On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote: > It's not that bad. > > Use filter functions and sanity checks for input. > > Use htmlspecialchars() basically on output. > > That should take care of basically everything. > > On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolin...@gmail.com> wrote: > > > This was my fear. > > > > Regards, > > Igor Escobar > > Systems Analyst & Interface Designer > > > > + http://blog.igorescobar.com > > + http://www.igorescobar.com > > + @igorescobar (twitter) > > > > > > > > > > > > On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind <peter.e.l...@gmail.com> > > wrote: > > > >> On 7 June 2010 14:54, Igor Escobar <titiolin...@gmail.com> wrote: > >>> Hi Folks! > >>> > >>> The portal for which I work is suffering constant attacks that I > >>> feel > >> that > >>> is PHP Injection. Somehow the hacker is getting to change the > >>> cache files > >>> that our system generates. Concatenating the HTML file with > >>> another that > >>> have an iframe to a malicious JAR file. Do you have any > >>> suggestions to > >>> prevent this action? The hacker has no access to our file system, > >>> he is > >>> imputing the code through some security hole. The problem is that > >>> the > >> portal > >>> is very big and has lots and lots partners hosted on our estructure > >>> structure. We are failing to identify the focus of this attacks. > >>> > >>> Any ideas? > >>> > >> > >> Check all user input + upload: make sure that whatever comes from the > >> user is validated. Then check all output: make sure that everythin > >> output is escaped properly. Yes, it's an enormous task, but there's > >> no > >> way around it. > >> > >> Regards > >> Peter > >> > >> -- > >> <hype> > >> WWW: http://plphp.dk / http://plind.dk > >> LinkedIn: http://www.linkedin.com/in/plind > >> BeWelcome/Couchsurfing: Fake51 > >> Twitter: http://twitter.com/kafe15 > >> </hype> > >> >
htmlspecialchars() is really only good for user input that you are outputting to the browser. For inserting data into a database, use mysql_real_escape_string(). I find it's good to think carefully about what sort of data I expect and sanitise it accordingly. If I want a numerical value, I use intval($_GET['var']) or floatval(). For things like small text box elements, regex's work well depending on the data. For data from select lists of checkboxes, make sure the value given is within a list of pre-determined values you have. Basically, nothing from the user should be trusted at all, ever. As soon as you let go of that trust in the good honesty of people you'll do fine ;) Thanks, Ash http://www.ashleysheridan.co.uk
