Greetings,
I have a fairly vanilla PHP web application that stores and retrieves
data in a MySQL database.
Users will be adding a lot of special characters such as single and
double quotes, accented French characters, etc.
I want to eliminate any potential for XSS or SQL injection attacks.
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
When displaying database fields back on the page, the browser should
automatically take care of converting the HTML characters.
Am I missing something?
What else do I need to do for making my app immune to XSS and injection
attacks?
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
All ideas and suggestions welcome - as you can tell I am new to this.
Thanks,
Harold. 9 2118
Harold Crump wrote:
Greetings,
I have a fairly vanilla PHP web application that stores and retrieves
data in a MySQL database.
Users will be adding a lot of special characters such as single and
double quotes, accented French characters, etc.
I want to eliminate any potential for XSS or SQL injection attacks.
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_esca pe_string(), allthough that's not a 100% secure
either: http://ilia.ws/archives/103-mysql_re...tatements.html
Prepared statements seem the way to go. Use mysqli if available.
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Grtz,
--
Rik Wasmus
Hi Rik --
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_esca pe_string(), allthough that's not a 100% secure
either: http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
Why bother with mysql_real_esca pe_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
What am I missing?
Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
-Harold.
Harold Crump wrote:
Hi Rik --
>>>My question - is it enough to pass all user input through the htmlentities () function call and store the resultant output?
No. Use mysql_real_esca pe_string(), allthough that's not a 100% secure either: http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
>
Why bother with mysql_real_esca pe_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
Because mysql_real_esca pe takes the current charset into account when performing its operations.
What am I missing?
The fact that not everything in the world is html based?
>
>>Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
True, but you can secure your code without prepared statements. Additionally, prepared statements
have additional overhead.
>
>>>Also, I would like to replace all semi-colons in input with something else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
So? A semicolon is perfectly valid within a string. Properly escaping your input data will take
care of the problem as any attempt to insert a semicolon and an additional statement will just give
an error due to invalid syntax.
-Harold.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
What's the issue with storing the "e in the database?
>
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
Point taken.
This application, however, is web-only.
I don't anticipate any non-web consumer for this data.
If that does indeed come to pass, I figure it will be easy enough to
write a script that HTML decodes everything and saves it back into the
database with escaped characters - no?
Why bother with mysql_real_esca pe_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
Because mysql_real_esca pe takes the current charset into account when performing its operations.
So does htmlentities()
What am I missing?
The fact that not everything in the world is html based?
No?
You mean you don't dream in HTML?
Where're you from? :p
-Harold.
Harold Crump wrote:
>>My question - is it enough to pass all user input through the htmlentities( ) function call and store the resultant output?
No. Use mysql_real_esca pe_string(), allthough that's not a 100% secure either: http://ilia.ws/archives/103-mysql_re...tatements.html
>
My understanding is that htmlentities replaces all types of quotes
with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
Nope. The problem is, it's possible to post 'abnormal' characters to your
script. Don't assume they will always use you simple HTML-form to post data,
people with trouble in mind can post stuff htmlentitities( ) won't replace.
What's the issue with storing the "e in the database?
Nothing, you surely ca nmysql_real_esc ape_string(html entities($strin g)) if
you want that.
Why bother with mysql_real_esca pe_string and all its inherent issues
if
we can completely eliminate quotes from making their way into the SQL
statement?
htmlentities() won't guarantee that.
>Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
Unfortunately yes.
>>Also, I would like to replace all semi-colons in input with something else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
Like Jerry said: properly escaping the string will make that harmless, and
your users still able to post the normally valid ; without unexpected
results.
Grtz,
--
Rik Wasmus
Harold Crump wrote:
>>>What's the issue with storing the "e in the database?
What if you want to use the data for other than displaying on the web? For instance, another (non-web) application is going to print information from the database? It might even be a C/C++ application , for instance.
Point taken.
This application, however, is web-only.
I don't anticipate any non-web consumer for this data.
If that does indeed come to pass, I figure it will be easy enough to
write a script that HTML decodes everything and saves it back into the
database with escaped characters - no?
First of all, you need to separate the data from the application. You
may very well have multiple applications using the same data.
And *right now* this is a web application. But does that mean it always
will be?
You should always separate your data from the presentation of the data.
"e is part o the presentation, and should be converted after the
data is retrieved from the database, not before it's inserted.
>
>>>Why bother with mysql_real_esca pe_string and all its inherent issues if we can completely eliminate quotes from making their way into the SQL statement? Because mysql_real_esca pe takes the current charset into account when performing its operations.
So does htmlentities()
And no, htmlentities() does not take the current characters set into
account. It only converts specific characters in the Western European
character set to HTML entities.
mysql_real_esca pe, OTOH, looks at the current charset used by the
connection and converts data in the string to input which is compatible
with mysql. A completely different function, for a completely different
purpose.
Two functions, two uses. Don't get them mixed up!
>
>>>What am I missing? The fact that not everything in the world is html based?
No?
You mean you don't dream in HTML?
Where're you from? :p
-Harold.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Harold Crump wrote:
Hi Rik --
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_esca pe_string(), allthough that's not a 100% secure
either: http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
You should try to store the data as cleanly as possible. It saves
hassle when writing the output, which is the bulk of the code. If you
are sanitizing the input the best you can, then you shouldn't have to
decode the output from the database. Keep in mind you can't fully,
100% secure it, you can just make it not worth the effort of attacking.
>
Why bother with mysql_real_esca pe_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
What am I missing?
Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
They became available in MySQL 4.1, which is backwards compatible with
previous client libraries, meaning, you don't need to upgrade PHP. The
only thing you have to do is use the old password hashing function for
the passwords, then everything is dandy (I upgraded from 3.23 to 4.1 a
long time ago and that was the only hiccup I encountered). I highly
recommend upgrading to at least 4.1 for native prepared statements and
subqueries.
>
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
-Harold.
Don't forget, \g is also a statement terminator.
Hi --
Jerry Stuckle wrote:
First of all, you need to separate the data from the application. You
may very well have multiple applications using the same data.
You should always separate your data from the presentation of the data.
"e is part o the presentation, and should be converted after the
data is retrieved from the database, not before it's inserted.
Yes, that makes sense - point taken.
So, am I covering all my bases if I use the following strategy -
Use mysql_real_esca pe_string for all user input that goes into the
database
Use htmlentities() for all output that goes to a browser presentation
Use html_entity_dec ode() for all output that goes to non-web
presentations, like a desktop application or a file stream.
What else do I need to do?
Thanks for your input.
-Harold.
Harold Crump wrote:
Hi --
Jerry Stuckle wrote:
>>First of all, you need to separate the data from the application. You may very well have multiple applications using the same data.
>>You should always separate your data from the presentation of the data. "e is part o the presentation, and should be converted after the data is retrieved from the database, not before it's inserted.
Yes, that makes sense - point taken.
So, am I covering all my bases if I use the following strategy -
Use mysql_real_esca pe_string for all user input that goes into the
database
Use htmlentities() for all output that goes to a browser presentation
Use html_entity_dec ode() for all output that goes to non-web
presentations, like a desktop application or a file stream.
What else do I need to do?
Thanks for your input.
-Harold.
You shouldn't need to use html_entity_dec ode() for output to non-web
presentations, as you shouldn't have html entities in the database anyway.
You should also validate numeric input to ensure it is numeric. It will
prevent other types of SQL injection, i.e.
DELETE FROM table WHERE id=$i;
And the user keys in
'4 OR 1=1'
The result would be:
DELETE FROM table WHERE id=4 OR 1=1;
Deleting everything from your table. The problem doesn't happen in
strings because the entire string would be quoted. Not so for numeric data.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== === This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: John Wells |
last post by:
Yes, I know you've seen the above subject before, so please be gentle with
the flamethrowers.
I'm preparing to enter a discussion with management at my company
regarding going forward as either a MySql shop or a Postgresql shop.
It's my opinion that we should be using PG, because of the full ACID
support, and the license involved. A consultant my company hired before
bringing me in is pushing hard for MySql, citing speed and community...
|
by: Marek Lewczuk |
last post by:
Hello,
I have changed DB from MySQL to PostgreSQL. When I have run my
application on PostgreSQL it was disaster - it was much slower than
MySQL...
I have tried to change PG configuration file etc.. no luck. After many
long days of thinking what is wrong I have made several tests with
"EXPLAIN" statement, and to my amusement there was many SeqScan - MySQL
didn't show that things. I have made some changes in PG db structure
(new indexes...
|
by: Bob |
last post by:
All,
I have read through lots of postings regarding my concerns, but I
haven't found what I am looking for.
The center (non profit University) where I work collects scientific
data about subjects enrolled in studies related to respiratory
diseases. Both lab data and questionnaire information are collected.
We use W2K as PC operating systems, MS Access XP, XP Developer, and
Visual SourceSafe. Our databases use a front end – back end...
|
by: Wm. Scott Miller |
last post by:
Hello all!
We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination?...
|
by: Tyson Marchuk |
last post by:
Hello,
Background info
Kind of new to using databases and I'm writing an app in C# which connects
to a MySQL database. I was using the ODBC connector and a DSN entry to
connect to the database but I've since found out that the ODBC connector has
been bugged for some time and you can't send it numeric values (read
floating point values) which basically makes it useless so I'm trying to
switch to the MySQL .NET connector which I believe...
| |
by: BARTKO Zoltan |
last post by:
Hello folks,
First a question and then the rest:
Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set?
I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are connecting through the same single user. There is a model of the user organization inside (position hierarchy), each person (virtual...
|
by: Stephen Poley |
last post by:
Whenever anyone has a question about securing an Access database he/she
is usually referred (unsurprisingly) to the Security FAQ. This is
however incomplete/unclear with respect to databases with a separate
front-end and back-end, which is rather surprising considering that all
Access databases should be split into a separate front-end and back-end.
Noticing that there are quite a lot of questions on this subject in the
Access newsgroups...
|
by: omerbutt |
last post by:
hi every one I am A new Bee to php mysql and i was surfing through the net to learn about how to secure the mysql when you are working in a web environment while working with php html and javascript i came through this article
http://articles.techrepublic.com.com/5100-6350_11-5287638.html
and before i proceede i must tell you that iam using win xp professional sp2
where were given two main and very first step before you start making your...
|
by: runsun |
last post by:
I am new in PHP/Mysql. I want to input sth from website to mysql, then output the formatted data to .txt, and finally use Excel to open the .txt file. I believe there are better and simpler ways than what I did. But I want to know what's wrong in my codes. Here are the details:
In survey.html, I need people input their ID and comment.
In Mysql, I've already made the survey table.
I use survey_result.php to import people's input to that table...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |