|
PHP - Small Sanitize Question
Hi all,
I just stumbled upon the 'new' filter function of php and i was wondering if someone could maybe recommend me which to use. for instance if i have a script: <?php $_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>"; $_clean1 = htmlspecialchars($_evilstring); echo 'clean string one = '.$_clean1.'<br />'; $_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS); echo 'clean string two = '.$_clean2.'<br />'; ?> Both output exactly the same. Now i was wondering if there might be differences in them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas maybe performance, speed, wickedness?? Similar Tutorialslet say i have this <a href="myuploadfolder/picture1.jpg">Picture</a> and when user click on the link, they can see in which folder their picture were kept...is this dangerous?? if yes then how to hide it?? thanks in advance I have a search button to help user searching text they are looking. and i use $_GET to pass the value and get it into my query so it simply like this when value was passed into the URL page.php?search=text the problem is that when i try to modify a bit like this page.php?search=">test although i don't get any problem with the query (ERROR) as i've replaced all special characters with blank string, but i always have this test" /> text appear on my page.. what should i do to avoid this?? if they can do whatever they want, it means there is a space for attacker to inject bad codes thanks in advance Hi all, I thought instead of just simple do all the security stuff automatically, why not see for myself what the it can do. So I made a simple table besides the other tables named delete_me, made a form and started testing. But for some reason I can get that table to drop. this is what i did on the front end with help from he http://en.wikipedia.org/wiki/SQL_injection in all 3 fields (firstname, lastname email) put a value and in the last one i put: but nothing happend. if someone knows what i am doing wrong please tell me because I think it's vital in order to protect yourself one needs to know what he or she is up against. Hey guys. Sorry to start asking questions being such a new member but this just suddenly came up. I have a php script that needs to send binary data to another php script via HTTP. The data can be transferred through the methods GET and POST, preferably POST and preferably not as a file. The problem is that I have tried a number of ways to do this but every time the data seems to be corrupted. Some bytes stay the same but others disappear or change. I guess that they transfer through ASCII mode instead of BINARY but couldn't find any way to fix this. Any help would be deeply appreciated. Cheers. Hi all a small question. I was wondering if someone knows what would be the approach to achieve the following. on a page I show a random number. If the page refreshes (selfreferencing) It shows a new random number but also a the previous number, and this must be able to repeat itself : ) So to make it more visible: New Random number = 98765 Previous Number = 56412 This is what I have but it's ofc not working because ones the session var has been set it will not show the previous variable but the very first one. <?php session_start(); $random_number .= mt_rand(1,100000); if(!isset($_SESSION['number'])){ $_SESSION['number']=$random_number; } // echo all out: echo 'New random number is: '.$random_number; echo 'Previous number is: '.$_SESSION['number']; ?> I bet i need another variable to store the previous one in but for some reasons my brains don't work at the moment HI all, I have a book with some nice examples, but often i wonder if they are that secure for displaying and using outside the production area. One of them is this. A form is created by using a while loop that gets data(email addresses) from a database and shows them with check boxes. after that someone can select the e-mailaddress they don't like and delete them from the database. here is some code: <?php //.... $result = mysqli_query($dbc,$query); while ($row = mysqli_fetch_array($result)){ echo '<input type="checkbox" value"'.$row['id'].'"name="todelete[]"/>'; echo $row['firstname']; } //.........deleting part if (isset($_POST['submit'])){ foreach($_POST['todelete'] as $delete_id){ $query = "DELETE FROM email_list WHERE ID = $delete_id"; mysqli_query ($dbc, $query) or die ('error querying databse'); } } //.... ?> I have two questions: -> is this a smart way of deleting stuff? since you are going to use multiple queries instead of 1 in the for each loop. -> besides not using mysqli_real_escape_string, isn't this application allowing someone to alter the POST-array (todelete) to any value he likes? At least that's what i think can happen. If anyone knows a nice way to do this more secure , I would love to here it, because i don't really trust the html array created. Thanks in advance! Folks,
Someone suggested I sanitize user inputs.
$primary_website_domain_confirmation = trim($_POST["primary_website_domain_confirmation"]);
if (!filter_var($primary_website_email,FILTER_VALIDATE_EMAIL)) {
echo "You entered an Invalid Email Address!";
Now, got to add sanitation part. So, where to add it ?
Latter tutorial looks simpler. Let's try copying that.
// Remove all illegal characters from email
$primary_website_email = filter_var(trim($email, FILTER_SANITIZE_EMAIL));
//Validate Email
if (!filter_var($primary_website_email,FILTER_VALIDATE_EMAIL)) {
echo "You entered an Invalid Email Address!";
Did I fit in the SANITIZER at the right place or not ? Cheers! Hi guys, do you have any idea on how to sanitize this code? using FILTER_SANITIZE_STRING; FILTER_VALIDATE_IP and ect? Thanks Code: [Select] <form action="rnrequest.php" method="POST"> <table class="txt2"> <tr><td >Song title: </td><td><input type="text" name="song" value="" class=".texta"></td></tr> <tr><td>Artist: </td><td><input type="text" name="artist" value=""></td></tr> <tr><td>Your name: </td><td><input type="text" name="name" value=""></td></tr> <tr><td>Greetings: </td><td><textarea name="greetings"></textarea></td></tr> </table> <input type="submit" name="submit" value="Send"> </form> </div> <?php if (isset($_POST['submit'])) { if (empty($_POST['name'])) { echo "Sorry, you haven't supplied your name<br />"; $reg = "no"; } $sql = "SELECT COUNT(*) FROM request_song WHERE ip='{$ip}'"; $result = mysql_query($sql); if (mysql_result($result, 0) > 0) { echo "Sorry, You already wished for one song, you cannot request for another until the DJ's have seen your request..<br />"; $reg = "no"; } if ($reg == "yes") { $dt2=date("Y-m-d H:i:s"); $sql = "INSERT INTO request_song(song, artist, name, greetings, ip, date) VALUES('{$_POST['song']}', '{$_POST['artist']}', '{$_POST['name']}', '{$_POST['greetings']}','{$ip}', '$dt2')"; mysql_query($sql); } } ?> I would like to sanitize input from users so when it's pulled out of the database and stuck into the page, they can't add malicous code to my page. I have heard of striptags but wonder if there is anything better. thanks For some reason I commented out mysql_real_escape_string on my sanitize function, and I don't remember why I did it. Is it something that is vital and I should un-comment it out? function sanitize($formValue){ if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { $formValue = stripslashes($formValue); } //$formValue = mysql_real_escape_string($formValue); return $formValue; } II have been told that I should sanitize my inputs, what does that mean? Isn't that what trim does? Folks this one line and any other variations I have tried just nulls my variable Code: [Select] function check_input($value) { echo '<pre>'; echo "Value before = "; echo $value; echo '</pre>'; // Stripslashes //if (get_magic_quotes_gpc()) // { // $value = stripslashes($value); // } // Quote if not a number //if (!is_numeric($value)) // { $value = "'" . mysql_real_escape_string($value) . "'"; <----- //$value = mysql_real_escape_string($value); //$value = mysql_real_escape_string($value); echo '<pre>'; echo "Value after = "; echo $value; echo '</pre>'; // } return $value; } ... // Make a safe SQL $iso_code = check_input($iso_code); $country_name = check_input($country_name); $query = "select * from countries where iso_code = '".$iso_code."' or country like '%".$country_name."%'"; mysql_query($query); echo '<pre>'; echo $iso_code; echo $country_name; echo $query; echo '</pre>'; The result is:- Code: [Select] Value before = UK Value after = '' Value before = United Kingdom Value after = '' ''''select * from countries where iso_code = '''' or country like '%''%' with no mysql_real_escape statement the app work fine. I'm now trying to make my code more robust. Any help would be appreciated. jamie Hi everyone I am trying to secure some of my code using a sanitize function function sanitize($data) { $cdata = strip_tags(addslashes($data)); $cdata = mysql_real_escape_string($cdata); return $cdata; } If I post a form value such as Code: [Select] 'Apple iPod' to a SQL INSERT QUERY using `title` = sanitize($_POST['title']); then my database value looks like Code: [Select] \\\'the ipod\\\' this is odd because there is 3 slashes if I then print that value on a PHP page using print stripslashes($row['title']); it outputs Code: [Select] \'the ipod\' Why can I not get rid of the slashes and why would it be outputting 3 slashes? I have tried all the magic quote ideas and suggestions, but still cannot sort this out. Thanks John This topic has been moved to Third Party PHP Scripts. http://www.phpfreaks.com/forums/index.php?topic=346794.0 Hey all, While the filter itself is functioning properly, the flag doesn't seem to be. Here's how I have it set up: Code: [Select] $UserInput = filter_var($UserInput , FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 1 $UserInput = filter_input(INPUT_POST, 'UserInput', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 2 As you can see, I have set up to test methods however, each one fails regarding the flag..or so it's seeming to me. FILTER_FLAG_STRIP_LOW is supposed to strip out anything > 32 in ascii, but it isn't. '&' (38) is greater than 32 but it still displays in the browser. Am I missing something here? I have never looked into sanitizing before, Is using htmlentities() good enough to protect against sql injection ? Thanks. Hey Guys! I would really like some feedback on the following: I have a site in Portuguese. Php retrieves a lot of POST's with Special Characters and Portuguese Accents (which are expected). With my sanatize function I am having some real problems with the 'htmlentities' for XSS Injection Prevention. htmlentities is changing the accents to strange characters and messes up my database. sanitize( &$_GET ); sanitize( &$_POST ); sanitize( &$_COOKIE ); function sanitize( &$some) { $some = array_map('htmlentities', $some); //XSS Prevention foreach( $some as $key => $value ) { $value = str_replace( '--', '', $value ); $value = str_replace( '/*', '', $value ); $value = str_replace( '"', '', $value ); $value = str_replace( "'", '', $value ); $value = ereg_replace( '[\( ]+0x', '', $value ); if ($value != $some[$key]) { $some[$key] = $value; } } } The only solution I can think of is to take out the 'htmlentities' function, but I would really like to have this as a prevention against XSS, is there any way around this to have both things working? Any ideas, suggestions? Thanks in advance! I'm trying to find the write coding to pull the First and Second words from the 2nd line and the entire 3rd line from this file and have them as $subject1 and $subject2 And I have no php background. http://www.weatherserver.net/text/CWTO/WOCN11.txt so $subject1 = WOCN11 CWTO and $subject2 = SPECIAL WEATHER STATEMENT Hey guys i have a contact form for my site working fine but when i receive the emails i get some unwanted texts after the email section. here they r : name1: ryan number: 343244 message1: hey email: ss@yahoo.com clearField: [type Function] label1: NAME label2: E-MAIL label3: PHONE label5: MESSAGE countField: 5 arrayLabel: undefined,NAME,E-MAIL,PHONE,undefined,MESSAGE i: 6 txtField: _level0.topmenu.page.pages.contactform.txtField5 _request: contact/email.php the script Code: [Select] <?php /***************************************************\ * PHP 4.1.0+ version of email script. For more * information on the mail() function for PHP, see * http://www.php.net/manual/en/function.mail.php \***************************************************/ // First, set up some variables to serve you in // getting an email. This includes the email this is // sent to (yours) and what the subject of this email // should be. It's a good idea to choose your own // subject instead of allowing the user to. This will // help prevent spam filters from snatching this email // out from under your nose when something unusual is put. $sendTo = "hey@email.com"; $subject = "helloy"; // variables are sent to this PHP page through // the POST method. $_POST is a global associative array // of variables passed through this method. From that, we // can get the values sent to this page from Flash and // assign them to appropriate variables which can be used // in the PHP mail() function. // header information not including sendTo and Subject // these all go in one variable. First, include From: $headers = "From: " . $_POST["firstName"] ." ". $_POST["lastname"] . "<" . $_POST["email"] .">\r\n"; // next include a replyto $headers .= "Reply-To: " . $_POST["email"] . "\r\n"; // often email servers won't allow emails to be sent to // domains other than their own. The return path here will // often lift that restriction so, for instance, you could send // email to a hotmail account. (hosting provider settings may vary) // technically bounced email is supposed to go to the return-path email $headers .= "Return-path: " . $_POST["email"]; // now we can add the content of the message to a body variable $message = $_POST['message']; $message = ""; foreach($_POST as $key=>$value) { $message .= $key.": ".$value."\n\r"; } // once the variables have been defined, they can be included // in the mail function call which will send you an email mail($sendTo, $subject, $message, $headers); ?> can some1 suggest me something iam a complete noob ! Hey guys, I've kind of taken over a project from a friend. It's a leaderboard for posting splits for drivers. The splits get posted to a leaderboard.xsl (which is working fine). The update.php page is designed to update a leaderboard.xml file, this way anyone can login and update new splits for each weeks race. (more info can be found here if you are curious). I found a small bug in the leaderboard.xsl file. It is meant for displaying the drivers splits, calculating the difference between drivers, what division they are, car they used and includes a 'Controller' column. This is where the bug is. Normally, it will display if that driver uses a gamepad or a steering wheel. If it's a one lap aka 'hotlap' race, the Controller column shows either a 'wheel' or 'controller' as it should. However, if it's a multi-lap race (2+ laps), then the Controller column automatically defaults to the <xsl:otherwise> option of a "?". Here is an example of the Controller column working properly for each driver: Here is what it does when there are two (or more) sets of splits for each driver on the leaderboard: The code makes the post over the character length, you can view the code here. Any assistance/help would be great appreciated as I'll be done with the project then Jerome |
|||||||