php - Efficiently sanitize user entered text -


i have html form accepts user entered text of size 1000, , submitted php page stored in mysql database. use pdo prepared statements prevent sql injection. sanitize text entered user, best efforts needed ?

i want prevent script injection, xss attacks, etc.

security interesting concept , attracts lot of people it. unfortunately it's complex subject , professionals wrong. i've found security holes in google (csrf), facebook (more csrf), several major online retailers (mainly sql injection / xss), thousands of smaller sites both corporate , personal.

these recommendations:

1) use parameterised queries
parameterised queries force values passed query treated separate data, input values cannot parsed sql code dbms. lot of people recommend escape strings using mysql_real_escape_string(), contrary popular belief not catch-all solution sql injection. take query example:

select * users userid = $_get['userid']

if $_get['userid'] set 1 or 1=1, there no special characters , not filtered. results in rows being returned. or, worse, if it's set 1 or is_admin = 1?

parameterised queries prevent kind of injection occuring.

2) validate inputs
parameterised queries great, unexpected values might cause problems code. make sure you're validating they're within range , won't allow current user alter shouldn't able to.

for example, might have password change form sends post request script changes password. if place user id hidden variable in form, change it. sending id=123 instead of id=321 might mean change else's password. make sure validated correctly, in terms of type, range , access.

3) use htmlspecialchars escape displayed user-input
let's user enters "about me" this:
</div><script>document.alert('hello!');</script><div>
problem output contain markup user entered. trying filter blacklists bad idea. use htmlspecialchars filter out strings html tags converted html entities.

4) don't use $_request
cross-site request forgery (csrf) attacks work getting user click link or visit url represents script perfoms action on site logged in. $_request variable combination of $_get, $_post , $_cookie, means can't tell difference between variable sent in post request (i.e. through input tag in form) or variable set in url part of (e.g. page.php?id=1).

let's user wants send private message someone. might send post request sendmessage.php, to, subject , message parameters. let's imagine sends request instead:

sendmessage.php?to=someone&subject=spam&message=viagra!

if you're using $_post, won't see of parameters, set in $_get instead. code won't see $_post['to'] or of other variables, won't send message. however, if you're using $_request, $_get , $_post stuck together, attacker can set parameters part of url. when user visits url, inadvertantly send message. worrysome part user doesn't have anything. if attacker creates malicious page, contain iframe points url. example:

<iframe src="http://yoursite.com/sendmessage.php?to=someone&subject=spam&message=viagra!"> </iframe>

this results in user sending messages people without ever realising did anything. reason, should avoid $_request , use $_post , $_get instead.

5) treat you're given suspicious (or malicious)
have no idea user sending you. legitimate. attack. never trust user has sent you. convert correct types, validate inputs, use whitelists filter necessary (avoid blacklists). includes sent via $_get, $_post, $_cookie , $_files.



if follow these guidelines, you're @ reasonable standing in terms of security.


Comments

Post a Comment

Popular posts from this blog

angular - Ionic slides - dynamically add slides before and after -

hi i'm using ngfor create set of 3 slides while starting in middle i'm guaranteed able slide left or right on start. when slide right can simple listen reachedend , push slide array i'm looping. but have problem adding slide beginning. if same above , use e.g. array.unshift() or spread add item beginning, view think it's on position 0 , snaps view new slide. the code below work animates slide change index 1. slide = [0,1,2] //example loop slidechanged(event) { if(this.slides.isbeginning()){ this.slide = [this.slide[0]-1, ...this.slide]; this.slides.update(); this.slides.slideto(1) } } <ion-slides [initialslide]="1" (ionslidedidchange)="slidechanged($event)"> <ion-slide *ngfor="let item of slide"> <h1>slide {{item}}</h1> </ion-slide> </ion-slides> any appreciated! you can using ionslidenextend , ionslideprevend events slides . please
Read more

minify - Minimizing css files -

i want know how css files can minimized. currently, using external sites css minifier compress css files. however, after removing whitespaces, comments, etc, file sizes reduced 10-15%. how frameworks bootstrap manage make minimized versions kilobytes. as example, css is: body { background-color: #ff0; } the reduction goes 28 bytes 22 bytes other css files have lot more characters still smaller this. actually minifying code means it's remove thing code white space characters new line characters comments block delimiters it reduces amount of code has transferred on web , speed site load fastly.but unreadable format.
Read more

Add a dynamic header in angular 2 http provider -

i have http interceptor built via tutorial https://scotch.io/@kashyapmukkamala/using-http-interceptor-with-angular2 the problem need have dynamic header changes automatically once changes 'mode' in app. service able tell interceptor change header, or have interceptor pull header (which string)from service each request. able throwing away patch method, call http.patch('new header string') set header string. call in service controls 'mode' setting. wondering if there way interceptor pull recent value service each request or if can add method http provider via interceptor? i've tried call service in interceptor each request returns undefined. because creating new instance of service or copying value before service fired , loaded/changed data. i don't want pass header string every http provider call because defeats purpose of having interceptor, id able set once changes or have provider fetch service before makes request. tl;dr : need add autom
Read more