I read a lot about filtering data which my web site get from user to make web site secure in sql injenction and xss . . .but I saw a lot function in php so I can't make decide what to do . . .please help me make it more secure
Moein HosseiniMoein Hosseini
2,2171313 gold badges5555 silver badges9292 bronze badges
3 Answers
You're asking a couple questions here, so I'll try to break it down:
SQL InjectionProblem
This can occur when you pass user input directly to the database, something like this:
Hack windows 7 64 bit. Unlike Vista, this version is much more user-friendly and accessible even for a layman.
The user can put whatever they want into the 'field' field on the form, and the database will execute it. This means a user could enter a malicious string which prematurely terminates your intended query and then runs a query of their own.
Solution
Don't directly construct your queries with user input. Instead, you should look into using prepared statements (This is typically handled with the PDO library). Prepared statements can take several forms, but they all involve using placeholders in the actual query string to tell the database where to stick other data you'll pass in later. That way the database can handle any appropriate escaping itself. The code would look a bit like this:
In this case,
:field indicates the placeholder for the value later supplied by bindValue . PDO will take care of the escaping as needed.
That said, you should still sanitize any user data as needed.
XSSProblem
Cross-Site Scripting, or XSS, occurs when unsanitized user input is passed directly back to the browser. If the user entered JavaScript commands, these commands could be executed in another users browser, possibly allowing the original hacker to gain access to that users credentials.
Solution
Rather than going into a lot of detail here, I'll simply say that this can be avoided by setting the HttpOnly flag on any cookies you set, so that they cannot be accessed in JavaScript (malicious or otherwise), and by never, ever echoing back unsanitized inputs to a user.
Ctf Bash Injection Filter SystemSanitizing User Inputs
PHP has some nice features built in for sanitizing many forms of user input. I'll simply recommend that you check out the
filter_var function and the various filters it can apply.
Never just echo user input back to the user. You should do your best to validate your inputs and reject anything that doesn't conform, but for inputs you need to display back to the user, always use something like
htmlentities() . For a heavier but much more thorough option, you can take a look at the HTML Purifier library.
Hope that gets you started in the right direction.
AgentConundrumAgentConundrum
16.5k66 gold badges5757 silver badges9797 bronze badges
Most SQL injections can be prevented with
mysql_real_escape_string() , assuming you're running MySQL. Other database systems also have similar functions.
Protecting your site from XSS attacks is more complicated. The simplest way to prevent javascript code injection is stripping away all HTML tags with KaivosukeltajaKaivosukeltaja
strip_tags() , but that will prevent using harmless tags like <b> as well, though they can be whitelisted if needed.
12.1k33 gold badges3333 silver badges6666 bronze badges
The only generic advice I can give you is to learn:
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |