Greetings,
I have a fairly vanilla PHP web application that stores and retrieves
data in a MySQL database.
Users will be adding a lot of special characters such as single and
double quotes, accented French characters, etc.
I want to eliminate any potential for XSS or SQL injection attacks.
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
When displaying database fields back on the page, the browser should
automatically take care of converting the HTML characters.
Am I missing something?
What else do I need to do for making my app immune to XSS and injection
attacks?
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
All ideas and suggestions welcome - as you can tell I am new to this.
Thanks,
Harold.
9  2086 
Harold Crump wrote:
Greetings,
I have a fairly vanilla PHP web application that stores and retrieves
data in a MySQL database.
Users will be adding a lot of special characters such as single and
double quotes, accented French characters, etc.
I want to eliminate any potential for XSS or SQL injection attacks.
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), allthough that's not a 100% secure
either: http://ilia.ws/archives/103-mysql_re...tatements.html
Prepared statements seem the way to go. Use mysqli if available.
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Grtz,
--
Rik Wasmus
Hi Rik --
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), allthough that's not a 100% secure
either:
http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
What am I missing?
Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
-Harold.
Harold Crump wrote:
Hi Rik --
>>>My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), allthough that's not a 100% secure
either:
http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
>
Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
Because mysql_real_escape takes the current charset into account when performing its operations.
What am I missing?
The fact that not everything in the world is html based?
>
>>Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
True, but you can secure your code without prepared statements. Additionally, prepared statements
have additional overhead.
>
>>>Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
So? A semicolon is perfectly valid within a string. Properly escaping your input data will take
care of the problem as any attempt to insert a semicolon and an additional statement will just give
an error due to invalid syntax.
-Harold.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
What's the issue with storing the "e in the database?
>
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
Point taken.
This application, however, is web-only.
I don't anticipate any non-web consumer for this data.
If that does indeed come to pass, I figure it will be easy enough to
write a script that HTML decodes everything and saves it back into the
database with escaped characters - no?
Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
Because mysql_real_escape takes the current charset into account when performing its operations.
So does htmlentities()
What am I missing?
The fact that not everything in the world is html based?
No?
You mean you don't dream in HTML?
Where're you from? :p
-Harold.
Harold Crump wrote:
>>My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), allthough that's not a 100%
secure
either:
http://ilia.ws/archives/103-mysql_re...tatements.html
>
My understanding is that htmlentities replaces all types of quotes
with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
Nope. The problem is, it's possible to post 'abnormal' characters to your
script. Don't assume they will always use you simple HTML-form to post data,
people with trouble in mind can post stuff htmlentitities() won't replace.
What's the issue with storing the "e in the database?
Nothing, you surely ca nmysql_real_escape_string(htmlentities($string)) if
you want that.
Why bother with mysql_real_escape_string and all its inherent issues
if
we can completely eliminate quotes from making their way into the SQL
statement?
htmlentities() won't guarantee that.
>Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
Unfortunately yes.
>>Also, I would like to replace all semi-colons in input with
something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
Like Jerry said: properly escaping the string will make that harmless, and
your users still able to post the normally valid ; without unexpected
results.
Grtz,
--
Rik Wasmus
Harold Crump wrote:
>>>What's the issue with storing the "e in the database?
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
Point taken.
This application, however, is web-only.
I don't anticipate any non-web consumer for this data.
If that does indeed come to pass, I figure it will be easy enough to
write a script that HTML decodes everything and saves it back into the
database with escaped characters - no?
First of all, you need to separate the data from the application. You
may very well have multiple applications using the same data.
And *right now* this is a web application. But does that mean it always
will be?
You should always separate your data from the presentation of the data.
"e is part o the presentation, and should be converted after the
data is retrieved from the database, not before it's inserted.
>
>>>Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
Because mysql_real_escape takes the current charset into account when performing its operations.
So does htmlentities()
And no, htmlentities() does not take the current characters set into
account. It only converts specific characters in the Western European
character set to HTML entities.
mysql_real_escape, OTOH, looks at the current charset used by the
connection and converts data in the string to input which is compatible
with mysql. A completely different function, for a completely different
purpose.
Two functions, two uses. Don't get them mixed up!
>
>>>What am I missing?
The fact that not everything in the world is html based?
No?
You mean you don't dream in HTML?
Where're you from? :p
-Harold.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Harold Crump wrote:
Hi Rik --
My question - is it enough to pass all user input through the
htmlentities() function call and store the resultant output?
No. Use mysql_real_escape_string(), allthough that's not a 100% secure
either:
http://ilia.ws/archives/103-mysql_re...tatements.html
My understanding is that htmlentities replaces all types of quotes with
its HTML equivalent - doesn't that get rid of the whole problem with
escaping, or not escaping, quotes?
What's the issue with storing the "e in the database?
You should try to store the data as cleanly as possible. It saves
hassle when writing the output, which is the bulk of the code. If you
are sanitizing the input the best you can, then you shouldn't have to
decode the output from the database. Keep in mind you can't fully,
100% secure it, you can just make it not worth the effort of attacking.
>
Why bother with mysql_real_escape_string and all its inherent issues if
we can completely eliminate quotes from making their way into the SQL
statement?
What am I missing?
Prepared statements seem the way to go. Use mysqli if available.
Aren't they available only with version 5 and above?
I am still on an older version.
They became available in MySQL 4.1, which is backwards compatible with
previous client libraries, meaning, you don't need to upgrade PHP. The
only thing you have to do is use the old password hashing function for
the passwords, then everything is dandy (I upgraded from 3.23 to 4.1 a
long time ago and that was the only hiccup I encountered). I highly
recommend upgrading to at least 4.1 for native prepared statements and
subqueries.
>
Also, I would like to replace all semi-colons in input with something
else - but I am not sure what and how.
Why?
Semi-colons are statement terminators in SQL.
They are commonly used in SQL injection attacks to end the current
statement and insert a malicious statement.
-Harold.
Don't forget, \g is also a statement terminator.
Hi --
Jerry Stuckle wrote:
First of all, you need to separate the data from the application. You
may very well have multiple applications using the same data.
You should always separate your data from the presentation of the data.
"e is part o the presentation, and should be converted after the
data is retrieved from the database, not before it's inserted.
Yes, that makes sense - point taken.
So, am I covering all my bases if I use the following strategy -
Use mysql_real_escape_string for all user input that goes into the
database
Use htmlentities() for all output that goes to a browser presentation
Use html_entity_decode() for all output that goes to non-web
presentations, like a desktop application or a file stream.
What else do I need to do?
Thanks for your input.
-Harold.
Harold Crump wrote:
Hi --
Jerry Stuckle wrote:
>>First of all, you need to separate the data from the application. You
may very well have multiple applications using the same data.
>>You should always separate your data from the presentation of the data.
"e is part o the presentation, and should be converted after the
data is retrieved from the database, not before it's inserted.
Yes, that makes sense - point taken.
So, am I covering all my bases if I use the following strategy -
Use mysql_real_escape_string for all user input that goes into the
database
Use htmlentities() for all output that goes to a browser presentation
Use html_entity_decode() for all output that goes to non-web
presentations, like a desktop application or a file stream.
What else do I need to do?
Thanks for your input.
-Harold.
You shouldn't need to use html_entity_decode() for output to non-web
presentations, as you shouldn't have html entities in the database anyway.
You should also validate numeric input to ensure it is numeric. It will
prevent other types of SQL injection, i.e.
DELETE FROM table WHERE id=$i;
And the user keys in
'4 OR 1=1'
The result would be:
DELETE FROM table WHERE id=4 OR 1=1;
Deleting everything from your table. The problem doesn't happen in
strings because the entire string would be quoted. Not so for numeric data.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
================== This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: John Wells |
last post by:
Yes, I know you've seen the above subject before, so please be gentle with
the flamethrowers.
I'm preparing to enter a discussion with management at my company
regarding going forward as either...
|
by: Marek Lewczuk |
last post by:
Hello,
I have changed DB from MySQL to PostgreSQL. When I have run my
application on PostgreSQL it was disaster - it was much slower than
MySQL...
I have tried to change PG configuration file...
|
by: Bob |
last post by:
All,
I have read through lots of postings regarding my concerns, but I
haven't found what I am looking for.
The center (non profit University) where I work collects scientific
data about...
|
by: Wm. Scott Miller |
last post by:
Hello all!
We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice...
|
by: Tyson Marchuk |
last post by:
Hello,
Background info
Kind of new to using databases and I'm writing an app in C# which connects
to a MySQL database. I was using the ODBC connector and a DSN entry to
connect to the database...
|
by: BARTKO Zoltan |
last post by:
Hello folks,
First a question and then the rest:
Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set?
I would appreciate...
|
by: Stephen Poley |
last post by:
Whenever anyone has a question about securing an Access database he/she
is usually referred (unsurprisingly) to the Security FAQ. This is
however incomplete/unclear with respect to databases with a...
|
by: omerbutt |
last post by:
hi every one I am A new Bee to php mysql and i was surfing through the net to learn about how to secure the mysql when you are working in a web environment while working with php html and javascript...
|
by: runsun |
last post by:
I am new in PHP/Mysql. I want to input sth from website to mysql, then output the formatted data to .txt, and finally use Excel to open the .txt file. I believe there are better and simpler ways than...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
