Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Guide] Security: Prevent SQLi and XSS Attacks
#1
Input Of Data

I have also seen a lot of security problems in open source scripts, and in general posts on forums like this. Security is one of the fundamental things that every programmer must learn, which is why im going to make a quick guide here.

Upon input (protecting against SQL Injection), you should only need to use one of the following functions below (you can use other functions, such as trim() but it’s not necessary for security):
PHP Code:
intval()
is_numeric()
ctype_alnum()

mysql_real_escape_string()
addslashes()

hash() 

So let’s go through each of the functions listed above.

You will have noticed I grouped them. The first three functions, is_numeric(), intval() and ctype_alnum() are used to limit the users input, there for preventing any malicious input. The functions above are pretty self explanatory, but I will quickly brush over them:
  • is_numeric() will make sure that a number has a numerical value. It can contain only one full stop (for a decimel place). If your string does not apply with the above, it will fail and return FALSE.
  • intval() will only allow integer values (whole numbers), and if it finds anything else, then it will stop and take the numbers it has found (if any):
    PHP Code:
    $a '123sd987.h4';
    echo 
    intval($a);
    //outputs 123 
  • ctype_alnum() restricts the users input to only alphanumerical characters (0-9, A-Z, a-z).
The function addslashes() just literally adds a backslash before single quotes, double quotes, other backslashes and NUL to escape them. However, if you are using MySQL, then it is actually advised you use the function that is specific to the database, so you would use mysql_real_escape_string(). You would only ever need to use one or the other.

Lastly we have the hash() function. The first parameter you pass to it is the type of hash, and the second is what you would like hashed. This is mainly done upon passwords for security:
PHP Code:
$pws '123abc';
//you can also salt the password, but I will leave that out for now
$secured hash('sha512'$pws); 
We do not need to sanitise the output of that because it will regurgitate a hexadecimal string only (0-9, a-f).

Output Of Data

Next, we have output from the database. This is to prevent Cross-Site Scripting (XSS) attacks. There are one of two functions you can use for this:
PHP Code:
htmlspecialchars()
htmlentites() 

The only difference between htmlspecialchars() and htmlentites() is that the former function translates only special characters (&, ', ", <, >). Whereas the latter function translates all characters which have HTML character entity equivalents (into those entities).

I have always been taught to only escape data upon input to the database, and then to properly sanitise it (with functions such as htmlspecialchars()) upon output of data from the database.
Reply


Messages In This Thread
[Guide] Security: Prevent SQLi and XSS Attacks - by Haxalot - 03-08-2012, 10:21 AM

Possibly Related Threads…
Thread Author Replies Views Last Post
  How can I prevent this? `P R O D I G Y™ 7 2,253 12-01-2010, 06:54 AM
Last Post: Orgy

Forum Jump:


Users browsing this thread: 1 Guest(s)