Vulnerables in $_POST

01-10-2008, 01:38 PM
Hi guys,
I did a scan of my site with "Acunetix Web Vulnerability Scanner"
and I found 4 vulnerabilities in my registration page, all of them about $_POST.
I have a function "escapestring" that validates $_POST before it continues (escapestring($_POST)):

function EscapeString($text){
    $text = htmlentities($text, ENT_NOQUOTES, "UTF-8");
    $text = mysql_real_escape_string($text);
    return $text;
}

But it seems it's not enough, because it returned the 4 vulnerabilities for each $_POST:

The POST variable name has been set to >"><ScRiPt&#37;20%0a%0d>alert(39490.5803280903)%3B</ScRiPt>.

The POST variable name has been set to "+onmouseover=alert(39672.5858216319)+.

The POST variable name has been set to %00"'><ScRiPt%20%0a%0d>alert(39676.5858217477)%3B</ScRiPt>.

The POST variable name has been set to %00'"><ScRiPt%20%0a%0d>alert(39675.5858217477)%3B</ScRiPt>.

How can I write a safe function to prevent those attacks??

01-10-2008, 05:24 PM
Use strip_tags() to remove tags inside any string.

01-10-2008, 05:29 PM
Sorry for being noobish, but how is


an attack?

01-10-2008, 05:33 PM
If your PHP script just spits back what is entered on a form, and what is entered is Javascript that redirects your page, creates 100 popups, completely rewrites your page, adds a marquee, for god's sake -- you don't call that an attack?

So yeah any <script> tags need to be denied for sure.

01-10-2008, 05:43 PM
easy now :) I've only been at this game for 7 months

01-10-2008, 09:35 PM
What is each field supposed to contain? Validate that the content of the field makes sense for what the field is supposed to be. For example, someone's name can contain letters, spaces, hyphens, single quotes etc. but can't contain numbers or less-than or greater-than signs. Applying appropriate validation to each field passed, against what sort of content is valid for that field, is not only more secure than simply using a couple of standard functions to make sure that what is entered as content is treated as content and can't update the code, but it also avoids your storing data for a person named >"><ScRiPt&#37;20%0a%0d>alert(39490.5803280903)%3B</ScRiPt>, and allows you to tell the person that they entered the wrong value, as you need their name and not a string of garbage.

01-10-2008, 10:55 PM
I think that's true. The whole site is validated with the escapeString function, and there was no problem until I tried to use it. All pages now have errors and some texts can't be displayed although they have no special characters, just letters and numbers.
Will htmlspecialchars() do the job?
Any other help?

01-11-2008, 10:50 AM
htmlspecialchars() is good for preserving html code in the database.

01-11-2008, 07:01 PM
I did a scan for my site with "Acunetix Web Vulnerability Scanner"

Don't use a tool like that.

Use common sense, read through security tutorials and know what openings are possible in PHP. Tools like that make your programming mind lazy.

01-11-2008, 07:16 PM
I'm wondering why not??
Of course, before you start programming something you must read security tutorials, and you will cover most of it while you program, but you will never know all the possible security holes to cover.
So I don't mind using it just to make sure everything is OK, especially since I'm new in PHP.

When I used htmlspecialchars it did what strip_tags() did!!
Any other help?

01-11-2008, 09:13 PM
Here is my new function, but the hack code can still pass it (see the attachment):

function EscapeString($text){
    $text = strip_tags($text);
    $text = htmlentities($text, ENT_NOQUOTES, "UTF-8");
    $text = mysql_real_escape_string($text);
    $text = htmlspecialchars($text);
    return $text;
}

What can I do? Any idea will be appreciated.
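The per-field validation approach suggested earlier in the thread, with SQL and HTML escaping each moved to the place where it belongs, as an added example that is not code from any poster here. It assumes a PDO connection `$db` for storeName(); the constructed test inputs are the scanner's probes quoted above, with %00 written as a literal NUL byte.

```php
<?php
// Added example, not from the thread. Validate a name field for what it may
// contain, store the raw value with a prepared statement, escape at output.

// Accept letters in any script, spaces, hyphens and apostrophes, 1-60 chars.
function validateName(string $raw): ?string {
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    // \p{L} = any Unicode letter; 'u' makes the class UTF-8 aware and makes
    // preg_match() fail on invalid byte sequences. The NUL byte, quotes and
    // angle brackets in the probes simply fall outside the allowed class.
    if (preg_match('/^[\p{L} \'\-]+\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

// HTML escaping happens only when rendering into a page, never before
// storage. ENT_QUOTES covers both " and ', so the value is also safe inside
// a quoted attribute (the onmouseover probe relies on an unescaped ").
function renderName(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Storage: a bound parameter keeps user data out of the SQL text entirely,
// so nothing needs mysql_real_escape_string() and nothing is stored mangled.
// $db is an assumed, already-opened PDO connection.
function storeName(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed inputs: one real name plus the scanner probes from the thread.
$inputs = [
    "O'Brien-Smith",
    '>"><ScRiPt%20%0a%0d>alert(39490.5803280903)%3B</ScRiPt>',
    '"+onmouseover=alert(39672.5858216319)+',
    "\0\"'><ScRiPt%20%0a%0d>alert(39676.5858217477)%3B</ScRiPt>",
];
foreach ($inputs as $raw) {
    $name = validateName($raw);
    // Even the error message echoes the input only through renderName().
    echo ($name === null ? 'rejected: ' : 'accepted: ') . renderName($raw) . "\n";
}
```

Only "O'Brien-Smith" is accepted; each probe is rejected by the character class before it reaches the database, and what is echoed back is entity-encoded either way.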