5 Replies - 875 Views - Last Post: 22 January 2013 - 01:22 PM

#1 Scott M

  • New D.I.C Head

Reputation: 2
  • Posts: 14
  • Joined: 14-November 12

Looking for some help with security.

Posted 22 January 2013 - 02:50 AM

Hi there,

I'm just wondering if I'm taking the right steps to protect my website against injection attacks and the like. At the moment I am using strip_tags($value) and then mysql_real_escape_string($value) for anything that the user is allowed freedom to input.


While googling around it was suggested that mysql_real_escape_string was better than strip_tags, as it was more secure, but I found that tags were still being allowed... as in I could input <?php echo "load of rubbish" ?> and it would take the value, when the page refreshed it messed around with all of the code after it and thus messed everything up. I found the easy way around this was to strip the tags and then use mysql_real_escape_string.

Am I on the right track? As you can probably guess I'm very much a novice at this sort of thing, and while I am doing OK fumbling around the one thing I want to be sure of is security.

Thanks


Replies To: Looking for some help with security.

#2 Atli

  • D.I.C Lover

Reputation: 3717
  • Posts: 5,981
  • Joined: 08-June 10

Re: Looking for some help with security.

Posted 22 January 2013 - 03:53 AM

Hey.

You seem to be mixing together two kinds of injection attacks. The first one is XSS (cross-site scripting), which is when user-supplied data is allowed to inject scripts into the HTML, thus redirecting or otherwise messing up the page the user sees. That is what things like strip_tags and htmlentities help with. The other type is SQL Injection, which is where user input is allowed to mess up the SQL queries executed on the database server. That is a more complicated issue.

Long ago, functions like mysql_real_escape_string were considered sufficient protection against SQL Injection. However, these days escaping input is more or less outdated, and instead you are encouraged to use prepared statements. With those, you bypass SQL Injection altogether, as the user input never actually becomes a part of the SQL query.

Also, the mysql_* family of functions is deprecated. You should use MySQLi or PDO instead, both of which are capable of prepared statements. (Which the old mysql functions are not.)

#3 Scott M

  • New D.I.C Head

Reputation: 2
  • Posts: 14
  • Joined: 14-November 12

Re: Looking for some help with security.

Posted 22 January 2013 - 05:17 AM

Atli, on 22 January 2013 - 03:53 AM, said: (post #2, quoted in full)


Thanks for the reply and the links, off to do some reading :D

#4 DaneAU

  • Great::Southern::Land

Reputation: 284
  • Posts: 1,617
  • Joined: 15-May 08

Re: Looking for some help with security.

Posted 22 January 2013 - 05:24 AM

Hello,

Any input data from a user field I put through specific regular expression checks to ensure it conforms to what the expected input is. Definitely strip_tags and htmlentities are helpful, but I believe for the small overhead you should go the next step.

If you expect an integer input then check to make sure that this is the case. When using regular expressions as an approach for security, work on the basis of allowable characters rather than trying to exclude all bad characters. If you do not check and enforce variable conformation to a defined, strict set of checks then you are asking not only for SQL Injection but also making your web application susceptible to XSS.

For instance, you could do something along the lines of the following to ensure a username conforms to alphabetic constraints and negate any possible issue by assigning it some other defined value.

// Accept the value only if it is one or more letters; otherwise fall back to 'guest'.
$username = preg_match('/^[a-zA-Z]+$/', $_GET['userid']) ? $_GET['userid'] : 'guest';

This post has been edited by Dormilich: 23 January 2013 - 04:17 AM
Reason for edit: fixing quotes

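As an added example (not DaneAU's code) of the allowlist approach described in the post above, here is the same idea extended to a few input kinds: a letters-only username with a length bound, a positive integer id, and an email address. Each function returns the validated value or null, so the caller picks the fallback. The function names and the sample values are assumptions for illustration.

```php
<?php
// Added example: allowlist validation for a few kinds of user input.
// Each validator returns the value when it matches the allowed shape and
// null otherwise; the caller decides what to do on null (e.g. use 'guest').

// Username: letters only, 1 to 32 characters. The D modifier makes $ match
// only at the very end of the string, so a trailing newline is rejected too.
function validUsername(string $input): ?string
{
    return preg_match('/^[a-zA-Z]{1,32}$/D', $input) === 1 ? $input : null;
}

// Numeric id: a plain positive integer. FILTER_VALIDATE_INT rejects values
// with trailing garbage such as "42abc", and min_range rejects zero and negatives.
function validId(string $input): ?int
{
    $n = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Email: PHP's built-in validator instead of a hand-written regex.
function validEmail(string $input): ?string
{
    $e = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

// Constructed sample values standing in for what $_GET['userid'] might hold:
// a clean name, one with markup, one with a trailing newline, one too long.
$usernames = ['scott', 'scott<script>', "scott\n", str_repeat('a', 40)];
foreach ($usernames as $candidate) {
    $username = validUsername($candidate) ?? 'guest';
    printf("%-24s -> %s\n", json_encode($candidate), $username);
}

// Constructed id and email samples, one valid and the rest rejected.
foreach (['42', '42abc', '-3', '0'] as $candidate) {
    var_dump(validId($candidate));
}
var_dump(validEmail('user@example.com'));
var_dump(validEmail('not an address'));
```

Validation like this narrows what reaches the rest of the application, but it is a complement to prepared statements and output escaping, not a replacement: a value that passes the username check still has to be bound as a parameter when it goes into SQL and escaped when it goes into HTML.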

#5 CTphpnwb

  • D.I.C Lover

Reputation: 2934
  • Posts: 10,139
  • Joined: 08-August 08

Re: Looking for some help with security.

Posted 22 January 2013 - 09:12 AM

If you're using prepared statements you don't need to limit inputs. For example, '; DROP yourtablename;' might be a valid username.

#6 Scott M

  • New D.I.C Head

Reputation: 2
  • Posts: 14
  • Joined: 14-November 12

Re: Looking for some help with security.

Posted 22 January 2013 - 01:22 PM

Unfortunately this is all way over my head at the moment. I'm a complete novice as far as coding goes. I've picked up bits and bobs from searching around and built my website to the best of my ability, but what you just said means absolutely nothing to me at the moment. I have no idea what a prepared statement is or how to create one, although I'm guessing you mean that if someone were to choose the above as a username... pushing it through as a prepared statement would save it as the username without actually allowing any code to be executed based on it?

Through having a quick look at the link from above it's going to take a lot of reading and understanding to get me there. I had only just got my head around strip_tags and mysql_real_escape_string lol. I'm a learn by doing (wrong) kinda guy, trial and error till something works is how I've basically got to where I am :)

Currently working on a live search, it's been fun but I think I've got it. Will try it out in the website tomorrow :D

Ajax is really handy eh :)
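Added example, not code from any of the posters: this shows what Atli (#2) and CTphpnwb (#5) describe and Scott asks about in #6, namely a PDO prepared statement storing the username `'; DROP yourtablename;` as plain data. It uses an in-memory SQLite database (the pdo_sqlite extension is assumed to be available) so it runs without a MySQL server; with MySQL only the DSN and credentials passed to the PDO constructor would change. The function names are chosen for illustration.

```php
<?php
// Added example: a username round-tripped through PDO prepared statements.
// The SQL text contains only placeholders; the user's value is sent to the
// driver separately, so it is treated as data and cannot change the query.

function openDatabase(): PDO
{
    // In-memory SQLite so the script runs offline (pdo_sqlite assumed).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real server-side prepares rather than client-side emulation
    // (this matters with MySQL; SQLite always prepares natively).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    return $pdo;
}

// Insert a username through a named placeholder.
function addUser(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Look a username up the same way; returns the stored string or null.
function findUser(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$pdo = openDatabase();

// Input taken from CTphpnwb's post: a "username" full of SQL punctuation.
$userInput = "'; DROP yourtablename;";
addUser($pdo, $userInput);

// The value comes back byte for byte and the users table still exists:
// the quote and semicolons were stored, not interpreted.
$stored = findUser($pdo, $userInput);
var_dump($stored === $userInput);
var_dump($pdo->query('SELECT COUNT(*) FROM users')->fetchColumn());

// For contrast, the string that old-style concatenation would have built.
// It is only printed here, never executed: the quote in the input closes the
// SQL string literal early, so the rest of the input becomes part of the query.
echo "SELECT username FROM users WHERE username = '" . $userInput . "'", PHP_EOL;

// XSS is the separate concern Atli mentioned and is handled at output time:
// the stored value is still untrusted text, so escape it when it goes into HTML.
echo '<p>Welcome, ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</p>', PHP_EOL;
```

The two `prepare` and `execute` calls are the whole of the technique: write the query with `:name` or `?` placeholders, then pass the values in `execute`. Anything a user types, however odd, ends up in the column, which is exactly what Scott guessed in post #6.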
