I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:
$_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]);
// q->qq
$_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]);
// -- -> x
$_POST["commentform"]=str_replace (";", "", $_POST["commentform"]);
// ; -> x
$_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]);
// = -> x
$_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]);
$_POST["commentform"]=htmlspecialchars( mysql_real_escape_string
($_POST["commentform"]) );
The first statement doubles up quotes, it's a bit difficult to see in the code.
After seeing this:
http://ha.ckers.org/xss.html
and another similar one for SQL injection, I'm worried that my filters
are not enough. What do the pro php programers out there use?
Thanks in advance.
Dotan Cohen
http://lyricslist.com/
http://what-is-what.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
