Backend Development

Protection of PHP sites - processing of incoming data

Submitted by 0-Day, Thread ID: 18949

Thread Closed
01-03-2016, 03:34 PM
#1
Always check user data ($_POST, $_GET, $_REQUEST, $_COOKIE, $_FILES), and not only for different injections, XSS and other things but also for the correctness of the input data.

1. SQL Injection

SQL injection is one of the most commonly used methods of gaining access to sites that work with databases; it is based on introducing arbitrary code into an SQL query. To prevent this, simply use:

1.1 - mysql_escape_string() - to protect binary data
1.2 - mysql_real_escape_string() - to protect binary data according to the encoding installed on the server (requires a connection to the server)
1.3 - intval() - protection of integer numeric values; intval() returns 0 if the string is not a number.
1.4 - floatval() - to protect fractional values, as with intval()

2. XSS

XSS is the second most common Internet attack after SQL injection. All sites that display information entered by a user of the site are at risk. If the input is not properly processed by software on the site, it automatically makes your site vulnerable to XSS.

2.1 - htmlspecialchars() - converts special characters into HTML entities
2.2 - strip_tags() - deletes HTML and PHP tags from a string (be careful with this feature)
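As an added example (not code from the thread or its posters), the two halves of the first post side by side: numeric input checked with intval()/floatval() versus filter_var(), and output escaped with htmlspecialchars(). The $input array is a constructed stand-in for $_POST; the function names are assumptions.

```php
<?php
// Added example (not from the thread): validating numeric request values and
// escaping a value for HTML output. $input is a constructed stand-in for $_POST.

// intval()/floatval() coerce: a non-numeric string becomes 0 and a string with
// trailing garbage ('12abc') is truncated to its leading digits, so a bad
// request cannot be told apart from a legitimate id.
function coerceId(string $raw): int
{
    return intval($raw);
}

// filter_var() validates instead: it returns false for anything that is not an
// integer in range, so the caller can reject the request rather than query for id 0.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validatePrice(string $raw): ?float
{
    $price = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return ($price === false || $price < 0) ? null : $price;
}

// Output side: ENT_QUOTES is required so a single quote is encoded too, otherwise
// a value can still break out of a single-quoted HTML attribute. ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: one bad id, one truncatable id, a valid price,
// and a name containing both a quote and a tag.
$input = [
    'id_bad'   => 'abc',
    'id_trunc' => '12abc',
    'price'    => '9.99',
    'name'     => "O'Brien <b>",
];

foreach (['id_bad', 'id_trunc'] as $field) {
    printf("%s: intval=%d filter_var=%s\n",
        $field, coerceId($input[$field]), var_export(validateId($input[$field]), true));
}
printf("price: %s\n", var_export(validatePrice($input['price']), true));
echo 'name for HTML: ', escapeHtml($input['name']), "\n";
```

Running it shows that intval() accepts both bad ids (as 0 and as 12) while validateId() returns null for each, and that the escaped name no longer contains a raw quote or angle bracket. Validation decides whether a request is acceptable; escaping only makes a value safe for one output context (here HTML), and the two are not substitutes for each other.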

RE: Protection of PHP sites - processing of incoming data

#2
good lesson Smile

How do I filter php code in $_POST?

RE: Protection of PHP sites - processing of incoming data

OP
#3
02-03-2016, 11:01 PM
ivoivo Wrote:
good lesson Smile

How do I filter php code in $_POST?

Hello! Thanks.

Use trim() function.

RE: Protection of PHP sites - processing of incoming data

#4
I use mysql_real_escape_string but I got hacked :( are you sure it will help me?

RE: Protection of PHP sites - processing of incoming data

OP
#5
02-03-2016, 11:15 PM
ivoivo Wrote:
I use mysql_real_escape_string but I got hacked :( are you sure it will help me?

Filter and return a result that is taken by mysql

RE: Protection of PHP sites - processing of incoming data

#6
02-03-2016, 11:17 PM
0-Day Wrote:
02-03-2016, 11:15 PM
ivoivo Wrote:
I use mysql_real_escape_string but I got hacked :( are you sure it will help me?

Filter and return a result that is taken by mysql

Here's a suggestion, use PDO.

RE: Protection of PHP sites - processing of incoming data

#7
Dumb advice. Don't tell people to use deprecated functions.

Avoiding 1st order SQLi: http://pastebin.com/zbk1A7e8 (Sucuri blocks it)

Avoiding XSS:
Code:
function escape($string = '')
{
    // ENT_QUOTES (not ENT_QUOTE, which is not a PHP constant) so that both
    // single and double quotes are encoded; UTF-8 is the charset.
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

RE: Protection of PHP sites - processing of incoming data

#8
Why not use prepared statements for protection. Escaping should be second choice when separation of commands and input does not work.
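The separation of command and input that posts #6 through #8 argue for, as an added example that is not code from the thread: the same lookup written with string concatenation and with a PDO prepared statement. It uses an in-memory SQLite database so it runs without a server (requires the pdo_sqlite extension); the table, the sample rows and the function names are assumptions.

```php
<?php
// Added example (not from the thread): concatenated SQL versus a PDO prepared
// statement, against an in-memory SQLite database (assumed pdo_sqlite available).

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows; the second name contains a quote.
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $db;
}

// Vulnerable pattern: the request value becomes part of the SQL text, so any
// quote in the data changes the statement itself. This is exactly the property
// SQL injection relies on; escaping tries to patch it per value, prepared
// statements remove it.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: the SQL text is fixed when prepare() runs and the value travels
// separately as a bound parameter, so quotes in it are just characters of the data.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$name = "O'Brien";  // constructed input containing a quote

try {
    print_r(findByNameConcat($db, $name));
} catch (PDOException $e) {
    // The quote terminates the string literal early and the statement is malformed.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// The prepared version finds the row, because the quote never reaches the parser as SQL.
print_r(findByNamePrepared($db, $name));
```

With MySQL, additionally set PDO::ATTR_EMULATE_PREPARES to false so the driver sends a real server-side prepare instead of quoting the values client-side. Prepared statements cover values only; table and column names, ORDER BY directions and the like cannot be bound and still need a whitelist.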

RE: Protection of PHP sites - processing of incoming data

#9
This is a good site

RE: Protection of PHP sites - processing of incoming data

#10
02-03-2016, 11:01 PM
ivoivo Wrote:
good lesson Smile

How do I filter php code in $_POST?

Do you mean all values? Then:

[pre]
array_walk( $_POST, function( &$value, $key ){
    $value = filter_function( $value ); // The filter function can be intval, floatval, or anything.. even a custom function will do.
});
[/pre]

Things to look into after considering the above code:
http://php.net/array_walk
http://php.net/manual/en/functions.anonymous.php
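The array_walk() idea above applies one filter to every value. As an added example (not code from the thread), here is the more general form a practitioner would want: a per-field rule map run through PHP's filter_var_array(), so each field gets the filter that matches its type and fields without a rule are dropped. $post is a constructed stand-in for $_POST; the field names, the rule map and cleanComment() are assumptions, and mb_substr() assumes the mbstring extension.

```php
<?php
// Added example (not from the thread): filtering a whole request array with one
// rule per expected field. $post stands in for $_POST (constructed data).

// Custom filter for free text: collapse whitespace and cap the length. It keeps
// the text as data; it must still be passed through htmlspecialchars() when it
// is later printed into HTML.
function cleanComment(string $value): string
{
    $value = preg_replace('/\s+/u', ' ', $value) ?? '';  // null on invalid UTF-8
    return mb_substr(trim($value), 0, 500);
}

// One rule per expected field. Keys not listed here are discarded, so unexpected
// parameters never reach application code.
const POST_RULES = [
    'id'      => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'price'   => ['filter' => FILTER_VALIDATE_FLOAT],
    'email'   => FILTER_VALIDATE_EMAIL,
    'comment' => ['filter' => FILTER_CALLBACK, 'options' => 'cleanComment'],
];

// Returns [clean values, names of fields that were missing or failed validation].
function filterPost(array $post, array $rules): array
{
    // add_empty=false: fields absent from $post are omitted rather than set to null.
    $clean  = filter_var_array($post, $rules, false);
    $errors = [];
    foreach ($rules as $field => $rule) {
        // filter_var_array() yields false for a value that failed its filter,
        // including an array submitted where a scalar was expected (id[]=1).
        if (!array_key_exists($field, $clean) || $clean[$field] === false) {
            $errors[] = $field;
            unset($clean[$field]);
        }
    }
    return [$clean, $errors];
}

// Constructed request: a valid id and email, a price that is not a number,
// a comment with stray whitespace, and a parameter nobody asked for.
$post = [
    'id'      => '42',
    'price'   => 'free',
    'email'   => 'user@example.com',
    'comment' => "  hello \n\n world  ",
    'debug'   => '1',
];

[$clean, $errors] = filterPost($post, POST_RULES);
print_r($clean);   // id, email and the cleaned comment; 'debug' is gone
print_r($errors);  // 'price'
```

The split into accepted values and rejected field names lets the caller answer with a proper validation error instead of silently continuing with a 0 or an empty string, which is what a blanket intval() over $_POST would do.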
