RE: [PHP] Preventing XSS Attacks

2009-06-15 Thread Bob McConnell
From: Ashley Sheridan
 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
 mysql_real_escape_string() only sanitises the input. I would
personally
 only allow [a-zA-Z0-9-_] in search string but that's just me ;)
 Validate the input in some way, or make extra sanitisation of it
 before running the search query.
 
 Regarding the HTML output, just entities() it and you'll be good :)
 
 On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
 On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
  As for the output, just html entities () it and you
will
 be good.
 
  You better check the search query for sql injection, which
 is more
  dangerous.
 
  HTH
  Nitsan
 
  On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
  Hi all,
 
  I'm looking at adding a new search feature to my
 site, and one
  of the
  elements of this is to echo back in the search
 results page,
  the
  original string the user searched for. Up until
now,
 XSS
  hasn't (afaik)
  been an issue for my site, but I can see from a
mile
 off this
  will be.
  What would you guys recommend to avoid this?
 
  I'd thought initially of using a mixture of
  html_special_chars() and a
  regex (as yet not sure what I'll be stripping out
 with this)
  to sanitise
  the output for display on the results page, but is
 this
  enough?
 
 
 I always use mysql_real_escape_string() for that sort of
 thing, not had
 a problem with it, but is there anything you think I should
be
 wary of?
 
 
 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a search?
It
 should escape anything out so that the query can't be used in ways
that
 I don't want no?
 
 I'd thought about using a whitelist-only regex, but that seems a
little
 limiting tbh, and as my site contains code, it's not unreasonable to
 expect some people might want to search for particular code excerpts.

What if we don't use MySQL? We are using Postgres on our web servers.
None of the MySQL libraries are available. I am currently reviewing a
half-dozen different and incomplete black-list sanitization functions
that don't do a very good job while removing characters that we need to
be able to use. I need to identify a clean strategy to replace or
restructure them.

Bob McConnell

Sorry for posting this so late, I just got back from a week of vacation.
bm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Preventing XSS Attacks

2009-06-15 Thread Paul M Foster
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:

 From: Ashley Sheridan
  On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
  mysql_real_escape_string() only sanitises the input. I would
 personally
  only allow [a-zA-Z0-9-_] in search string but that's just me ;)
  Validate the input in some way, or make extra sanitisation of it
  before running the search query.
  
  Regarding the HTML output, just entities() it and you'll be good :)
  
  On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
  
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
   As for the output, just html entities () it and you
 will
  be good.
  
   You better check the search query for sql injection, which
  is more
   dangerous.
  
   HTH
   Nitsan
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
   Hi all,
  
   I'm looking at adding a new search feature to my
  site, and one
   of the
   elements of this is to echo back in the search
  results page,
   the
   original string the user searched for. Up until
 now,
  XSS
   hasn't (afaik)
   been an issue for my site, but I can see from a
 mile
  off this
   will be.
   What would you guys recommend to avoid this?
  
   I'd thought initially of using a mixture of
   html_special_chars() and a
   regex (as yet not sure what I'll be stripping out
  with this)
   to sanitise
   the output for display on the results page, but is
  this
   enough?
  
  
  I always use mysql_real_escape_string() for that sort of
  thing, not had
  a problem with it, but is there anything you think I should
 be
  wary of?
  
  
  Well, I don't understand, what is the problem with
  mysql_real_escape_string() for sanitising input to use for a search?
 It
  should escape anything out so that the query can't be used in ways
 that
  I don't want no?
  
  I'd thought about using a whitelist-only regex, but that seems a
 little
  limiting tbh, and as my site contains code, it's not unreasonable to
  expect some people might want to search for particular code excerpts.
 
 What if we don't use MySQL? We are using Postgres on our web servers.
 None of the MySQL libraries are available. I am currently reviewing a
 half-dozen different and incomplete black-list sanitization functions
 that don't do a very good job while removing characters that we need to
 be able to use. I need to identify a clean strategy to replace or
 restructure them.

PostgreSQL has a function called pg_escape_string() which probably
performs a function similar to MySQL's function. See

http://us2.php.net/manual/en/function.pg-escape-string.php

But you'll still need other functions (as above in this thread) to do a
thorough job.

Paul
-- 
Paul M. Foster




Re: [PHP] Preventing XSS Attacks

2009-06-13 Thread Ashley Sheridan
On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote:
 2009/6/11 HallMarc Websites m...@hallmarcwebsites.com
 
 
 
   -Original Message-
   From: tedd [mailto:tedd.sperl...@gmail.com]
   Sent: Thursday, June 11, 2009 9:28 AM
   To: PHP-General List
   Subject: Re: [PHP] Preventing XSS Attacks
  
   At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
   
   So something like this would be acceptable?:
   
   $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
   $searchTerms = htmlentities($searchTerms);
   $dbSearchTerms = mysql_real_escape_string($searchTerms);
   
   Giving me two variables, one for display output to user, the other for
   use in the database?
   
   Thanks
   Ash
  
   Ash:
  
   I wouldn't use $_REQUEST.  If you know the request method then use it.
  
   There can be problems using $_REQUEST.
  
   Cheers,
  
   tedd
  
   --
   ---
   http://sperling.com  http://ancientstones.com  http://earthstones.com
  
 
  I agree with tedd whole heartedly and I want to repeat the importance of
  protecting the data coming back from the db as well by using
  safeEscapeString in your queries and again the reason for this is to
  prevent
  malicious code from being executed.
 
  As far as CSRF/XSRF take a read here
  http://shiflett.org/articles/cross-site-request-forgeries
 
  [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
  610.446.3346]
 
 
 
 I'd recommend that you *always* use ENT_QUOTES as the second parameter on
 htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
 which may be evil.
 
 Also be sure that you don't code a possibility to include local or even
 remote files: It's so easy to Inject code into logfiles.
 include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
 protection.
 
 Also, like someone already mentioned, *always* prefer _POST over _REQUEST,
 when dealing with a FORM with method POST!
 
 Regards

In this case I'm expecting input from both forms and links, so have to
use $_REQUEST, really. As far as I can tell, $_REQUEST is no less safe
than any of the others, as they are all getting their data from the
user, so it's all unsafe until validated/cleaned.

Thanks for the ENT_QUOTES thing, I really haven't had my head screwed on
the last few days!

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread tedd

At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:


So something like this would be acceptable?:

$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
$searchTerms = htmlentities($searchTerms);
$dbSearchTerms = mysql_real_escape_string($searchTerms);

Giving me two variables, one for display output to user, the other for
use in the database?

Thanks
Ash


Ash:

I wouldn't use $_REQUEST.  If you know the request method then use it.

There can be problems using $_REQUEST.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




RE: [PHP] Preventing XSS Attacks

2009-06-11 Thread HallMarc Websites


 -Original Message-
 From: tedd [mailto:tedd.sperl...@gmail.com]
 Sent: Thursday, June 11, 2009 9:28 AM
 To: PHP-General List
 Subject: Re: [PHP] Preventing XSS Attacks
 
 At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
 
 So something like this would be acceptable?:
 
 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);
 
 Giving me two variables, one for display output to user, the other for
 use in the database?
 
 Thanks
 Ash
 
 Ash:
 
 I wouldn't use $_REQUEST.  If you know the request method then use it.
 
 There can be problems using $_REQUEST.
 
 Cheers,
 
 tedd
 
 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com
 

I agree with tedd whole heartedly and I want to repeat the importance of
protecting the data coming back from the db as well by using
safeEscapeString in your queries and again the reason for this is to prevent
malicious code from being executed. 

As far as CSRF/XSRF take a read here
http://shiflett.org/articles/cross-site-request-forgeries

[Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
610.446.3346]





Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread Jan G.B.
2009/6/11 HallMarc Websites m...@hallmarcwebsites.com



  -Original Message-
  From: tedd [mailto:tedd.sperl...@gmail.com]
  Sent: Thursday, June 11, 2009 9:28 AM
  To: PHP-General List
  Subject: Re: [PHP] Preventing XSS Attacks
 
  At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
  
  So something like this would be acceptable?:
  
  $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
  $searchTerms = htmlentities($searchTerms);
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
  
  Giving me two variables, one for display output to user, the other for
  use in the database?
  
  Thanks
  Ash
 
  Ash:
 
  I wouldn't use $_REQUEST.  If you know the request method then use it.
 
  There can be problems using $_REQUEST.
 
  Cheers,
 
  tedd
 
  --
  ---
  http://sperling.com  http://ancientstones.com  http://earthstones.com
 

 I agree with tedd whole heartedly and I want to repeat the importance of
 protecting the data coming back from the db as well by using
 safeEscapeString in your queries and again the reason for this is to
 prevent
 malicious code from being executed.

 As far as CSRF/XSRF take a read here
 http://shiflett.org/articles/cross-site-request-forgeries

 [Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
 610.446.3346]



I'd recommend that you *always* use ENT_QUOTES as the second parameter on
htmlentities or htmlspecialchars. Otherwise a single ' will not be escaped,
which may be evil.

Also be sure that you don't code a possibility to include local or even
remote files: It's so easy to Inject code into logfiles.
include('whatever'.$_REQUEST['var'].'.whatever') is not a sufficient
protection.

Also, like someone already mentioned, *always* prefer _POST over _REQUEST,
when dealing with a FORM with method POST!

Regards


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
 mysql_real_escape_string() only sanitises the input. I would personally
 only allow [a-zA-Z0-9-_] in search string but that's just me ;)
 Validate the input in some way, or make extra sanitisation of it
 before running the search query.
 
 Regarding the HTML output, just entities() it and you'll be good :)
 
 On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
 On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
  As for the output, just html entities () it and you will
 be good.
 
  You better check the search query for sql injection, which
 is more
  dangerous.
 
  HTH
  Nitsan
 
  On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
  Hi all,
 
  I'm looking at adding a new search feature to my
 site, and one
  of the
  elements of this is to echo back in the search
 results page,
  the
  original string the user searched for. Up until now,
 XSS
  hasn't (afaik)
  been an issue for my site, but I can see from a mile
 off this
  will be.
  What would you guys recommend to avoid this?
 
  I'd thought initially of using a mixture of
  html_special_chars() and a
  regex (as yet not sure what I'll be stripping out
 with this)
  to sanitise
  the output for display on the results page, but is
 this
  enough?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 I always use mysql_real_escape_string() for that sort of
 thing, not had
 a problem with it, but is there anything you think I should be
 wary of?
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 
 
 
[just bringing it back on list]

Well, I don't understand, what is the problem with
mysql_real_escape_string() for sanitising input to use for a search? It
should escape anything out so that the query can't be used in ways that
I don't want no?

I'd thought about using a whitelist-only regex, but that seems a little
limiting tbh, and as my site contains code, it's not unreasonable to
expect some people might want to search for particular code excerpts.


Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
The problem with using a database escaping string for output escaping is
that something like (despite being the world's lamest XSS)
<script>
location.href('google.com')
</script>
Would output mostly the same and with some cleverness, it wouldn't be too
hard to get that to function properly with a full fledged XSS attack.  I'd
personally use one of the FILTER_* constants in conjunction with the filter
functions themselves, say filter_var and FILTER_SANITIZE_SPECIAL_CHARS.


On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:

 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
  mysql_real_escape_string() only sanitises the input. I would personally
  only allow [a-zA-Z0-9-_] in search string but that's just me ;)
  Validate the input in some way, or make extra sanitisation of it
  before running the search query.
 
  Regarding the HTML output, just entities() it and you'll be good :)
 
  On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
 
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
   As for the output, just html entities () it and you will
  be good.
  
   You better check the search query for sql injection, which
  is more
   dangerous.
  
   HTH
   Nitsan
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
   Hi all,
  
   I'm looking at adding a new search feature to my
  site, and one
   of the
   elements of this is to echo back in the search
  results page,
   the
   original string the user searched for. Up until now,
  XSS
   hasn't (afaik)
   been an issue for my site, but I can see from a mile
  off this
   will be.
   What would you guys recommend to avoid this?
  
   I'd thought initially of using a mixture of
   html_special_chars() and a
   regex (as yet not sure what I'll be stripping out
  with this)
   to sanitise
   the output for display on the results page, but is
  this
   enough?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
 
  I always use mysql_real_escape_string() for that sort of
  thing, not had
  a problem with it, but is there anything you think I should be
  wary of?
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 
 [just bringing it back on list]

 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a search? It
 should escape anything out so that the query can't be used in ways that
 I don't want no?

 I'd thought about using a whitelist-only regex, but that seems a little
 limiting tbh, and as my site contains code, it's not unreasonable to
 expect some people might want to search for particular code excerpts.


 Thanks
 Ash
 www.ashleysheridan.co.uk






Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
 The problem with using a database escaping string for output escaping
 is that something like (despite being the world's lamest XSS)
 <script>
 location.href('google.com')
 </script>
 Would output mostly the same and with some cleverness, it wouldn't be
 too hard to get that to function properly with a full fledged XSS
 attack.  I'd personally use one of the FILTER_* constants in
 conjunction with the filter functions themselves, say filter_var and
 FILTER_SANITIZE_SPECIAL_CHARS.
 
 
 On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
  mysql_real_escape_string() only sanitises the input. I would
 personally
  only allow [a-zA-Z0-9-_] in search string but that's just
 me ;)
  Validate the input in some way, or make extra sanitisation
 of it
  before running the search query.
 
  Regarding the HTML output, just entities() it and you'll be
 good :)
 
  On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
 
  On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun
 wrote:
   As for the output, just html entities () it
 and you will
  be good.
  
   You better check the search query for sql
 injection, which
  is more
   dangerous.
  
   HTH
   Nitsan
 
  
   On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
   a...@ashleysheridan.co.uk wrote:
   Hi all,
  
   I'm looking at adding a new search feature
 to my
  site, and one
   of the
   elements of this is to echo back in the
 search
  results page,
   the
   original string the user searched for. Up
 until now,
  XSS
   hasn't (afaik)
   been an issue for my site, but I can see
 from a mile
  off this
   will be.
   What would you guys recommend to avoid
 this?
  
   I'd thought initially of using a mixture
 of
   html_special_chars() and a
   regex (as yet not sure what I'll be
 stripping out
  with this)
   to sanitise
   the output for display on the results
 page, but is
  this
   enough?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
  
 
 
  I always use mysql_real_escape_string() for that
 sort of
  thing, not had
  a problem with it, but is there anything you think I
 should be
  wary of?
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 
 
 [just bringing it back on list]
 
 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a
 search? It
 should escape anything out so that the query can't be used in
 ways that
 I don't want no?
 
 I'd thought about using a whitelist-only regex, but that seems
 a little
 limiting tbh, and as my site contains code, it's not
 unreasonable to
 expect some people might want to search for particular code
 excerpts.
 
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 
 
 
 
Oh no, I think I'm misunderstood here. I was going to use
mysql_real_escape_string only for the database input, and use
htmlentities for the display output, as essentially they are separate,
and should be treated as such.

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.

Thanks
Ash
www.ashleysheridan.co.uk



Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
 mysql_real_escape_string() only sanitises the input. I would personally
 only allow [a-zA-Z0-9-_] in search string but that's just me ;)
 Validate the input in some way, or make extra sanitisation of it
 before running the search query.

 Regarding the HTML output, just entities() it and you'll be good :)

 On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
 a...@ashleysheridan.co.uk wrote:
 
 On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
  As for the output, just html entities () it and you will
 be good.
 
  You better check the search query for sql injection, which
 is more
  dangerous.
 
  HTH
  Nitsan
 
  On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
  a...@ashleysheridan.co.uk wrote:
  Hi all,
 
  I'm looking at adding a new search feature to my
 site, and one
  of the
  elements of this is to echo back in the search
 results page,
  the
  original string the user searched for. Up until now,
 XSS
  hasn't (afaik)
  been an issue for my site, but I can see from a mile
 off this
  will be.
  What would you guys recommend to avoid this?
 
  I'd thought initially of using a mixture of
  html_special_chars() and a
  regex (as yet not sure what I'll be stripping out
 with this)
  to sanitise
  the output for display on the results page, but is
 this
  enough?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
 
 I always use mysql_real_escape_string() for that sort of
 thing, not had
 a problem with it, but is there anything you think I should be
 wary of?
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 


 [just bringing it back on list]
 
 Well, I don't understand, what is the problem with
 mysql_real_escape_string() for sanitising input to use for a search? It
 should escape anything out so that the query can't be used in ways that
 I don't want no?
 
 I'd thought about using a whitelist-only regex, but that seems a little
 limiting tbh, and as my site contains code, it's not unreasonable to
 expect some people might want to search for particular code excerpts.
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 

You would use mysql_real_escape_string() before using the string in a db
query (searching).  You should use htmlentities() and/or strip tags
before displaying the string.

-- 
Thanks!
-Shawn
http://www.spidean.com
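Shawn's point above (escape once for the query, separately for the display) and Jan's ENT_QUOTES point earlier in the thread, as an added PHP example that is not code from anyone in the thread. It uses PDO prepared statements instead of mysql_real_escape_string() or pg_escape_string(), so the same code serves Bob's PostgreSQL case by changing only the DSN; an in-memory SQLite database and the `snippets` table are constructed here so the script runs without a server.

```php
<?php
// Added example (not from the thread): one raw search term, escaped once for
// HTML output and bound once as a query parameter. The two results are kept
// in separate variables and neither is derived from the other.
declare(strict_types=1);

// Escape for HTML body/attribute context. ENT_QUOTES also converts the single
// quote, which ENT_COMPAT (the default before PHP 8.1) leaves alone.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Run the search with the *raw* term bound as a parameter: the driver sends
// the value separately from the SQL text, so nothing is escaped by hand.
// LIKE wildcards in the term are escaped with '!' so a user cannot turn
// "100%" into a match-everything pattern; '!' is portable across SQLite,
// MySQL and PostgreSQL, unlike a backslash.
function searchSnippets(PDO $db, string $rawTerm): array
{
    $pattern = '%' . strtr($rawTerm, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare("SELECT body FROM snippets WHERE body LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture: a few code snippets, the kind of content the site in
// the thread hosts. For MySQL or PostgreSQL only the DSN and credentials
// change, e.g. new PDO('pgsql:host=localhost;dbname=site', $user, $pass).
function fixtureDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT)');
    $ins = $db->prepare('INSERT INTO snippets (body) VALUES (:b)');
    foreach (["<div class='x'>", "echo 'hi';", "SELECT 100% FROM t"] as $b) {
        $ins->execute([':b' => $b]);
    }
    return $db;
}

$db  = fixtureDb();
$raw = $_GET['q'] ?? "<div class='x'>";   // what the user typed, untouched

// 1) Display context: escape at output time, once.
echo 'Results for: ' . forHtml($raw) . "\n";
// -> Results for: &lt;div class=&#039;x&#039;&gt;

// 2) Query context: bind the raw value; the database sees the literal text.
foreach (searchSnippets($db, $raw) as $hit) {
    echo ' - ' . forHtml($hit) . "\n";
}
// -> one hit, the stored "<div class='x'>" row

// Wildcard handling: "100%" finds only the row containing that text.
printf("hits for 100%%: %d\n", count(searchSnippets($db, '100%')));   // -> 1

// Why the chained version in the thread loses data: HTML-escaping first and
// then handing that string to the query searches for the entity text.
$wrong = htmlentities($raw, ENT_QUOTES, 'UTF-8');
printf("chained escaping searches for %s: %d hits\n",
       $wrong, count(searchSnippets($db, $wrong)));                    // -> 0

// Jan's ENT_QUOTES point: with ENT_COMPAT the single quote survives, which
// matters when the value lands inside a single-quoted attribute.
echo htmlspecialchars("x' y", ENT_COMPAT) . "\n";   // -> x' y
echo forHtml("x' y") . "\n";                        // -> x&#039; y
```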




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana



I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
  
1. User 1 logs on to the application. Fills up the form with malicious 
JS code in it. The server accepts the input, is stored in the database.
2. User 2 logs on to the application. Goes to view the information 
stored in the database. The JS gets executed on user 2's browser. User 
is attacked by XSS.


I hope that clarifies the question.


--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  I've been doing a bit of reading, and I can't really understand why XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their own
  browser.

 1. User 1 logs on to the application. Fills up the form with malicious 
 JS code in it. The server accepts the input, is stored in the database.
 2. User 2 logs on to the application. Goes to view the information 
 stored in the database. The JS gets executed on user 2's browser. User 
 is attacked by XSS.
 
 I hope that clarifies the question.
 
 
It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:

  I've been doing a bit of reading, and I can't really understand why XSS
  is such an issue. Sure, if a user can insert a script tag, what
  difference will that make to anyone else, as it is only on their own
  browser.


  1. User 1 logs on to the application. Fills up the form with malicious 
  JS code in it. The server accepts the input, is stored in the database.
  2. User 2 logs on to the application. Goes to view the information 
  stored in the database. The JS gets executed on user 2's browser. User 
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
  
  It does to a degree. So I shouldn't really worry about it in this case,
  as input from one user will never be displayed to any other user. If it
  was a forum or something, it would, but the search string is only ever
  shown to the user who entered it, and never stored for later display.
 

 It is easy to slip by. I recall a website was hacked using XSS on the 
 page the admin views the log entries. Just in case, you or somebody else 
 tries to add the search log feature in the future, keep this at the back 
 of your mind. Having the user click on a harmful URI is ridiculously 
 easy.
 
  
 
 
 -- 
 
 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
 Personal: http://sudheer.net
 
 
Yeah, I never realised what a minefield it could be, but I've been doing
a lot of reading today!

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
  Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
   I've been doing a bit of reading, and I can't really understand why XSS
   is such an issue. Sure, if a user can insert a script tag, what
   difference will that make to anyone else, as it is only on their own
   browser.
 
 
   1. User 1 logs on to the application. Fills up the form with malicious 
   JS code in it. The server accepts the input, is stored in the database.
   2. User 2 logs on to the application. Goes to view the information 
   stored in the database. The JS gets executed on user 2's browser. User 
   is attacked by XSS.
  
   I hope that clarifies the question.
  
  
   
   It does to a degree. So I shouldn't really worry about it in this case,
   as input from one user will never be displayed to any other user. If it
   was a forum or something, it would, but the search string is only ever
   shown to the user who entered it, and never stored for later display.
  
 
  It is easy to slip by. I recall a website was hacked using XSS on the 
  page the admin views the log entries. Just in case, you or somebody else 
  tries to add the search log feature in the future, keep this at the back 
  of your mind. Having the user click on a harmful URI is ridiculously 
  easy.
  
   
  
  
  -- 
  
  With warm regards,
  Sudheer. S
  Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
  Personal: http://sudheer.net
  
  
 Yeah, I never realised what a minefield it could be, but I've been doing
 a lot of reading today!
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 
 
So something like this would be acceptable?:

$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
$searchTerms = htmlentities($searchTerms);
$dbSearchTerms = mysql_real_escape_string($searchTerms);

Giving me two variables, one for display output to user, the other for
use in the database?

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
That would do the job.

If you are already digging into it, take a look at XSRF/CSRF, which can
both be very harmful, especially for ecommerce websites.

On Wed, Jun 10, 2009 at 8:08 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
 On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
  Ashley Sheridan wrote:
   On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  
   I've been doing a bit of reading, and I can't really understand why XSS
   is such an issue. Sure, if a user can insert a script tag, what
   difference will that make to anyone else, as it is only on their own
   browser.
  
  
   1. User 1 logs on to the application. Fills up the form with malicious
   JS code in it. The server accepts the input, is stored in the database.
   2. User 2 logs on to the application. Goes to view the information
   stored in the database. The JS gets executed on user 2's browser. User
   is attacked by XSS.
  
   I hope that clarifies the question.
  
  
  
   It does to a degree. So I shouldn't really worry about it in this case,
   as input from one user will never be displayed to any other user. If it
   was a forum or something, it would, but the search string is only ever
   shown to the user who entered it, and never stored for later display.
  
  
  It is easy to slip by. I recall a website was hacked using XSS on the
  page the admin views the log entries. Just in case, you or somebody else
  tries to add the search log feature in the future, keep this at the back
  of your mind. Having the user click on a harmful URI is ridiculously
  easy.
 
 
 
 
  --
 
  With warm regards,
  Sudheer. S
  Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
  Personal: http://sudheer.net
 
 
 Yeah, I never realised what a minefield it could be, but I've been doing
 a lot of reading today!

 Thanks
 Ash
 www.ashleysheridan.co.uk


 So something like this would be acceptable?:

 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);

 Giving me two variables, one for display output to user, the other for
 use in the database?

 Thanks
 Ash
 www.ashleysheridan.co.uk






Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote:
 That would do the job.
 
 If you are already digging into it, take a look at XSRF/CSRF, which can
 both be very harmful, especially for ecommerce websites.
 
 On Wed, Jun 10, 2009 at 8:08 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  So something like this would be acceptable?:
 
  $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
  $searchTerms = htmlentities($searchTerms);
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
 
  Giving me two variables, one for display output to user, the other for
  use in the database?
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 
 
Thanks, I will.

Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana

Ashley Sheridan wrote:

On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
  

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
  
  
1. User 1 logs on to the application. Fills up the form with malicious 
JS code in it. The server accepts the input, is stored in the database.
2. User 2 logs on to the application. Goes to the view the information 
stored in the database. The JS gets executed on user 2's browser. User 
is attacked by XSS.


I hope that clarifies the question.




It does to a degree. So I shouldn't really worry about it in this case,
as input from one user will never be displayed to any other user. If it
was a forum or something, it would, but the search string is only ever
shown to the user who entered it, and never stored for later display.

  
It is easy to slip by. I recall a website was hacked using XSS on the 
page the admin views the log entries. Just in case, you or somebody else 
tries to add the search log feature in the future, keep this at the back 
of your mind. Having the user to click on a harmful URI is ridiculously 
easy.





--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.ukwrote:

 So something like this would be acceptable?:

 $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
 $searchTerms = htmlentities($searchTerms);
 $dbSearchTerms = mysql_real_escape_string($searchTerms);

 Giving me two variables, one for display output to user, the other for
 use in the database?

 Thanks
 Ash
 www.ashleysheridan.co.uk



You wouldn't want to insert htmlentity escaped information into your
database.

This method has always worked well for me:

Accept input -> db escape -> store;
Retrieve output from db -> html escape -> display;

So, I'm actually storing (in at least one case that I've seen), human
readable XSS in the database, but I have a consistent approach to escaping
before outputting so that it never gets displayed as XSS and I never
accidentally escape it twice, which depending on a few factors, can have
some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
would you? Alternatively though, if you are storing it html-escaped in the
database, make sure you don't ever escape it before you output, but I find
that approach a lot less flexible, has problems with searches, isn't easy to
read from the mysql cli console, etc. etc.


Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
 You wouldn't want to insert htmlentity escaped information into your
 database.
 
 This method has always worked well for me:
 
 Accept input -> db escape -> store;
 Retrieve output from db -> html escape -> display;
 
 So, I'm actually storing (in at least one case that I've seen), human
 readable XSS in the database, but I have a consistent approach to escaping
 before outputting so that it never gets displayed as XSS and I never
 accidentally escape it twice, which depending on a few factors, can have
 some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
 would you? Alternatively though, if you are storing it html-escaped in the
 database, make sure you don't ever escape it before you output, but I find
 that approach a lot less flexible, has problems with searches, isn't easy to
 read from the mysql cli console, etc. etc.

OK, so I just swapped those last two lines over like so:

$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
$dbSearchTerms = mysql_real_escape_string($searchTerms);
$searchTerms = htmlentities($searchTerms);


Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridana...@ashleysheridan.co.uk wrote:
 OK, so I just swapped those last two lines over like so:

 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
 $dbSearchTerms = mysql_real_escape_string($searchTerms);
 $searchTerms = htmlentities($searchTerms);


 Thanks
 Ash
 www.ashleysheridan.co.uk


I wouldn't self-assign the output of htmlentities to $searchTerms at all.

<?php
$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

// Rather than this:
$searchTerms = htmlspecialchars($searchTerms);
echo $searchTerms;

// I prefer this:
echo htmlspecialchars($searchTerms);

?>

Escape sequences are not part of the data, so I don't store them.

Andrew




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 I wouldn't self-assign the output of htmlentities to $searchTerms at all.
 
 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
 
 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;
 
 // I prefer this:
 echo htmlspecialchars($searchTerms);
 
 ?>
 
 Escape sequences are not part of the data, so I don't store them.
 
 Andrew
 

If you'll notice, I'm not storing the escape sequences, I'm displaying
them, hence the $dbSearchTerms variable, which is just for the database,
and outputting the return from the function rather than assigning it to
a variable and then outputting it is probably just down to taste.


Thanks
Ash
www.ashleysheridan.co.uk





Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:56 PM, Ashley
Sheridana...@ashleysheridan.co.uk wrote:
 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.


 Thanks
 Ash
 www.ashleysheridan.co.uk


You are storing it - in a variable. If I store an escaped value in a
variable, it is a very specifically purposed variable with a very
limited scope. I still prefer to keep a pure copy of the variable
somewhere in case I need to use it for a different purpose elsewhere
in the script.

Andrew




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.
 
 
 Thanks
 Ash
 www.ashleysheridan.co.uk
 

I normally use and recommend a set of functions that you can use for
both cases, display_prep(), store_prep().  You can pass optional args
that tell the function whether to htmlentities() or striptags() or both,
etc...  You can extend them later to do more complex checks or
sanitizing.  Then you can just use them inline:

$searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

echo display_prep($searchTerms);

$sql = "SELECT * FROM table WHERE field='" . store_prep($searchTerms) . "'";

-- 
Thanks!
-Shawn
http://www.spidean.com
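As an added example (not code from any of the posters), the store-raw/escape-on-output rule Eddie describes, written as the display_prep()/store_prep() helpers Shawn suggests, with the "admin views the log entries" page Sudheer mentions as the output sink. The SQLite in-memory database, the search_log table and the helper names are assumptions made for this example, and a PDO prepared statement stands in for the thread's mysql_real_escape_string().

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The raw search term is kept as
// the only copy of the data; store_prep() binds it for the database and
// display_prep() escapes it for HTML, each at its own boundary. The SQLite
// in-memory database, the search_log table and the helper names are
// assumptions made for this example.

/** Escape a raw string once for an HTML text node or quoted attribute. */
function display_prep(string $raw, bool $stripTags = false): string
{
    if ($stripTags) {
        $raw = strip_tags($raw);   // Shawn's optional "strip tags" mode
    }
    // ENT_QUOTES covers ' as well as " so the value is also safe inside
    // value="..."; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning '' and silently dropping the whole value.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store the raw term. A prepared statement takes the place of the thread's
 * mysql_real_escape_string(): the value travels as a bound parameter, so it
 * is never parsed as SQL and no escape sequences end up in the stored copy.
 */
function store_prep(PDO $pdo, string $raw): void
{
    $stmt = $pdo->prepare('INSERT INTO search_log (term) VALUES (:term)');
    $stmt->execute([':term' => $raw]);
}

/**
 * The "recent searches" admin page Sudheer warns about: terms typed by one
 * user are rendered for another, so this is where a stored script would run.
 * Escaping happens here, once, on the way out.
 */
function render_search_log(PDO $pdo): string
{
    $html = "<ul>\n";
    foreach ($pdo->query('SELECT term FROM search_log ORDER BY rowid') as $row) {
        // Writing $row['term'] unescaped here is the stored-XSS bug.
        $html .= '  <li>' . display_prep($row['term']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// --- demonstration with constructed input ---------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE search_log (term TEXT NOT NULL)');

// Constructed sample searches: a quote that would break a naive SQL string,
// an ampersand, and markup.
$searches = ["O'Reilly PHP", 'foo & bar', '<script>alert(1)</script>'];

foreach ($searches as $q) {
    $searchTerms = trim($q);            // the one raw copy, as in Ashley's first line
    store_prep($pdo, $searchTerms);     // database side: raw value, bound
    echo 'You searched for: ' . display_prep($searchTerms) . "\n";   // HTML side
}
echo render_search_log($pdo);

// Eddie's double-escaping pitfall: escaping a copy that was already escaped.
$once  = display_prep('foo & bar');   // foo &amp; bar
$twice = display_prep($once);         // foo &amp;amp; bar, which a browser shows as "foo &amp; bar"
echo $once, "\n", $twice, "\n";
```

Run it with the pdo_sqlite extension enabled; the list output shows every stored term rendered as text, and the last two lines show why a second escaping pass on the same copy produces the &amp;amp; Eddie describes.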




Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
Usually I would support you on this one. In chemistry you always keep
your stock pure and make any observations or mixtures in clean and
other glasses in order to keep it pure.

When it comes to printing an output or hosting it in a variables and
then printing it out it is just a matter of taste.

On Wed, Jun 10, 2009 at 8:54 PM, Andrew Ballardaball...@gmail.com wrote:
 On Wed, Jun 10, 2009 at 2:56 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
 On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
 On Wed, Jun 10, 2009 at 2:26 PM, Ashley
 Sheridana...@ashleysheridan.co.uk wrote:
  On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
  On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
  a...@ashleysheridan.co.ukwrote:
 
   On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
 Ashley Sheridan wrote:
  On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
 
  I've been doing a bit of reading, and I can't really 
  understand why
   XSS
  is such an issue. Sure, if a user can insert a script tag, 
  what
  difference will that make to anyone else, as it is only on 
  their
   own
  browser.
 
 
  1. User 1 logs on to the application. Fills up the form with
   malicious
  JS code in it. The server accepts the input, is stored in the
   database.
  2. User 2 logs on to the application. Goes to the view the
   information
  stored in the database. The JS gets executed on user 2's 
  browser.
   User
  is attacked by XSS.
 
  I hope that clarifies the question.
 
 
 
  It does to a degree. So I shouldn't really worry about it in this
   case,
  as input from one user will never be displayed to any other 
  user. If
   it
  was a forum or something, it would, but the search string is only
   ever
  shown to the user who entered it, and never stored for later 
  display.
 
 
 It is easy to slip by. I recall a website was hacked using XSS on 
 the
 page the admin views the log entries. Just in case, you or somebody
   else
 tries to add the search log feature in the future, keep this at the
   back
 of your mind. Having the user to click on a harmful URI is 
 ridiculously
 easy.




 --

 With warm regards,
 Sudheer. S
 Business: http://binaryvibes.co.in, Tech stuff: 
 http://techchorus.net,
   Personal: http://sudheer.net


Yeah, I never realised what a minefield it could be, but I've been 
doing
a lot of reading today!
   
Thanks
Ash
www.ashleysheridan.co.uk
   
   
   So something like this would be acceptable?:
  
   $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
   $searchTerms = htmlentities($searchTerms);
   $dbSearchTerms = mysql_real_escape_string($searchTerms);
  
   Giving me two variables, one for display output to user, the other for
   use in the database?
  
   Thanks
   Ash
   www.ashleysheridan.co.uk
  
 
 
  You wouldn't want to insert htmlentity escaped information into your
  database.
 
  This method has always worked well for me:
 
  Accept input - db escape - store;
  Retrieve output from db - html escape - display;
 
  So, I'm actually storing (in at least one case that I've seen), human
  readable XSS in the database, but I have a consistent approach to escaping
  before outputting so that it never gets displayed as XSS and I never
  accidentally escape it twice, which depending on a few factors, can have
  some pretty ugly results.  You wouldn't want to see &amp;amp; anywhere,
  would you? Alternatively though, if you are storing it html-escaped in the
  database, make sure you don't ever escape it before you output, but I find
  that approach a lot less flexible, has problems with searches, isn't easy to
  read from the mysql cli console, etc. etc.
 
  OK, so I just swapped those last two lines over like so:
 
  $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';
  $dbSearchTerms = mysql_real_escape_string($searchTerms);
  $searchTerms = htmlentities($searchTerms);
 
 
  Thanks
  Ash
  www.ashleysheridan.co.uk
 

 I wouldn't self-assign the output of htmlentities to $searchTerms at all.

 <?php
 $searchTerms = (isset($_REQUEST['q']))?trim($_REQUEST['q']):'';

 // Rather than this:
 $searchTerms = htmlspecialchars($searchTerms);
 echo $searchTerms;

 // I prefer this:
 echo htmlspecialchars($searchTerms);

 ?>

 Escape sequences are not part of the data, so I don't store them.

 Andrew
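An added example (not code from the thread) that carries the "accept input, store raw, html escape at display" flow and the separate-variable point above through a complete round-trip, and shows the &amp;amp; result of escaping twice. It assumes the pdo_sqlite extension is available (an in-memory SQLite table stands in for the MySQL table) and uses a hypothetical htmlSearchTerms() helper in place of the thread's inline htmlspecialchars() call.

```php
<?php
// Added example, not from the thread: store the raw search term, escape
// only at the output boundary, and keep each escaped form in its own
// variable. Runs offline against an in-memory SQLite database via PDO.
declare(strict_types=1);

// Constructed sample input standing in for $_REQUEST['q'].
$searchTerms = trim("<script>alert(1)</script> & \"O'Reilly\"");

// 1. Accept input -> store raw. A prepared statement does the database
//    escaping, so no mysql_real_escape_string() copy is needed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE search_log (id INTEGER PRIMARY KEY, term TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO search_log (term) VALUES (:term)');
$insert->execute([':term' => $searchTerms]);

// 2. Retrieve output from db -> html escape -> display.
$stored = $db->query('SELECT term FROM search_log')->fetchColumn();
if ($stored !== $searchTerms) {
    // The database holds the data itself, never HTML entities.
    throw new RuntimeException('stored value should be the raw search term');
}

// Hypothetical helper: escapes for an HTML text or quoted-attribute
// context, with the charset stated explicitly.
function htmlSearchTerms(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The escaped value gets its own, purpose-named variable; $stored stays raw.
$displaySearchTerms = htmlSearchTerms($stored);
echo "You searched for: {$displaySearchTerms}\n";
// -> You searched for: &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;O&#039;Reilly&quot;

// 3. The double-escaping pitfall from the thread: escaping an already
//    escaped value turns "&amp;" into "&amp;amp;".
$twice = htmlSearchTerms($displaySearchTerms);
echo (strpos($twice, '&amp;amp;') !== false ? "double-escaped\n" : "ok\n");
// -> double-escaped
```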


 If you'll notice, I'm not storing the escape sequences, I'm displaying
 them, hence the $dbSearchTerms variable, which is just for the database,
 and outputting the return from the function rather than assigning it to
 a variable and then outputting it is probably just down to taste.


 Thanks
 Ash
 www.ashleysheridan.co.uk


 You are storing it - in a variable. 

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nunnitsa...@gmail.com wrote:
 Usually I would support you on this one. In chemistry you always keep
 your stock pure and make any observations or mixtures in clean and
 other glasses in order to keep it pure.

 When it comes to printing an output or hosting it in a variable and
 then printing it out, it is just a matter of taste.


It is a matter of taste. If I see a variable named $searchTerms, I
expect it to have only the (appropriately sanitized) search terms
in it without any specific escape sequences. For me, it's the same
problem I have with magic_quotes (and related variants). If the
magic_quotes setting is enabled, you have to call stripslashes() on
the variable before you do just about anything with it, such as
passing it to htmlspecialchars(), mysql_real_escape_string(), a DBMS
other than MySQL, etc.

All I'm saying is that if I want to assign the returned value of an
escape function to a variable, I use a new variable whose name
describes its purpose -- Ash's $dbSearchTerms variable does just this
-- rather than assigning it back to the original variable. (I do
sometimes make an exception when the variable's scope is inside a
function whose sole purpose is to escape the value and then do
something with the escaped value.) I just often skip the extra
variable and use the function return value directly unless having the
extra variable makes the code more readable -- as a matter of taste.
:-)


Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php