LucasFerraz
Systems Analyst
PHP:
<?php
// ** file created on 11/13/2007 4:21:24 PM **
// ** By DeathfireD
// ** Very Basic Tutorial on how to prevent SQL injection and Cross Site Scripting (XSS)
//Intro /////////////////////////////////////////////////////////
// The below examples are very basic examples of how to fix and prevent
// SQL injections and XSS attacks. You should, however, still search the
// web for more examples and info on how to prevent such attacks.
// Do not rely on just this tutorial
//////////////////////////////////////////////////////////////////
////////////////////////////////////////////
//Example 1 preventing SQL injections
////////////////////////////////////////////
$connect = mysql_connect("localhost", "username", "password");
if (!$connect) {
    die('Could not connect: ' . mysql_error());
}
//escape username and password using mysql_real_escape_string() Learn more here: http://www.php.net/mysql_real_escape_string
//Note: it needs the open connection (the escaping depends on the connection character set),
//and it only protects values that sit inside quotes in the SQL; WHERE id=$id stays injectable.
//The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; on current PHP
//use mysqli or PDO with prepared statements instead of escaping.
$user = mysql_real_escape_string($_POST['user']); //the key is the form field name: 'user', not '$user'
$pwd = mysql_real_escape_string($_POST['pwd']);
$sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
$result = mysql_query($sql, $connect);
mysql_close($connect);
//When to use this? /////////////////////////////////
// Any time you're saving anything into a database.
/////////////////////////////////////////////////////
//Summary: //////////////////////////////////////////
// The above code will take \x00, \n, \r, \, ', " and \x1a
// and escape them to prevent people from sending bad code to MySQL and taking control.
/////////////////////////////////////////////////////
////////////////////////////////////////////
//Example 2 preventing Cross Site Scripting (XSS)
////////////////////////////////////////////
//changing html characters using htmlspecialchars() Learn more here: http://www.php.net/manual/en/function.htmlspecialchars.php
//$_POST['link'] = <a href="test">test</a>
$link = htmlspecialchars($_POST['link'], ENT_QUOTES);
echo $link; //outputs: &lt;a href=&quot;test&quot;&gt;test&lt;/a&gt; (the browser shows it as literal text, not as a link)
//When to use this? /////////////////////////////////
/* Use this any time you're outputting something users can tamper with.
For example, you have a sort feature on your site, and the URL for sorting by level is probably http://yoursite.com/scores.php?sort=level
Now someone attempts XSS by sending HTML characters to it (i.e. http://yoursite.com/scores.php?sort=>"><iframe src=http://google.com < ). This code will add an iframe to the site and display Google in it. This may not seem that bad, but if changed a little it could harm users really badly. There are loads of really bad things people can do that will affect users; the above is just an example. However, by using htmlspecialchars() or htmlentities() you're preventing such characters from doing what the attacker intended them to do. So if you protected your sort function, the above iframe code would not work and instead would be displayed as plain text on the web page or not displayed at all.
*/
//Summary: //////////////////////////////////////////
// The above code, as you can see, outputted HTML entities for the characters < " > /
// Here's a list of characters and what they will be turned into:
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
// ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'
/////////////////////////////////////////////////////
?>
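As an added example (not DeathfireD's code and not part of the original post), here is the login query from Example 1 built three ways against an in-memory SQLite database, so it runs offline on PHP 7 or later with the pdo_sqlite extension. The users table, the two accounts and the inputs are constructed for the demo, and escape_for_sqlite() is a stand-in for mysql_real_escape_string(), which needs a live MySQL connection and no longer exists on PHP 7. It shows the quoted-string bypass that the tutorial's escaping does stop, the numeric context where escaping changes nothing, and prepared statements plus input validation covering both.

```php
<?php
// Added example, not part of DeathfireD's tutorial. Constructed table and inputs.
// Requires the pdo_sqlite extension (PHP 7+).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)");
$db->exec("INSERT INTO users (user, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Stand-in for mysql_real_escape_string(): SQLite string literals escape a
// single quote by doubling it, while MySQL uses a backslash. The escaping
// rules are dialect-specific, which is one reason escaping is fragile.
function escape_for_sqlite(string $s): string {
    return str_replace("'", "''", $s);
}

// 1. The pattern Example 1 warns about: raw input concatenated into the query.
//    With $pwd = ' OR '1'='1 the WHERE clause becomes ... OR '1'='1', which is
//    true for every row, so the "login" matches all users.
function login_unsafe(PDO $db, string $user, string $pwd): int {
    $sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";
    return count($db->query($sql)->fetchAll());
}

// 2. Example 1's fix: escape, then concatenate. This works only because the
//    values land inside single quotes, so the escaped quote cannot close them.
function login_escaped(PDO $db, string $user, string $pwd): int {
    $sql = "SELECT * FROM users WHERE user='" . escape_for_sqlite($user)
         . "' AND password='" . escape_for_sqlite($pwd) . "'";
    return count($db->query($sql)->fetchAll());
}

// 3. Escaping in a numeric context: $id = "1 OR 1=1" contains no quote
//    character, so the escaper returns it unchanged and every row matches.
function by_id_escaped(PDO $db, string $id): int {
    $sql = "SELECT * FROM users WHERE id=" . escape_for_sqlite($id);
    return count($db->query($sql)->fetchAll());
}

// 4. Prepared statements: the query shape is parsed before any data arrives,
//    so a bound value can never change the SQL, quoted or not.
function login_prepared(PDO $db, string $user, string $pwd): int {
    $stmt = $db->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->execute([$user, $pwd]);
    return count($stmt->fetchAll());
}

// Validate the type first, then bind: "1 OR 1=1" is not an integer and is
// rejected before it gets anywhere near the database.
function by_id_prepared(PDO $db, string $id): int {
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return 0;
    }
    $stmt = $db->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

$bypass = "' OR '1'='1";            // constructed attacker input
$badId  = "1 OR 1=1";               // constructed attacker input

echo "login, raw concatenation:   ", login_unsafe($db, 'alice', $bypass), " row(s)\n";
echo "login, escaped:             ", login_escaped($db, 'alice', $bypass), " row(s)\n";
echo "login, prepared:            ", login_prepared($db, 'alice', $bypass), " row(s)\n";
echo "by id, escaped:             ", by_id_escaped($db, $badId), " row(s)\n";
echo "by id, validated + prepared:", by_id_prepared($db, $badId), " row(s)\n";
echo "by id, validated + prepared (legit '1'): ", by_id_prepared($db, '1'), " row(s)\n";
```

Run it with `php sqli_example.php`. The raw query and the escaped-but-unquoted id lookup both return every row; the escaped login and the two prepared queries return none for the attacker inputs, and the validated lookup returns exactly one row for a legitimate id. The lesson beyond the tutorial is that escaping is tied to one context (a quoted string in one SQL dialect), whereas parameter binding is not.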
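As an added example (not DeathfireD's code and not part of the original post), here is the scores.php?sort=... case from Example 2 rendered into different HTML contexts with plain PHP 7 or later, no extensions needed. The payload is the one quoted in the tutorial text; the second input, `level onmouseover=alert(1)`, and the allowed sort keys are constructed for the demo. It shows htmlspecialchars() neutralising the iframe inside a quoted attribute, the unquoted-attribute case where it does not help, and an allow-list, since a sort key usually also ends up in an ORDER BY clause where neither encoding nor parameter binding applies.

```php
<?php
// Added example, not part of DeathfireD's tutorial. Inputs are constructed.

// The payload quoted in the tutorial: close the current tag, start an <iframe>.
$payload = '>"><iframe src=http://google.com <';

// Encoder for HTML text and for QUOTED attribute values. ENT_QUOTES escapes
// both quote styles; ENT_SUBSTITUTE with an explicit charset stops invalid
// UTF-8 from silently turning the whole output into an empty string.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Vulnerable: raw value inside a quoted attribute. The payload's `">`
//    terminates the attribute and the tag, and the <iframe> becomes markup.
function render_unsafe(string $sort): string {
    return '<a href="scores.php?sort=' . $sort . '">Sort</a>';
}

// 2. Fixed as in Example 2: the same value encoded, inside a quoted attribute.
//    `"` and `<` become &quot; and &lt;, so the browser treats them as text.
function render_escaped(string $sort): string {
    return '<a href="scores.php?sort=' . html($sort) . '">Sort</a>';
}

// 3. Caveat: htmlspecialchars() does not protect an UNQUOTED attribute. The
//    value ends at the first space, and the function leaves spaces and `=`
//    alone, so an attacker can add a new attribute (an event handler) without
//    using any of < > " ' &. Always quote attribute values.
function render_unquoted(string $sort): string {
    return '<a href=scores.php?sort=' . html($sort) . '>Sort</a>';
}

// 4. A sort key selects a column, so it will also be used in ORDER BY, where a
//    column name cannot be bound as a parameter. Accept only known keys and
//    map them to fixed SQL fragments; anything else falls back to a default.
//    (Constructed allow-list for the demo.)
const SORT_COLUMNS = [
    'level' => 'level DESC',
    'score' => 'score DESC',
    'name'  => 'name ASC',
];

function sort_clause(string $sort): string {
    return SORT_COLUMNS[$sort] ?? SORT_COLUMNS['score'];
}

echo "raw (iframe is live markup):   ", render_unsafe($payload), "\n";
echo "encoded, quoted attribute:     ", render_escaped($payload), "\n";
echo "encoded, UNQUOTED attribute:   ", render_unquoted('level onmouseover=alert(1)'), "\n";
echo "ORDER BY for the payload:      ", sort_clause($payload), "\n";
echo "ORDER BY for 'level':          ", sort_clause('level'), "\n";
```

Run it with `php xss_example.php` and read the three anchor tags: the first contains a real `<iframe>`, the second contains only entities inside the href, and the third has a working onmouseover attribute despite the encoding, because the attribute was never quoted. The allow-list turns the payload into the default ORDER BY and only passes through the three known keys, which is the right control for a value that selects a column rather than carrying free text.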