On Saturday, 21 April 2007 at 13:20, Dotan Cohen wrote:
> On 21/04/07, Tim <user@xxxxxxxxxxxxx> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Dotan Cohen [mailto:dotancohen@xxxxxxxxx]
> > > Sent: Saturday 21 April 2007 03:08
> > > To: php php
> > > Subject: Preventing SQL Injection/ Cross Site Scripting
> > >
> > > I've got a comments form that I'd like to harden against SQL Injection
> > > / XSS attacks. The data is stored in UTF-8 in a mysql database. I
> > > currently parse the data as such:
> > >
> > ...
> > > The first statement doubles up quotes, it's a bit difficult
> > > to see in the code.
> > >
> > > After seeing this:
> > > http://ha.ckers.org/xss.html
> > > and another similar one for SQL injection, I'm worried that my filters
> > > are not enough. What do the pro php programmers out there use?
> >
> > Sql and xss attacks are two different issues that should each be addressed
> > accordingly at the right time...
> >
> > XSS attacks should be parsed when the form is "checked", sql should be
> > addressed when you are putting the actual information in the database.
>
> The information is inserted into the database right after it is checked.
>
> > PHP has several functions that address sql injection issues for example as
> > stated: mysql_real_escape_string(); which will "safely" escape any data used
> > in an sql statement to evade sql injection, that's a good first measure any
> > ways...
>
> Yes, that is the second to last function that I'm using.
>
> > Second, a measure that i take for both xss and sql is instead of escaping
> > certain data, i only "allow" certain data, that i consider safe for display
> > on a web site..
>
> Although I can semicolons and the like, greater than and less than
> signs I want to keep as there are some rather witty people from the
> Mathematics faculty who will be using the comments. I'll str_replace()
> them to &gt; and &lt; however.

what about htmlentities()?
http://php.net/htmlentities

greets
Zoltán Németh

> > I recommend you dig deeper into that xss page you might even find a script
> > that filters xss.. You might even be able to modify it to suit your needs
> > and/or to harden/better it...
>
> Obviously I keep missing it. I've reread it twice since you mention
> there is a filter script and can't find it. I've followed most of the
> links as well. I'll keep looking.
>
> Dotan Cohen
>
> http://what-is-what.com/what_is/blog.html
> http://ultu.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
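The separation Tim describes (SQL handled at insertion, XSS handled at display) together with Zoltán's htmlentities() suggestion, as an added example that is not code from the thread. It swaps in a PDO prepared statement for mysql_real_escape_string(), assumes PHP with the PDO sqlite driver, and the table and comments are constructed; the point is that the raw UTF-8 text is stored untouched and that htmlentities() with ENT_QUOTES keeps the maths faculty's `<` and `>` readable while also neutralising quotes that a str_replace() of `<` and `>` alone would miss in attribute context.

```php
<?php
// Added example (not from the mailing-list thread).
// Assumes PDO with the sqlite driver; table and sample comments are constructed.

// SQL injection is addressed here, at insertion: the values are bound as
// parameters, so quotes in the comment never reach the SQL parser as syntax.
function storeComment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// XSS is addressed here, at display. ENT_QUOTES encodes " and ' as well as
// < > &, so the same function is safe for element text and attribute values.
function escapeHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComments(PDO $db): string {
    $items = '';
    foreach ($db->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        // author lands in an attribute, body in element text: both go through escapeHtml()
        $items .= '<li title="' . escapeHtml($row['author']) . '">'
                . escapeHtml($row['body']) . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed inputs: a maths comment that needs its < and > kept, an apostrophe
// that must be stored as-is (no doubled quotes in the database), and an author
// value that would close the title="" attribute if only < and > were replaced.
storeComment($db, 'Erdős', 'For n > 2, x^n + y^n < z^n has no solution, they say');
storeComment($db, '" onmouseover="x', "O'Reilly's <b>bold</b> claim");

echo renderComments($db);
```

The first comment renders as `For n &gt; 2, x^n + y^n &lt; z^n ...`, which the browser shows with the original symbols, and the second author value appears inside the title attribute as `&quot; onmouseover=&quot;x`, plain text rather than a new attribute.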