RE: Preventing SQL Injection/ Cross Site Scripting

There are many good resources out there, and one of my favorites for this type of information is from Chris Shiflett.
http://shiflett.org/articles/sql-injection
http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss


Those are a few articles on the subject, maybe some reader comments have more good links.

Also, just as a best-practice, you usually don't want to reassign things into the super globals.  Also to note, your filtering may be a bit too aggressive, and not all-inclusive at the same time.  Too aggressive because if I want to talk about java in a comment, it will filter out every time I say java.  Too lax because you are forgetting all of the HTML onclick, onhover etc... that don't need to have a <script> tag in them to be executed.  Any of the preg_replace's with an = in them is redundant because you have already filtered out all of the ='s, but also note that you can have multiple spaces between href and =.  You are banking that they will have 0 or 1.

If available, you can look into PHP 5.2 which added some filter functions (albeit I myself haven't checked them out).  You can also look into OWASP's PHP project, http://www.owasp.org/index.php/Category:OWASP_PHP_Project.  That is a pretty good resource in secure coding best-practices.

-Logan

-----Original Message-----
From: Dotan Cohen [mailto:dotancohen@xxxxxxxxx] 
Sent: Friday, April 20, 2007 9:08 PM
To: php php
Subject:  Preventing SQL Injection/ Cross Site Scripting

I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:

$_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]);   //    q->qq
$_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]);    //    -- -> x
$_POST["commentform"]=str_replace (";", "", $_POST["commentform"]);     //    ; -> x
$_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]);   //    = -> x
$_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]);
$_POST["commentform"]=htmlspecialchars( mysql_real_escape_string ($_POST["commentform"]) );

The first statement doubles up quotes; it's a bit difficult to see in the code.

After seeing this:
http://ha.ckers.org/xss.html
and another similar one for SQL injection, I'm worried that my filters
are not enough. What do the pro PHP programmers out there use?

Thanks in advance.

Dotan Cohen

http://lyricslist.com/
http://what-is-what.com/
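The reply above says the blacklist is both too aggressive (it eats the word "java") and too lax (event-handler attributes need no <script> tag), and that the request data should not be written back into the superglobals. The script below is an added example, not code from either message in the thread: it validates the comment without altering it, stores it with a PDO prepared statement and escapes it for HTML only when it is rendered. It uses an in-memory SQLite database so it runs offline; the MySQL DSN in the comments and the 4000-character limit are assumed values, not anything from the original post.

```php
<?php
declare(strict_types=1);

// Added example, not code from either message in the thread. Instead of
// stripping characters and keywords from $_POST, it validates the input,
// stores it with a prepared statement and escapes it for HTML at output time.
// An in-memory SQLite database is used so the script runs offline; for
// MySQL the same PDO calls apply with a DSN such as
// 'mysql:host=localhost;dbname=site;charset=utf8mb4' (assumed values).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the mysql driver, ask for server-side prepared statements so the
    // parameters are never interpolated into the SQL text client-side.
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Validate shape, length and encoding; leave the content itself alone.
// Works on a copy of the request array rather than writing back into $_POST.
function readComment(array $post): ?string
{
    $comment = $post['commentform'] ?? null;
    if (!is_string($comment) || $comment === '' || strlen($comment) > 4000) {
        return null;   // 4000 bytes is an assumed limit for this example
    }
    // preg_match with the /u modifier returns false on invalid UTF-8, so this
    // rejects malformed byte sequences before they reach the UTF-8 column.
    if (preg_match('//u', $comment) !== 1) {
        return null;
    }
    return $comment;
}

// The driver binds the value; no str_replace on quotes, ';' or '--' is needed.
function storeComment(PDO $db, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Escape for an HTML text node when rendering. ENT_QUOTES also encodes the
// apostrophe, ENT_SUBSTITUTE replaces any stray invalid byte instead of
// returning '', and the charset must match what was stored.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample request: ordinary text that the thread's blacklist would
// mangle (it contains "Java", "=", ";" and an apostrophe) plus an inline
// event-handler attribute of the kind the reply mentions, which has no
// <script> tag for a keyword filter to catch.
$fakePost = [
    'commentform' => "I've learnt Java; set x = 1. <b onclick=\"go()\">click</b>",
];

$db = openDb();
$comment = readComment($fakePost);
if ($comment === null) {
    fwrite(STDERR, "comment rejected\n");
    exit(1);
}
$id = storeComment($db, $comment);
$stored = loadComment($db, $id);

// The text survives the round trip byte for byte ...
if ($stored !== $fakePost['commentform']) {
    throw new RuntimeException('stored comment differs from input');
}
// ... and the markup is neutralised only when rendered, so editing,
// searching or exporting the stored comment still sees the real text.
echo renderComment($stored), PHP_EOL;
```

The design point is that each boundary does its own encoding: the database driver quotes for SQL, htmlspecialchars() quotes for HTML, and the stored value is the text the user actually wrote. Applying htmlspecialchars() and mysql_real_escape_string() on input, as in the original post, stores an already-escaped string, so the escaping has to be undone (or is doubled) wherever the comment is shown outside that one HTML page.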

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


