Iso Help With Html Injection Protection (d2jsp Forums > Programming & Development)
Member
Posts: 10,083
Joined: Aug 19 2007
Gold: 0.00
Apr 19 2013 03:52am
I have a comment box on my website, but right now there is no protection whatsoever. You can write scripts in it, you can even write tags in it, etc.

I need help on how to protect against injections like that. It doesn't have to be an advanced security system, it's just an example so I can write about it in my assignment. Maybe something like it replaces the <> symbols or something like that.
Member
Posts: 150,017
Joined: May 8 2005
Gold: 5,100.00
Apr 19 2013 04:26am
I am not into html really but I'll give you a buzzword: htmlentities
Member
Posts: 10,083
Joined: Aug 19 2007
Gold: 0.00
Apr 19 2013 04:50am
This is my code if it helps.
Code
<?php
error_reporting (E_ALL ^ E_NOTICE);
require('connect.php');
$name=$_POST['name'];
$comment=$_POST['comment'];
$submit=$_POST['submit'];
if($submit)
{
    if($name&&$comment)
    {
        $query=mysql_query("INSERT INTO comment (id,name,comment) VALUES ('','$name','$comment')");
        header("Location: success.php");
    }
    else
    {
        echo "Please fill out all the fields.";
    }
}
?>
<html>
<head>
 <title>Family Travels - Lanzarote</title>
       <link rel="stylesheet" href="layout2.css" title="style1" media="screen" />
</head>

<body>

<div id="title">

 <img src="images/banner.png" alt="Title">

</div> <!-- title -->
<div id="container">
 
<div id="content">
<h2>Share your experience:</h2>

<form action="comment.php" method="POST">
<label>Name:  </label><br /><input type="text" name="name" value="<?php echo "$name" ?>" /><br /><br />
<label>Comment:  </label><br /><textarea style="width:350px;height:130px" name="comment" cols="25" rows="7"></textarea><br /><br /><br />
<input type="submit" name="submit" value="Comment" /><br />
<div style="height:600px;width:500px;overflow:auto;white-space:pre-line;word-wrap:break-word;">
</form>
<hr width="500px" size="3px" />

<?php
require('connect.php');
$query=mysql_query("SELECT * FROM comment ORDER BY id DESC");
while($rows=mysql_fetch_assoc($query))
{
    $id=$rows['id'];
    $dname=$rows['name'];
    $dcomment=$rows['comment'];
    $linkdel="<a href=\"delete.php?id=" . $rows['id'] . "\">Delete Comment</a>";
    echo '<font color="white">Name:</font>  ' . $dname . '<br />' . '<br />' . '<font color="white">Comment:</font>  ' . '<br />' . '<br />' . $dcomment . '<br />' . '<br />' . $linkdel . '<br />' . '<br />' .
    '<hr size="3px" width="500px" />' ;
}
?>
</div>
 </div> <!-- content -->
Member
Posts: 31,772
Joined: Jan 22 2008
Gold: 1,795.56
Apr 19 2013 04:59am
look on google for mysql_real_escape_string() and addslashes() or something like that, should help ya
Member
Posts: 10,083
Joined: Aug 19 2007
Gold: 0.00
Apr 19 2013 05:20am
Quote (TiMasse @ Apr 19 2013 10:59am)
look on google for mysql_real_escape_string() and addslashes() or something like that, should help ya


Got help from another board, thanks anyways :)

This post was edited by Polsenols on Apr 19 2013 05:45am
Member
Posts: 11,610
Joined: Oct 28 2008
Gold: 1,795.00
Apr 19 2013 04:18pm
PHP: The Good Parts

thoroughly discusses this, if you're interested
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 19 2013 06:18pm
Biggest SQLi injection I've seen posted here yet.
Member
Posts: 1,628
Joined: Aug 11 2012
Gold: 628.00
Apr 19 2013 08:05pm
You can also look up some filter classes that people have written and put all of your $_POST through them before they go into your database.

The way I usually do it is something like this, storing it into a variable first in case you want to do more than one thing with it.

$comment = $filter->output_str($_POST['comment']);

then you insert $comment into db.
Member
Posts: 2,612
Joined: Nov 8 2005
Gold: 90.00
Jun 5 2013 10:32am
You'll want to use the mb_convert_encoding() and htmlentities() functions, forcing UTF-8 conversion on incoming data; it's really the only safe way:

Code
<?php
error_reporting (E_ALL ^ E_NOTICE);
require('connect.php');

$name=$_POST['name'];
$name=mb_convert_encoding($name,'UTF-8', 'UTF-8');
$name=htmlentities($name, ENT_QUOTES, 'UTF-8');

$comment=$_POST['comment'];
$comment=mb_convert_encoding($comment,'UTF-8', 'UTF-8');
$comment=htmlentities($comment, ENT_QUOTES, 'UTF-8');

$submit=$_POST['submit'];

The submit var isn't in any real threat here, so I left it alone.
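A hardened version of the insert and display parts of the posted script, as an added example that is not code from anyone in this thread. It assumes a PDO connection `$pdo` (standing in for the mysql_* link from `connect.php`) to the same `comment` table; the bound parameters keep user input out of the SQL text (the SQLi problem noted above), and encoding at output time with htmlspecialchars (same effect as the suggested htmlentities for the characters that matter in HTML) handles the script/tag injection the original question asks about.

```php
<?php
// Added example, not from the thread. Assumes $pdo is an open PDO connection
// to the database holding the `comment` table (columns id, name, comment).
// The posted code has two separate problems: the INSERT interpolates user
// input into SQL (SQL injection), and the display loop echoes stored values
// raw into HTML (cross-site scripting / HTML injection). Each needs its own fix.

// Escape a string for an HTML text or attribute context. ENT_QUOTES encodes
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop a comment.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the raw text. A bound parameter is sent separately from the SQL
// string, so the database never parses the value as part of the statement.
function saveComment(PDO $pdo, string $name, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO comment (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
}

// Encode when rendering, in the context the data is used in. Storing raw
// text and escaping on output keeps the data reusable (e.g. for JSON later).
function renderComments(PDO $pdo): string
{
    $html = '';
    $rows = $pdo->query('SELECT id, name, comment FROM comment ORDER BY id DESC');
    foreach ($rows as $row) {
        $html .= '<p><strong>Name:</strong> ' . h($row['name']) . '</p>'
               . '<p><strong>Comment:</strong><br />' . nl2br(h($row['comment'])) . '</p>'
               . '<a href="delete.php?id=' . (int) $row['id'] . '">Delete Comment</a><hr />';
    }
    return $html;
}

// Example: h('<script>alert(1)</script>') returns
// '&lt;script&gt;alert(1)&lt;/script&gt;', which the browser shows as text.

$name    = $_POST['name'] ?? '';
$comment = $_POST['comment'] ?? '';
if (isset($_POST['submit']) && $name !== '' && $comment !== '') {
    saveComment($pdo, $name, $comment);
    header('Location: success.php');
    exit;
}
```

The `(int)` cast on the id in the delete link is the same idea applied to a URL context: a numeric column is forced to a number before it is written into markup.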