an XSS attack?
Dunno... You still haven't shown us anything.
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 2:21 pm
by hexadeximal
The eshop has 18 tables; two of them were truncated, table category and table prod... I have scanned the site and no SQL injections have been recognized.... What exactly do you want to see? I will present it to you. Thanks again!
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 2:33 pm
by AbraCadaver
hexadeximal wrote: The eshop has 18 tables; two of them were truncated, table category and table prod... I have scanned the site and no SQL injections have been recognized.... What exactly do you want to see? I will present it to you. Thanks again!
OK, so truncated tables then. If you do a search on all of your pages for mysql_query and/or any other query functions that you use, and make sure that ALL variables in ALL queries (insert, update, select, etc.) have been run through mysql_real_escape_string(), then I would feel confident that it isn't a vulnerability in your scripts.
Then you need to look elsewhere. Is phpMyAdmin or the control panel compromised?
Re: I need your opinion regarding 3 security functions...
Posted: Mon Jan 25, 2010 2:38 pm
by hexadeximal
AbraCadaver wrote: OK, so truncated tables then. If you do a search on all of your pages for mysql_query and/or any other query functions that you use, and make sure that ALL variables in ALL queries (insert, update, select, etc.) have been run through mysql_real_escape_string(), then I would feel confident that it isn't a vulnerability in your scripts.
Then you need to look elsewhere. Is phpMyAdmin or the control panel compromised?
The server admin has assured me that everything is locked up; I believe that when you are on the net this is hard to say. I am 99% positive that my scripts are OK.... last night's injection was done on a simple dynamic web page, and I found that one of the DB-driven texts shown on the site included a picture whose img src was something like <img src = '////////////////////////////////////////////////////////////////////////////////////
Any ideas?
Re: I need your opinion regarding 3 security functions...
Posted: Sun Feb 07, 2010 6:54 pm
by hexadeximal
Till now the three functions have worked perfectly... I also logged EVERYTHING, every single click, all session, POST and REQUEST variables, and found out that hundreds of attacks are done every day... till now everything seems OK...
Example attack from my logs:
User IP: 195.74.246.7 (Forthnet ISP, Greece)
Date - Time: 1265450037 (unixtime) = Sat, 06 Feb 2010 09:53:57 GMT
SQL injection string via URL:
id = -13'union select 1,2,3,4,concat_ws(0x3a,username,password),6,7 from users/*
Almost all my websites (mainly clients') have had thousands of similar attacks till now... from numerous IPs including proxy servers etc.... however, thank God, the websites seem OK!
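Logging every request, as described above, is only useful if something reads the log. The following is an added example, not code from any poster: a small triage pass that flags the injection patterns named in this thread (quote break-out followed by a comment, UNION SELECT, CONCAT/CONCAT_WS/CHAR calls and 0x hex literals, and or/and tautologies). The log lines are constructed in the shape of the post above (IP, unix time, parameter string, tab-separated); the real log format is not on the page, and the IPs other than the payload string are documentation addresses.

```php
<?php
// Added example (not the poster's code): regex triage over constructed request-log
// lines. Log layout (ip \t unixtime \t query string) is an assumption.

const SQLI_PATTERNS = [
    // UNION [ALL] SELECT, allowing comments or whitespace between the keywords
    'union_select'  => '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?select\b/i',
    // a closing quote followed, somewhere before the next quote, by a SQL comment opener
    'quote_comment' => '/[\'"][^\'"]*(--|#|\/\*)/',
    // the CONCAT/CHAR/HEX tricks mentioned in the thread
    'concat_hex'    => '/\b(concat_ws|concat|char)\s*\(|0x[0-9a-f]{2,}/i',
    // or/and tautologies such as "or 1=1"; the noisiest of the four, review hits by hand
    'tautology'     => '/\b(or|and)\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i',
];

/** Names of the patterns that match one logged parameter string (after percent-decoding). */
function classify(string $params): array
{
    $decoded = urldecode($params);     // logged values may be raw or percent-encoded
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Return only the log entries that look like injection attempts, with a readable time. */
function triage(array $lines): array
{
    $report = [];
    foreach ($lines as $line) {
        list($ip, $ts, $params) = explode("\t", $line, 3);
        $hits = classify($params);
        if ($hits) {
            $report[] = [
                'ip'     => $ip,
                'time'   => gmdate('D, d M Y H:i:s', (int) $ts) . ' GMT',
                'hits'   => $hits,
                'params' => $params,
            ];
        }
    }
    return $report;
}

// Constructed log lines. The first payload is the one quoted in the post above;
// the third is the same idea percent-encoded; the last is a legitimate apostrophe.
$log = [
    "203.0.113.7\t1265450037\tid=-13'union select 1,2,3,4,concat_ws(0x3a,username,password),6,7 from users/*",
    "203.0.113.9\t1265450102\tid=13&page=2",
    "198.51.100.4\t1265450177\tid=13%27%20and%201%3D1--",
    "203.0.113.9\t1265450250\tsub=O%27Malley",
];

foreach (triage($log) as $entry) {
    printf("%-15s %s  [%s]\n    %s\n", $entry['ip'], $entry['time'], implode(', ', $entry['hits']), $entry['params']);
}
```

Only the first and third lines are reported; the plain page request and the O'Malley value produce no hits, which is the point of matching structure (quote plus comment, UNION plus SELECT) rather than stripping individual characters or words the way the original prot_txt() does. A value that hits is worth keeping in full, since the payload itself tells you which table and columns the attacker already knows about.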
