
XSS Problem

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


Postby LORDTEK » Thu Jul 28, 2011 3:42 am

Hello there,

The security guys told me to "Encode the ', ", -, +, (, ), &, %, #, <, > signs when you get data."

But I think differently... The user can enter any bad content without SQL injection. Then the system would encode it when pulling the data out to show to the user.

What do you think?
LORDTEK
New php-forum User
Posts: 1
Joined: Thu Jul 28, 2011 3:33 am

Re: XSS Problem

Postby TheProdigyGuy » Sat Jan 21, 2012 3:36 pm

Of course it depends on the situation (e.g. on the vulnerability).
But I think if you encode those characters, e.g. with htmlentities($data):
& will become &amp;
< will become &lt;, > will become &gt;, etc.
It depends on how your script pulls it back to the user. If it is htmlentities'd, it is safe from XSS and the user's browser will not render it; it is displayed as-is in the user's browser:
For example:

<?php
// htmlentities() turns the markup into inert text; the browser shows it instead of running it
$data = htmlentities('<script>alert(document.cookie);</script>');
echo $data;
// &lt;script&gt;alert(document.cookie);&lt;/script&gt;
?>

It is safe for now: &lt;script&gt;alert(document.cookie);&lt;/script&gt;

With SQL injections:
Here is my custom function :D

<?php
// error_reporting() takes an integer level, not the string 'OFF'; 0 turns reporting off
error_reporting(0);
define("INTERNAL", "antisqlinjectionmodule");

// Blacklist filter: with $die=1 (default) every listed token is stripped from $string;
// with $die=0 the request is redirected as soon as a listed token is found.
function sanitize(&$string, $die = 1)
{
    $dummy = $string; // untouched copy, used to detect what was removed
    $blacklisted = array("%", "'", "$", "--", "/*", "*", "union", "select", "-",
        "order", ",", "0x", "/",
        "where", "concat", "concat_ws", "group_concat",
        "information_schema", "tables", "columns",
        "hex", "table_name", "column_name", "distinct",
        "/*!", "*/", "into", "load_file",
        "outfile", "truncate", "drop",
        "delete", ";", "+", "substr", "update",
        "schemata", "mysql", "convert", "using", "char", "?", "$", "`", "|",
        "\\", "=", "and", "(", "from", ")",
        ".", "null", "table", "dumpfile", "php",
        "<", ">", "eval", "script", "alert", '"', 'javascript', 'char', 'latin1', 'benchmark');

    // note: header() does not stop the script; call exit after it if the redirect must end the request
    if (empty($string)) {
        @header("Location: index.php");
    }

    foreach ($blacklisted as $black) {
        if ($die == 0) {
            // reject mode: the length changes only if the token occurs in the string
            if (strlen(str_ireplace($black, '', $string)) !== strlen($dummy) || strlen($string) == 0) {
                @header("Location: " . "/index.php");
            }
        } else {
            $string = str_ireplace($black, '', $string); // sanitization: drop the token (case-insensitive)
            $badcharsdetected = str_ireplace($string, '', $dummy); // everything removed so far
        }
    }
    unset($black);
}

// Pass your string to this function by reference and that's all, it will sanitize it for you)
And it is a bit safer than using preg_* functions (there is a minimal chance to bypass that filtering).
Also use mysql_real_escape_string() when you are going to deal with MYSQL QUERIES.
If you expect to get an int, force it to be an int, like this (this is just an example):

<?php
$maycomefromhacker = '-999+Un/**/IoN+sEL/**/ECT+1,2,user,4,5,6+Fr/!*Om*/+mYsql.UsEr--';
// (int) keeps only the leading numeric part and drops the rest of the string
$maycomefromhacker = (int) $maycomefromhacker;
echo $maycomefromhacker;
?>


Output: -999 (We prevented that malicious request this way)
I would like to say again that how to handle and secure your application depends on the situation.
Never Trust The Client Side! That's all)
TheProdigyGuy
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm
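The thread's two points, encode at output time (LORDTEK's question, TheProdigyGuy's htmlentities example) and force expected integers with a cast, put together in one added example. This is editor-written code, not from either poster: it assumes PDO with the SQLite driver is available, and the table name `comments` and the functions `e()`, `addComment()` and `getComment()` are invented for the demo. It stores the raw input unchanged, keeps data out of the SQL text with a prepared statement, and encodes only when rendering, so an ordinary comment containing "select" or "<" survives intact while markup is displayed rather than executed.

```php
<?php
// Added example (editor's, not from the thread). Assumes PDO + SQLite; names are invented.
declare(strict_types=1);

// Output encoding for HTML body and quoted-attribute contexts. ENT_QUOTES also
// encodes ' and ", so the value is safe inside quoted attributes; the charset is
// given explicitly because htmlspecialchars() validates the bytes against it.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Storage: a prepared statement keeps the data out of the query text, so nothing
// has to be stripped or blacklisted before it is saved.
function addComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Lookup: the id is expected to be an integer, so force it, as the post suggests.
function getComment(PDO $db, $id): ?string
{
    $id = (int) $id;
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// In-memory database, constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs: a harmless comment that a token blacklist would mangle,
// and the markup string from the thread.
$samples = [
    "I'd select option 2 & 3 because 5 < 6",
    '<script>alert(document.cookie);</script>',
];

foreach ($samples as $text) {
    $id = addComment($db, $text);
    $stored = getComment($db, $id);

    // The stored value is byte-for-byte what the user typed ...
    assert($stored === $text);

    // ... and only the rendered form is encoded.
    echo '<p>' . e($stored) . "</p>\n";
}
```

Run it with `php example.php` and compare the two printed paragraphs with the database contents: the `select`, `&` and `<` in the first comment are still there in storage but appear as entities in the HTML, and the second comment renders as visible text exactly as the post's htmlentities example does. The `(int)` cast in `getComment()` is the same trick the post applies to `$maycomefromhacker`; with a prepared statement it is no longer what keeps the query safe, but it still documents and enforces what the parameter is expected to be.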

