PHP Security - Avoid SQL Injection and XSS Attacks

  • If using $_GET or $_POST variables in a MySQL query, clean them with mysql_real_escape_string() first.
  • When displaying user-submitted content from the database, apply htmlentities() before it is displayed.

SQL Injection - mysql_real_escape_string()

Using mysql_real_escape_string() stops malicious input from breaking SQL queries. The quote ' is a reserved character in SQL: when it appears inside a parameter it can end the string literal early and break or change the meaning of the query. mysql_real_escape_string() escapes the quote so that ' becomes \'. SQL then no longer treats it as a reserved character, and it can safely be used in a parameter, usually to insert a quote into the database.
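The following is an added example, not code from the original post. It shows the three ways a request parameter can reach a query: pasted into the SQL text, escaped as the post recommends, and bound through a prepared statement. It uses an in-memory SQLite database via PDO so it runs without a MySQL server; the users table, its rows and the sample input are constructed for the demo. PDO::quote() stands in for mysql_real_escape_string(), which was removed from PHP in 7.0, and the prepared statement is the form to use in current PHP.

```php
<?php
// Added example (not from the original post). In-memory SQLite through PDO, so no
// MySQL server is needed; table, rows and the sample input are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''neil')");

// Constructed request parameter. The lone quote is the character the post describes:
// it ends the string literal early, and the rest is parsed as SQL.
$input = "x' OR '1'='1";

// 1. Vulnerable: the parameter is pasted straight into the SQL text, so the WHERE
//    clause becomes always-true and every row comes back.
$sql  = "SELECT name FROM users WHERE name = '$input'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo 'unescaped: ', json_encode($rows), PHP_EOL;

// 2. Escaped, as the post recommends. PDO::quote() plays the role of
//    mysql_real_escape_string(): quotes inside the value are escaped so the whole
//    value stays inside one string literal and matches nothing.
$sql  = 'SELECT name FROM users WHERE name = ' . $db->quote($input);
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo 'escaped:   ', json_encode($rows), PHP_EOL;

// 3. Prepared statement: the value never becomes part of the SQL text, so there is
//    nothing to escape and no call to forget.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'prepared:  ', json_encode($rows), PHP_EOL;

// A legitimate value that contains a quote still works through the same statement.
$stmt->execute(["o'neil"]);
echo "o'neil:    ", json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;
```

Run it with `php example.php`. Escaping (2) and binding (3) give the same result here, but binding is the safer default because it does not depend on the escaping function matching the server's character set and quoting rules, and it cannot be skipped by accident on one of many queries.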

XSS - htmlentities()

htmlentities() turns characters into their equivalent HTML entities. This allows JavaScript code to be displayed in a page without the browser executing it. If a user enters some JavaScript into a form on your site and you display it back to them unaltered, the code will execute, leaving you open to a cross-site scripting attack.

If I enter this into a form field on a web site:

<script>alert("Your site executed my code. Thanks");</script>

and the next page displays it without applying htmlentities(), the browser will execute it and pop open an alert message box.

The consequences are worse if the input is stored and displayed again to another user. In this example that user would also see the alert box pop open, and a malicious script would have access to the private data the browser stores for that user.

An HTML entity is a representation of a character; for example, the HTML entity for the less-than sign < is &lt;. Applying htmlentities() replaces the special characters in the JavaScript above with their equivalent HTML entities to give:

&lt;script&gt;alert(&quot;Your site executed my code&quot;);&lt;/script&gt;

When the browser encounters this it decodes the entities and displays the text in its original form, without executing the JavaScript it represents.
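As an added example (not code from the original post), the small helper below wraps htmlentities() with the flags a practitioner would want and applies it to the post's sample input, once in element content and once in an attribute value. The helper name escapeHtml() and the sample strings are mine. ENT_QUOTES matters because, before PHP 8.1, htmlentities() left the single quote alone by default, which is enough to break out of a single-quoted attribute.

```php
<?php
// Added example (not from the original post). escapeHtml() is a hypothetical helper;
// the submitted string is constructed to match the post's sample.
declare(strict_types=1);

// Escape text for HTML element content or a quoted attribute value.
// ENT_QUOTES   : convert both " and ' (pre-8.1 defaults only converted ").
// ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What a user might type into the form (constructed).
$submitted = '<script>alert("Your site executed my code. Thanks");</script>';

// Unsafe: the browser parses the tag and runs the script.
$unsafe = "<p>{$submitted}</p>";

// Safe: the same text, shown literally. Escape at output time, where the HTML
// context is known; store the raw value in the database as the post suggests.
$safe = '<p>' . escapeHtml($submitted) . '</p>';

// Attribute context: the quotes in the value must be entities too, otherwise the
// value can close the attribute and start a new one such as an event handler.
$attr = '<input type="text" name="comment" value="' . escapeHtml($submitted) . '">';

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo $attr, PHP_EOL;
```

htmlentities() is the right tool for HTML element content and quoted attribute values only. Text placed inside a <script> block, a URL, or a CSS rule needs a different encoding for that context; entity encoding does not make it safe there.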


3 Responses to “PHP Security - Avoid SQL Injection and XSS Attacks”

  1. Louis Says:

    Thanks a lot. I was wondering if you know, regarding comment spam... would a comment form in Flash render me free of automated spam attacks? I’ve read that bots can’t read Flash (yet)... do you know if this is true? Thanks again for your useful info for security.

  2. admin Says:

    Hi Louis. If you have a Flash form then it will be harder for a bot to submit to. But you will still have a back-end page to receive these inputs and a way for spam to be posted.

    You also could use a captcha image on your form (even one that doesn't change); this would stop automated submissions but not spam from humans.

    Using a mailto: link is the easiest spam target.

    A proper contact form should be coded carefully. If hackers can change the email headers they can send mail from your server. Use http://swiftmailer.org/ on the back-end to get it right.

    thanks
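The reply above mentions hackers changing the email headers of a contact form. As an added example, not code from the post or its comments, this is a check that rejects such input before it reaches mail() or a mailer library. The function names headerValue() and validContactForm(), the field names and the two sample submissions are all constructed for the demo.

```php
<?php
// Added example (not from the original post or comments). Function and field names
// are hypothetical; the two submissions at the bottom are constructed.
declare(strict_types=1);

// Clean a value destined for a single-line mail header, or return null to reject it.
// A CR, LF or NUL inside the value would start a new header line (for example an
// extra Bcc: recipient), which is what turns a contact form into an open relay.
function headerValue(string $value, int $maxLength = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLength) {
        return null;
    }
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Validate the whole form; returns the cleaned fields or null if anything is rejected.
function validContactForm(array $post): ?array
{
    $from    = headerValue((string) ($post['email'] ?? ''));
    $subject = headerValue((string) ($post['subject'] ?? ''));
    if ($from === null || $subject === null) {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The message body is not a header, so newlines are fine there.
    return ['from' => $from, 'subject' => $subject, 'body' => (string) ($post['message'] ?? '')];
}

// Constructed submissions: a normal one and one carrying an injected Bcc header.
$good = ['email' => 'user@example.com', 'subject' => 'Hello', 'message' => "Hi,\nthanks."];
$bad  = ['email' => "user@example.com\r\nBcc: someone@example.net", 'subject' => 'Hello', 'message' => 'x'];

// The first is accepted (non-null), the second is rejected (null).
var_dump(validContactForm($good));
var_dump(validContactForm($bad));
```

Rejecting the submission outright is simpler and safer than trying to strip the offending characters, and it gives you a clear event to log. A mailer library that builds headers itself, as the reply recommends, still benefits from this check because the address and subject are then guaranteed to be single-line values.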

  3. Ewan Says:

    Some simple but important tips/functions there. Cheers!
