
Is this secure?

Posted: Tue Jan 25, 2011 11:13 am
by nsx
Heya, I'm basically making a simple forum script integrated with a website. I want to protect myself from SQL injection and XSS, so I figured I'd use PDO prepared statements and simple strip_tags. I'm still fairly new to PHP, so I don't have the knowledge of all possible ways to protect myself.
The script looks like this:

Code:

$postbody = $_POST['postbody'] ; // I get the message body and do NOT process it while writing to the database, except checking that it doesn't exceed the allowed size.

// the writing part

// the column list names eight columns, so the VALUES list needs eight placeholders (:parent and :title included)
$prep = $sql->prepare("INSERT INTO `a_forum_posts` (`created`, `account_id`, `forum_id`, `character`, `parent`, `title`, `body`, `class`)
		VALUES (:created, :acc_id, :fid, :character, :parent, :title, :postbody, :class)", array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)) ;

// every placeholder gets a value here; $parent (parent post id) and $title are assumed to come from the form like $postbody
$prep->execute(array(':created' => time(),
		':acc_id' => $account_logged->getId(),
		':fid' => $fid,
		':character' => $poster_info['pname'],
		':parent' => $parent,
		':title' => $title,
		':postbody' => $postbody,
		':class' => $poster_info['level'] .' '. myGetVoc($poster_info['voc'], $poster_info['promo']))) ;
Now before I output the result I filter it with a function similar to this:

Code:

function decodePost($str) {
	$search = array('[b]', '[/b]') ; // a lot more of bb code conversion...
	$replace = array('<b>', '</b>') ;
	return str_ireplace($search, $replace, nl2br(strip_tags($str))) ;
}
The question is: is this XSS and SQL injection safe?
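An added example (not nsx's code) of a different ordering on the output side: encode every character HTML cares about first, then expand a fixed set of BBCode tags, so the only markup that reaches the browser is markup the converter itself wrote. The function name renderPost and the sample posts are constructed for this illustration.

```php
<?php
// Added example, not from the original post. Encode first, convert BBCode second:
// strip_tags() removes tags but leaves quotes and brackets that later markup
// generation can reinterpret, whereas htmlspecialchars() neutralises every
// '<', '>' and quote before any HTML is produced.
function renderPost(string $body): string
{
    // 1. Neutralise all HTML supplied by the user; ENT_QUOTES also encodes quotes.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Only now translate a fixed whitelist of BBCode tags into our own markup.
    //    Square brackets survive htmlspecialchars(), so the patterns still match.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~is', '<b>$1</b>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~is', '<i>$1</i>', $safe);

    // 3. [url=...] links: accept only http(s) targets; the link text is already encoded.
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            // The target was encoded in step 1; decode it to check the scheme.
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $url)) {
                return $m[2]; // non-http(s) target: keep the text, drop the link
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . '">' . $m[2] . '</a>';
        },
        $safe
    );

    // 4. Preserve line breaks, as the original decodePost() does with nl2br().
    return nl2br($safe);
}

// Constructed sample posts: raw HTML, BBCode, a non-http link and a link with a query string.
$samples = [
    "Hello <b>world</b>\n[b]bold[/b]",
    "[url=javascript:void(0)]click[/url]",
    "[url=https://example.com/?a=1&b=2]site[/url]",
];
foreach ($samples as $s) {
    echo renderPost($s), "\n";
}
```

The order is the whole point: once the text has been encoded, a BBCode converter can only emit the tags it was written to emit, and the one place user data ends up inside an attribute (the href) is validated and encoded again on the way out.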

Re: Is this secure?

Posted: Wed Jan 26, 2011 4:23 pm
by social_experiment
(SQL) Injection is mostly stopped by using mysql_real_escape_string(), but I've looked at some PDO examples (where queries are prepared) and none of them use it; no idea if this is built-in (the escaping of user input). Here's one of the examples I found

Code:

<?php
// $dbh is an already-opened PDO connection
// Prepare and execute the query
$query = $dbh->prepare("SELECT sku, name FROM product ORDER BY name");
$query->execute();
// fetch() is a PDOStatement method, and the constant is PDO::FETCH_ASSOC
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
    $sku = $row['sku'];
    $name = $row['name'];
    // encode before echoing so values read back from the database cannot inject markup
    echo "Product: " . htmlentities($name) . " (" . htmlentities($sku) . ") <br />";
}
?>
You could also take a look at htmlentities() to stop XSS.
Hth
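An added example (not social_experiment's or nsx's code) that runs the whole round trip nsx's script and the snippet above describe: insert through a prepared statement with every placeholder bound, read the rows back with a correct fetch loop, and encode only at output time. It uses an in-memory SQLite database so it runs without a server (assumption: the pdo_sqlite extension is loaded); the table mirrors a_forum_posts with a reduced column set, and insertPost/listPosts are names made up for this example.

```php
<?php
// Added example, not from the original thread. With a prepared statement the
// SQL text and the parameter values are sent to the driver separately, so no
// mysql_real_escape_string() call is involved: quotes in the data stay data.
$dbh = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is available
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, binds the parameters; SQLite prepares natively.

$dbh->exec('CREATE TABLE a_forum_posts (id INTEGER PRIMARY KEY, created INTEGER, title TEXT, body TEXT)');

function insertPost(PDO $dbh, string $title, string $body): int
{
    // Every placeholder in the SQL has a matching key in execute().
    $stmt = $dbh->prepare('INSERT INTO a_forum_posts (created, title, body) VALUES (:created, :title, :body)');
    $stmt->execute([
        ':created' => time(),
        ':title'   => $title,
        ':body'    => $body,
    ]);
    return (int) $dbh->lastInsertId();
}

function listPosts(PDO $dbh): array
{
    $stmt = $dbh->prepare('SELECT id, title, body FROM a_forum_posts ORDER BY id');
    $stmt->execute();
    // fetch() belongs to the PDOStatement; PDO::FETCH_ASSOC is the constant name.
    $rows = [];
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

// Constructed inputs: apostrophes and SQL-looking text are stored verbatim.
insertPost($dbh, "O'Reilly", "it's 5 o'clock; ' OR 1=1 --");
insertPost($dbh, 'plain', 'second post');

foreach (listPosts($dbh) as $row) {
    // Encode on output, not on input: what is stored is the original text.
    printf("%d: %s | %s\n",
        $row['id'],
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'));
}
```

The two halves answer the two halves of the question separately: binding parameters covers the database side, and the htmlspecialchars() call at the echo covers the browser side; neither substitutes for the other.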

Re: Is this secure?

Posted: Fri Feb 11, 2011 6:42 pm
by Technocrat