Is this secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nsx
Forum Newbie
Posts: 1
Joined: Tue Jan 25, 2011 11:04 am

Is this secure?

Post by nsx »

Heya, I'm basically making a simple forum script integrated with a website. I want to protect myself from SQL injection and XSS, so I figured I'd use PDO prepared statements and simple strip_tags. I'm still fairly new to PHP, so I don't have the knowledge of all possible ways to protect myself.
The script looks like this:

Code:

$postbody = $_POST['postbody'] ; // I get the message body and do NOT process it while writing to the database, except checking that it doesn't exceed the allowed size.

// the writing part
// The column list names eight columns, so the VALUES list and the bound
// parameters below must supply all eight, or execute() fails.

$prep = $sql->prepare("INSERT INTO `a_forum_posts` (`created`, `account_id`, `forum_id`, `character`, `parent`, `title`, `body`, `class`)
        VALUES (:created, :acc_id, :fid, :character, :parent, :title, :postbody, :class)", array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)) ;

$prep->execute(array(':created'   => time(),
                     ':acc_id'    => $account_logged->getId(),
                     ':fid'       => $fid,
                     ':character' => $poster_info['pname'],
                     ':parent'    => $parent, // assumed variable, not shown in the original post
                     ':title'     => $title,  // assumed variable, not shown in the original post
                     ':postbody'  => $postbody,
                     ':class'     => $poster_info['level'] .' '. myGetVoc($poster_info['voc'], $poster_info['promo']))) ;
Now before I output the result I filter it with a function similar to this:

Code:

function decodePost($str) {
	$search = array('[b]', '[/b]') ; // a lot more of bb code conversion...
	$replace = array('<b>', '</b>') ;
	return str_ireplace($search, $replace, nl2br(strip_tags($str))) ;
}
The question is: is this XSS and SQL injection safe?
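A hardened take on the decodePost() idea, added here as an example and not code from the original post: it encodes the raw body first and only then maps a fixed BBCode whitelist to HTML, and it adds a [url] handler (the tag set is an assumption) that accepts only absolute http/https links.

```php
<?php
// Added example, not from the thread. Order matters: htmlspecialchars() first,
// so the only '<' / '"' that reach the browser are the ones this function emits.
function decodePostSafe(string $str): string
{
    // 1. Neutralise every HTML-significant character, quotes included.
    $safe = htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Simple paired tags (assumed whitelist): literal replacement is fine
    //    because the input can no longer contain raw '<' or '"' here.
    $map = [
        '[b]' => '<b>', '[/b]' => '</b>',
        '[i]' => '<i>', '[/i]' => '</i>',
        '[u]' => '<u>', '[/u]' => '</u>',
    ];
    $safe = str_ireplace(array_keys($map), array_values($map), $safe);

    // 3. [url=...]text[/url]: the attribute value is user-controlled, so
    //    accept only absolute http(s) URLs and re-encode before emitting.
    $safe = preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~is',
        static function (array $m): string {
            // undo step 1 on the URL so '&amp;' etc. are inspected as written
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[2]; // drop the link, keep its already-escaped text
            }
            $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // 4. Line breaks last, so none of the steps above see the <br> tags.
    return nl2br($safe, false);
}

// Constructed sample input, not from the thread.
$body = "2 < 3 & \"quoted\" [b]bold[/b]\n[url=https://example.com]site[/url]";
echo decodePostSafe($body), PHP_EOL;
```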
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Is this secure?

Post by social_experiment »

(SQL) injection is mostly stopped by using mysql_real_escape_string(), but I've looked at some PDO examples (where queries are prepared) and none of them use it, no idea if this is built-in (the escaping of user input). Here's one of the examples I found

Code:

<?php
// Prepare and execute the query
$query = $dbh->prepare("SELECT sku, name FROM product ORDER BY name");
$query->execute();
// fetch() belongs to the statement, not the connection, and the constant is PDO::FETCH_ASSOC
while ($row = $query->fetch(PDO::FETCH_ASSOC)) {
    $sku = $row['sku'];
    $name = $row['name'];
    // column values are echoed unescaped here; see the htmlentities() note below
    echo "Product: $name ($sku) <br />";
}
?>
You could also take a look at htmlentities() to stop XSS.
Hth
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Technocrat
Forum Contributor
Posts: 127
Joined: Thu Oct 20, 2005 7:01 pm

Re: Is this secure?

Post by Technocrat »
