PHPBuilder.com  
10-13-2003, 03:12 AM   #1
AliceH
Member
Join Date: Oct 2003
Posts: 59
Security - User Input and Cross Site Scripting (XSS)

For the past week I've been reading up on security concerning php.
After reading paper after paper, tutorial after tutorial, I feel more lost than ever.
I can't seem to get my head around securing my php code!

So here I am, hopefully you guys can help me out
(I have searched the forum, but I still do not have a clear understanding)


1) Securing User Input

addslashes, stripslashes, strip_tags, htmlspecialchars, trim...

I understand all these functions (thanks to php.net) although I'm not sure how exactly I should use them (thanks to magic quotes). Do I do something like this?:

a. check if magic quotes are on, if not then addslashes to post, get, cookies
b. Then before data is printed to the screen, remove the slashes
(kinda what phpbb2 does)

Or do I do this:

a. check if magic quotes are on, if IT IS then stripslashes from post, get, cookies
b. addslashes to every user-inputted variable in a QUERY
(kinda what vbulletin does)

How about htmlspecialchars? When should I use them?

Couldn't I just use a database abstraction layer, and then addslashes(htmlspecialchars($var)) in the mysql_query (so that I only need to do it once)?

I feel so lost


2) Preventing XSS Attacks

How? I created an XSS Clean Function, but I don't know where to use it

PHP Code:
function clean_xss($input)
{
    // The entity targets below are reconstructed; the forum rendered them as
    // literal characters. Escape & first so the entities added afterwards are
    // not double-encoded, and # before ( and ) so the &#40; / &#41; entities
    // themselves are not mangled.
    $input = str_replace('&', '&amp;', $input);
    $input = preg_replace('/javascript/i', 'java script', $input);
    $input = str_replace('#', '&#35;', $input);
    $input = str_replace('"', '&quot;', $input);
    $input = str_replace('(', '&#40;', $input);
    $input = str_replace(')', '&#41;', $input);
    $input = str_replace('<', '&lt;', $input);
    $input = str_replace('>', '&gt;', $input);

    return $input;
}


3) $GLOBALS

Okay last question, in many scripts I see the variable '$GLOBALS'.
Is that a predefined variable containing all the global variables?

So could I do something like this:

PHP Code:
// StripSlashesArray() is assumed here to be a user-defined helper that
// recursively calls stripslashes() on every element; it is not shown in the post.
if (get_magic_quotes_gpc())
{
    StripSlashesArray($GLOBALS);
}

10-13-2003, 04:02 AM   #2
laserlight
PHP Witch
Join Date: Apr 2003
Location: Singapore
Posts: 13,055
1. If magic_quotes_gpc is on, that means that incoming get, post and cookie data are automatically escaped.
This is a Good Thing.
If they are not automatically escaped (i.e. magic_quotes_gpc is not on), then you need to escape them, usually using addslashes().
If a string has been escaped, then if you want to display it to the user, you need to use stripslashes() on it first.

You would use htmlspecialchars() in order to prevent malicious code injection.
You can use it before storage, though that means your storage used increases.
You could also use it after storage, before output to the user.

Of course you could integrate these functions into a database abstraction layer, or in my case I created a module to simplify matters.

2. Your cross site scripting function is actually about the same as htmlspecialchars(), though some things are added and others removed.
I suggest reading up on htmlspecialchars(), and perhaps redefining your XSS clean function.

To answer your question, you would use that function where you might use htmlspecialchars().

3. Read the PHP Manual on $GLOBALS.
I would recommend using $_POST, $_GET, $_COOKIE arrays instead, if you know where the data should come from.
__________________
Use Bazaar for your version control system
Read the PHP Spellbook
Learn How To Ask Questions The Smart Way

10-13-2003, 04:21 AM   #3
AliceH
Member
Join Date: Oct 2003
Posts: 59
Thanks for the fast reply!

Okay so would this pretty much take care of things?:

check if magic quotes are on, if not then add slashes to post, get, cookie
(it is now safe to query any user input right?)

and then echo all data like this:

echo htmlspecialchars(trim(stripslashes($var)));

10-13-2003, 04:23 AM   #4
laserlight
PHP Witch
Join Date: Apr 2003
Location: Singapore
Posts: 13,055
In my case I wrote 2 functions to handle i/o (more than 2 actually, but the others are specialised):

PHP Code:
//for storage to database
function prepIn($input) {
    $input = trim($input);
    if (!get_magic_quotes_gpc()) {
        return addslashes($input);
    }
    return $input;
}

//for o/p to html page, textbox or textarea
function prepOut($output) {
    $output = stripslashes($output);
    return htmlspecialchars($output);
}
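An added example (not laserlight's or the thread's code) of the same separation of duties in PHP: undo magic_quotes once at the top, keep SQL escaping out of the data by using PDO placeholders instead of addslashes(), and escape for HTML only at output. It assumes PDO with the sqlite driver, a hypothetical comments table and PHP 5.1 or later; the magic-quotes guard is a no-op from PHP 5.4 on, where the feature was removed.

```php
<?php
// Added example, not code from the thread. Assumes PDO + pdo_sqlite and a
// hypothetical table comments(body TEXT). get_magic_quotes_gpc() returns
// false from PHP 5.4 and no longer exists in PHP 8, hence the guard.

/** Recursively remove the slashes magic_quotes_gpc added, so every code
 *  path sees the raw bytes the user actually typed. */
function undoMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

/** Store the raw text. The placeholder keeps data and SQL apart, so no
 *  addslashes() is needed and no backslashes end up in the database. */
function storeComment(PDO $db, $body)
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => trim($body)));
}

/** Escape for HTML at the moment of output only. ENT_QUOTES also covers
 *  the single quote, which matters inside an attribute value. */
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request so the script runs locally without a form.
$_POST['body'] = isset($_POST['body']) ? $_POST['body'] : "O'Reilly said: <b>hi</b>";

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (body TEXT)');
storeComment($db, $_POST['body']);

foreach ($db->query('SELECT body FROM comments') as $row) {
    // The quote and the <b> tag are rendered as text, not interpreted as markup.
    echo '<p>', h($row['body']), "</p>\n";
}
```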
10-13-2003, 05:15 AM   #5
AliceH
Member
Join Date: Oct 2003
Posts: 59
Thanks again laserlight


So does this pretty much take care of xss attacks?

01-15-2006, 11:37 AM   #6
Tea_J
Noob 4ever!
Join Date: Jul 2003
Posts: 325
Quote:
Thanks again laserlight
yep.. laserlight is one of the most helpful people around here!!!

anyway just wanted to give a tip on your clean xss function if you decide to pursue that, or something similar...

you can actually use ARRAYS in your str_replace functions...

eg:

PHP Code:
$myString = "one, two, three";
$targets[0] = "one";
$targets[1] = "two";
$targets[2] = "three";

$replacements[0] = "UNO";
$replacements[1] = "DOS";
$replacements[2] = "TRES";

// str_replace walks both arrays in parallel: one -> UNO, two -> DOS, three -> TRES
$newString = str_replace($targets, $replacements, $myString);
echo $newString; // prints "UNO, DOS, TRES"
this would be easier to handle and faster for php to process... no need to keep calling the str_replace function.
__________________
--------------------------
PHP - Phrantic Hyper Puh
(couldnt think of a good sig right now..s orry)