
Help to protect against XSS.


creata.physics


So I thought I was secure until I was debugging. I thought I'd give it a try to manually run queries through the URL, and I'm able to execute them.

 

When you go to my downloads module, you can click on a category to view results from said category.

You can also modify the query executed to perform extra tasks to grab different results, here's an example:

http://zextcms.com/index.php?component=downloads&cat=0%27%20OR%20download_parent%20=%20%271

 

This shouldn't even be capable of happening. I have a script that recursively checks all post and get data and removes all special characters with htmlspecialchars().

 

I also have a class that handles all my queries, new data and update data is already sanitized with mysqli_escape_string() so that leaves me to finish securing $_GET variables.

I just double checked to see if I may have taken out htmlspecialchars for testing purposes and it is still in effect.

 

My code checks if get or post data is an array, if it is not it uses htmlspecialchars() on the key and value of the array and returns the cleansed version.  If there is an array, the function calls upon itself until it's done cleaning all dimensions of the array, so what am I forgetting?


You forgot to tell us exactly what it is about that URL that caused a problem. Is it the fact that there is an &cat value present at all or is the &cat=0 supposed to be present and the problem is that there is an ' OR download_parent = '1 following the expected zero value?

 

htmlspecialchars doesn't remove anything. It only converts '&', '"' (double quote), "'" (single quote), '<', and '>' to their html entity. Double and single quotes are only converted when you specify the correct second parameter values when you call htmlspecialchars. I'm guessing you aren't using any of the second parameter values.

 

If your cat= value is expected to be a number, you need to validate or cast it as a number, because it is possible to inject sql that contains no quotes as part of it, and escaping it doesn't do anything because there's nothing to escape. If you happen to be treating it as a string in the query (it is being put between single-quotes in the query statement), you need to use the mysql_real_escape_string function on it. All external data cannot be trusted, can be anything, and must be filtered/validated/cast/escaped as needed, depending on how you are using that data.

 

The above is based on your description. To get the best help, post the relevant code so that any other problems with it can be found.


I hadn't posted any code because I didn't see any relevance to it being an issue with the code, since it happens everywhere.

 

All input data is stored in a variable called input. So when I call on request data it is done like so:

if( isset( $this->input['cat'] ) )

 

The get variable cat represents the category id of the category being viewed. Since I don't consider 0 a valid id number, all ids start at 1. So if I'm viewing cat=0 then nothing displays, because no category can have the id 0. So when viewing only cat=0 you will get no results, but if you add ' OR category_id = '1 you will get the category whose ID is 1.

 

Also I'm well aware htmlspecialchars() doesn't remove any characters, that was bad wording on my part so sorry about that.

 

I did not define the second parameter on htmlspecialchars and I'm sure this is why I'm facing this issue. I'll fix it up and get back to you.

 

Edit: Thank you PFMaBiSmAd, as you already knew my issue was not using the constant in the second parameter of htmlspecialchars; once added, the issue was resolved. So I'm sorry about that, I didn't intend to waste anybody's time with my stupidity.

 


Relying on htmlspecialchars to prevent sql injection won't stop actual hackers, because they can inject sql that contains no quotes and they can use quotes that have meaning to the character set your database is using for which  htmlspecialchars could care less about. As already stated, you must filter/validate/cast/escape data as appropriate for the type of data it is.

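The two replies above (cast numeric input and escape or bind string input; don't rely on htmlspecialchars, and mind the connection charset) side by side in PHP, as an added example that is not the thread author's code or the forum's. It assumes a mysqli connection and a `downloads` table with integer columns `download_id` and `download_parent`; those names, the credentials and the database name are placeholders, not taken from the thread.

```php
<?php
// Added example, not code from the thread. Table and column names are assumed.

// BEFORE: the pattern the original post relied on. htmlspecialchars() is an
// HTML output escape, not an SQL escape: without ENT_QUOTES it leaves the
// single quote alone, and even with it the value is still glued into the SQL
// text, so a purely numeric payload needs no quote at all to change the query.
function fetchCategoryVulnerable(mysqli $db, array $input): array
{
    $cat = htmlspecialchars($input['cat'] ?? '');            // wrong tool for SQL
    $sql = "SELECT download_id, download_parent FROM downloads "
         . "WHERE download_parent = '" . $cat . "'";           // string interpolation
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// AFTER: validate the type first (ids start at 1, as the thread says), then
// pass the value as a bound parameter so it can never become SQL syntax.
function fetchCategoryHardened(mysqli $db, array $input): array
{
    $cat = filter_var($input['cat'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($cat === false) {
        return [];                          // rejects 0, '', and "0' OR ..." alike
    }
    $stmt = $db->prepare(
        'SELECT download_id, download_parent FROM downloads WHERE download_parent = ?'
    );
    $stmt->bind_param('i', $cat);           // 'i' = bind as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
}

// If a column really is a string and you cannot use a bound parameter, escape
// with the connection's own function so the escape matches the connection
// charset (the multibyte point in the last reply); never with htmlspecialchars.
function escapeForQuery(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Connection setup: declare the charset on the connection itself so the client
// escape and the server agree on what a quote is. Placeholder credentials.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$rows = fetchCategoryHardened($db, $_GET);
```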

I knew to an extent that htmlspecialchars wouldn't always be there to hold my hand and protect me through the dangers of web attacks.

I will look up commonly used ways hackers can go around quotes and try to make some manual replacements for whatever is necessary. All data is validated before it's entered into the database; it seems now I just need to make sure what is requested matches its database record (if any) and revalidate the data before it is executed.

 

Thanks again.

