  1. #1 saxchick1 (New Coder)

    Confused on using injections

    I've been reading different tutorials on injections and going by different examples. I am trying to prevent my guestbook users from spamming my guestbook and to prevent XSS, HTML, and SQL injections. I've read that prepared statements automatically prevent injections, and that mysql_real_escape_string() along with string sanitization prevents SQL injection. Also, I read that prepared statements shouldn't be used. If someone could please help and look over my code; I'm not sure if I am getting the hang of things.


    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <!-- 
    Author: Reality Software 
    Website: http://www.realitysoftware.ca 
    Note: This is a free template released under the Creative Commons Attribution 3.0 license,
    which means you can use it in any way you want provided you keep the link to the author intact.
    --> 
    <html xmlns="http://www.w3.org/1999/xhtml"> 
    <head> 
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
    <title></title> 
    <link href="style.css" rel="stylesheet" type="text/css" /></head> 
    <body> 
     
     
        <!-- header --> 
        <div id="header"> 
            <div id="logo"><a href="index.html">Header</a></div> 
            <div id="menu"> 
                <ul> 
                <li><a href="index.html">Home</a></li> 
                <li><a href="">Link 1</a></li> 
                <li><a href="">Link 2</a></li> 
                <li><a href="">Link 3</a></li> 
                <li><a href="">Contact</a></li> 
            <li><a href="guestbook.php">Guestbook</a></li> 
                      </ul>    
      </div> 
    </div>
    <div id="icon"><a href="twitter.com/"> 
    <img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
    </a></div> 

        <!--end header --> 
        <!-- main --> 
        <div id="main"> 
        <div id="content">   
      
      
     <div id="text"> 
                    <h1><strong>Guestbook</strong></h1> 
    </div> 
     
    <?php

    function sanitizeString($string) {
        return htmlentities((string) $string, ENT_COMPAT, "UTF-8");
    }

    $input = is_numeric($input) ? intval($input) : mysql_real_escape_string($input);
    mysql_real_escape_string($comment);
    mysql_real_escape_string($name);
    mysql_real_escape_string($verif_box);


    $db = new mysqli("localhost", "a7560006_host", "mypassword", "a7560006_guest");
    $preparedStatement1 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');

    $preparedStatement1->bind_param("s", $name);
    $preparedStatement1->execute();
    $preparedStatement1->bind_result($comment_id, $name, $comment, $datetime);
    $preparedStatement1->store_result();

    $preparedStatement2 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');

    $preparedStatement2->bind_param("s", $verif_box);
    $preparedStatement2->execute();
    $preparedStatement2->bind_result($comment_id, $name, $comment, $datetime);
    $preparedStatement2->store_result();

    $preparedStatement3 = $db->prepare('SELECT * FROM guestbook WHERE name = ? and verif_box = ? and comment = ? ');
    $preparedStatement3->bind_param("s", $comment);
    $preparedStatement3->execute();
    $preparedStatement3->bind_result($comment_id, $name, $comment, $datetime);
    $preparedStatement3->store_result();

    while ($preparedStatement1->fetch()) {

    $mysql_host = "localhost";
    $mysql_database = "a7560006_guest";
    $mysql_user = "a7560006_host";
    $mysql_password = "mypassword";

    // Connect to server and select database.
    mysql_connect("$mysql_host", "$mysql_user", "$mysql_password") or die("cannot connect server");
    mysql_select_db("$mysql_database") or die("cannot select DB");

    $tbl_name = "guestbook"; // Table name

    $name = ($_POST['name']);
    $comment = ($_POST['comment']);

    $datetime = date("M-d-Y h:i:s A"); //date time
    $verif_box = ($_POST['verif_box']);

    if (md5($verif_box).'a4xn' != $_COOKIE['tntcon']) { ?>
    <table width="400" border="0" align="center">
    <tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>
    </table>

    </div>
         <!-- footer -->
        <div id="footer">
        <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
        <div id="right_footer">

    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

        </div>
        </div>
        <!-- end footer -->
        </div>
        <!-- end main -->

    </body>
    </html>

    <?
    exit; }

    if (empty($name) || empty($comment)) { ?>
      <table width="400" border="0" align="center">
      <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>
      </table>
    <?
    } else {

    $sql = "INSERT INTO $tbl_name (name, comment, datetime) VALUES ('$name', '$comment', '$datetime')";
    $result = mysql_query($sql);

    //check if query successful
    if ($result) { ?>
    <table width="400" border="0" align="center">
    <tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>
    </table>
    <?
    echo "<meta http-equiv='Refresh' content='1; URL=viewguestbook.php'>";  // link to view guestbook page
    } else {
    echo "ERROR";
    }

    mysql_close();

    } // end while

    ?>
     
    </div>  
     
         <!-- footer --> 
        <div id="footer"> 
        <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div> 
        <div id="right_footer"> 
     
    <!-- Please do not change or delete this link. Read the license! Thanks. :-) --> 
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>
     
        </div> 
        </div> 
        <!-- end footer --> 
        </div>           
        <!-- end main --> 
     
    </body> 
    </html>
    Last edited by saxchick1; 11-22-2011 at 03:40 AM.

  • #2 Dormilich (Senior Coder)
    Quote Originally Posted by saxchick1 View Post
    I've read that prepared statements automatically prevent injections, and that mysql_real_escape_string() along with string sanitization prevents SQL injection.
    if you use Prepared Statements, you mustn't use mysql_real_escape_string().
    a) mysql_* functions (which you would need for mysql_real_escape_string()) don't support Prepared Statements
    b) you can't mix mysql_*, MySQLi and PDO
    c) if you feed an escaped string to a Prepared Statement, it will insert that string as is (with(!) the backslashes) into the DB

    however, you should use string sanitisation to prevent XSS attacks before you output the data from DB.

    regarding that, in your code you can safely delete all the mysql_real_escape_string() stuff (you don't even have the required connection for that to work).
    additionally your query will fail (or turn out differently) since you only provide one parameter instead of the required 3.
    and why you revert to using mysql_query() (bottom half of the code) I don't understand at all.

    Quote Originally Posted by saxchick1 View Post
    Also, I read that prepared statements shouldn't be used.
    IMO, a completely insane statement. I wonder where you've read that.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer
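The guestbook insert and listing written the way post #2 recommends, as an added example that is not code from this thread: mysqli prepared statements only, every placeholder bound, no mysql_* escaping mixed in, and HTML escaping applied at output time. The credentials and the table layout guestbook(comment_id, name, comment, datetime) are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes placeholder credentials and
// a table guestbook(comment_id INT AUTO_INCREMENT, name, comment, datetime).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');

// Stores the raw text. No mysql_real_escape_string() and no htmlentities() here:
// bound values never become part of the SQL text, and anything escaped now
// would be written into the table verbatim (backslashes and all).
function addEntry(mysqli $db, string $name, string $comment): bool
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, comment, datetime) VALUES (?, ?, ?)'
    );
    // Three placeholders, so three type characters and three variables.
    $now = date('M-d-Y h:i:s A');
    $stmt->bind_param('sss', $name, $comment, $now);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

// Returns all entries as arrays of raw (unescaped) strings.
function listEntries(mysqli $db): array
{
    $stmt = $db->prepare('SELECT comment_id, name, comment, datetime FROM guestbook');
    $stmt->execute();
    $stmt->bind_result($id, $name, $comment, $datetime);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $name, 'comment' => $comment, 'datetime' => $datetime];
    }
    $stmt->close();
    return $rows;
}

// XSS is dealt with on the way out: escape once, for the HTML context.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = trim($_POST['name'] ?? '');
    $comment = trim($_POST['comment'] ?? '');
    if ($name !== '' && $comment !== '') {
        addEntry($db, $name, $comment);
    }
}
foreach (listEntries($db) as $row) {
    echo '<p><b>' . h($row['name']) . '</b> (' . h($row['datetime']) . '): ' . nl2br(h($row['comment'])) . '</p>';
}
```

The captcha check from the original script is left out so the example stays focused on the parameter binding and on where escaping belongs.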

  • #3 XterM (New Coder)
    Use htmlentities before inserting it. It will prevent XSS, HTML and SQL injection.
    PHP Code:
    $sql="INSERT INTO $tbl_name (name, comment, datetime) VALUES ('".htmlentities($name,ENT_QUOTES)."', '".htmlentities($comment,ENT_QUOTES)."', '$datetime')";
    To prevent spamming, you can use a captcha.

  • #4 Inigoesdr (Super Moderator)
    Quote Originally Posted by XterM View Post
    Use htmlentities before inserting it. It will prevent XSS, HTML and SQL injection.
    htmlentities() is not for preventing SQL injections. Example. Use strip_tags() to remove HTML if you aren't expecting HTML for input, and always pass your user input through mysql_real_escape_string().

  • #5 saxchick1 (New Coder)
    Quote Originally Posted by Inigoesdr View Post
    htmlentities() is not for preventing SQL injections. Example. Use strip_tags() to remove HTML if you aren't expecting HTML for input, and always pass your user input through mysql_real_escape_string().
    Let me see if I understand this now.

    PHP Code:
    <!--
    Author: Reality Software
    Website: http://www.realitysoftware.ca
    Note: This is a free template released under the Creative Commons Attribution 3.0 license, 
    which means you can use it in any way you want provided you keep the link to the author intact.
    -->
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
    <link href="style.css" rel="stylesheet" type="text/css" /></head>
    <body>


        <!-- header -->
        <div id="header">
            <div id="logo"><a href="index.html">Header</a></div>
            <ul id="menu">
                <ul>
                <li><a href="index.html">Home</a></li>
                <li><a href="">Link 1</a></li>
                <li><a href="">Link 2</a></li>
                <li><a href="">Link 3</a></li>
                <li><a href="">Contact</a></li>
            <li><a href="guestbook.php">Guestbook</a></li>
                      </ul>
    <div id="icon"><a href="twitter.com/">
    <img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
    </a></div>

       
      </div>
        <!--end header -->
        <!-- main -->
        <div id="main">
        <div id="content">  
     
     
     <div id="text">
                    <h1><strong>Guestbook</strong></h1>
    </div>

    <?php
    $db = new mysqli('host', 'user', 'password', 'db_name');
    $tbl_name = "guestbook"; // Table name

    $name = $_POST['name'];
    $name = strip_tags($name);
    $comment = $_POST['comment'];
    $comment = strip_tags($comment);


    $datetime = date("M-d-Y h:i:s A"); //date time
    $verif_box = $_POST['verif_box'];
    $verif_box = strip_tags($verif_box);

    if (md5($verif_box).'a4xn' != $_COOKIE['tntcon']) { ?>
    <table width="400" border="0" align="center">   
    <tr><td align="center"><h4>You have not entered captcha or entered incorrect captcha!</h4></td></tr>     
    </table> 
           
    </div> 
         <!-- footer -->
        <div id="footer">
        <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
        <div id="right_footer">

    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

        </div>
        </div>
        <!-- end footer -->
        </div>          
        <!-- end main -->
        
    </body>
    </html>
    <?
    exit; }

    if (empty($name) || empty($comment)) { ?>
      <table width="400" border="0" align="center">   
      <tr><td align="center"><h3>Sorry, all fields are required!</h3></td></tr>     
      </table>   
    <?     
    } else { 
    $stmt = $db->prepare("insert into $tbl_name values (?, ?, ?, ?)");
    $stmt->bind_param("isss", $comm_id, $name, $comment, $datetime);
    // "isss" means that the 4 parameters are an integer, a string, a string and a string.
    $stmt->execute();
    //check if query successful  
    if($stmt->affected_rows) { ?> 
    <table width="400" border="0" align="center">   
    <tr><td align="center"><h3>Thank you for signing my guestbook!</h3></td></tr>     
    </table>   
    <meta http-equiv='Refresh' content='1; URL=viewguestbook.php'> 
    <? 
    } else {  
    echo "ERROR";
    }  

    $stmt->close();

    ?>
    </div> 

         <!-- footer -->
        <div id="footer">
        <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
        <div id="right_footer">

    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

        </div>
        </div>
        <!-- end footer -->
        </div>          
        <!-- end main -->

    </body>
    </html>
    PHP Code:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <!--
    Author: Reality Software
    Website: http://www.realitysoftware.ca
    Note: This is a free template released under the Creative Commons Attribution 3.0 license, 
    which means you can use it in any way you want provided you keep the link to the author intact.
    -->
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title></title>
    <link href="style.css" rel="stylesheet" type="text/css" /></head>
    <body>


        <!-- header -->
        <div id="header">
            <div id="logo"><a href="index.html">Header</a></div>
            <ul id="menu">
                <ul>
                <li><a href="index.html">Home</a></li>
                <li><a href="">Link 1</a></li>
                <li><a href="">Link 2</a></li>
                <li><a href="">Link 3</a></li>
                <li><a href="contact.php">Contact</a></li>
            <li><a href="guestbook.php">Guestbook</a></li>
                
                      </ul>
    <div><a href="twitter.com/">
    <img border="0" src="http://www.***************/forum/images/twitter.png" alt="twitter" width="58px;" height="53px;" />
    </a></div>

      
      </div>
        <!--end header -->
        <!-- main -->
        <div id="main">
        <div id="content">

       
     <div id="text">
                    <h1><strong>Guestbook</strong></h1>

    <table width="400" border="0" align="center" cellpadding="3" cellspacing="0" bgcolor="#000000" >
    <tr>
    <td><strong>View Guestbook | <a href="guestbook.php">Sign Guestbook</a> </strong></td>
    </tr>
    </table>
    <br>

    <?php
    $db = new mysqli('host', 'user', 'password', 'db_name');
    $tbl_name = "guestbook"; // Table name

    $stmt = $db->prepare("select * from $tbl_name");
    $stmt->bind_result($comm_id, $name, $comment, $datetime);

    mysql_real_escape_string($name);
    mysql_real_escape_string($comment);
    mysql_real_escape_string($verif_box);
    $stmt->execute();
    $stmt->store_result();
    while ($stmt->fetch()) {
    ?>
    <table width="400" border="0" align="center" cellpadding="0" cellspacing="1" >
    <tr>
    <td><table width="400" border="0" cellpadding="3" cellspacing="1">
    <tr>
    <td>ID</td>
    <td>:</td>
    <td><? echo $comm_id?></td>
    </tr>
    <tr>
    <td width="117">Name</td>
    <td width="14">:</td>
    <td width="357"><? echo $name?></td>
    </tr>
    <tr>
    <td valign="top">Comment</td>
    <td valign="top">:</td>
    <td><? echo nl2br($comment); ?></td>
    </tr>
    <tr>
    <td valign="top">Date/Time </td>
    <td valign="top">:</td>
    <td><? echo $datetime?></td>
    </tr>
    </table></td>
    </tr>
    </table>
    <BR>
    <?
    }
    $stmt->close(); //close database
    ?>

    </div>

    </div>
               
         <!-- footer -->
        <div id="footer">
        <div id="left_footer">&copy; Copyright 2011<strong> Author </strong></div>
        <div id="right_footer">

    <!-- Please do not change or delete this link. Read the license! Thanks. :-) -->
    Design by <a href="http://www.realitysoftware.ca" title="Website Design">Reality Software</a>

        </div>
        </div>
        <!-- end footer -->
    </div>
        <!-- end main -->

    </body>
    </html>

  • #6 Dormilich (Senior Coder)
    Quote Originally Posted by Inigoesdr View Post
    and always pass your user input through mysql_real_escape_string().
    not necessary in case of Prepared Statements.

  • #7 Inigoesdr (Super Moderator)
    Quote Originally Posted by Dormilich View Post
    not necessary in case of Prepared Statements.
    Yeah, I was referring to the query example I was replying to which doesn't use a prepared statement.

