02-20-2008, 05:08 AM
Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
Hiya
i wanted to make a file that i can use throughout my site to check for MySQL injections, and also remove all html, java, and other stuff all in 1 go..
think this is secure enough, or are there other things i should add? this, as far as i can see, removes EVERYTHING apart from the <br>, as i capture it before removing < and >
this is the include i put in my php processing forms, $message being whatever variable i am using for the string
PHP Code:
$checker = $message; include( "****/secure.php" ); $message = $checker;
then in my secure.php i have this
PHP Code:
$checker = str_replace("\r", "\n", str_replace("\r\n", "aaaa~return~aaaa", $checker)); // looks for carriage returns and replaces them with aaaa~return~aaaa
$checker = str_replace("<", "", $checker); // strips <
$checker = str_replace(">", "", $checker); // strips >
$checker = mysql_real_escape_string($checker); // prevents MySQL injection
$checker = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is', '\2 (\1)', $checker); // Looks for other items that could be harmful
$checker = str_replace("aaaa~return~aaaa", "<br>", $checker); // Wherever there was one, it puts a <br>
i can use the
PHP Code:
$checker = $message; include( "****/secure.php" ); $message = $checker;
at any time throughout my site, and call it up several times on a page if lots of fields are being submitted..
i can also use it on my
PHP Code:
$query = !empty($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : null;
if you can think of anything else then please let me know
Shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
02-20-2008, 06:35 AM
Re: Is this secure enough?
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
It's a creative way to reinvent the wheel, I must say :-)
What you are mimicking, and should use, is a function.
PHP doesn't just give you some functions; you can create your own.
In your case something like
PHP Code:
function secureIt($value) {
    $retVal = "";
    $retVal = str_replace("\r", "\n", str_replace("\r\n", "aaaa~return~aaaa", $value)); // looks for carriage returns and replaces them with aaaa~return~aaaa
    $retVal = str_replace("<", "", $retVal); // strips <
    $retVal = str_replace(">", "", $retVal); // strips >
    $retVal = mysql_real_escape_string($retVal); // prevents MySQL injection
    $retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is', '\2 (\1)', $retVal); // Looks for other items that could be harmful
    $retVal = str_replace("aaaa~return~aaaa", "<br>", $retVal); // Wherever there was one, it puts a <br>
    return $retVal;
}
Which is the content of your include put between { and }, with a return statement, which obviously returns the value of the function-local variable $retVal to the function caller.
Then you put this function in a file which is included site-wide (to have access to it from every page) and you refer to it like any other PHP function:
PHP Code:
$checker = secureIt($message);
If you want more info about writing your own functions, look at this page of the PHP documentation:
http://www.php.net/manual/en/language.functions.php
And read about variable scope too:
http://ch2.php.net/manual/en/languag...bles.scope.php
And let me add that, for someone who started programming not so long ago, I see you make impressive advancements in a very short time span.
Congratulations, you deserve them.
Thierry.
__________________
Only a biker knows why a dog sticks his head out the window.
02-20-2008, 12:03 PM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
hehe i used a function for another part, to tell you the truth, so i don't really know why i didn't use it here. is that a little madness setting in? I will change it to how it should be lol
Do you think it's secure enough to remove all the nasties out, though, from submissions from forms, url edits and so on?
and thanks, hehe i feel as though i am learning lol.. the forums were a little tricky though, and i had to stop 1/2 way through when i noticed iframes could be posted in them with code in to get data from the database.. but this fixes that now..
just need to know if there is anything else i need to know to stop nasties getting through?
thanks
shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
02-20-2008, 01:30 PM
Re: Is this secure enough?
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
I can see some things, yes...
PHP Code:
$retVal = str_replace("\r","\n",str_replace("\r\n","aaaa~return~aaaa",$value)); // looks for carriage returns and replaces with aaaa~return~aaaa
This is not really needed, as I stated in the other post.
PHP Code:
$retVal = str_replace("<", "", $retVal); // strips <
$retVal = str_replace(">", "", $retVal); // strips >
...
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is', '\2(\1)', $retVal); // Looks for other items that could be harmful
If I read this correctly, you are stripping HTML characters.
There is already a function for that: strip_tags(). You can pass a parameter to it, telling it which html tags can be left in the code.
http://www.php.net/manual/en/function.strip-tags.php
PHP Code:
$str = <<<HTML
<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>
HTML;
$clean = strip_tags($str, '<a><pre>');
will return a string with every HTML element removed (but the text will still be there: it removes the tr, td, div, etc. declarations, not their content), except the "a" and "pre" elements.
Looks like something that would work for you.
To prevent the "<<<<" elements (which would not be stripped by the previous function), you can use htmlentities() to convert them to their html entities "&lt;"
http://www.php.net/manual/en/function.htmlentities.php
PHP Code:
$retVal = str_replace("aaaa~return~aaaa", "<br>", $retVal); // Wherever there was it replaces with <br>
As I stated on the other threads, use nl2br(). As being a core function, it's compiled into the PHP engine, and is faster.
__________________
Only a biker knows why a dog sticks his head out the window.
Last edited by tripy; 02-20-2008 at 01:31 PM..
02-20-2008, 01:43 PM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
Hiya
even with
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is', '\2(\1)',$retVal);
it still wasn't stripping < and >, so that's why i added them as an extra
and i read there is a fault with strip_tags()
if a tag is entered and not closed, it can strip all the text after it too.. and it leaves a few other things
it says in that manual you posted ( where i think i originally read it hehe )
Quote:
Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected.
This function does not modify any attributes on the tags that you allow using allowable_tags , including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.
is there anything else you think that should be stripped?
i think i read about securing a website for about 12 hours in the last 2 days and think i about got it all.. but never know lol
thanks
Shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
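An added example (not code from the thread) showing the two strip_tags() behaviours the manual quote above warns about, next to escaping on output: strip_tags() drops everything after an unclosed tag and keeps every attribute of an allowed tag, whereas htmlspecialchars() plus nl2br() leaves the stored text as typed, shows "<b>" as literal characters in the browser, and turns the newlines into <br /> tags without the "aaaa~return~aaaa" placeholder. The sample inputs and the forDisplay() helper are constructed for this example.

```php
<?php
// Added example, not code from the thread. Inputs below are constructed.

// 1. strip_tags() does not parse HTML: an unclosed "<b" swallows the rest
//    of the string, exactly the case the manual warns about.
$broken = 'Hello <b world, everything after the unclosed tag is lost';
var_dump(strip_tags($broken));

// 2. Attributes on an allowed tag are kept, event handler attributes
//    included, so allowing <a> does not make the output safe to display.
$styled = '<a href="#top" onmouseover="handler()">link</a> plain text';
var_dump(strip_tags($styled, '<a>'));

// 3. Escape on output instead of stripping on input. The text is stored
//    exactly as typed; htmlspecialchars() makes the browser render <, >,
//    &, " and ' as text, and nl2br() inserts <br /> before each newline,
//    which replaces the carriage-return placeholder trick.
function forDisplay(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

echo forDisplay("line one\r\nline <b>two</b> & 'quotes'"), "\n";
```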
02-20-2008, 03:25 PM
Re: Is this secure enough?
Posts: 5,662
Name: John Alexander
The thing is, you could read about securing a web application for 12 years, then somebody can think of a brand new way to attack.
As far as I can tell, you're handling the stuff that seems dangerous. Especially if you kill < and > characters, then a person can't inject client script into a forum post.
02-21-2008, 09:58 PM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
Quote:
Originally Posted by Learning Newbie
The thing is, you could read about securing a web application for 12 years, then somebody can think of a brand new way to attack.
As far as I can tell, you're handling the stuff that seems dangerous. Especially if you kill < and > characters, then a person can't inject client script into a forum post.
and now i just moved hosts, i find out i was learning php4 and my site has loads of errors in php 5
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
02-21-2008, 11:39 PM
Re: Is this secure enough?
Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Correct me if I'm wrong, but shouldn't
Quote:
PHP Code:
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is', '\2(\1)',$retVal);
be
PHP Code:
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\'][^>]+>{1}([^<]+)<\/a>/is', '\2(\1)',$retVal);
to catch tags with attributes after href="..." ?
__________________
Jeremy Miller
02-22-2008, 08:12 PM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
Quote:
Originally Posted by JeremyMiller
Correct me if I'm wrong, but shouldn't
be
PHP Code:
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\'][^>]+>{1}([^<]+)<\/a>/is', '\2(\1)',$retVal);
to catch tags with attributes after href="..." ?
To tell you the honest truth, i'm not sure
i grabbed that bunch of symbols off the web, as i was unsure of them all to use
Shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
02-22-2008, 08:24 PM
Re: Is this secure enough?
Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Well, "["|\']>" is after the href portion and terminates it with either a double or single quote and then it is immediately followed by a >, so I'm pretty sure you should add that in there.
OH: And nothing addresses href= where there's no quotes of any kind around the URL. For example, <a href=http://www.teratask.com>TeraTask</a> would not be caught.
__________________
Jeremy Miller
02-22-2008, 08:26 PM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
done!
thanks hehe
shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!
02-23-2008, 01:39 AM
Re: Is this secure enough?
Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Glad it helped, but I made a booboo. Replace it with this:
PHP Code:
$retVal = preg_replace('/<a\s+.*?[href=]["|\']([^"\']+)["|\'][^>]*>{1}([^<]+)<\/a>/is', '\2(\1)',$retVal);
The * means 0 or more. I had a +, which meant one or more, so that could cause a problem. Now, I haven't tested these regexes, which one should really do before using them, so be sure you test and post if you have a problem (but please include code!)
__________________
Jeremy Miller
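The three patterns from this exchange run over three constructed anchor tags, as an added example that is not part of the thread: once an attribute follows href, the original pattern captures that attribute's value instead of the URL (because `[href=]` is a character class matching any one of those five characters, not the word href=), the `[^>]+` version skips a plain link because it needs at least one character before the closing `>`, and the unquoted href passes all three untouched. Note also that in the posted secureIt() function the pattern runs after `<` and `>` have already been removed, so it can never match there. The rewriteLinks() helper and the inputs are assumptions of this example.

```php
<?php
// Added example, not code from the thread. The three patterns are the ones
// posted above; the anchor tags are constructed test inputs.
$patterns = [
    'original  (no [^>])' => '/<a\s+.*?[href=]["|\']([^"\']+)["|\']>{1}([^<]+)<\/a>/is',
    'first fix ([^>]+)  ' => '/<a\s+.*?[href=]["|\']([^"\']+)["|\'][^>]+>{1}([^<]+)<\/a>/is',
    'second fix ([^>]*) ' => '/<a\s+.*?[href=]["|\']([^"\']+)["|\'][^>]*>{1}([^<]+)<\/a>/is',
];

$inputs = [
    'plain link'      => '<a href="http://example.com">Example</a>',
    'attribute after' => '<a href="http://example.com" title="Example site">Example</a>',
    'unquoted href'   => '<a href=http://example.com>Example</a>',
];

// Apply one pattern with the thread's '\2(\1)' replacement and report
// whether it matched at all and what text came out.
function rewriteLinks(string $pattern, string $html): array
{
    $out = preg_replace($pattern, '\2(\1)', $html, -1, $count);
    return ['matched' => $count > 0, 'result' => $out];
}

foreach ($patterns as $label => $pattern) {
    echo $label, "\n";
    foreach ($inputs as $case => $html) {
        $r = rewriteLinks($pattern, $html);
        printf("  %-16s %-8s -> %s\n", $case, $r['matched'] ? 'match' : 'no match', $r['result']);
    }
}
```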
02-24-2008, 09:18 PM
Re: Is this secure enough?
Posts: 217
Wouldn't strip_tags(), mysql_real_escape_string() and stripslashes() do the trick for any sql injections? (not so much a suggestion to the poster, but an actual question)
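On the SQL side of that question, an added example that is not code from the thread: escaping with real_escape_string() only protects a value that sits inside a quoted SQL string literal, while a prepared statement keeps the SQL text fixed and sends the values separately, so nothing the user typed is ever parsed as SQL. stripslashes() belongs to neither approach; it just removes the backslashes magic_quotes_gpc used to add. The connection details, the posts table and the findPost()/findPostByEscaping() helpers are placeholders assumed for this example.

```php
<?php
// Added example, not code from the thread. Database, table and column
// names are placeholders; adjust them to your own schema.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
$db->set_charset('utf8mb4');

// Escaping approach ("before"): real_escape_string() makes $author safe only
// because it is wrapped in quotes. $id is interpolated unquoted, so escaping
// would not help it, and the query text is still assembled from user input.
function findPostByEscaping(mysqli $db, string $author, string $id): ?array
{
    $safeAuthor = $db->real_escape_string($author);
    $sql = "SELECT id, author, body FROM posts WHERE author = '$safeAuthor' AND id = $id";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Prepared statement ("after"): the SQL text never changes, each value is
// bound with a type ('s' string, 'i' integer), and no escaping is needed.
function findPost(mysqli $db, string $author, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, author, body FROM posts WHERE author = ? AND id = ?');
    $stmt->bind_param('si', $author, $id);
    $stmt->execute();
    $stmt->bind_result($rowId, $rowAuthor, $rowBody);
    $row = $stmt->fetch() ? ['id' => $rowId, 'author' => $rowAuthor, 'body' => $rowBody] : null;
    $stmt->close();
    return $row;
}

// Store the text as typed and neutralise it at display time, as Thierry's
// htmlentities()/nl2br() suggestion does, instead of stripping on input.
$post = findPost($db, $_GET['author'] ?? '', (int) ($_GET['id'] ?? 0));
if ($post !== null) {
    echo nl2br(htmlspecialchars($post['body'], ENT_QUOTES, 'UTF-8'));
}
```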
02-25-2008, 10:36 AM
Re: Is this secure enough?
Posts: 115
Name: Sharon
Location: Leicester, uk
i included both lines now, JeremyMiller, just to be safe hehe
Slick Nick, for me, i wasn't just looking to block MySQL injection..
I wanted to completely remove all html, mysql, and all the other bits in 1 go, this same function i will be using for posts on my forums, form posts and ($_SERVER['QUERY_STRING']) all in 1 go rather than in different bits hehe
Shaz x
__________________
mysql_connect("localhost", "brain", "sharon") or die(mysql_error());
mysql error: brain doesn't exist!