Unknown01
12-30-2005, 12:04 PM
Hey Everyone,
Just wondering what everyone thinks is the best way to protect yourself against XSS attacks and SQL injection. I would like to see some functions people have made up themselves to protect their sites, and which PHP functions you think are best.
Regards, Unknown
Neoboffin
12-30-2005, 01:42 PM
For SQL Injection, I use:
function SQLConvert($SQL)
{
    // Undo the escaping magic_quotes_gpc already applied, so the value is not escaped twice
    if (get_magic_quotes_gpc())
    {
        $SQL = stripslashes($SQL);
    }
    // Prefer the MySQL-aware escaper (it needs an open connection); fall back to addslashes()
    if (function_exists("mysql_real_escape_string"))
    {
        $SQL = mysql_real_escape_string($SQL);
    }
    else
    {
        $SQL = addslashes($SQL);
    }
    return $SQL;
}
365Years
12-30-2005, 04:51 PM
This is fairly obvious, but one of the best things you can do is validate data types. When you're expecting a numeric value, make sure it's numeric. Otherwise, some things could still pass through escape string functions and cause all sorts of problems.
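Neoboffin's escaping function and 365Years' point about data types are two halves of the same problem, so here is one added example (not code from either post) that puts the escaping approach beside a prepared statement. It runs against an in-memory SQLite database through PDO, so no server is needed; it assumes the pdo_sqlite extension, and the table, the attacker inputs and the helper names sql_escape(), ids_for() and find_user_by_id() are all made up for the demo.

```php
<?php
// Added example, not code from the thread. Demonstrates why escaping alone is
// not enough and what a prepared statement changes. Uses SQLite in memory via
// PDO (assumes the pdo_sqlite extension, bundled with most PHP builds); the
// table and the attacker inputs below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Driver-level escaping, the PDO counterpart of mysql_real_escape_string().
// PDO::quote() returns the value wrapped in single quotes with inner quotes
// doubled; the outer quotes are stripped so the caller decides about quoting,
// which is the same contract as SQLConvert() above.
function sql_escape(PDO $db, string $value): string
{
    return substr($db->quote($value), 1, -1);
}

function ids_for(PDO $db, string $sql): array
{
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Escaping holds when the value is placed between quotes in the SQL text.
$name = "' OR 1=1 --";                                   // constructed attacker input
$sql  = "SELECT id FROM users WHERE name = '" . sql_escape($db, $name) . "'";
var_dump(ids_for($db, $sql));                            // empty: the quote was doubled

// 2. The same escaping does nothing for a value used without quotes, which is
//    how a numeric column is usually written. There is no quote to escape, so
//    the injected OR becomes part of the query.
$id  = "2 OR 1=1";                                       // constructed attacker input
$sql = "SELECT id FROM users WHERE id = " . sql_escape($db, $id);
var_dump(ids_for($db, $sql));                            // both rows come back

// 3. Prepared statement: the value travels separately from the SQL text and is
//    only ever compared as data, so it cannot change the query's structure.
$stmt = $db->prepare("SELECT id FROM users WHERE id = :id");
$stmt->execute([':id' => $id]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));            // empty: no id equals that string

// 4. Validate the type as well (365Years' point): refuse anything that is not a
//    string of digits before it gets near the query, then bind it as an integer.
function find_user_by_id(PDO $db, string $rawId): ?string
{
    if (!ctype_digit($rawId)) {
        return null;                                     // reject, do not "clean up"
    }
    $stmt = $db->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

var_dump(find_user_by_id($db, "2"));                     // string(3) "bob"
var_dump(find_user_by_id($db, "2 OR 1=1"));              // NULL
```

Run it with `php example.php`. The mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7; mysqli and PDO both offer prepared statements, and the same separation of query text from data applies to either.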
Unknown01
12-30-2005, 09:11 PM
I think what 365days said is a good idea. I use this to check and see if it's just a number:
function isNum($value) {
return (preg_match("/^[0-9]+$/", $value));
}
Googled
12-31-2005, 02:12 AM
Hi,
Stripping slashes, quotes, double quotes, etc. is good, but it still changes the content the user is sending, which may be correct after all.
The best way, in my opinion, is to replace those 'dangerous' characters with their HTML special codes, for example:
function valid($text) {
    // characters to neutralise, and the HTML character references that stand in for them
    $bad  = array("\"", "'", "|", "%", "*", "+", "?", "<", ">");
    $good = array("&quot;", "&#39;", "&#124;", "&#37;", "&#042;", "&#43;", "&#63;", "&#60;", "&#62;");
    return str_replace($bad, $good, $text);
}
Those 'dangerous' characters are gone but their representation stays.
Regards,
G
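To show the entity-replacement idea from the post above in a form that does not need a hand-written blacklist, here is an added example (not code from the thread) built on htmlspecialchars(). It also shows why the context a value lands in decides which encoding is right. The helper names h(), js() and render() and the payloads are made up for the demo.

```php
<?php
// Added example, not code from the thread. Output encoding with
// htmlspecialchars() and json_encode(), and three ways it goes wrong when the
// encoding does not match the output context. Payloads are constructed.

// HTML text and quoted attribute values. ENT_QUOTES encodes both ' and ";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside <script>. json_encode() yields a valid JS
// literal; the JSON_HEX_* flags \u-escape < > & ' " so the literal can neither
// close the <script> element nor break out of the string.
function js(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;
}

function render(string $input): string
{
    return "<p>" . h($input) . "</p>\n"
         . "<input value=\"" . h($input) . "\">\n"
         . "<a title='" . h($input) . "'>link</a>\n"
         . "<script>var name = " . js($input) . ";</script>\n";
}

$payloads = [
    "<script>alert(1)</script>",           // tries to break out of text
    "\" onmouseover=\"alert(1)",            // tries to close a double-quoted attribute
    "' onmouseover='alert(1)",             // tries to close a single-quoted attribute
    "</script><script>alert(1)</script>",  // tries to close the script element
    "Tom &amp; Jerry",                     // legitimate text that contains an entity
];
foreach ($payloads as $p) {
    echo render($p), "\n";                 // every payload comes out inert
}

// What goes wrong when the encoding does not match the context.

// 1. Single quotes left alone: htmlspecialchars() without ENT_QUOTES (the
//    default before PHP 8.1) lets the third payload close a single-quoted attribute.
$weak = htmlspecialchars("' onmouseover='alert(1)", ENT_COMPAT, 'UTF-8');
echo "<a title='" . $weak . "'>link</a>\n";   // <a title='' onmouseover='alert(1)'>

// 2. Unquoted attribute: a space ends the value, and no encoder touches spaces.
echo "<input value=" . h("x onfocus=alert(1) autofocus") . ">\n";

// 3. A replacement list that skips "&" turns the user's literal "Tom &amp; Jerry"
//    into "Tom & Jerry" on screen; h() double-encodes and shows it as typed.
echo h("Tom &amp; Jerry"), "\n";              // Tom &amp;amp; Jerry
```

The rule that falls out of the last three lines: always quote attribute values, encode for the exact context (HTML text, attribute, JavaScript string), and encode at output time rather than altering the stored input.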
hehachris
12-31-2005, 03:07 AM
I think what 365days said is a good idea. I use this to check and see if it's just a number:
function isNum($value) {
return (preg_match("/^[0-9]+$/", $value));
}
Why don't you use the PHP function is_numeric()?
Unknown01
12-31-2005, 03:36 AM
hehachris - I use my function because if I ever want to allow all numbers and the letter "a", I could without having to change and go through a lot of my code.
Neoboffin
12-31-2005, 07:17 AM
Well, yes, it depends on what type of content they are inputting. Mine is only text, not HTML, therefore I don't need a complex function, just a simple one.
NateD
01-02-2006, 09:48 AM
Treat ALL input as potentially dangerous. I've read stories about how even a simple form-to-email page in PHP can be used as a mass emailer.
If your column is only varchar(15), make sure you use substr() to cut it down to 15 characters. Just because your form field has a maximum value of 15 doesn't mean that someone can only enter 15 characters - there are ways around it.
NEVER insert/edit data in your database without validating it first; you are just asking for trouble. Client-side validation (i.e. JavaScript) is nice but can be easily circumvented. If you can be bothered, use both client-side and server-side validation - if not, server-side validation is sufficient.
addslashes() is good for fixing text before inserting into a database.
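Picking up the is_numeric() question from earlier in the thread and NateD's point about cutting input down to the column length, here is one added example (not code from any post) that runs the different numeric checks over the same inputs and shows a length limit that counts characters rather than bytes. It assumes the ctype and mbstring extensions; the function names and the inputs are made up for the demo.

```php
<?php
// Added example, not code from the thread. Compares what is_numeric(), a
// $-anchored digit regex, a \z-anchored one and ctype_digit() each accept,
// then shows a length limit that counts characters, not bytes (assumes the
// mbstring extension). All inputs are constructed for the demo.

// A bare $ in PCRE also matches just before a final newline, so "42\n" passes.
function isNumDollar(string $value): bool
{
    return (bool) preg_match('/^[0-9]+$/', $value);
}

// \z matches only at the true end of the string.
function isNumStrict(string $value): bool
{
    return (bool) preg_match('/^[0-9]+\z/', $value);
}

function compareChecks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $in) {
        $rows[] = [
            'input'       => $in,
            'is_numeric'  => is_numeric($in),
            'isNumDollar' => isNumDollar($in),
            'isNumStrict' => isNumStrict($in),
            'ctype_digit' => ctype_digit($in),
        ];
    }
    return $rows;
}

$inputs = ["42", " 42", "+42", "-42", "4.2", "1e3", "42\n", "", "42abc"];
foreach (compareChecks($inputs) as $r) {
    printf("%-9s is_numeric=%d isNumDollar=%d isNumStrict=%d ctype_digit=%d\n",
        json_encode($r['input']), (int) $r['is_numeric'], (int) $r['isNumDollar'],
        (int) $r['isNumStrict'], (int) $r['ctype_digit']);
}
// is_numeric() accepts " 42", "+42", "-42", "4.2" and "1e3": right for a float
// field, wrong for "digits only". isNumDollar() accepts "42\n". isNumStrict()
// and ctype_digit() accept "42" alone. All four reject "" and "42abc".

// Column length: substr() counts bytes, so cutting a UTF-8 string at a byte
// boundary can split a multibyte character; mb_substr() counts characters.
// Refusing an over-long value is the stricter option, since truncation
// silently changes what the user sent.
function fitToColumn(string $value, int $maxChars): ?string
{
    return mb_strlen($value, 'UTF-8') <= $maxChars ? $value : null;
}

var_dump(bin2hex(substr("héllo", 0, 2)));     // "68c3": "h" plus half of "é"
var_dump(mb_substr("héllo", 0, 2, 'UTF-8'));  // "hé"
var_dump(fitToColumn("héllo", 5));            // "héllo": 5 characters, 6 bytes
var_dump(fitToColumn("héllo", 4));            // NULL
```

The stricter check is not about SQL injection on its own (a prepared statement already handles that); it is about knowing the value is what the rest of the code assumes before it is used in arithmetic, a file name, or a redirect.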
jeff_2anet
01-02-2006, 02:08 PM
Treat ALL input as potentially dangerous. I've read stories about how even a simple form-to-email page in PHP can be used as a mass emailer.
"Most" simple form-to-email pages can be used as mass emailers. In fact, I've seen very few written by amateur programmers that were 'safe.'
bmeshier
01-02-2006, 10:23 PM
I'm surprised nobody has mentioned mod_security. Not a replacement for good coding, but will mitigate most injections.
http://www.modsecurity.org/
myotheridentity
01-03-2006, 02:02 AM
Yes, mod_security is a good tool for Linux/Unix. What about IIS though?