Web development, scripts, source code and IT stuff
Prevent code injection in PHP
Security it is important, really important.
Here you can find an script that prevents the POST method of receiving code injection, not html, JS …
UPDATED: New code
function clean($var){//request string cleaner if(get_magic_quotes_gpc()) $var=stripslashes($var); //clean $var=mysql_real_escape_string($var); //clean return strip_tags($var, '<b><a>');//returning clean var } function hackerDefense(){//thanks to Allen Sanford // begin hacker defense foreach ($_POST as &$postvalue){ //checking posts $postvalue = clean($postvalue);//cleaning the value } } // end hacker defense
OLD CODE: Don’t use this!!!
Simple but effective.
function hackerDefense(){ // begin hacker defense - Thanks Kreuznacher | wurdzwurk foreach ($_POST as $secvalue) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*php.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*]*>", $secvalue))) { die ("There was a problem with your post. Please do not include code."); } } // end hacker defense }
Hacker defense – Thanks Kreuznacher | wurdzwurk
To use it just call the function at the beginning of your script.
You’ll probably be better off using the strip_tags function to remove any HTML tags. There’s also htmlspecialchars and htmlentities to convert special characters to entities. Something like the below code will remove tags from input:
$_POST = array_map(‘strip_tags’, $_POST);
$_GET = array_map(‘strip_tags’, $_GET);
Note that strip_tags also accepts a white list of allowed tags. Alternatively, the below will cause special characters to be displayed as text and not rendered by the browser:
$_POST = array_map(‘htmlentities’, $_POST);
$_GET = array_map(‘htmlentities’, $_GET);
Also, the ereg* functions have been deprecated in favor of preg* functions for regular expressions.
http://www.php.net/manual/function.strip-tags.php
http://www.php.net/manual/function.htmlspecialchars.php
http://www.php.net/manual/function.htmlentities.php
http://www.php.net/manual/function.array-map.php
I hope you find this useful. :)
Hi Steve,
Thanks for the info it is really usefull, your proposal is really good, but for example in my case I want it to allow css style. With the code that I propose it is possible since you can just comment the line and then it would be allowed.
Another time thanks for the info ;)
You can also do something like this to provide a white list of allowed tags. In this example, it allows p, em, and strong tags. Any CSS can be applied to these tags as well.
$clean = array_map(‘clean_input’, $_POST);
function clean_input($value)
{
return strip_tags($value, ‘‘);
}
Keep in mind that allowing some tags will also allow JavaScript injection, so it might be best to use BBCode type tags instead of allowing any HTML.
Sorry, the code above got messed up. Here it is again:
$clean = array_map('clean_input', $_POST); function clean_input($value) { return strip_tags($value, ''); }yes I think you are right and bbcode is better .
Thanks for your sharing and if you have any example off bbcode is welcome.
Here’s a tutorial I wrote about creating a BBCode parser function:
http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/
You also might be interested in this PECL extension, which seems to allow more advanced parsing:
http://www.php.net/manual/book.bbcode.php
Rally useful Steve! I just bookmark it! nice ;)
Please note that eregi() gets deprecated with PHP 5.3.
I just saw it, I should use this instead, no? http://www.php.net/manual/en/function.preg-match.php
Any one know how we can prevent the HTML code injection which some one is inserting at the end of a page something like this evel(%64%6F……….)lot of chuks .
Please adam check the new code I posted ;)