Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

A PHP function to prevent SQL Injections and XSS

I am tring to make my PHP as secure as possible, and the two main things I am trying to avoid are

  • mySQL Injections
  • Cross-Side Scripting (XSS)

This is the script I got against mySQL Injections:

function make_safe($variable) {
$variable = mysql_real_escape_string(trim($variable)); 
return $variable;  }

http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/


Against XSS, I found this:

$username = strip_tags($_POST['username']);

Now I want to unite the two into a single function. Would this be the best way to do so? :

function make_safe($variable) {
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable; }

Or does the mysql_real_escape_string already prevent XSS? And lastly, is there anything else that I could add into this function to prevent other forms of hacking?

like image 601
LonelyWebCrawler Avatar asked Jul 28 '11 10:07

LonelyWebCrawler


People also ask

How safe PHP files prevent the SQL injection attacks?

PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function, mysql_real_escape_string . mysql_real_escape_string takes a string that is going to be used in a MySQL query and return the same string with all SQL injection attempts safely escaped.

What is SQL injection explain how you can prevent it in PHP application?

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Which methods can be used to avoid SQL injection?

The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

Which option will best remediate the following PHP SQL injection vulnerability?

To prevent SQL Injection vulnerabilities in PHP, use PHP Data Objects (PDO) to create parametrized queries (prepared statements).


2 Answers

mysql_real_escape_string() doesn't prevent XSS. It will only make impossible to do SQL injections.

To fight XSS, you need to use htmlspecialchars() or strip_tags(). 1st will convert special chars like < to &lt; that will show up as <, but won't be executed. 2nd just strip all tags out.

I don't recommend to make special function to do it or even make one function to do it all, but your given example would work. I assume.

like image 108
daGrevis Avatar answered Sep 28 '22 19:09

daGrevis


This function:

function make_safe($variable) 
{
   $variable = strip_tags(mysql_real_escape_string(trim($variable)));
   return $variable; 
}

Will not work

SQL injection and XSS are two different beasts. Because they each require different escaping you need to use each escape function strip_tags and mysql_real_escape_string separatly.
Joining them up will defeat the security of each.

Use the standard mysql_real_escape_string() when inputting data into the database.
Use strip_tags() when querying stuff out of the database before outputting them to the screen.

Why combining the two function is dangerous
From the horses mouth: http://php.net/manual/en/function.strip-tags.php

Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.

So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string() in your combo.

like image 28
Johan Avatar answered Sep 28 '22 19:09

Johan