tags:

views:

155

answers:

5
+4  Q: 

Preventing server-side scripting, XSS

Hey all

Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections?

I know about the typical functions such as htmlentities, special characters, string replace etc. but is there a simple bit of code or a function that is a failsafe for everything?

Any ideas would be great. Many thanks :)

EDIT: Something generic that strips out anything that could be hazardous, ie. greater than / less than signs, semi-colons, words like "DROP", etc?

I basically just want to compress everything to be alphanumeric, I guess...?

+1  A: 

No, there isn't. Risks depend on what you do with data, you can't write something that makes data safe for everything (unless you want to discard most of the data)

David Dorward  2010-06-03 11:25:10
Well yeah, but we're not speaking so generically when it comes to the web and PHP. There are obviously certain characters and strings that you will want to disable, so I would like a fairly generic list of such things, if possible. I basically just want alphanumeric info.
Tim  2010-06-03 11:36:05
Which alphabets? Do you want to forbid people from using hyphens and full stops? It is rarely that simple.
David Dorward  2010-06-03 11:38:48
+4  A: 

Never output any bit of data whatsoever to the HTML stream that has not been passed through htmlspecialchars() and you're done. Simple rule, easy to follow, completely eradicates any XSS risk.

As a programmer it's your job to do it, though.

You can define

function h(s) { return htmlspecialchars(s); }

if htmlspecialchars() is too long to write 100 times per PHP file. On the other hand, using htmlentities() is not necessary at all.

The key point is: There is code, and there is data. If you intermix the two, bad things ensue.

In the case of HTML, code is elements, attribute names, entities, comments. Data is everything else. Data must be escaped to avoid being mistaken for code.

In case of URLs, code is the scheme, the host name, the path, the mechanism of the query string (?, &, =, #). Data is everything in the query string: parameter names and values. They must be escaped to avoid being mistaken for code.

URLs embedded in HTML must be doubly escaped (by URL-escaping and HTML-escaping) to ensure proper separation of code and data.

Modern browsers are capable of parsing amazingly broken and incorrect markup into something useful. This capability should not be stressed, though. The fact that something happens to work (like URLs in <a href> without proper HTML-escaping applied) does not mean that it's good or correct to do it. XSS is a problem that roots in a) people unaware of data/code separation (i.e. "escaping") or those that are sloppy and b) people that try to be clever about what part of data they don't need to escape.

XSS is easy enough to avoid if you make sure you don't fall into categories a) and b).

Tomalak  2010-06-03 11:27:13
No, it doesn't. If you put it as a text node, then you are safe (assuming it isn't inside a script or style element). Attribute values on the other hand? `<img src="javascript:xss()">` (these days, most browsers protect against that, but there are other risks)
David Dorward  2010-06-03 11:30:16
Ok cool, but what about when a user submits SQL into the URL? i.e. "DROP table users"
Tim  2010-06-03 11:31:55
"Never output any bit of *user supplied* data" I'd say. Site templates may escape that peril :)
Col. Shrapnel  2010-06-03 11:33:09
@Tim and so what?
Col. Shrapnel  2010-06-03 11:34:21
@Tim: For SQL you ought to use paramterized queries (`mysqli_*` or PDO). Because *they* completely eraticate SQL injection.
Tomalak  2010-06-03 11:34:30
@Col. Shrapnel: Since distinction between "user supplied" and "abstractly calculated" sometimes is fuzzy in complex application, it can't hurt to escape absolutly everything.
Tomalak  2010-06-03 11:36:08
@Tomalak got a parameter for the field name for the dynamic sorting? ;)
Col. Shrapnel  2010-06-03 11:36:23
@Col. Shrapnel: Special case, point made. However, this calls for whitelisting the possible values, which will put you on the safe side again.
Tomalak  2010-06-03 11:54:22
I just have dig on the word "completely" :) Just good point to mention. I think.
Col. Shrapnel  2010-06-03 12:06:15
htmlspecialchars is not safe to use alone. see http://stackoverflow.com/questions/2964424/to-htmlencode-or-not-to-htmlencode-user-input-on-web-form-asp-net-vb/2965444#2965444
Cheekysoft  2010-06-03 14:40:13
A: 

To answer to your edition: everything except <> symbols has nothing to do with XSS.
And htmlspecialchars() can deal with them.

There is no harm in the word DROP table in the page's text ;)

Col. Shrapnel  2010-06-03 11:38:51
And what about `"` to close an attribute and then continuing with your own code? `<img src="user-supplied-stuff" onerror="alert(document.cookie)">` seems to be rather XSS-y to me. :-)
janmoesen  2010-06-03 11:45:01
@janm `htmlspecialchars` will catch double quotes so you should end up with `<img src="user-supplied-stuff" onerror="alert(document.cookie)">`. But with images, you should check that the image exists first anyway to avoid broken images.
DisgruntledGoat  2010-06-03 11:53:25
this is simply not correct. see http://stackoverflow.com/questions/2964424/to-htmlencode-or-not-to-htmlencode-user-input-on-web-form-asp-net-vb/2965444#2965444
Cheekysoft  2010-06-03 14:39:23
@DisgruntledGoat: my comment was about the erroneous statement "everything except <> symbols has nothing to do with XSS."
janmoesen  2010-06-04 08:58:45
A: 

for clean user data use html_special_chars(); str_replace() and other funcs to cut unsafe data.

GOsha  2010-06-03 11:40:47
`mysql_escape_string` is deprecated and doesn't handle character encoding properly.
David Dorward  2010-06-03 11:42:26
ok. in that situation you can use str_replace to clean your request.
GOsha  2010-06-03 11:44:50
str_replace is even worst. and get_magic_quotes_gpc has nothing to do with database escaping. and whole function concept is stupid - it does double escaping!
Col. Shrapnel  2010-06-03 11:47:08
so, please, write a good function to prevent this troubles. I know you have such ))) If don't - it takes you 5 minutes)))
GOsha  2010-06-03 11:52:41
to place some *data* into mysql query you can use `$data="'".mysql_real_escape_string($data)."'";` or binding. and some other rules on operators/identifiers. but it has nothing to do with XSS anyway
Col. Shrapnel  2010-06-03 12:03:16
thank you. I know that it has nothing to do with XSS. it`s for me.
GOsha  2010-06-03 12:10:05
A: 

is there a simple bit of code or a function that is a failsafe for everything?

No.

The representation of data leaving PHP must be converted / encoded specifically according where it is going. And therefore should only be converted/encoded at the point where it leaves PHP.

C.

symcbean  2010-06-03 12:03:29

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL