superdezign wrote:
In all honesty, when cleaning data, all you really need is mysql_real_escape_string for MySQL queries and htmlspecialchars for HTML data. If you are going to print user data (and don't want to allow HTML formatting, or you already filter the HTML in the data), use htmlspecialchars(). If you don't use them, then you need to filter more specifically.
2> You should never use htmlentities or htmlspecialchars as these are encodings for a specific document format. You could not do searching or matching on that data and displaying it in any other document format would take extra code, and could not be done directly from the database.
In the thread relating to SQL Injection Prevention, the above point was stated and was agreed with by most of the senior members of the forum.
I have done SQL injection prevention and now need to protect the data against XSS attacks. In this process most of the guides, including Shiflett's, recommend the use of htmlentities() and strip_tags().
If I use htmlentities() on the output from the database and then display it, is it safe enough against XSS attacks?
The AIM
I just want to send the data in the form fields subject, story and titletext to the database without any HTML tags. So I think, if I use htmlentities() on the input to the DB, would it make any problem for searching? In the database I just want SIMPLE TEXT, but maybe some ' or " as users will submit stories.
Another thing is that I got the following code, as recommended by Shiflett:
Code:
<?php
// +----------------------------------------------------------------------+
// | popoon                                                               |
// +----------------------------------------------------------------------+
// | Copyright (c) 2001-2006 Bitflux GmbH                                 |
// +----------------------------------------------------------------------+
// | Licensed under the Apache License, Version 2.0 (the "License");      |
// | you may not use this file except in compliance with the License.     |
// | You may obtain a copy of the License at                              |
// | http://www.apache.org/licenses/LICENSE-2.0                           |
// | Unless required by applicable law or agreed to in writing, software  |
// | distributed under the License is distributed on an "AS IS" BASIS,    |
// | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or      |
// | implied. See the License for the specific language governing         |
// | permissions and limitations under the License.                       |
// +----------------------------------------------------------------------+
// | Author: Christian Stocker <chregu@bitflux.ch>                        |
// +----------------------------------------------------------------------+
//
// $Id$

class popoon_classes_externalinput
{
    // this basic clean should clean html code from
    // lot of possible malicious code for Cross Site Scripting
    // use it wherever you get external input
    static function basicClean($string)
    {
        // magic quotes were dropped in PHP 5.4 and get_magic_quotes_gpc()
        // itself no longer exists in PHP 8, so only call it where it is defined
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        // double-encode entities that are already present, so that the
        // html_entity_decode() below cannot turn "&lt;script&gt;" into a live tag
        $string = str_replace(array("&amp;", "&lt;", "&gt;"), array("&amp;amp;", "&amp;lt;", "&amp;gt;"), $string);
        // fix &entity\n;
        $string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "$1;", $string);
        $string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "$1$2;", $string);
        $string = html_entity_decode($string, ENT_COMPAT, "UTF-8");
        // remove any attribute starting with "on" or xmlns
        $string = preg_replace('#(<[^>]+[\x00-\x20"\'])(on|xmlns)[^>]*>#iUu', "$1>", $string);
        // remove javascript: and vbscript: protocol
        $string = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([\`\'"]*)[\x00-\x20]*j' .
            '[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]' .
            '*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
        $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b' .
            '[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]' .
            '*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string);
        $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#Uu',
            '$1=$2nomozbinding...', $string);
        // <span style="width: expression(alert('Ping!'));"></span>
        // only works in ie...
        $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*' .
            '([\`\'"]*).*expression[\x00-\x20]*\([^>]*>#iU', "$1>", $string);
        $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*' .
            '([\`\'"]*).*behaviour[\x00-\x20]*\([^>]*>#iU', "$1>", $string);
        $string = preg_replace('#(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*' .
            '([\`\'"]*).*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*' .
            'p[\x00-\x20]*t[\x00-\x20]*:*[^>]*>#iUu', "$1>", $string);
        // remove namespaced elements (we do not need them...)
        $string = preg_replace('#</*\w+:\w[^>]*>#i', "", $string);
        // remove really unwanted tags; loop until nothing changes, so that
        // nested constructs like "<scr<script>ipt>" do not survive a single pass
        do {
            $oldstring = $string;
            $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|' .
                'iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string);
        } while ($oldstring != $string);
        return $string;
    }

    // recursively strip the backslashes magic_quotes_gpc added to a
    // request array (keys included); a no-op where magic quotes are off
    static function removeMagicQuotes($data)
    {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $newdata = array();
            foreach ($data as $name => $value) {
                $name = stripslashes($name);
                if (is_array($value)) {
                    $newdata[$name] = self::removeMagicQuotes($value);
                } else {
                    $newdata[$name] = stripslashes($value);
                }
            }
            return $newdata;
        }
        return $data;
    }
}
If I have a variable such as $subject = $_POST['subject'], then how do I use the above code to clean the variable? I mean, how do I call the class written above to return the clean subject?
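The script below is an added example and is not code from the original post, from popoon or from Shiflett. It answers the two questions above in working code: basicClean() is declared static, so it is called as popoon_classes_externalinput::basicClean($string) with no object; and the quoted advice to keep the database free of HTML encoding is followed by storing the cleaned plain text as typed (quotes included), searching on that text, and calling htmlspecialchars() only when the HTML page is rendered. It swaps in a PDO prepared statement for the mysql_real_escape_string() mentioned in the quote. Assumptions not found on the page: the class above is saved as externalinput.php next to this script (hypothetical file name), the pdo_sqlite extension is available (bundled with most PHP CLI builds), and $_POST is filled with constructed sample data so the script runs from the command line. Note that on PHP 8 the class only loads if its get_magic_quotes_gpc() calls are guarded with function_exists(), since that function was removed.

```php
<?php
// Added example (not from the original post, popoon or Shiflett): call the
// static basicClean() on POSTed fields, store plain text with a prepared
// statement, search it, and HTML-encode only at output time.
declare(strict_types=1);

require_once __DIR__ . '/externalinput.php'; // hypothetical file name holding the class above

// Constructed sample submission standing in for a real form post.
$_POST = [
    'subject'   => 'O\'Reilly on <script>alert(1)</script> "input"',
    'story'     => 'A story with <b>bold</b> text and a <a href="javascript:alert(2)">link</a>',
    'titletext' => 'Typed as &lt;plain text&gt;',
];

/**
 * Reduce one form field to plain text. basicClean() removes the constructs it
 * knows about (script/style/object/... tags, on* attributes, javascript: URLs)
 * and keeps pre-encoded entities such as &lt; as text; strip_tags() then drops
 * any remaining markup, because this site wants no HTML at all in these fields.
 * Apostrophes and double quotes are left exactly as the user typed them.
 */
function fieldAsPlainText(string $name): string
{
    $raw = $_POST[$name] ?? '';
    if (!is_string($raw)) {          // a field sent as an array is not a story
        $raw = '';
    }
    $cleaned = popoon_classes_externalinput::basicClean($raw);
    return trim(strip_tags($cleaned));
}

$subject   = fieldAsPlainText('subject');
$story     = fieldAsPlainText('story');
$titletext = fieldAsPlainText('titletext');

// Store the plain text. The prepared statement keeps data and SQL apart, so the
// apostrophe in O'Reilly is stored as-is and never becomes part of the query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (id INTEGER PRIMARY KEY, subject TEXT, story TEXT, titletext TEXT)');
$insert = $db->prepare('INSERT INTO stories (subject, story, titletext) VALUES (:subject, :story, :titletext)');
$insert->execute([':subject' => $subject, ':story' => $story, ':titletext' => $titletext]);

// Searching matches what the user typed, because nothing was HTML-encoded before
// storage. Had the apostrophe been stored as the entity &#039; (what
// htmlentities() with ENT_QUOTES writes), this LIKE would not find the row.
$search = $db->prepare('SELECT subject, story, titletext FROM stories WHERE subject LIKE :needle');
$search->execute([':needle' => "%O'Reilly%"]);
$rows = $search->fetchAll(PDO::FETCH_ASSOC);

/** Encode for an HTML text or quoted-attribute context; used only when rendering HTML. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

echo "<ul>\n";
foreach ($rows as $row) {
    // Every value crosses into the HTML document through h(); the database
    // keeps the plain text and can feed any other format directly.
    echo '  <li title="' . h($row['titletext']) . '"><strong>' . h($row['subject']) . '</strong>: '
        . h($row['story']) . "</li>\n";
}
echo "</ul>\n";
```

Run it with php on the command line and the printed list contains the submitted text with every angle bracket, ampersand and quote encoded. The encoder in h() is right for HTML body text and double-quoted attribute values only; a value placed inside a JavaScript string, a URL or a CSS declaration needs the encoder for that context, which is why the encoding is tied to the output statement rather than done once at input.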