
Security Questions

Dan

I've never really worried much about security, but I'm going to start doing it a lot more.

I don't think I will really have a problem because of how I am working the site, but if they really want to hack it, it's possible. (With no security, it would still be hard.)

Users are going to be submitting sites to www.css.la and I want to make sure no SQL injection is used.

It has an admin panel where submissions are sent, so if they mess with queries, only I would see it until I accept or decline it.

I've seen people say to stripslashes(mysql_real_escape_string($string)) the data and a bunch of other ways.

How do you think I should censor the data?
 
0
This is what I use

PHP:
/**
 * Sanitizes input fields
 * Thanks to: SecondVersion (Eric) from NamePros.com
 *
 * @param  string $value  raw user input
 * @return string         input with tags, script blocks and a few entities removed
 */
function sanitize($value)
{
  // Add slashes only if PHP's magic quotes have not already done so.
  // (Magic quotes and get_magic_quotes_gpc() no longer exist in PHP 8.)
  $value = (!get_magic_quotes_gpc()) ? trim(addslashes(strip_tags($value))) : trim(strip_tags($value));
  // Whole script/applet/object/iframe/style/form blocks, any remaining tag,
  // whitespace runs after a newline, and the &amp; &lt; &gt; entities.
  $search = array('@<script[^>]*?>.*?</script>@si',
                  '@<applet[^>]*?>.*?</applet>@si',
                  '@<object[^>]*?>.*?</object>@si',
                  '@<iframe[^>]*?>.*?</iframe>@si',
                  '@<style[^>]*?>.*?</style>@si',
                  '@<form[^>]*?>.*?</form>@si',
                  '@<[\/\!]*?[^<>]*?>@si',
                  '@([\r\n])[\s]+@',
                  '@&(amp|#38);@i',
                  '@&(lt|#60);@i',
                  '@&(gt|#62);@i'
                 );
  // One empty replacement per pattern above (11 in total).
  $replace = array('','','','','','','','','','','');
  $value = preg_replace($search, $replace, $value);
  return $value;
}

SV wrote it, so you know it's good ;)

But from what I've heard, MySQL is pretty injection-proof all by itself, as it doesn't allow "stacked queries."
 
1
http://us3.php.net/preg_replace .. SV almost wrote it. :0

I'm mainly looking for ways to stop MySQL injection (so things with quotes), as users never see what someone submits until I accept it. Even if they do something, and mess up the admin panel, I can delete it from phpMyAdmin.

If they really wanted to do something, they could do stuff with the emails I am going to make it send. But that would take a long time and I don't think it would even be worth it. (If I just use the cPanel password protect folders, I don't think they could do anything, ever.)
 
0
You shouldn't only worry about MySQL Injections--there are still other ways of getting hacked... like Cross Site Scripting.
 
0
I know what that is and have already built a hidden input field to stop it.

<input type="hidden" id="hidden" />

I use JS to mod that with a name and value, so looking at my source code doesn't make it obvious that you need another value. It might confuse someone looking to try and do it.
 
0
Dan Friedman said:
http://us3.php.net/preg_replace .. SV almost wrote it. :0

I'm mainly looking for ways to stop MySQL injection (so things with quotes), as users never see what someone submits until I accept it. Even if they do something, and mess up the admin panel, I can delete it from phpMyAdmin.

If they really wanted to do something, they could do stuff with the emails I am going to make it send. But that would take a long time and I don't think it would even be worth it. (If I just use the cPanel password protect folders, I don't think they could do anything, ever.)
MySQL injections can also be in the form of dropping your tables. If you get your tables dropped, your information is lost.

:o

I'm recommending the code above.

-Steve
 
0
Dan Friedman said:
http://us3.php.net/preg_replace .. SV almost wrote it. :0

I'm mainly looking for ways to stop MySQL injection (so things with quotes), as users never see what someone submits until I accept it. Even if they do something, and mess up the admin panel, I can delete it from phpMyAdmin.

If they really wanted to do something, they could do stuff with the emails I am going to make it send. But that would take a long time and I don't think it would even be worth it. (If I just use the cPanel password protect folders, I don't think they could do anything, ever.)
Umm.. actually, I did write it ;)

An updated version of that would be:
PHP:
/*
@param  string  Data to be cleaned
@param  bool    Strip \r\n ?
@return string
*/
function sanitize($data, $strip_clrf = true)
{
    $search = array('@<script[^>]*?>.*?</script>@si',
        '@<applet[^>]*?>.*?</applet>@si',
        '@<object[^>]*?>.*?</object>@si',
        '@<iframe[^>]*?>.*?</iframe>@si',
        '@<style[^>]*?>.*?</style>@si',
        '@<form[^>]*?>.*?</form>@si',
        '@<[\/\!]*?[^<>]*?>@si',
        '@&(lt|#60);@i',
        '@&(gt|#62);@i'
    );
    
    if ($strip_clrf)
    {
        $search[] = '@([\r\n])[\s]+@';
    }
    
    return preg_replace($search, '', strip_tags($data));
}
You have my MySQL class (at least I think I showed it to you?). If not, there's also this:
PHP:
/*
@param  string  Data to be sanitized
@return string
*/
function prep($data)
{
    $data = trim(stripslashes($data));

    if (function_exists('mysql_real_escape_string'))
    {
        $data = mysql_real_escape_string($data);
    }
    else
    {
        $data = addslashes($data);
    }

    return $data;
}
 
0
Here's another code I found on PHP.net. Should work well.

PHP:
<?php
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
   OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));

mysql_query($query);
?>
 
0
I've made a couple of versions of my own MySQL class.

I know slashes are bad for a text file as they aren't automatically converted back. They are from MySQL, though, right? :X

XSS won't happen. ;)
 
0
If you have access to PEAR::DB, there are some built-in features to sanitize your queries.
 
0
This function does the job for me:

PHP:
// Overwrite every $_POST / $_GET value in place with an HTML-encoded,
// tag-stripped, slash-stripped copy. The $$key variables are local to
// this function and are discarded when it returns.
function cleanall()
{
    foreach ($_POST as $key => $val)
    {
        $_POST[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
    foreach ($_GET as $key => $val)
    {
        $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
        $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
    }
}

Also, I would suggest getting hold of a vBulletin file and viewing the class_core.php file... it has some neat functions that will help you. I use a lot of my security functions from vB and it helps me a lot.
 
0
I simply use htmlentities(addslashes($string)), then to display the string again, use stripslashes($string). It's worked so far for me.
 
0
hairyfreak said:
I simply use htmlentities(addslashes($string)), then to display the string again, use stripslashes($string). It's worked so far for me.
Actually you shouldn't do that. When magic quotes are on that just adds double slashes, and there is no need to use stripslashes() when getting something out of the database.

Here is the function I use
PHP:
function escape_string($string) {
    // Undo magic quotes first so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Prefer the MySQL-aware escaper; fall back to addslashes() without ext/mysql
    if (function_exists("mysql_real_escape_string")) {
        $string = mysql_real_escape_string($string);
    } else {
        $string = addslashes($string);
    }
    return $string;
}
 
0
hanz said:
Actually you shouldn't do that. When magic quotes are on that just adds double slashes, and there is no need to use stripslashes() when getting something out of the database.

He is correct. Before using stripslashes or addslashes you should check whether magic_globals is enabled or not; otherwise you could be adding/stripping slashes when not needed.

The best way is to just use something like mysql_real_escape_string (there are functions for quite a few database engines).

Dan Friedman said:
I know what that is and have already built a hidden input field to stop it.

<input type="hidden" id="hidden" />

I use JS to mod that with a name and value, so looking at my source code doesn't make it obvious that you need another value. It might confuse someone looking to try and do it.

That is one of the weakest ways to try and protect a site. What would be there to stop me writing my own version of the form or turning JavaScript off? Anything to do with security should be done SERVER side. It is OK to do a security check client side, but ALWAYS check the same thing server side.
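An added example, not code from the thread or from any poster: it does the same job as the prep()/quote_smart() helpers above, but with PDO prepared statements so the submitted data never becomes part of the SQL text, and it runs its checks server side whatever the form's JavaScript did. The `submissions` table, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the thread. Stores a site submission for the admin
// queue with PDO prepared statements; validation runs server side regardless of
// the client-side form. Table `submissions`, DSN and credentials are placeholders.
declare(strict_types=1);

function validate_submission(array $post): array
{
    $name = trim((string)($post['name'] ?? ''));
    $url  = trim((string)($post['url'] ?? ''));
    $desc = trim((string)($post['description'] ?? ''));
    $errors = [];
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 bytes';
    }
    // Reject anything that is not a well-formed http(s) URL, so stored links
    // cannot carry other schemes into the admin panel later.
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors[] = 'url must be an http(s) URL';
    }
    if (strlen($desc) > 1000) {
        $errors[] = 'description must be at most 1000 bytes';
    }
    return ['errors' => $errors, 'data' => ['name' => $name, 'url' => $url, 'description' => $desc]];
}

function store_submission(PDO $db, array $data): int
{
    // Values are bound to placeholders, never concatenated into the SQL text,
    // so quotes, comment markers or "DROP TABLE" in the input are stored as plain data.
    $stmt = $db->prepare(
        'INSERT INTO submissions (name, url, description, submitted_at)
         VALUES (:name, :url, :description, NOW())'
    );
    $stmt->execute([':name' => $data['name'], ':url' => $data['url'], ':description' => $data['description']]);
    return (int)$db->lastInsertId();
}

$db = new PDO('mysql:host=localhost;dbname=cssla;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$check = validate_submission($_POST);
if ($check['errors'] === []) {
    store_submission($db, $check['data']);
} else {
    http_response_code(400); // report $check['errors'] back to the submitter
}
```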
 
0
filth@flexiwebhost said:
That is one of the weakest ways to try and protect a site. What would be there to stop me writing my own version of the form or turning JavaScript off? Anything to do with security should be done SERVER side. It is OK to do a security check client side, but ALWAYS check the same thing server side.

^^

I've been racking my brain on this but how exactly does the hidden field stop xss? At least in theory
 
0
I didn't mean the form would stop XSS, but that I would have the site do it. :/

Also, I'm not sure why you think XSS is a big deal.. it's not like one line of PHP could stop it or anything.. -_-

I'm most likely going to be combining some of the functions that have been posted.
 
0
It can't stop XSS, but it is possible to help stop automatic submissions, although any decent tool that auto-submits forms would check the form for hidden form fields.
 
0
filth, no bot would be able to submit my form.. unless you made it just to do it.

<input id="hidden" type="hidden" /> would not be submitted with PHP (at least I don't think so..). It has no name and no value.
 
0
ahh ok...

I was going nuts trying to figure out the hidden field thing.

For auto-submission:
I personally like/use Captcha images.
XSS:
I like/use htmlspecialchars() and set register_globals = OFF
SQL Injection:
A lot of what's mentioned above is great.
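An added example, not code from the thread: the htmlspecialchars() approach mentioned above applied at output time in the admin panel, once per output context (text, attribute, href), with the stored submission row constructed here as sample data.

```php
<?php
// Added example, not from the thread. Submissions are stored raw and encoded
// only when rendered; the sample $row below is constructed for the demo.
declare(strict_types=1);

// Text and attribute context: encode all five HTML-significant characters,
// replace invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href context: encoding alone does not help, because a stored "javascript:"
// URL is still a valid attribute value. Only http(s) links are rendered.
function safe_href(string $url): string
{
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

function render_submission(array $row): string
{
    return '<li><a href="' . safe_href($row['url']) . '" rel="noopener noreferrer">'
         . h($row['name']) . '</a>: ' . h($row['description']) . '</li>';
}

// Constructed sample: a submission whose fields were stored exactly as typed.
$row = [
    'name'        => 'Example "Site" <b>',
    'url'         => 'javascript:void(0)',
    'description' => '<script>alert(1)</script> & more',
];
echo render_submission($row), "\n";
```

The script and markup in the description come out as literal text and the non-http link is replaced by `#`, without any of the input having been altered in the database.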
 
0
The hidden field turned into:
<input type="hidden" id="hidden" name="js" value="submit" />

I will remove that and use Captcha images and most likely the functions SV posted with a little added from other posts and some taken out.
 
0