
Protection of PHP sites - processing of incoming data

Submitted by 0-Day, Thread ID: 18949

0-Day
01-03-2016, 03:34 PM
#1
Always check user data ($_POST, $_GET, $_REQUEST, $_COOKIE, $_FILES), and not only for the various injections, XSS and so on, but also for the correctness of the input data.

1. SQL Injection

SQL injection is one of the most commonly used methods of gaining access to sites that work with databases; it is based on introducing arbitrary code into an SQL query. To prevent this, simply use:

1.1 - mysql_escape_string() - to protect binary data
1.2 - mysql_real_escape_string() - to protect binary data according to the character set installed on the server (requires a connection to the server)
1.3 - intval() - protection of integer numeric values; intval() returns 0 if the string is not a number.
1.4 - floatval() - to protect fractional values, as with intval()

2. XSS

XSS is the second most common Internet attack after SQL injection. Vulnerable are all sites that display information entered by a user of the site. If the input is not properly processed by the site's software, the site is automatically vulnerable to XSS.

2.1 - htmlspecialchars() - converts special characters into HTML entities
2.2 - strip_tags() - deletes HTML and PHP tags from a string (be careful with this function)
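An added example, not code from the post above: the string-built query that the escaping functions in section 1 are meant to protect, next to the same lookup done with a PDO prepared statement, plus a validated integer lookup in place of intval(). The mysql_* extension the post lists was deprecated in PHP 5.5 and removed in PHP 7.0, so PDO is used instead. The code runs against an in-memory SQLite database (requires the pdo_sqlite extension); the users table, its rows, the plaintext passwords and the function names are constructed for the demonstration, not taken from any real site.

```php
<?php
// Added example (not from the thread): first-order SQL injection against a
// concatenated query, and the same lookup through a PDO prepared statement.
// The database, table and rows below are constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For pdo_mysql this turns off client-side emulation so the server itself
// keeps query text and parameters apart; pdo_sqlite ignores the attribute.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Plaintext passwords only to keep the demo short; real code stores
// password_hash() output and compares with password_verify().
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: user input is pasted into the SQL text, so quotes in the
// input change the structure of the statement.
function loginVulnerable(PDO $pdo, string $user, string $pass): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare time; values travel separately
// as parameters and can never be parsed as SQL.
function loginSafe(PDO $pdo, string $user, string $pass): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name AND password = :pass');
    $stmt->execute([':name' => $user, ':pass' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer input: validate and reject instead of coercing. intval('1 OR 1=1')
// silently yields 1; filter_var() with FILTER_VALIDATE_INT returns false.
function findById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed tautology payload: in the concatenated query it widens the
// WHERE clause to every row; in the prepared one it is just a literal string.
$payload = "' OR '1'='1";

var_dump(loginVulnerable($pdo, $payload, $payload));
var_dump(loginSafe($pdo, $payload, $payload));
var_dump(findById($pdo, '1 OR 1=1'));
var_dump(findById($pdo, '2'));
```

Identifiers (table and column names, ORDER BY fields, LIMIT values) cannot be bound as parameters; map them from a fixed allowlist in code instead of escaping them.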

RE: Protection of PHP sites - processing of incoming data

ivoivo
02-03-2016, 11:01 PM
#2
Good lesson :)

How do I filter php code in $_POST?

RE: Protection of PHP sites - processing of incoming data

0-Day
02-03-2016, 11:05 PM
#3
02-03-2016, 11:01 PM
ivoivo Wrote:
Good lesson :)

How do I filter php code in $_POST?

Hello! Thanks.

Use the trim() function.

RE: Protection of PHP sites - processing of incoming data

ivoivo
02-03-2016, 11:15 PM
#4
I use mysql_real_escape_string but I got hacked :( Are you sure it will help me?

RE: Protection of PHP sites - processing of incoming data

0-Day
02-03-2016, 11:17 PM
#5
02-03-2016, 11:15 PM
ivoivo Wrote:
I use mysql_real_escape_string but I got hacked :( Are you sure it will help me?

Filter it and return a result that is accepted by MySQL.

RE: Protection of PHP sites - processing of incoming data

Lol234d
03-03-2016, 04:16 AM
#6
02-03-2016, 11:17 PM
0-Day Wrote:
02-03-2016, 11:15 PM
ivoivo Wrote:
I use mysql_real_escape_string but I got hacked :( Are you sure it will help me?

Filter it and return a result that is accepted by MySQL.

Here's a suggestion, use PDO.

RE: Protection of PHP sites - processing of incoming data

kara
03-03-2016, 04:24 AM
#7
Dumb advice. Don't tell people to use deprecated functions.

Avoiding 1st order SQLi: http://pastebin.com/zbk1A7e8 (Sucuri blocks it)

Avoiding XSS:
Code:
function escape($string = '')
{
    // ENT_QUOTES converts both " and ' (ENT_QUOTE is not a defined PHP constant);
    // passing the charset explicitly keeps multibyte input from being mis-decoded.
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

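An added example, not code from the post above or from the first post's XSS section: the escape function from post #7 extended with ENT_SUBSTITUTE, shown against two traps the thread touches on, htmlspecialchars() without ENT_QUOTES inside a single-quoted attribute, and strip_tags() treating an ordinary "<" in user text as the start of a tag. The input strings are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): output escaping for HTML body and
// attribute contexts, and why strip_tags() is not an escaping function.
declare(strict_types=1);

// Escape a value for placement in HTML text or inside a quoted attribute.
// ENT_QUOTES converts both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Double quotes only: the flag set PHP used by default before 8.1.
function eCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Constructed hostile input aimed at a single-quoted attribute.
$name = "x' onmouseover='alert(1)";

// With ENT_COMPAT the single quote survives, closes value='...' early, and
// the browser parses onmouseover as a second attribute.
$attrWeak = "<input value='" . eCompat($name) . "'>";
// With ENT_QUOTES the quote becomes &#039; and stays inside the value.
$attrSafe = "<input value='" . e($name) . "'>";

// strip_tags() is a sanitiser, not an escaper: "<10 and qty>" is consumed
// as though it were a tag, so the user's comparison text disappears,
// while e() keeps the text and renders it inert.
$comment  = 'price<10 and qty>2';
$stripped = strip_tags($comment);
$escaped  = e($comment);

// Invalid UTF-8 (constructed): with ENT_QUOTES alone htmlspecialchars()
// returns "", silently blanking the field; ENT_SUBSTITUTE keeps the rest.
$broken = "caf\xE9";
$blank  = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8');
$kept   = e($broken);

foreach ([
    'ENT_COMPAT attribute'   => $attrWeak,
    'ENT_QUOTES attribute'   => $attrSafe,
    'strip_tags comment'     => $stripped,
    'escaped comment'        => $escaped,
    'invalid UTF-8, no subst' => var_export($blank, true),
    'invalid UTF-8, subst'   => $kept,
] as $label => $value) {
    printf("%-25s %s\n", $label, $value);
}
```

htmlspecialchars() is the right tool only for HTML text and quoted attributes. Data placed into a JavaScript block needs json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT, and data placed into a URL component needs rawurlencode(); escape at the point of output, per context, not on the way in.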
RE: Protection of PHP sites - processing of incoming data

gruntyz
07-03-2016, 11:14 AM
#8
Why not use prepared statements for protection? Escaping should be the second choice, for when separation of commands and input does not work.

RE: Protection of PHP sites - processing of incoming data

Billy
13-03-2016, 04:36 AM
#9
This is a good site

RE: Protection of PHP sites - processing of incoming data

Sozin
19-03-2016, 07:44 PM
#10
02-03-2016, 11:01 PM
ivoivo Wrote:
Good lesson :)

How do I filter php code in $_POST?

Do you mean all values? Then:

[pre]
array_walk( $_POST, function( &$value, $key ) {
    // The filter function can be intval, floatval, or anything; even a custom function will do.
    $value = filter_function( $value );
});
[/pre]

Things to look into after considering the above code:
http://php.net/array_walk
http://php.net/manual/en/functions.anonymous.php
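An added example, not code from the post above: instead of walking $_POST with one filter for every field, validate the whole form against a per-field definition with filter_var_array(), so each field gets its own type, range and shape check, unknown fields are dropped, and missing fields are reported. The $form array stands in for $_POST and is constructed here; the field names and rules are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread): typed validation of a whole form with
// filter_var_array(). $form stands in for $_POST; field names are assumed.
declare(strict_types=1);

// Every rule carries FILTER_NULL_ON_FAILURE so that a failed check yields
// null, which cannot be confused with a legitimate false (the checkbox).
const FORM_RULES = [
    'user_id'    => ['filter'  => FILTER_VALIDATE_INT,
                     'flags'   => FILTER_NULL_ON_FAILURE,
                     'options' => ['min_range' => 1]],
    'email'      => ['filter'  => FILTER_VALIDATE_EMAIL,
                     'flags'   => FILTER_NULL_ON_FAILURE],
    // Must be an array; each element is checked against the pattern.
    'tags'       => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'flags'   => FILTER_REQUIRE_ARRAY | FILTER_NULL_ON_FAILURE,
                     'options' => ['regexp' => '/^[a-z0-9_-]{1,32}$/']],
    'newsletter' => ['filter'  => FILTER_VALIDATE_BOOLEAN,
                     'flags'   => FILTER_NULL_ON_FAILURE],
    // Free text is kept as-is (escape it at output time) but must be a scalar,
    // so an attacker cannot submit comment[]=... and break string code later.
    'comment'    => ['filter'  => FILTER_UNSAFE_RAW,
                     'flags'   => FILTER_REQUIRE_SCALAR | FILTER_NULL_ON_FAILURE],
];

/**
 * Returns ['values' => typed values keyed by field, 'errors' => field => reason].
 * Fields absent from the rules are dropped (no mass assignment); fields absent
 * from the input are reported as missing rather than silently defaulted.
 */
function validateForm(array $form, array $rules): array
{
    // add_empty=false: missing fields get no key instead of a null that would
    // look like a failed validation.
    $values = filter_var_array($form, $rules, false);
    $errors = [];
    foreach ($rules as $field => $_) {
        if (!array_key_exists($field, $values)) {
            $errors[$field] = 'missing';
            continue;
        }
        $v = $values[$field];
        if ($v === null || (is_array($v) && in_array(null, $v, true))) {
            $errors[$field] = 'invalid';
        }
    }
    return ['values' => $values, 'errors' => $errors];
}

// Constructed request: a valid id, a malformed e-mail, one bad tag, a stray
// "admin" field the client added, and no "newsletter" field at all.
$form = [
    'user_id' => '42',
    'email'   => 'not-an-address',
    'tags'    => ['php', 'Not Valid!'],
    'comment' => '<script>alert(1)</script>',
    'admin'   => '1',
];

var_export(validateForm($form, FORM_RULES));
```

For a real request the same definition can be passed to filter_input_array(INPUT_POST, FORM_RULES, false), which reads the raw request body rather than a possibly modified $_POST. Validation decides whether the data is acceptable; it does not replace parameterised queries or output escaping, which handle the data's journey into SQL and HTML.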