Re: Preventing SQL Injection/ Cross Site Scripting

On 21/04/07, Tim <user@xxxxxxxxxxxxx> wrote:
>
>
> > -----Original Message-----
> > From: Dotan Cohen [mailto:dotancohen@xxxxxxxxx]
> > Sent: Saturday, 21 April 2007 03:08
> > To: php php
> > Subject: Preventing SQL Injection/ Cross Site Scripting
> >
> > I've got a comments form that I'd like to harden against SQL Injection
> > / XSS attacks. The data is stored in UTF-8 in a mysql database. I
> > currently parse the data as such:
> >
> ...
> > The first statement doubles up quotes, it's a bit difficult
> > to see in the code.
> >
> > After seeing this:
> > http://ha.ckers.org/xss.html
> > and another similar one for SQL injection, I'm worried that my filters
> > are not enough. What do the pro php programmers out there use?
>
> SQL and XSS attacks are two different issues that should each be addressed
> accordingly at the right time...
>
> XSS attacks should be parsed when the form is "checked", SQL should be
> addressed when you are putting the actual information in the database.
The information is inserted into the database right after it is checked.
> PHP has several functions that address SQL injection issues, for example as
> stated: mysql_real_escape_string(); which will "safely" escape any data used
> in an SQL statement to evade SQL injection. That's a good first measure
> anyways...
Yes, that is the second to last function that I'm using.
> Second, a measure that I take for both XSS and SQL is instead of escaping
> certain data, I only "allow" certain data that I consider safe for display
> on a web site..
Although I can semicolons and the like, greater than and less than signs I want to keep as there are some rather witty people from the Mathematics faculty who will be using the comments. I'll str_replace() them to &gt; and &lt; however.
> I recommend you dig deeper into that XSS page; you might even find a script
> that filters XSS.. You might even be able to modify it to suit your needs
> and/or to harden/better it...
Obviously I keep missing it. I've reread it twice since you mention there is a filter script and can't find it. I've followed most of the links as well. I'll keep looking.
Dotan Cohen
http://what-is-what.com/what_is/blog.html
http://ultu.com
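The two-step approach Tim describes (input check, then SQL safety at insert time, then escaping at output time) as an added PHP example; this is not code from the thread, and it assumes a hypothetical `comments(author, body)` table and placeholder PDO credentials. It uses a prepared statement instead of quote-doubling or mysql_real_escape_string(), and htmlspecialchars() instead of a bare str_replace() of < and >, so quotes inside attributes are covered as well.

```php
<?php
// Added example, not code from the thread. It separates the two concerns Tim
// describes: SQL safety at insert time, XSS safety at output time.
// Assumes a table `comments(author VARCHAR(100), body TEXT)` (hypothetical)
// and a PDO connection; the DSN and credentials below are placeholders.

// Input check, allow-list style: reject malformed UTF-8 and enforce length
// limits instead of trying to strip characters that look dangerous.
function validate_comment(string $author, string $body): ?array
{
    if (!mb_check_encoding($author, 'UTF-8') || !mb_check_encoding($body, 'UTF-8')) {
        return null;
    }
    $author = trim($author);
    $body   = trim($body);
    if ($author === '' || mb_strlen($author) > 100 || $body === '' || mb_strlen($body) > 4000) {
        return null;
    }
    return ['author' => $author, 'body' => $body];
}

// SQL side: with a prepared statement the comment text is never interpolated
// into the query, so neither quote-doubling nor mysql_real_escape_string() is needed.
function store_comment(PDO $db, array $c): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $c['author'], ':body' => $c['body']]);
}

// XSS side: escape when rendering. htmlspecialchars() with ENT_QUOTES handles
// < > & " ' in one call, so the "<" and ">" the Mathematics faculty type still
// display as &lt; and &gt;, while quotes that could break out of an attribute
// are neutralised too (a bare str_replace() of < and > misses those).
function render_comment(array $c): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $h($c['author']) . '</b>: ' . $h($c['body']) . '</p>';
}

// Wiring it together for a POSTed form.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$comment = validate_comment($_POST['author'] ?? '', $_POST['body'] ?? '');
if ($comment !== null) {
    store_comment($db, $comment);
    echo render_comment($comment);
}
```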
