Block javascript and sql-Injection attack on the same string

Asked

Viewed 2,818 times

5

I am receiving data from a form in php via get.

I’m handling the information as follows:

$search = mysql_real_escape_string(htmlspecialchars($_GET["t"], ENT_QUOTES, 'UTF-8'));

With this I intend to block attacks by javascript and sql-Injection.

Doubts are:

  • It is the best way to block these two types of attacks?
  • htmlspecialchars could somehow undo the effectiveness of the mysql_real_escape_string function?

I have read several topics on these subjects, but each one says one thing and it is not always possible to check whether the information is reliable or not.

  • 1
  • 2

    http://xkcd.com/327/

  • Possible duplicate of this: http://answall.com/questions/3864/comor- prevenir-injecao-de-codigo-sql-no-meu-codigo-php

  • @missed the question is different, I put 2 questions at the end that are not answered in the topic mentioned.

  • @Bacco the question is different, I put 2 questions at the end that are not answered in the topic mentioned.

2 answers

1

Protecting against XSS and SQL Injection at the same time can be a very complicated task and potentially with many mouse grabs that only someone with DOM and SQL expertise can have idea of the risk. Against Sqli, the documentation is plenty, but think of the following situations where javascript can be executed:

Properties like onload, onclick, onblur (...) allow you to execute javascript

< img src="foo.gif" onload="Alert('XSS!')"/>

Urls can run javascript prefixed "javascript:"

< a href="javascript:Alert('XSS');">Ola Mundo< /a>

I recommend reading the document https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. There are hundreds of ways, even when using a filter against Sqli, to save in the database a string that will be an XSS problem when viewed.

What to do?

The simplest way to make sure you avoid Sqli and XSS at the same time is, in addition to using well-known native functions against Sqli, and make an aggressive filter. If a field only accepts integer, remove all that is not number. If it is letters and numbers, filter to just that. And, more importantly, avoid accepting HTML in a user input.

If you really have to accept HTML, you should either use a ready-made library that removes all Javascript references from the code, or make a white list of which tags are allowed and which tag properties are allowed, which is not trivial.

1


  • Thanks for the links, but I asked 2 questions and only the first one was answered, know anything about the second one? Thanks.

  • 1

    Good @Filipe, the second automatically was answered, because, the use mysql_real_escape_string would already be inappropriate by the Deprecate factor of Mysql_ as already answered in the first, this is a safety factor. Now, it is good practice to use the routine developed for this would only mysql_real_escape_string or mysql_espace_string, I always used so and never had problem, although today I use PDO with prepare and the same does the protection work. Another thing would be to use filter_input instead of $_GET and $_POST I edit the post and there’s the link please read the subject line

  • 1

    Thank you for your time, I’ve been enlightened.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.