views:

1616

answers:

5

I am a bit confused; there are so many functions in PHP, and some use this, some use that. Some people use htmlspecialchars(), htmlentities(), strip_tags(), etc.

Which is the correct one and what do you guys usually use?

Is this correct (advise me a better one, if any):

$var = mysql_real_escape_string(htmlentities($_POST['username']));

Can this line prevent MySQL injection and XSS attacks?

By the way, are there any other things I need to pay attention to besides XSS attacks and MySQL injection?

EDIT

To conclude:

If I want to insert a string into the database, I do not need to use htmlentities(), just mysql_real_escape_string(). When displaying the data, use htmlentities(). Is that what you all mean?

Summarize:

  • mysql_real_escape_string() used when inserting into the database
  • htmlentities() used when outputting data to a web page
  • htmlspecialchars() used when?
  • strip_tags() used when?
  • addslashes() used when?

Can somebody fill in the question mark?

+2  A: 

Take a look at this site PHP Security Consortium. I found it to be a good site for an overall overview on PHP Security (SQL Injection and XSS included).

Henrik P. Hessel
A: 

You only need to use mysql_escape_string() when inserting into a database and htmlentities() when displaying the HTML. This is sufficient if you want to prevent a simple injection attack, but there are no doubt many other security issues you should be aware of when developing a web app, another major one being cross-site request forgeries.

Sam152
+1  A: 
David Dorward
A: 

I wouldn't use htmlentities() when inserting data into the database or querying the database. If the data in your database is stored as entities, that data is then only useful to something that understands HTML entities.

You have to use different escaping mechanisms for different types of output, e.g. SQL: mysql_real_escape_string(); HTML: htmlentities() or htmlspecialchars(); shell: escapeshellarg(). This is because the characters that are 'dangerous' are different for each one; there isn't a magic way you can make any data safe for any output medium.

Tom Haigh
+6  A: 
  • mysql_real_escape_string() used when inserting into the database
  • htmlentities() used when outputting data to a web page
  • htmlspecialchars() used when??
  • strip_tags() used when??
  • addslashes() used when??

htmlspecialchars() used when??

htmlspecialchars() is roughly the same as htmlentities(). The difference: character encodings.

Both encode control characters like <, >, & and so on that are used for opening tags etc. htmlentities() also encodes chars from other languages like umlauts, euro symbols and such. If your websites are UTF, use htmlspecialchars(), otherwise use htmlentities().

strip_tags() used when ??

htmlspecialchars()/htmlentities() encode the special chars, so they're displayed but not interpreted. strip_tags() REMOVES them.

In practice, it depends on what you need to do.

An example: you've coded a forum and give users a text field so they can post stuff. Malicious ones just try

pictures of <a href="javascript:void(window.setInterval(function () {window.open('http://evil.com');}, 1000));">kittens</a> here

If you don't do anything, the link will be displayed and a victim who clicks on the link gets lots of pop-ups.

If you htmlentities()/htmlspecialchars() your output, the text will be there as-is. If you strip_tags() it, it simply removes the tags and displays it:

pictures of kittens here

Sometimes you may want a mixture, leaving some tags in there, like <b> (strip_tags() can leave certain tags in there). This is unsafe too, so better use some full-blown library against XSS.

addslashes() used when ??

To quote the PHP manual:

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. It's highly recommended to use a DBMS-specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function.

Schnalle
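Added example, not taken from the question or from any of the answers above, that puts the per-context escaping described by Tom Haigh and Schnalle into working PHP: the same untrusted forum post is encoded for HTML output, stripped, quoted for a shell argument, and passed to MySQL as a bound parameter. It assumes PHP 7.3 or later with the mysqli extension; the `users` table, its `username` column and the `$db` connection in `insertUser()` are placeholders you would replace with your own.

```php
<?php
// Constructed sample input: the "kittens" post from the answer above.
$untrusted = <<<'TXT'
pictures of <a href="javascript:void(window.setInterval(function () {window.open('http://evil.com');}, 1000));">kittens</a> here
TXT;

// HTML context: encode so the browser shows the markup as text instead of
// interpreting it. ENT_QUOTES also encodes single quotes, which matters when
// the value lands inside an attribute; the charset prevents multibyte mis-decoding.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same context, but htmlentities() additionally turns non-ASCII characters
// (umlauts, currency symbols) into named entities.
function forHtmlEntities(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// strip_tags() removes markup rather than encoding it.
function stripped(string $s): string {
    return strip_tags($s);
}

// Shell context: a different dangerous-character set, so a different function.
function forShell(string $s): string {
    return escapeshellarg($s);
}

// SQL context (MySQL via mysqli): binding a parameter keeps the data out of the
// query text entirely, so no escaping function has to be chosen or remembered.
// Placeholder table/column names; needs a live connection to run.
function insertUser(mysqli $db, string $username): bool {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->bind_param('s', $username);
    return $stmt->execute();
}

echo forHtml($untrusted), "\n";          // anchor tag shown literally, not rendered
echo forHtmlEntities("Grüße <b>bold</b>"), "\n"; // umlaut and tag both encoded
echo stripped($untrusted), "\n";         // tags gone, plain text remains
echo forShell($untrusted), "\n";         // single-quoted, safe as one argument

// Allowing <b> through strip_tags() keeps its attributes, so an event handler
// survives; this is the "unsafe too" case from the answer above.
echo strip_tags('<b onmouseover="alert(1)">hi</b>', '<b>'), "\n";
```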