9 Replies - 607 Views - Last Post: 04 February 2012 - 07:21 PM

#1 rpgmaker (D.I.C Head; Reputation: 0; Posts: 164; Joined: 02-October 11)

in trouble with sql injection

Posted 28 January 2012 - 01:44 PM

Hello, I have paid someone to make me a PM script, but I have noticed that when I send myself a PM with the message saying
" <script>alert("XSS")</script> "
a message box pops up when I read the message.
I have had a look at the code and there are ways the coder has tried to stop SQL injection.
Is there any way to stop script tags, or tags altogether?

Here is the PM script:
<?php
$user = $_SESSION['username'];
$message = $_POST['forward2'];

if (isset($_POST['submit']))
{
    if ( !isset ( $_POST['message'] ) ) { return false; } // Has the user sent a message?

    // preg_match() returns 1 as soon as ANY one of these characters occurs anywhere in the text
    $message = preg_match("/([A-Za-z0-9-_\ ])/", $_POST['message']); // Is it a valid string?

    if ( !$message )
    {
        die("Prevented SQL Injection.");
    }

    $message = strip_tags( addSlashes( $_POST['message'] ) ); // Remove any nasties

    // if the form has been submitted, this inserts it into the Database
    $to_user = mysql_real_escape_string($_POST['to_user']);
    $from_user = mysql_real_escape_string($_SESSION['username']);
    // NOTE: re-reads the raw POST value, so the strip_tags() result above is discarded
    $message = mysql_real_escape_string($_POST['message']);

    mysql_query("INSERT INTO messages (to_user, message, from_user) VALUES ('$to_user', '$message', '$from_user')") or die(mysql_error());
    echo "PM successfully sent!";
}
else
{
    // if the form has not been submitted, this will show the form
?>
    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
      <table border="0" width="388">
        <tr>
          <td colspan="2"><h3>Personal Messaging System</h3></td>
        </tr>
        <tr>
          <td>To User: </td>
          <td><input maxlength="32" name="to_user" type="text" value="" />
          </td>
        </tr>
        <tr>
          <td>Message: </td>
          <td><textarea cols="30" name="message" rows="5"></textarea>
          </td>
        </tr>
        <tr>
          <td align="center" colspan="2"><div align="left">
              <input name="submit" type="submit" value="Send Message" />
          </div></td>
        </tr>
      </table>
    </form>
<?php
}
?>

This post has been edited by rpgmaker: 28 January 2012 - 01:49 PM



Replies To: in trouble with sql injection

#2 macosxnerd101 (Self-Trained Economist; Reputation: 7517; Posts: 28,881; Joined: 27-December 08)

Re: in trouble with sql injection

Posted 28 January 2012 - 01:51 PM

Use Prepared Statements like PDO or MySQLi, which are immune to SQL Injection attacks. On top of that, the mysql_*() family of functions is going to be deprecated in the next version of PHP. They are based on old C libraries which haven't been upgraded in many years, so you shouldn't use them anyways.

#3 rpgmaker (D.I.C Head; Reputation: 0; Posts: 164; Joined: 02-October 11)

Re: in trouble with sql injection

Posted 28 January 2012 - 01:54 PM

So if I don't get the hang of PDO then there is no way around it? Until the PHP updates?

#4 macosxnerd101 (Self-Trained Economist; Reputation: 7517; Posts: 28,881; Joined: 27-December 08)

Re: in trouble with sql injection

Posted 28 January 2012 - 01:57 PM

PDO isn't hard to use. Dormilich's tutorial is better than the documentation, in my opinion. Why don't you give it a try? Also, PDO and MySQLi are the alternatives. When functions are deprecated, warnings are produced when you go to use them. Things are deprecated to say that you shouldn't use them, not that they are being upgraded.
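The prepared-statement version that the replies above recommend, as an added example (this is not code from the thread or from any poster): the same INSERT as the original script, done with PDO and, for comparison, with MySQLi. The table and column names are the original script's; the DSN, credentials, function names and the session handling are assumptions.

```php
<?php
// Added example, not code from the thread: the original INSERT done with a
// prepared statement. Table and column names are from the posted script;
// the DSN, credentials, function names and session handling are assumptions.

declare(strict_types=1);

function connect_db(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=forum;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'pm_user', 'pm_password', [             // assumed credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,    // fail loudly instead of silently
        PDO::ATTR_EMULATE_PREPARES => false,                     // real server-side prepares
    ]);
}

/**
 * The SQL text is fixed; the values travel to the server separately as
 * parameters, so a message containing quotes or SQL keywords is stored
 * literally and cannot alter the statement. No escaping function is needed.
 */
function send_pm(PDO $db, string $fromUser, string $toUser, string $message): bool
{
    $stmt = $db->prepare(
        'INSERT INTO messages (to_user, message, from_user) VALUES (:to_user, :message, :from_user)'
    );
    return $stmt->execute([
        ':to_user'   => $toUser,
        ':message'   => $message,
        ':from_user' => $fromUser,
    ]);
}

/** Same operation with MySQLi, the other option mentioned in the thread. */
function send_pm_mysqli(mysqli $db, string $fromUser, string $toUser, string $message): bool
{
    $stmt = $db->prepare('INSERT INTO messages (to_user, message, from_user) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $toUser, $message, $fromUser); // 's' = bind each value as a string
    return $stmt->execute();
}

// Handler for the form in the original post (fields: to_user, message, submit).
// The is_string() checks reject to_user[]=... style input, which would arrive as an array.
session_start();
if (isset($_POST['submit'], $_SESSION['username'])
    && isset($_POST['to_user'], $_POST['message'])
    && is_string($_POST['to_user']) && is_string($_POST['message'])) {
    try {
        send_pm(connect_db(), $_SESSION['username'], $_POST['to_user'], $_POST['message']);
        echo 'PM successfully sent!';
    } catch (PDOException $e) {
        error_log($e->getMessage());        // keep driver errors in the log, not on the page
        echo 'Could not send the message.';
    }
}
```

This closes the SQL side only: the message is stored exactly as typed, so the `<script>` text from the first post is still in the database, and whatever page displays it must escape it as HTML at that point.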

#5 rpgmaker (D.I.C Head; Reputation: 0; Posts: 164; Joined: 02-October 11)

Re: in trouble with sql injection

Posted 28 January 2012 - 02:01 PM

OK, so I have found a trick around it. I used

$foo = preg_replace('/[^a-z]/i', null, $foo);

which, if the value is not from a-z, will not use it. :whistling:

So I do

$to_user = mysql_real_escape_string($_POST['to_user']);
$from_user = mysql_real_escape_string($_SESSION['username']);
$message = mysql_real_escape_string($_POST['message']);

$to_user2 = preg_replace('/[^a-z]/i', null, $to_user);
$from_user2 = preg_replace('/[^a-z]/i', null, $from_user);
$message2 = preg_replace('/[^a-z]/i', null, $message);

mysql_query("INSERT INTO messages (to_user, message, from_user) VALUES ('$to_user2', '$message2', '$from_user2')") or die(mysql_error());
echo "PM successfully sent!";

Which works really well.

#6 CTphpnwb (D.I.C Lover; Reputation: 1940; Posts: 7,294; Joined: 08-August 08)

Re: in trouble with sql injection

Posted 28 January 2012 - 02:04 PM

And how are you going to stop the next issue? And the next? This is why it's better to learn PDO.

#7 SittingonDucks (D.I.C Head; Reputation: 1; Posts: 64; Joined: 23-December 11)

Re: in trouble with sql injection

Posted 28 January 2012 - 03:26 PM

Use PDO, and I also recommend using the filter_input() function.
If you don't want to use that, just put these together into one function:
  • htmlentities
  • stripslashes

Although that's not recommended. XSS and SQL injection aren't good.

#8 Dormilich (痛覚残留; Reputation: 2146; Posts: 5,426; Joined: 08-June 10)

Re: in trouble with sql injection

Posted 28 January 2012 - 05:03 PM

I may also note that filter functions also avoid the "undefined index" problem you can get in $_POST/$_GET when a key-value pair is missing.
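As an added example (not code from the thread), reading the two form fields with filter_input() as the two replies above suggest. A missing field comes back as null instead of raising an undefined-index notice, and the recipient name is validated against a pattern so that bad input is rejected rather than silently rewritten, which is what the preg_replace('/[^a-z]/i', ...) trick earlier in the thread does to spaces, digits and punctuation. The username rule (1-32 letters, digits or underscores), the message size limit and the function name are assumptions; the union return type needs PHP 8.

```php
<?php
// Added example, not code from the thread: reading the PM form with
// filter_input(). Field names are from the original form; the username
// pattern, size limit and function name are assumptions.

declare(strict_types=1);

const USERNAME_PATTERN = '/^[A-Za-z0-9_]{1,32}$/'; // assumed username rule

/**
 * Returns ['to_user' => ..., 'message' => ...] on success or an error string.
 * filter_input() returns null when the key is absent from the request and
 * false when the validation filter rejects the value, so the two cases can
 * be told apart without ever touching $_POST directly.
 */
function read_pm_form(): array|string
{
    $toUser = filter_input(INPUT_POST, 'to_user', FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => USERNAME_PATTERN],
    ]);
    if ($toUser === null) {
        return 'No recipient given.';
    }
    if ($toUser === false) {
        return 'Recipient name contains characters that are not allowed.';
    }

    // The body is free text: FILTER_UNSAFE_RAW leaves it exactly as typed.
    // Escaping is not this layer's job; the database parameter binding and
    // the HTML template each escape for their own context.
    $message = filter_input(INPUT_POST, 'message', FILTER_UNSAFE_RAW);
    if ($message === null || trim($message) === '') {
        return 'Message is empty.';
    }
    if (strlen($message) > 4000) {           // assumed size limit
        return 'Message is too long.';
    }

    return ['to_user' => $toUser, 'message' => $message];
}

// Usage in the submit handler: validation errors are reported, never die()'d on.
$form = read_pm_form();
if (is_string($form)) {
    echo htmlspecialchars($form, ENT_QUOTES, 'UTF-8');
} else {
    // $form['to_user'] and $form['message'] are ready for a prepared statement.
}
```

Rejecting with a message instead of stripping characters keeps "John Smith" from quietly becoming "JohnSmith", and a filter that only validates the recipient name leaves the message body intact for the database layer to bind as a parameter.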

#9 Duckington (D.I.C Regular; Reputation: 123; Posts: 416; Joined: 12-October 09)

Re: in trouble with sql injection

Posted 01 February 2012 - 11:46 AM

Although you should definitely be guarding against SQL injections, the reason the alert is working is not because of that, it's because it's being parsed when you view the message. The message should be run through something like

http://uk.php.net/ma...tmlentities.php

before it is displayed to the user, to stop the tags being treated as HTML.
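An added example (not from the thread) of the display-side fix this reply describes: the message is stored as typed and is escaped with htmlspecialchars() at the moment it is written into the page, which is what turns the poster's <script>alert("XSS")</script> into inert text. The table and column names are the original script's; the PDO connection and the helper names h(), render_message() and render_inbox() are assumptions, and the sample row is constructed.

```php
<?php
// Added example, not code from the thread: the "read message" side of the PM
// system. Column names follow the posted script; the connection, the helper
// names and the sample row are assumptions/constructed for illustration.

declare(strict_types=1);

/** Escape a string for HTML element content or a quoted attribute value. */
function h(string $text): string
{
    // ENT_QUOTES: both quote styles; ENT_SUBSTITUTE: replace invalid UTF-8
    // instead of returning an empty string; explicit charset to match the page.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one stored message as an HTML fragment. Every user-controlled value goes through h(). */
function render_message(array $row): string
{
    return '<div class="pm">'
         . '<p><b>From:</b> ' . h($row['from_user']) . '</p>'
         . '<pre>' . h($row['message']) . '</pre>'
         . '</div>';
}

/** Load one user's inbox with a bound parameter, then render each row. */
function render_inbox(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT from_user, message FROM messages WHERE to_user = :user');
    $stmt->execute([':user' => $user]);

    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= render_message($row);
    }
    return $html;
}

// Constructed sample row: the payload the original poster sent to themselves.
// The browser receives the script tag as entity-encoded text and displays it
// rather than executing it.
$sample = ['from_user' => 'rpgmaker', 'message' => '<script>alert("XSS")</script>'];
echo render_message($sample);
```

The escaping is done in the template, not before storage: storing escaped text would break any other consumer of the messages table (a JSON API, an e-mail notification) that needs the original characters, and double-encoding creeps in once a value is escaped on the way in and again on the way out.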

#10 no2pencil (2 girls, 1 club; Reputation: 3050; Posts: 22,957; Joined: 10-May 07)

Re: in trouble with sql injection

Posted 04 February 2012 - 07:21 PM

rpgmaker, on 28 January 2012 - 03:54 PM, said:

So if I don't get the hang of PDO then there is no way around it?

There are right ways of doing things, & there are easy ways.

It really comes down to you. Do you want crap software today, or secure software tomorrow?
