
form protection

Discussion in 'PHP' started by roice, Oct 7, 2010.

  1. SamT

    SamT Peon

    #21
    addslashes/stripslashes are functions people will often use to escape stuff for the database. You won't be using those because they still carry the possibility for unsafe data. What you think and what your users do are two very different things. You need to assume the user is out to destroy your website and protect it accordingly. You shouldn't have any issues with slashes; I don't know why we are still on this subject.

    strip_tags has been known to let things go that shouldn't. htmlspecialchars has less of a reputation, so use that.

    As far as the code block you posted, it works the same, but what I am saying is don't take that approach of trying to sanitize every bit of data contained in $_POST, $_GET, and $_COOKIE. It creates unnecessary processing on the script side.

    If you are posting two variables to a page, say 'username' and 'password', then do this:
    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);

    // Only the value that actually reaches a query is also escaped for MySQL.
    $username = mysql_real_escape_string($username);
    $sql = "SELECT * FROM users WHERE username = '$username'";
    $result = mysql_query($sql);
    $row = mysql_fetch_assoc($result);
    // ...
    Run htmlspecialchars() on each input variable as you input them one at a time. Only if you end up using it in a query, then go ahead and run mysql_real_escape_string() on it.
     
    SamT, Oct 24, 2010 IP
  2. scriptinstaller

    scriptinstaller Peon

    #22
    No, not a replacement... only to remove it. But to be safe, leave the htmlspecialchars() as well.

    htmlspecialchars(strip_tags($output)); // no need to output nasties, and be sure not to output nasties in nasty form, but htmlspecialchars should be efficient enough

    strip_tags only works on, say, <p> but wouldn't be good on something like <p style="<nasty java stuphs here>"> or something to that effect. Sorry, I'm not a hacker, but they can pass stuff inside like that, as strip_tags is not a remove-all-tags function.
     
    scriptinstaller, Oct 24, 2010 IP
  3. scriptinstaller

    scriptinstaller Peon

    #23

    No, not practical or helpful. You're manipulating data that you may need in its raw form.
    Only escape data going into a database query, and don't write a function for your query to do this. Do it when you assign it and sanitize it right away.
    I always waste some memory on form input.

    If it's a string for a db query:
    $moo = mysql_real_escape_string($_POST['moo']);
    If I know it's supposed to be an integer, no sense escaping; make sure it's an int :D
    $int = intval($_POST['int']);

    // then I sanitize for what's acceptable for these fields,
    such as checking for valid characters (if not certain characters, error back),
    checking string length,
    yada yada yada

    if error
    echo htmlspecialchars($moo);

    if not
    db_query("select `moo` from `do` where `field` = '?' AND field2 = $int LIMIT 1;", $moo);
     
    scriptinstaller, Oct 24, 2010 IP
  4. roice

    roice Peon

    #24
    Thanks scriptinstaller
    -------------------------------------------------------------------------

    If I understood you right, in your example you used "htmlspecialchars" while you don't need to, because you are not printing the variable to the screen...
    You only need "mysql_real_escape_string" (like you used).
     
    roice, Oct 24, 2010 IP
  5. roice

    roice Peon

    #25
    And if I'm not?
    Should I still use "mysql_real_escape_string" for "$page" before pulling data from the DB?
     
    roice, Oct 24, 2010 IP
  6. roice

    roice Peon

    #26
    Just to be sure:
    If I have this code:
    $query = mysql_query("SELECT `choice`, `name` FROM `survey`");
    while ($index = mysql_fetch_array($query)) {
        $choice = $index['choice'];
        $name = $index['name'];
        echo $choice;
    }
    Then I need to add "htmlspecialchars" here:
    $choice = htmlspecialchars($index['choice']);
    echo $choice;

    (The variable "choice" was added into the DB by some user with some form.)
    Right?

    If yes, can I instead do htmlspecialchars($index) and then $choice = $index['choice'];?
     
    Last edited: Oct 24, 2010
    roice, Oct 24, 2010 IP
  7. SamT

    SamT Peon

    #27
    I always htmlspecialchars() my input because you never know if you are going to want to display it to the screen; plus, what goes into the database will come out of the database eventually.

    Let's say someone sets their username as "<script>alert('xss here');</script>", and you didn't use htmlspecialchars() on it.
    You can mysql_real_escape_string() that value and it will be safe for the database. If the user is just signing up for that name, it will insert it into the database as is. When you go back to display the username, you will have XSS.

    Now, let's say you do use htmlspecialchars() on the registration; their username is now "&lt;script&gt;alert('xss here')&lt;/script&gt;" in the database. After that, you are logging them in with a different script and you do not use htmlspecialchars() on your input. Although you are not outputting directly what they said to the screen, you still have to compare it to the stored value in the database, and the two strings do not match. That's why, to be safe and consistent, I always use htmlspecialchars() on every string value I take into my scripts.
     
    SamT, Oct 24, 2010 IP
  8. roice

    roice Peon

    #28
    OK, gotcha...

    Can you please take a look at my two other questions above?
     
    roice, Oct 24, 2010 IP
  9. roice

    roice Peon

    #29
    If I have this code:
    $query = mysql_query("SELECT `choice`, `name` FROM `survey`");
    while ($index = mysql_fetch_array($query)) {
        $choice = $index['choice'];
        $name = $index['name'];
        echo $choice;
    }
    Then I need to add "htmlspecialchars" here:
    $choice = htmlspecialchars($index['choice']);
    echo $choice;

    (The variable "choice" was added into the DB by some user with some form.)
    Right?

    If yes, can I do htmlspecialchars($index) and then $choice = $index['choice'];?
     
    roice, Oct 26, 2010 IP
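The two scenarios SamT describes in #27 (store the raw username and get XSS at display time; encode it at registration and the login comparison no longer matches) together with roice's question in #26/#29 about encoding a whole fetched row, as an added example that is not code from the thread. It swaps PDO prepared statements and an in-memory SQLite table for the thread's mysql_* calls so it runs stand-alone, and assumes the pdo_sqlite extension is loaded; the table names, the `h()` and `userExists()` helpers and the sample values are constructed for the example.

```php
<?php
// Added example, not code from the thread: round-trips SamT's hostile
// username through an in-memory SQLite table. PDO prepared statements stand
// in for the thread's mysql_real_escape_string() so the script runs offline;
// assumes the pdo_sqlite extension is loaded.

function h(string $s): string
{
    // Encode at the moment of output; ENT_QUOTES also covers ' and ".
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function userExists(PDO $db, string $username): bool
{
    $st = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $st->execute([$username]);
    return (int) $st->fetchColumn() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->exec('CREATE TABLE survey (choice TEXT, name TEXT)');

$hostile = "<script>alert('xss here');</script>";  // constructed sample input

// Registration (SamT's first scenario): the bound parameter is safe for SQL
// as-is, so the raw string is what lands in the table.
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute([$hostile]);

// Login (SamT's second scenario): the lookup succeeds only when login applies
// the same transformation registration did. The raw value finds the row; the
// htmlspecialchars()'d copy of it does not.
var_dump(userExists($db, $hostile));
var_dump(userExists($db, h($hostile)));

// Display: the stored value is harmless in HTML because it is encoded when
// echoed, regardless of how it was stored.
echo h($hostile), "\n";

// roice's question: encode every column of a fetched row in one step.
$db->prepare('INSERT INTO survey VALUES (?, ?)')->execute([$hostile, 'Alice <b>']);
$st = $db->query('SELECT choice, name FROM survey');
while ($row = $st->fetch(PDO::FETCH_ASSOC)) {
    $safe = array_map('h', $row);  // htmlspecialchars() over the whole row
    echo $safe['choice'], ' chosen by ', $safe['name'], "\n";
}
```

Whichever side of the thread's debate you take, the script shows the one property that matters: the transformation applied to a value must be the same everywhere it is compared, and HTML encoding must happen where the value is echoed.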