Prevent code injection in PHP
Security is important, really important.
Here is a small script that checks every value sent by POST for injected code (HTML tags, JavaScript, PHP tags and the like) and aborts the request if any is found.
Simple but effective. Keep in mind that it is a blacklist: it only rejects what its patterns recognise, so treat it as a first line of defense and not as a replacement for escaping values before you echo them back into a page.
function hackerDefense()
{
    // begin hacker defense - Thanks Kreuznacher | wurdzwurk
    // The ereg*/eregi functions were deprecated in PHP 5.3 and removed in
    // PHP 7, so the patterns are written as case-insensitive PCRE for
    // preg_match(). Each one means: a "<", then anything but ">", then the
    // keyword, then anything up to a closing ">".
    $keywords = array(
        'script', 'object', 'iframe', 'applet', 'window', 'document',
        'cookie', 'meta', 'style', 'alert', 'form', 'php',
        '\?',   // the "<?" PHP open tag; the original left the ? unescaped,
                // which only made the preceding "<" optional
        'img',
    );
    foreach ($_POST as $secvalue) {
        foreach ($keywords as $keyword) {
            if (preg_match('/<[^>]*' . $keyword . '.*"?[^>]*>/i', $secvalue)) {
                die("There was a problem with your post. Please do not include code.");
            }
        }
    }
    // end hacker defense
}
Hacker defense – Thanks Kreuznacher | wurdzwurk
To use it, call the function at the beginning of your script, before any $_POST value is read.
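As an added example that is not part of the original post: the same blacklist written as a function that returns the matching keyword instead of calling die(), run over a handful of constructed POST values. It shows what the patterns catch, one harmless value they reject, and two tag payloads they let through. The function name looksLikeInjectedCode() and the sample values are this example's own.

```php
<?php
// Added example, not code from the original post: the blog's blacklist
// check as a pure function plus a driver over constructed POST values.
// looksLikeInjectedCode() and $samples are this example's own names.

/**
 * Return the first blacklisted keyword found in $value, or null if none.
 * Same keywords and pattern shape as hackerDefense(), written as PCRE.
 */
function looksLikeInjectedCode($value)
{
    $keywords = array(
        'script', 'object', 'iframe', 'applet', 'window', 'document',
        'cookie', 'meta', 'style', 'alert', 'form', 'php', '\?', 'img',
    );
    foreach ($keywords as $keyword) {
        // "<", anything but ">", the keyword, anything, then a closing ">"
        if (preg_match('/<[^>]*' . $keyword . '.*"?[^>]*>/i', $value)) {
            return $keyword;
        }
    }
    return null;
}

// Constructed sample values => keyword the filter is expected to report.
$samples = array(
    'Hello, world'                          => null,
    'Contact: Bob <bob@example.com>'        => null,     // harmless, allowed
    '<script>alert(1)</script>'              => 'script',
    '<IMG SRC=x onerror=alert(1)>'           => 'alert',  // "alert" is tested before "img"
    '<a href="javascript:prompt(1)">x</a>'   => 'script', // "javascript" contains "script"
    '<?php system($_GET["c"]); ?>'           => 'php',
    'I like the <style> of this site'        => 'style',  // false positive: rejected
    '<input onfocus=prompt(1) autofocus>'    => null,     // missed: no keyword in the list
    '<svg onload=prompt(1)>'                 => null,     // missed
);

$allAsExpected = true;
foreach ($samples as $value => $expected) {
    $hit = looksLikeInjectedCode($value);
    printf("%-40s => %s\n", $value, $hit === null ? 'allowed' : "rejected ($hit)");
    if ($hit !== $expected) {
        $allAsExpected = false;
    }
}
echo $allAsExpected ? "all samples behaved as expected\n" : "unexpected result above\n";
```

To wire this into hackerDefense(), call die() whenever the return value is not null. The last two samples show the limit of the approach: any tag or attribute name that is not in the list walks straight through, and the <style> sample shows that ordinary text containing one of the words is rejected. That is why the comments below lean towards strip_tags() or escaping with htmlspecialchars() instead of pattern matching.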
You’ll probably be better off using the strip_tags function to remove any HTML tags. There’s also htmlspecialchars and htmlentities to convert special characters to entities. Something like the below code will remove tags from input:
$_POST = array_map('strip_tags', $_POST);
$_GET = array_map('strip_tags', $_GET);
Note that strip_tags also accepts a white list of allowed tags. Alternatively, the below will cause special characters to be displayed as text and not rendered by the browser:
$_POST = array_map('htmlentities', $_POST);
$_GET = array_map('htmlentities', $_GET);
Also, the ereg* functions have been deprecated in favor of preg* functions for regular expressions.
http://www.php.net/manual/function.strip-tags.php
http://www.php.net/manual/function.htmlspecialchars.php
http://www.php.net/manual/function.htmlentities.php
http://www.php.net/manual/function.array-map.php
I hope you find this useful. :)
Hi Steve,
Thanks for the info, it is really useful. Your proposal is really good, but in my case, for example, I want to allow CSS style. With the code I propose that is possible, since you can just comment out the line and then it would be allowed.
Thanks again for the info ;)
You can also do something like this to provide a white list of allowed tags. In this example, it allows p, em, and strong tags. Any CSS can be applied to these tags as well.
$clean = array_map('clean_input', $_POST);
function clean_input($value)
{
    // allowed tags: p, em and strong (the tag list as posted was stripped by the comment system)
    return strip_tags($value, '<p><em><strong>');
}
Keep in mind that allowing some tags will also allow JavaScript injection, so it might be best to use BBCode type tags instead of allowing any HTML.
Sorry, the code above got messed up. Here it is again:
$clean = array_map('clean_input', $_POST);
function clean_input($value)
{
    return strip_tags($value, '<p><em><strong>');
}
Yes, I think you are right and BBCode is better.
Thanks for sharing, and if you have an example of BBCode it is welcome.
Here’s a tutorial I wrote about creating a BBCode parser function:
http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/
You also might be interested in this PECL extension, which seems to allow more advanced parsing:
http://www.php.net/manual/book.bbcode.php
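As an added example that is not part of the original post or of the linked tutorial: Steve's strip_tags() whitelist from the comments above, a value that survives it, and a minimal BBCode-to-HTML converter of the kind the last two comments suggest. The converter escapes the whole input before translating [b], [i] and [url=...], so no user-supplied HTML reaches the browser, and it only links http(s) URLs. cleanInput(), bbcodeToHtml() and the sample posts are this example's own.

```php
<?php
// Added example, not code from the original post or Steve's tutorial:
// the strip_tags() whitelist, a value that passes it, and a small
// escape-first BBCode converter. All names here are this example's own.

// Steve's whitelist with the tag list filled in: p, em and strong.
function cleanInput($value)
{
    return strip_tags($value, '<p><em><strong>');
}

// strip_tags() keeps allowed tags together with their attributes, so an
// event handler on an allowed tag is passed through untouched. The
// <script> element is removed, but the onmouseover on <p> is not.
$attack = '<p onmouseover="prompt(1)">hover me</p><script>alert(1)</script>';
echo cleanInput($attack), "\n";

// BBCode alternative: escape everything, then turn a small fixed set of
// [tags] into markup this code writes itself. Untrusted text only ever
// appears as text content or as a validated, re-escaped href.
function bbcodeToHtml($text)
{
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $html = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $html);
    // [url=...]: decode the escaped URL, accept only http(s), re-escape it.
    // Anything else (javascript:, data:, ...) is dropped and its text kept.
    $html = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#s',
        function ($m) {
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://#i', $href)) {
                return $m[2];
            }
            $safeHref = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $safeHref . '">' . $m[2] . '</a>';
        },
        $html
    );
    return $html;
}

// Constructed sample posts: formatting, a normal link, a javascript: link
// and raw HTML. Only the first two produce any markup; the third keeps
// the word "click" without a link; the fourth is shown as escaped text.
$posts = array(
    'Hello [b]world[/b] and [i]1 < 2[/i]',
    '[url=https://example.com/?a=1&b=2]site[/url]',
    '[url=javascript:alert(1)]click[/url]',
    '<p onmouseover="prompt(1)">hover</p>',
);
foreach ($posts as $post) {
    echo bbcodeToHtml($post), "\n";
}
```

Two notes on the array_map() calls in the comments above. They assume every request value is a string: a field posted as name[] arrives as an array, and strip_tags() on an array fails (a warning and null in PHP 7, a TypeError in PHP 8), so nested values need their own walk. And strip_tags() with a whitelist is a rendering decision, not a sanitiser: as the $attack line shows, the only things that make the whitelist safe are also stripping attributes or, as here, never letting user HTML through at all.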
Really useful Steve! I just bookmarked it! Nice ;)