Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

Fri, 20 Apr 2007 19:21:50 -0700 

Hi Dotan,

Why not use mysql_escape_string()?

On 4/20/07, Dotan Cohen <[EMAIL PROTECTED]> wrote:

I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:

$_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]);
  //    q->qq
$_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]);
 //    -- -> x
$_POST["commentform"]=str_replace (";", "", $_POST["commentform"]);
//    ; -> x
$_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]);
  //    = -> x
$_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]);
$_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]);
$_POST["commentform"]=htmlspecialchars( mysql_real_escape_string
($_POST["commentform"]) );

The first statement doubles up quotes, it's a bit difficult to see in the code.

After seeing this:
http://ha.ckers.org/xss.html
and another similar one for SQL injection, I'm worried that my filters
are not enough. What do the pro php programers out there use?

Thanks in advance.

Dotan Cohen

http://lyricslist.com/
http://what-is-what.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





--
Leonard Burton, N9URK
http://www.jiffyslides.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"The prolonged evacuation would have dramatically affected the
survivability of the occupants."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to