Re: [PHP] Preventing XSS Attacks
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:
> From: Ashley Sheridan
> > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > > mysql_real_escape_string() only sanitises the input. I would personally
> > > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > > Validate the input in some way, or make extra sanitisation of it
> > > before running the search query.
> > >
> > > Regarding the HTML output, just entities() it and you'll be good :)
> > >
> > > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > > As far for the output, just html entities () it and you will be good.
> > > > >
> > > > > You better check the search query for sql injection, which is more
> > > > > dangerous.
> > > > >
> > > > > HTH
> > > > > Nitsan
> > > > >
> > > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I'm looking at adding a new search feature to my site, and one of the
> > > > > > elements of this is to echo back in the search results page, the
> > > > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > > > been an issue for my site, but I can see from a mile off this will be.
> > > > > > What would you guys recommend to avoid this?
> > > > > >
> > > > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > > > the output for display on the results page, but is this enough?
> > > >
> > > > I always use mysql_real_escape_string() for that sort of thing, not had
> > > > a problem with it, but is there anything you think I should be wary of?
> >
> > Well, I don't understand, what is the problem with
> > mysql_real_escape_string() for sanitising input to use for a search? It
> > should escape anything out so that the query can't be used in ways that
> > I don't want, no?
> >
> > I'd thought about using a whitelist-only regex, but that seems a little
> > limiting tbh, and as my site contains code, it's not unreasonable to
> > expect some people might want to search for particular code excerpts.
>
> What if we don't use MySQL? We are using Postgres on our web servers.
> None of the MySQL libraries are available. I am currently reviewing a
> half-dozen different and incomplete black-list sanitization functions
> that don't do a very good job while removing characters that we need to
> be able to use. I need to identify a clean strategy to replace or
> restructure them.

PostgreSQL has a function called pg_escape_string() which probably
performs a function similar to MySQL's function. See

http://us2.php.net/manual/en/function.pg-escape-string.php

But you'll still need other functions (as above in this thread) to do a
thorough job.

Paul

--
Paul M. Foster

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Preventing XSS Attacks
From: Ashley Sheridan
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitises the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > As far for the output, just html entities () it and you will be good.
> > > >
> > > > You better check the search query for sql injection, which is more
> > > > dangerous.
> > > >
> > > > HTH
> > > > Nitsan
> > > >
> > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm looking at adding a new search feature to my site, and one of the
> > > > > elements of this is to echo back in the search results page, the
> > > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > > been an issue for my site, but I can see from a mile off this will be.
> > > > > What would you guys recommend to avoid this?
> > > > >
> > > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > > the output for display on the results page, but is this enough?
> > >
> > > I always use mysql_real_escape_string() for that sort of thing, not had
> > > a problem with it, but is there anything you think I should be wary of?
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want, no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.

What if we don't use MySQL? We are using Postgres on our web servers.
None of the MySQL libraries are available. I am currently reviewing a
half-dozen different and incomplete black-list sanitization functions
that don't do a very good job while removing characters that we need to
be able to use. I need to identify a clean strategy to replace or
restructure them.

Bob McConnell

Sorry for posting this so late, I just got back from a week of vacation.

bm
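One clean replacement for the blacklist sanitisers Bob describes, as an added example (not code from the thread): let the driver carry the value separately from the SQL text with pg_query_params(), so no characters have to be removed at all, and escape only the LIKE wildcards. The connection string, the "documents" table and its column names are assumptions; the same shape works with mysqli or PDO prepared statements on MySQL.

```php
<?php
// Added example, not from the thread. A search query against PostgreSQL
// that never interpolates user input into SQL text. Table and column names
// ("documents", "title", "body") and the connection string are assumptions.
declare(strict_types=1);

// Build a LIKE pattern for a substring search. The bound parameter takes
// care of quotes and backslashes as far as SQL syntax is concerned, but
// LIKE itself treats % and _ as wildcards, so they are escaped here with a
// backslash (PostgreSQL's default LIKE escape character). Every other
// character, including the ones blacklist filters usually strip, is kept.
function likePattern(string $term): string
{
    $escaped = strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return '%' . $escaped . '%';
}

// Run the search. $1 and $2 are placeholders filled by the server from the
// parameter array; the SQL string itself is constant.
function searchDocuments($conn, string $term, int $limit = 50): array
{
    $sql = 'SELECT id, title FROM documents WHERE body ILIKE $1 '
         . 'ORDER BY id LIMIT $2';
    $result = pg_query_params($conn, $sql, [likePattern($term), $limit]);
    if ($result === false) {
        throw new RuntimeException('search failed: ' . pg_last_error($conn));
    }
    return pg_fetch_all($result) ?: [];
}

// Constructed terms that a blacklist sanitiser would mangle or that would
// break a hand-built query; none of them needs to be altered here.
$terms = [
    "O'Reilly",
    '50% off',
    'snake_case_name',
    'SELECT * FROM t; -- comment',
];
foreach ($terms as $term) {
    echo str_pad($term, 30), ' -> ', likePattern($term), PHP_EOL;
}

// Hook the search up to a live database only when a DSN is provided, so the
// pattern demonstration above runs without one.
$dsn = getenv('PG_DSN');   // assumed form: "host=localhost dbname=app user=app"
if ($dsn !== false && $dsn !== '') {
    $conn = pg_connect($dsn);
    if ($conn === false) {
        throw new RuntimeException('could not connect');
    }
    foreach (searchDocuments($conn, "O'Reilly") as $row) {
        // Output context is separate again: escape for HTML here, not in SQL.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
    pg_close($conn);
}
```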
Re: [PHP] Preventing XSS Attacks
On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote:
> 2009/6/11 HallMarc Websites
> > > -----Original Message-----
> > > From: tedd [mailto:tedd.sperl...@gmail.com]
> > > Sent: Thursday, June 11, 2009 9:28 AM
> > > To: PHP-General List
> > > Subject: Re: [PHP] Preventing XSS Attacks
> > >
> > > At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> > > >
> > > > So something like this would be acceptable?:
> > > >
> > > > $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> > > > $searchTerms = htmlentities($searchTerms);
> > > > $dbSearchTerms = mysql_real_escape_string($searchTerms);
> > > >
> > > > Giving me two variables, one for display output to user, the other for
> > > > use in the database?
> > > >
> > > > Thanks
> > > > Ash
> > >
> > > Ash:
> > >
> > > I wouldn't use $_REQUEST. If you know the request method then use it.
> > >
> > > There can be problems using $_REQUEST.
> > >
> > > Cheers,
> > >
> > > tedd
> > >
> > > --
> > > -------
> > > http://sperling.com http://ancientstones.com http://earthstones.com
> >
> > I agree with tedd wholeheartedly and I want to repeat the importance of
> > protecting the data coming back from the db as well by using
> > safeEscapeString in your queries and again the reason for this is to
> > prevent malicious code from being executed.
> >
> > As far as CSRF/XSRF take a read here
> > http://shiflett.org/articles/cross-site-request-forgeries
> >
> > [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
> > 610.446.3346]
>
> I'd recommend that you *always* use ENT_QUOTES as the second parameter on
> htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
> which may be evil.
>
> Also be sure that you don't code a possibility to include local or even
> remote files: It's so easy to inject code into logfiles.
> include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
> protection.
>
> Also, like someone already mentioned, *always* prefer _POST over _REQUEST,
> when dealing with a FORM with method POST!
>
> Regards

In this case I'm expecting input from both forms and links, so have to use
$_REQUEST, really. As far as I can tell, $_REQUEST is no less safe than any
of the others, as they are all getting their data from the user, so it's
all unsafe until validated/cleaned.

Thanks for the ENT_QUOTES thing, I really haven't had my head screwed on
the last few days!

Thanks
Ash
www.ashleysheridan.co.uk
Re: [PHP] Preventing XSS Attacks
2009/6/11 HallMarc Websites
> > -----Original Message-----
> > From: tedd [mailto:tedd.sperl...@gmail.com]
> > Sent: Thursday, June 11, 2009 9:28 AM
> > To: PHP-General List
> > Subject: Re: [PHP] Preventing XSS Attacks
> >
> > At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> > >
> > > So something like this would be acceptable?:
> > >
> > > $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> > > $searchTerms = htmlentities($searchTerms);
> > > $dbSearchTerms = mysql_real_escape_string($searchTerms);
> > >
> > > Giving me two variables, one for display output to user, the other for
> > > use in the database?
> > >
> > > Thanks
> > > Ash
> >
> > Ash:
> >
> > I wouldn't use $_REQUEST. If you know the request method then use it.
> >
> > There can be problems using $_REQUEST.
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com http://ancientstones.com http://earthstones.com
>
> I agree with tedd wholeheartedly and I want to repeat the importance of
> protecting the data coming back from the db as well by using
> safeEscapeString in your queries and again the reason for this is to
> prevent malicious code from being executed.
>
> As far as CSRF/XSRF take a read here
> http://shiflett.org/articles/cross-site-request-forgeries
>
> [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
> 610.446.3346]

I'd recommend that you *always* use ENT_QUOTES as the second parameter on
htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
which may be evil.

Also be sure that you don't code a possibility to include local or even
remote files: It's so easy to inject code into logfiles.
include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
protection.

Also, like someone already mentioned, *always* prefer _POST over _REQUEST,
when dealing with a FORM with method POST!

Regards
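Jan's two points as an added example (not code from the thread; the function names and the page map are mine): the first half shows what ENT_QUOTES changes when the search term lands in a single-quoted attribute, the second replaces a request-built include() path with a fixed whitelist lookup.

```php
<?php
// Added example, not from the thread. Demonstrates (1) the effect of
// ENT_QUOTES when a value lands in a single-quoted attribute and (2) a
// whitelist lookup instead of building an include() path from the request.
declare(strict_types=1);

// Escape for HTML text and for double- or single-quoted attributes.
// ENT_QUOTES also encodes the single quote, which ENT_COMPAT leaves alone.
// Before PHP 8.1 ENT_COMPAT was the default, so pass the flags explicitly.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render a search box whose value attribute is single-quoted, once with
// each escaping mode, so the difference is visible in the output.
function renderSearchBox(string $term, int $flags): string
{
    $escaped = htmlspecialchars($term, $flags, 'UTF-8');
    return "<input type='text' name='q' value='{$escaped}'>";
}

// Constructed search term containing a single quote.
$term = "it's";

echo 'ENT_COMPAT: ', renderSearchBox($term, ENT_COMPAT), PHP_EOL;
echo 'ENT_QUOTES: ', renderSearchBox($term, ENT_QUOTES), PHP_EOL;
echo 'helper:     ', "<input type='text' name='q' value='" . escapeHtml($term) . "'>", PHP_EOL;
// Only the ENT_QUOTES lines keep the quote inside the attribute value; in
// the ENT_COMPAT line the attribute ends at the apostrophe and the rest of
// the term is parsed by the browser as markup.

// Whitelisted include: the request supplies a key, never a path fragment.
// The page map is constructed for this example.
const PAGES = [
    'home'    => 'pages/home.php',
    'search'  => 'pages/search.php',
    'contact' => 'pages/contact.php',
];

// Returns the file for a known key, or null for anything else. Because the
// lookup is an exact array-key match, keys containing "../", a null byte or
// a URL scheme are simply unknown and never reach include().
function resolvePage(string $key): ?string
{
    return PAGES[$key] ?? null;
}

function includePage(string $requestedKey): void
{
    $file = resolvePage($requestedKey);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page', PHP_EOL;
        return;
    }
    include $file;
}

// Demonstration of the lookup itself (no files are included here).
var_dump(resolvePage('search'));
var_dump(resolvePage('search/../../logs/access.log'));
```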
RE: [PHP] Preventing XSS Attacks
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: Thursday, June 11, 2009 9:28 AM
> To: PHP-General List
> Subject: Re: [PHP] Preventing XSS Attacks
>
> At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> >
> > So something like this would be acceptable?:
> >
> > $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> > $searchTerms = htmlentities($searchTerms);
> > $dbSearchTerms = mysql_real_escape_string($searchTerms);
> >
> > Giving me two variables, one for display output to user, the other for
> > use in the database?
> >
> > Thanks
> > Ash
>
> Ash:
>
> I wouldn't use $_REQUEST. If you know the request method then use it.
>
> There can be problems using $_REQUEST.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com

I agree with tedd wholeheartedly and I want to repeat the importance of
protecting the data coming back from the db as well by using
safeEscapeString in your queries and again the reason for this is to
prevent malicious code from being executed.

As far as CSRF/XSRF take a read here
http://shiflett.org/articles/cross-site-request-forgeries

[Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
610.446.3346]
Re: [PHP] Preventing XSS Attacks
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> So something like this would be acceptable?:
>
> $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> $searchTerms = htmlentities($searchTerms);
> $dbSearchTerms = mysql_real_escape_string($searchTerms);
>
> Giving me two variables, one for display output to user, the other for
> use in the database?
>
> Thanks
> Ash

Ash:

I wouldn't use $_REQUEST. If you know the request method then use it.

There can be problems using $_REQUEST.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Preventing XSS Attacks
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nun wrote:
> Usually I would support you on this one. In chemistry you always keep
> your stock "pure" and make any observations or mixtures in clean and
> other glasses in order to keep it pure.
>
> When it comes to printing an output or hosting it in a variable and
> then printing it out it is just a matter of taste.

It is a matter of taste. If I see a variable named $searchTerms, I expect
it to have only the (appropriately sanitized) search terms in it without
any specific escape sequences. For me, it's the same problem I have with
magic_quotes (and related variants). If the magic_quotes setting is
enabled, you have to call stripslashes() on the variable before you do
just about anything with it, such as passing it to htmlspecialchars(),
mysql_real_escape_string(), a DBMS other than MySQL, etc.

All I'm saying is that if I want to assign the returned value of an escape
function to a variable, I use a new variable whose name describes its
purpose -- Ash's $dbSearchTerms variable does just this -- rather than
assigning it back to the original variable. (I do sometimes make an
exception when the variable's scope is inside a function whose sole purpose
is to escape the value and then do something with the escaped value.) I
just often skip the extra variable and use the function return value
directly unless having the extra variable makes the code more readable --
as a matter of taste. :-)

Andrew
Re: [PHP] Preventing XSS Attacks
Usually I would support you on this one. In chemistry you always keep
your stock "pure" and make any observations or mixtures in clean and
other glasses in order to keep it pure.

When it comes to printing an output or hosting it in a variable and
then printing it out it is just a matter of taste.

On Wed, Jun 10, 2009 at 8:54 PM, Andrew Ballard wrote:
> On Wed, Jun 10, 2009 at 2:56 PM, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
> > > On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
> > > > > On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan wrote:
> > > > > > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > > > > > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > > > > > > Ashley Sheridan wrote:
> > > > > > > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > > > > > > > > > > I've been doing a bit of reading, and I can't really understand why XSS
> > > > > > > > > > > is such an issue. Sure, if a user can insert a
Re: [PHP] Preventing XSS Attacks
That would do the job.

If you are already digging into it, take a look at XSRF/CSRF which can
both be very harmful, especially for ecommerce websites.

On Wed, Jun 10, 2009 at 8:08 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > > > > > I've been doing a bit of reading, and I can't really understand why XSS
> > > > > > is such an issue. Sure, if a user can insert a
Re: [PHP] Preventing XSS Attacks
I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a
Re: [PHP] Preventing XSS Attacks
Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitises the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > As far for the output, just html entities () it and you will be good.
> > > >
> > > > You better check the search query for sql injection, which is more
> > > > dangerous.
> > > >
> > > > HTH
> > > > Nitsan
> > > >
> > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm looking at adding a new search feature to my site, and one of the
> > > > > elements of this is to echo back in the search results page, the
> > > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > > been an issue for my site, but I can see from a mile off this will be.
> > > > > What would you guys recommend to avoid this?
> > > > >
> > > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > > the output for display on the results page, but is this enough?
> > > > >
> > > > > Thanks
> > > > > Ash
> > > > > www.ashleysheridan.co.uk
> > >
> > > I always use mysql_real_escape_string() for that sort of thing, not had
> > > a problem with it, but is there anything you think I should be wary of?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
>
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want, no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
> Thanks
> Ash
> www.ashleysheridan.co.uk

You would use mysql_real_escape_string() before using the string in a db
query (searching). You should use htmlentities() and/or strip tags before
displaying the string.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Preventing XSS Attacks
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> The problem with using a database escaping string for output escaping
> is that something like (despite being the world's lamest XSS)
>
> location.href('google.com')
>
> Would output mostly the same and with some cleverness, it wouldn't be
> too hard to get that to function properly with a full fledged XSS
> attack. I'd personally use one of the FILTER_* constants in
> conjunction with the filter functions themselves, say filter_var and
> FILTER_SANITIZE_SPECIAL_CHARS.
>
> On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > > mysql_real_escape_string() only sanitises the input. I would personally
> > > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > > Validate the input in some way, or make extra sanitisation of it
> > > before running the search query.
> > >
> > > Regarding the HTML output, just entities() it and you'll be good :)
> > >
> > > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > > As far for the output, just html entities () it and you will be good.
> > > > >
> > > > > You better check the search query for sql injection, which is more
> > > > > dangerous.
> > > > >
> > > > > HTH
> > > > > Nitsan
> > > > >
> > > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I'm looking at adding a new search feature to my site, and one of the
> > > > > > elements of this is to echo back in the search results page, the
> > > > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > > > been an issue for my site, but I can see from a mile off this will be.
> > > > > > What would you guys recommend to avoid this?
> > > > > >
> > > > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > > > the output for display on the results page, but is this enough?
> > > > > >
> > > > > > Thanks
> > > > > > Ash
> > > > > > www.ashleysheridan.co.uk
> > > >
> > > > I always use mysql_real_escape_string() for that sort of thing, not had
> > > > a problem with it, but is there anything you think I should be wary of?
> > > >
> > > > Thanks
> > > > Ash
> > > > www.ashleysheridan.co.uk
> >
> > [just bringing it back on list]
> >
> > Well, I don't understand, what is the problem with
> > mysql_real_escape_string() for sanitising input to use for a search? It
> > should escape anything out so that the query can't be used in ways that
> > I don't want, no?
> >
> > I'd thought about using a whitelist-only regex, but that seems a little
> > limiting tbh, and as my site contains code, it's not unreasonable to
> > expect some people might want to search for particular code excerpts.
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk

Oh no, I think I'm misunderstood here. I was going to use
mysql_real_escape_string only for the database input, and use
htmlentities for the display output, as essentially they are separate,
and should be treated as such.

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a
Re: [PHP] Preventing XSS Attacks
The problem with using a database escaping string for output escaping
is that something like (despite being the world's lamest XSS)

location.href('google.com')

Would output mostly the same and with some cleverness, it wouldn't be
too hard to get that to function properly with a full fledged XSS
attack. I'd personally use one of the FILTER_* constants in
conjunction with the filter functions themselves, say filter_var and
FILTER_SANITIZE_SPECIAL_CHARS.

On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitises the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > As far for the output, just html entities () it and you will be good.
> > > >
> > > > You better check the search query for sql injection, which is more
> > > > dangerous.
> > > >
> > > > HTH
> > > > Nitsan
> > > >
> > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm looking at adding a new search feature to my site, and one of the
> > > > > elements of this is to echo back in the search results page, the
> > > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > > been an issue for my site, but I can see from a mile off this will be.
> > > > > What would you guys recommend to avoid this?
> > > > >
> > > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > > the output for display on the results page, but is this enough?
> > > > >
> > > > > Thanks
> > > > > Ash
> > > > > www.ashleysheridan.co.uk
> > >
> > > I always use mysql_real_escape_string() for that sort of thing, not had
> > > a problem with it, but is there anything you think I should be wary of?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
>
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want, no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
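Eddie's point, together with Shawn's advice and the display/database split in Ash's snippet, as an added example (not code from the thread; the function names are mine): database-style escaping leaves HTML markup intact, while HTML escaping is what the results page needs, and each copy of the term is derived from the raw value rather than from another copy. addslashes() stands in for mysql_real_escape_string(), which needs a live connection and is no longer in modern PHP.

```php
<?php
// Added example, not from the thread. Shows why a database escaping
// function is the wrong tool for output escaping, and how to derive one
// copy of the search term per context from the raw value.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string(): it backslashes quotes, backslashes
// and NUL, which is what a SQL string literal needs. addslashes() is used
// here only because mysql_real_escape_string() needs an open connection.
function forSqlLiteral(string $raw): string
{
    return addslashes($raw);
}

// HTML context: encode &, <, >, " and ' so the term is shown as text.
function forHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Eddie's alternative: filter_var() with FILTER_SANITIZE_SPECIAL_CHARS
// HTML-encodes the same characters plus ASCII control characters.
function forHtmlViaFilter(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Echo a search term back into the results page through a given escaper.
function resultsHeading(string $raw, callable $escape): string
{
    return '<p>Results for: ' . $escape($raw) . '</p>';
}

// Constructed inputs: a harmless term, one with markup, one with quotes.
$inputs = [
    'sorting algorithm',
    'a <b>bold</b> term & more',
    "O'Reilly \"quoted\"",
];

foreach ($inputs as $raw) {
    echo 'raw:        ', $raw, PHP_EOL;
    echo 'sql-style:  ', resultsHeading($raw, 'forSqlLiteral'), PHP_EOL;
    echo 'html:       ', resultsHeading($raw, 'forHtml'), PHP_EOL;
    echo 'filter_var: ', resultsHeading($raw, 'forHtmlViaFilter'), PHP_EOL;
    echo PHP_EOL;
}
// The sql-style line keeps <b>...</b> as live markup in the page (only the
// quotes gain a backslash); the two HTML variants render it as literal text.

// Derive each copy from the raw value, never one copy from another. In the
// snippet quoted earlier in the thread the database copy is made from the
// already HTML-encoded copy, so a search for "a & b" reaches the database
// as "a &amp; b" and matches nothing that contains a plain ampersand.
$raw       = 'a & b';
$display   = forHtml($raw);                // for the results page
$dbLiteral = forSqlLiteral($raw);          // for the query
$chained   = forSqlLiteral(forHtml($raw)); // what the quoted snippet does

echo 'display:  ', $display, PHP_EOL;
echo 'db:       ', $dbLiteral, PHP_EOL;
echo 'chained:  ', $chained, PHP_EOL;
```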
Re: [PHP] Preventing XSS Attacks
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> mysql_real_escape_string() only sanitises the input. I would personally
> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> Validate the input in some way, or make extra sanitisation of it
> before running the search query.
>
> Regarding the HTML output, just entities() it and you'll be good :)
>
> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > As far for the output, just html entities () it and you will be good.
> > >
> > > You better check the search query for sql injection, which is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan wrote:
> > > > Hi all,
> > > >
> > > > I'm looking at adding a new search feature to my site, and one of the
> > > > elements of this is to echo back in the search results page, the
> > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > been an issue for my site, but I can see from a mile off this will be.
> > > > What would you guys recommend to avoid this?
> > > >
> > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > the output for display on the results page, but is this enough?
> > > >
> > > > Thanks
> > > > Ash
> > > > www.ashleysheridan.co.uk
> >
> > I always use mysql_real_escape_string() for that sort of thing, not had
> > a problem with it, but is there anything you think I should be wary of?
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk

[just bringing it back on list]

Well, I don't understand, what is the problem with
mysql_real_escape_string() for sanitising input to use for a search? It
should escape anything out so that the query can't be used in ways that
I don't want, no?

I'd thought about using a whitelist-only regex, but that seems a little
limiting tbh, and as my site contains code, it's not unreasonable to
expect some people might want to search for particular code excerpts.

Thanks
Ash
www.ashleysheridan.co.uk