Re: Question on SQLinjection and XSS
- From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@xxxxxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2008 17:25:09 +0200
JuergenRiemer schreef:
On Jul 10, 10:45 am, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@xxxxxxxxxxxxxxxx> wrote:
Petra Meier schreef:
Hi,
I do seriously not want to be pedantic, but here we go:
Are you sure you are using the right words here?
CRUD: Create (=insert), R(ead) (=SELECT), U(pdate), D(elete).
You are only running your 2 methods on the Create, and probably also
when you Update. You do not use them for Delete or Select I expect.
Try to avoid jargon especially when is inappropriate jargon.
I used "i.e." in my first post
create: $query = "insert into users set username = '".$username."'";
read: $query = "select username from users where id=".$uid;
update: $query = "update users set username='".$username."' where id=".
$uid;
delete: $query = "delete from users where id=".$uid;
Futhermore: If you ask "is there still a security hole", you don't
really appreciate what security is all about. For starters, how can we
tell what securityholes you might be having if we don't know the first
thing about your application, the OS it is running on, the PHPversion
you are using, etc. etc.
I have seen this attitude many times, and for your own sake I want to
warn you for it.
What attitude?
This one: "I heard of security, and some things about SQL injection,
XSSattacks, but I do not have the time to investigate them seriously, so
I made a function I call 'sanitize()' that I call whener I need 'security'."
I see that attitude on a regular basis, and the funpart is they all call
it sanitize() as if that solves your securitytroubles.
It doesn't.
You must make sure you dive into the gory details yourself. Try to hack
your own application. Understand each and every function you are using
and understand WHY you use it. If you are serious about it, you must
also dive into the gory details of the OS you are using.
That is the only way to make a remotely secure application.
Not a function called 'sanitize()'.
Hi again,
perhaps I was not clear enough, so here is my question again:
Yes, you were clear. :-)
I have a php script that produces SQL strings (like the 4 ones above).
Even with my level of IT knowledge I know that the variables are entry
points for all sorts of malicious attacks such as SQL injections and
bad data that when printed out to the webpage will execute client side
scripts. so I validate (sanitize) these variables to close this hole.
My humble question was if with the following method calls
$savevalue =
mysql_real_escape_string(htmlspecialchars($unsafevalue));
If you expect an integer (line an id) I simply use:
$userid = (int)$_POST["userid"];
If you expect a string, use something like mysql_real_escape_string().
If you want to protect yourself against XXS (or Javascript in general), you have at least 2 sensible options:
1) call the appropriate functions when you DISPLAY the data, like Jerry pointed out. So store it 'raw' in the database, and when you pull it out later for display in a webpage, pass them through the appropriate functions, like htmlspecialchars().
2) Strip all javascript (or all HTML markup, or whatever suits your needs) BEFORE inserting it into the database.
Why do we advise you NOT to store your strings in a database with htmlspecialchars?
Because you are storing something else than the original data. You store processed data: processed for use in HTML.
It is just more 'natural' to store the original data, and process it the right way at the right place.
This might seem like a unimportant point maybe, but think about an export you might need in the future (CSV or XML or whatever) that needs the original plaintext. Then you are stuck with your html-charaters instead of original data.
Or a search for certain characters in the table.
(Of course you could convert them back).
In the end it is of course your own choice. :-)
Most programmers I know prefer having 'real data' in the database, and process it when needed in a way that is apropriate for that task. So only use htmlspecialchars when you produce the actual html.
I achieve this goal? Or is there a better way to check/validate/
sanitize user input?
If sanitize means no SQL attacks, then yes.
If you want to prevent XSS, I think yes, but I am not 100% sure.
(I am not 100% sure because I have just been reading about sofisticated XSS vectors. So I won't give you advise.)
But this is good place to start reading.
http://en.wikipedia.org/wiki/Cross-site_scripting
I also do know that security as such encompasses a lot more issues,
yet this was not my question.
That's OK.
I/we just want to warn you for a false sense of security. :-)
Good luck and regards,
Erwin Moller
.
thanks
pm
- References:
- Question on SQLinjection and XSS
- From: Petra Meier
- Re: Question on SQLinjection and XSS
- From: Michael Fesser
- Re: Question on SQLinjection and XSS
- From: Petra Meier
- Re: Question on SQLinjection and XSS
- From: Erwin Moller
- Re: Question on SQLinjection and XSS
- From: JuergenRiemer
- Question on SQLinjection and XSS
- Prev by Date: Re: Which Is The Better Approach To Working With Javascript?
- Next by Date: Re: Nested foreach loop over same array
- Previous by thread: Re: Question on SQLinjection and XSS
- Next by thread: free down load songs & vidios
- Index(es):
Relevant Pages
|
