Secure query against xss

Question

RobotFX 0 Junior Poster in Training

13 Years Ago

Hi
I'll get straight to the point. I'm using this code

$sex = @$_GET['v'] ;
  $sex= trim($sex); //trim whitespace from the stored variable
$sex = htmlentities($sex);

  $age= @$_GET['age'] ;
  $age = trim($age); //trim whitespace from the stored variable
$age = htmlentities($age);

... to get the age and sex credentials from the url address (example.com/page.php?age=22&sex=Female)
and this:

$query = "SELECT * FROM personas WHERE sex LIKE \"%$sex%\" AND age LIKE \"%$age%\" order by id DESC";

... to interogate the database and get the results displayed on page. It is working fine, but I know it is not secure, so my questions are:
- How to make it safer?
- How to make it do nothing if values don't exist in database - for example if there's nobody age 22, do nothing, or popup a message.
- How to make it check if age doesn't contain other characters beside numbers, and again, if it does, do nothing or display a message.
- Same as above, but to check sex for letters and popup the message if anything else is used as sex.
Thanks for your help!

php

5 Contributors
12 Replies
250 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by Sorcher

pritaeas 2,194 ¯\_(ツ)_/¯

13 Years Ago

Personally, I would use is_numeric() on the age as an extra check, as well as checking an upper and lower boundary (say 0-110). For sex I would explicitly check for your allowed values, or maybe default to one of them if the data is incorrect.

Edited 13 Years Ago by pritaeas because: n/a

Stefano Mtangoo 455 Senior Poster

13 Years Ago

Sorry, I must gave the impression I'm an expert :)
Would you kindly write the code that will do the trick? I don't know much about php and mysql :(
Thank you!

to secure a web app from XSS, validate input against whitelist and discard anything not in white list. Also escape output in case something was missed and got through your line of defense!
implementation differs and that is programming!

Stefano Mtangoo 455 Senior Poster

13 Years Ago

If using DBs, the standard cleaner is mysql_real_escape_string().

Moving to MySQLi or PDO and do parametric queries is the recommended way !

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

RobotFX 0 Junior Poster in Training · Answer 1 · 2011-11-09T21:36:24+00:00

Sorry, I must gave the impression I'm an expert :)
Would you kindly write the code that will do the trick? I don't know much about php and mysql :(
Thank you!

diafol · Answer 2 · 2011-11-09T23:54:20+00:00

is_numeric() or maybe is_int() for integers. Each data item should be validated against the expected data type and constraints. You can check for complicated patterns with preg_match().

If using DBs, the standard cleaner is mysql_real_escape_string().
You can convert html to plain text (showing tags) with htmlentities.
Also you can use strip_tags() to remove all tags other than ones you wish to allow.

e.g.

$tagless = striptags($input,'<p><b><strong>');

This will allow only paragraph, and bold/strong tags to remain in $tagless - uselful for stripping <script> tags.

diafol · Answer 3 · 2011-11-10T00:43:39+00:00

Agree Ev - I prefer PDO via binding parameters. But coders starting out usually begin with vanilla mysql.

Stefano Mtangoo 455 Senior Poster · Answer 4 · 2011-11-10T00:50:13+00:00

Agree Ev - I prefer PDO via binding parameters. But coders starting out usually begin with vanilla mysql.

Which I always don't like as it becomes their behaviour :)

diafol · Answer 5 · 2011-11-10T04:10:47+00:00

Well you could argue that, but PDO, as its OOP, can be a little difficult to grasp - especially if your trying to get to grips with basic SQL. However, I would recommend moving to PDO asap.

Stefano Mtangoo 455 Senior Poster · Answer 6 · 2011-11-10T12:19:28+00:00

Well you could argue that, but PDO, as its OOP, can be a little difficult to grasp - especially if your trying to get to grips with basic SQL. However, I would recommend moving to PDO asap.

Yeah, PDO is OOP and OOP is not that hard ;)
If they find it hard, MySQLi have non OOP way also of doing param queries

diafol · Answer 7 · 2011-11-11T05:46:32+00:00

Yep MySQLi has procedural way - but I'm a PDO convert now that I've got my head into OOP. And don't say OOP isn't hard! It took me 5 years to knock on the door! :)

Stefano Mtangoo 455 Senior Poster · Answer 8 · 2011-11-11T11:23:51+00:00

And don't say OOP isn't hard! It took me 5 years to knock on the door! :)

:)

Sorcher 6 Junior Poster · Answer 9 · 2011-11-11T12:29:58+00:00

Thanks evstevemd and Ardav, this was helpful content! :)