Member Avatar for El Duke

Hello folks,


In short, this code is vulnerable:

<div class="search">
        <form action="/search" method="get" name="header_search">
            <label>{l t='Search Business'} <input name="searchtext" type="text" id="searchtext" placeholder="{l t='e.g.Marriott'}" /></label>
            <label>{l t='City'} <input name="cityname" type="text" id="Hsearchcity" autocomplete="off" placeholder="{l t='All Cities'}" class="commentColor cityname"/>
            </label>
             
            <a onclick="header_search.submit()" href="javascript:void(0)">{l t='Search'}</a>
        </form>
    </div>

I have been trying to implement unhtmlentities(), or htmlspecialchars() functions with no success, how can it be done please ??

  • 3 Contributors
  • 21 Replies
  • 241 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by Stefano Mtangoo
Member Avatar for Stefano Mtangoo

I have been trying to implement unhtmlentities(), or htmlspecialchars() functions with no success, how can it be done please ??

What is the definition of with no success? You need to be explicit here!

Member Avatar for El Duke

It is either I Implemented it in the wrong way, OR, it gave no results.

My implementation was lacking the variable that takes the searchtext, or is it the $searchtext itself ??

Member Avatar for El Duke

Or to be precise, how to implement the mentioned functions in my code ?

Member Avatar for El Duke

Prevent XSS, in other words, Sanitize Tags ( <, >, ", etc...)

Member Avatar for El Duke

I read that before, but how to use it in the context of my code ? what's the variable that will be sanitized ?

Member Avatar for diafol

You don't show your data handling code, only the input form. The sanitizing occurs with the validating of the $_GET vars.

Member Avatar for El Duke

Thanks ardav, things have become easier now, yet, here is my code:

if($_POST['type']=='biz')
{
					
	$keyword = $_POST['biz'];
	//NEWLY ADDED
	$keyword= filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_LOW);
	$keyword= filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_HIGH);
	$keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_HIGH);
	$keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW);
	//ADD END
	$keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
	if($keyword=="")
	$query="select * from `business` order by business_id DESC LIMIT 0,20";
	else
	$query="select * from `business` where business_name like '%".$keyword."%' ORDER BY business_name asc limit 0,20";
	
	$rc=mysql_query($query);
	$i=0;
	while($row = mysql_fetch_array($rc))
	{
		$array[$row['business_id']]=$row;
	}
	if(!$array) exit;
	
	
		$str="<ul>";
		foreach($array as $business_id => $row)
		{
			$showName=preg_replace("/(".$keyword.")/i","<abbr>$1</abbr>",$row['business_name']);
			
			$str.="<li onClick=\"fillBiz('".$business_id."','".addslashes($row['business_name'])."','".addslashes($row['permalink'])."')\">".$showName."</li>";
		}
		$str.= "</ul>";
		
	echo $str;
}

Am I close ?

Member Avatar for Stefano Mtangoo

Don't sanitize verything. If the field is EMAIL sanitize it as EMAIL filter.
You have to know the type expected!
For your case $keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW); seems to be the right. If you put into my sql don't forget to escape it using mysql_real_escape_string()

Member Avatar for El Duke

Thanks,
I don't expect the user to enter anything but names and numbers, so I guess no harm with filtering.

But that doesn't seem to work anyway, I still get XSS upon entering a script in the keyword field, tried str_replace() as well, and it doesn't work, this is confusing!

Member Avatar for Stefano Mtangoo

Thanks,
I don't expect the user to enter anything but names and numbers, so I guess no harm with filtering.

But that doesn't seem to work anyway, I still get XSS upon entering a script in the keyword field, tried str_replace() as well, and it doesn't work, this is confusing!

What is your current code and how do you test it?

Member Avatar for El Duke

I test it by inserting the following in the search field / or url:

"><script>alert(document.cookie);</script>"

and I receive the pop-up showing the cookie info.


I tried working on mod_security level but didn't work as well ( didn't validate the input)

Edited by El Duke because: n/a
Member Avatar for diafol

OK I see, it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off html (script) - should be none of that in your input fields right?

You don't need to html_decode_entity() to output as no html should be included.


I use mysql_real_escape_string() to stop SQL injection and htmlentities to avoid xss.

Edited by diafol because: n/a
Member Avatar for El Duke

OK I see, it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off html (script) - should be none of that in your input fields right?

You don't need to html_decode_entity() to output as no html should be included.


I use mysql_real_escape_string() to stop SQL injection and htmlentities to avoid xss.

Tried htmlentities() on every possible input, nothing but the bloody pop-up after testing.

Nothing is working, this is frustrating !!

Member Avatar for diafol 
$input = mysql_real_escape_string(htmlentities($var));

Doesn't work?

Member Avatar for El Duke

Here is the combination:

$keyword = $_POST['biz'];
	$keyword = mysql_real_escape_string(htmlentities($keyword)); //this

or

$keyword = $_POST['biz'];
	$keyword = htmlentities($keyword, ENT_QUOTES); //this

Doesn't do anything.

Edited by El Duke because: n/a
Member Avatar for diafol

htmlentities() works for me.

Member Avatar for Stefano Mtangoo

htmlentities() works for me.

may be his tests are flawed

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.