On 21/04/07, Tim <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: Dotan Cohen [mailto:[EMAIL PROTECTED]
> > Sent: Saturday 21 April 2007 03:08
> > To: php php
> > Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting
> >
> > I've got a comments form that I'd like to harden against SQL Injection
> > / XSS attacks. The data is stored in UTF-8 in a mysql database. I
> > currently parse the data as such:
> > ...
> > The first statement doubles up quotes, it's a bit difficult
> > to see in the code.
> >
> > After seeing this:
> > http://ha.ckers.org/xss.html
> > and another similar one for SQL injection, I'm worried that my filters
> > are not enough. What do the pro php programmers out there use?
>
> Sql and xss attacks are two different issues that should each be
> addressed accordingly at the right time... XSS attacks should be parsed
> when the form is "checked", sql should be addressed when you are putting
> the actual information in the database.
The information is inserted into the database right after it is checked.
> PHP has several functions that address sql injection issues, for example
> as stated: mysql_real_escape_string(); which will "safely" escape any data
> used in an sql statement to evade sql injection, that's a good first
> measure anyway...
Yes, that is the second to last function that I'm using.
> Second, a measure that I take for both xss and sql is instead of escaping
> certain data, I only "allow" certain data, that I consider safe for
> display on a web site..
Although I can semicolons and the like, greater than and less than signs I want to keep as there are some rather witty people from the Mathematics faculty who will be using the comments. I'll str_replace() them to &gt; and &lt; however.
> I recommend you dig deeper into that xss page, you might even find a
> script that filters xss.. You might even be able to modify it to suit
> your needs and/or to harden/better it...
Obviously I keep missing it. I've reread it twice since you mention there is a filter script and can't find it. I've followed most of the links as well. I'll keep looking.

Dotan Cohen

http://what-is-what.com/what_is/blog.html
http://ultu.com
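As an added illustration of the split Tim describes (this code is not from the thread or from either poster): the form is checked with an allow-list at submission time, the database step uses a PDO prepared statement in place of the mysql_real_escape_string() plus quote-doubling the thread discusses, and HTML escaping is done only when the comment is displayed, so the "<" and ">" the Mathematics people want are stored as typed and rendered as &lt; and &gt;. It assumes PHP 7 or later, a `comments(name, body)` table, and placeholder DSN credentials.

```php
<?php
// Added example, not code from the mailing-list thread.
// Three separate stages: check the form, store it, display it.

// Stage 1: form check. Allow-list what is accepted rather than stripping
// characters; the length and name-character policy below are assumptions.
function checkComment(array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    $body = trim($post['body'] ?? '');

    // Name: letters, digits, spaces, hyphens, apostrophes; 1..60 characters.
    if (!preg_match('/^[\p{L}\p{N} \'\-]{1,60}$/u', $name)) {
        $errors[] = 'name';
    }
    // Body: any characters ('<', '>' and ';' included), but it must be valid
    // UTF-8 (the database is UTF-8) and at most 2000 characters.
    if ($body === '' || !mb_check_encoding($body, 'UTF-8')
        || mb_strlen($body, 'UTF-8') > 2000) {
        $errors[] = 'body';
    }
    return [$errors, ['name' => $name, 'body' => $body]];
}

// Stage 2: storage. Bound parameters never become part of the SQL text, so
// quotes in the comment need no doubling or escaping here.
function storeComment(PDO $db, array $c): void
{
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $c['name'], ':body' => $c['body']]);
}

// Stage 3: display. Escape for HTML at output time only; '<' is shown as
// &lt; and '>' as &gt;, so the stored text stays as the author typed it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function renderComment(array $c): string
{
    return '<p><b>' . h($c['name']) . '</b>: ' . h($c['body']) . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $comment] = checkComment($_POST);
    if ($errors === []) {
        // Placeholder DSN and credentials; ATTR_EMULATE_PREPARES=false makes
        // MySQL itself handle the parameters.
        $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
        storeComment($db, $comment);
        echo renderComment($comment);
    }
}
```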