Hi Dotan,

Why not use mysql_escape_string()?

On 4/20/07, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
> I've got a comments form that I'd like to harden against SQL Injection / XSS
> attacks. The data is stored in UTF-8 in a mysql database. I currently parse
> the data as such:
>
> $_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]); // q->qq
> $_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]); // -- -> x
> $_POST["commentform"]=str_replace (";", "", $_POST["commentform"]); // ; -> x
> $_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]); // = -> x
> $_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]);
> $_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]); // empty pattern: matches at every position, so this inserts '' between every character
> $_POST["commentform"]=htmlspecialchars( mysql_real_escape_string ($_POST["commentform"]) );
>
> The first statement doubles up quotes, it's a bit difficult to see in the
> code. After seeing this:
>
> http://ha.ckers.org/xss.html
>
> and another similar one for SQL injection, I'm worried that my filters are
> not enough. What do the pro php programmers out there use?
>
> Thanks in advance.
>
> Dotan Cohen
> http://lyricslist.com/
> http://what-is-what.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
--
Leonard Burton, N9URK
http://www.jiffyslides.com
service@xxxxxxxxxxxxxxx
leonardburton@xxxxxxxxx

"The prolonged evacuation would have dramatically affected the survivability of the occupants."
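The quoted filter chain tries to recognise dangerous keywords in the comment text, which is why the linked XSS cheat sheet is worrying: a blocklist can always be bypassed by a spelling it does not list, and it also mangles legitimate text (every "=" and "--" in a normal comment disappears). The two problems the post names have separate, keyword-free defenses: SQL injection is prevented by keeping the comment out of the SQL string altogether with a prepared statement, and XSS is prevented by encoding the comment for HTML at the moment it is written into a page. The example below is an editor's addition, not code from the thread; it assumes the mysqli extension, a table `comments(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`, and placeholder connection details. (The `mysql_*` functions discussed in the thread, including mysql_escape_string(), were removed in PHP 7, so the example uses mysqli.)

```php
<?php
// Added example (not from the original thread). Store a comment with a
// prepared statement and encode it for HTML at output time; no keyword
// blocklist is involved. Assumed schema: comments(id INT AUTO_INCREMENT
// PRIMARY KEY, body TEXT). Connection values below are placeholders.

declare(strict_types=1);

function saveComment(mysqli $db, string $body): int
{
    // The comment travels as a bound parameter, never inside the SQL text,
    // so quotes, "--", ";" or "=" in it cannot change the query's structure.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

function loadComment(mysqli $db, int $id): ?string
{
    // Same rule on the read side: the id is bound, not interpolated.
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Encode for an HTML text node. ENT_QUOTES also encodes the single quote
// (needed if the value is ever placed in a single-quoted attribute);
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ""
// for the whole string; the explicit charset matches the stored UTF-8 data.
function renderComment(string $body): string
{
    return '<p class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// The encoding step needs no database and can be checked directly.
// Constructed sample: markup plus the characters the thread's filters strip.
// Unlike the blocklist, the encoder leaves the apostrophe in "O'Neil" intact
// and readable while making the tags inert.
$sample   = "<script src=x>alert('x')</script> -- ; = O'Neil";
$expected = '<p class="comment">&lt;script src=x&gt;alert(&#039;x&#039;)'
          . '&lt;/script&gt; -- ; = O&#039;Neil</p>';
if (renderComment($sample) !== $expected) {
    throw new RuntimeException('HTML encoding did not produce the expected output');
}
echo $expected, "\n";

// Full round trip (requires a live database; placeholder credentials):
// $db = new mysqli('localhost', 'user', 'password', 'site');
// $db->set_charset('utf8mb4');   // keep client charset in step with the data
// $id = saveComment($db, $_POST['commentform'] ?? '');
// echo renderComment(loadComment($db, $id) ?? '');
```

Note the order of operations compared with the quoted code: the raw comment is stored unchanged, and encoding happens only in renderComment(), at output. Applying htmlspecialchars() before storage, as the last line of the quoted chain does, bakes one output context into the database and breaks any later use of the text (plain-text e-mail, JSON, a different template), while escaping for SQL and HTML in a single expression makes it easy to lose track of which transformation has already been applied.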