views: 67
answers: 3

Hi Folks,

I have a website where I can't use htmlentities() or htmlspecialchars() to process user input data. Instead, I added a custom function, which in the end is a function which uses an array $forbidden to clean the input string of all unwanted characters. At the moment I have '<', '>', "'" as unwanted characters because of SQL injection/browser hijacking. My site is encoded in UTF-8 - do I have to add more characters to that array, i.e. the character '<' encoded in other charsets?

Thanks for any help,

Maenny

A: 

You should escape ", too. It is much more harmful than ', because you often enclose HTML attributes in ". But why don't you simply use htmlspecialchars to do that job?

Furthermore: it isn't good to use one escaping function for both SQL and HTML. HTML needs escaping of tags, whereas SQL does not. So it would be best if you used htmlspecialchars for HTML output and PDO::quote (or mysql_real_escape_string or whatever you are using) for SQL queries.

But I know (from my own experience) that escaping all user input in SQL queries may be really annoying, and sometimes I simply don't escape parts because I think they are "secure". But I am sure I'm not always right about assuming that. So, in the end, I wanted to ensure that I really escape all variables used in an SQL query and therefore have written a little class to do this easily: http://github.com/nikic/DB Maybe you want to use something similar, too.

nikic
+1 A:

  1. Neither htmlentities nor htmlspecialchars has anything to do with SQL injection
  2. to prevent injection, you have to follow some rules; I've described them all here
  3. to filter HTML you may use the htmlspecialchars() function; it will harm none of your Cyrillic characters
Col. Shrapnel
It's true that htmlentities or htmlspecialchars have nothing to do with SQL injection; that would be for browser hijacking. Nevertheless, it seems like the problem I have really is an encoding problem, because all of the Cyrillic characters are sent through POST and thereby converted to ampersands. I haven't found a way to convert the ampersands back to UTF-8 characters; does anyone have an idea for that?
Maenny
@Maenny html_entity_decode() is an idea for that, but instead of constant decoding you have to do it only once and then stop encoding at all.
Col. Shrapnel
+1 you are correct sir.
Rook
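The two answers above make the same point from different angles: HTML output and SQL queries are separate contexts, each with its own escaping, and the HTML escaping should happen once, at output time, rather than being baked into the stored data (which is what produces the "Cyrillic turned into ampersands" symptom in the comments). The following is an added example, not code from the question, from nikic's DB class, or from any of the answers. It assumes PHP 5.4 or later with the PDO SQLite driver available; the table, the column names and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original thread): keep SQL and HTML escaping
// separate. Assumes PHP >= 5.4 with the PDO SQLite driver; the comments table
// and the sample inputs below are constructed for the demo.

declare(strict_types=1);

// HTML context: escape when rendering, for the page's charset, quoting both
// ' and " so the value is safe inside attributes as well as element bodies.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: the user's text never becomes part of the query string; it is
// bound as a parameter, so quotes, angle brackets or Cyrillic in it are data.
function insert_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_comments(PDO $db): array
{
    return $db->query('SELECT author, body FROM comments ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed inputs: Cyrillic text, an apostrophe, a double quote and a tag.
$inputs = [
    ['Мария', "Привет, мир! It's fine."],
    ['x" onmouseover="alert(1)', '<b>bold?</b>'],
];
foreach ($inputs as [$author, $body]) {
    insert_comment($db, $author, $body);
}

// The stored rows are the user's input, byte for byte: no character was
// stripped or entity-encoded on the way in, so the data can still be searched,
// edited, or rendered in a non-HTML context later.
foreach (fetch_comments($db) as $row) {
    // Escaping happens here, once, for the HTML context only.
    printf("<p title=\"%s\">%s</p>\n", html_out($row['author']), html_out($row['body']));
}
```

Run it with `php example.php`: the apostrophe and double quote come out as entities, the `<b>` tag is rendered as literal text rather than markup, and the Cyrillic strings pass through htmlspecialchars untouched because the charset is stated explicitly. Because the database holds the raw text, there is nothing to run html_entity_decode() on; the blacklist array from the question is not needed in either context.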
A: 

Put this code into your header page. It can prevent SQL injection attacks in PHP.

```php
function clean_header($string)
{
    $string = trim($string);

    // From RFC 822: "The field-body may be composed of any ASCII
    // characters, except CR or LF."
    // Truncate the value at the first LF or CR so it cannot start a new header line.
    if (strpos($string, "\n") !== false) {
        $string = substr($string, 0, strpos($string, "\n"));
    }
    if (strpos($string, "\r") !== false) {
        $string = substr($string, 0, strpos($string, "\r"));
    }

    return $string;
}
```

ppshein
This disaster should be stopped somehow
Col. Shrapnel