Preventing malicious input in a PHP page

Posted on 2006-05-06
Last Modified: 2008-02-01
I need some advice/code on how to prevent this script from SQL injection attacks.
I ran Acunetix on it and some like it and got back all sorts of junk in the database.

How can I keep individuals from going to this page and entering in querystrings and poking around?  If Acunetix is picking this up, I know hackers would have a field day on my page LOL

define("XMLRPC_DEBUG", 1);
Header("Content-type: text/html");

//more blah blah blah

if ($resp_key == 'blah') {
} else {
    print "<br> error.";
}
Question by:JuniorBee
    LVL 3

    Expert Comment

    You could limit the size of your fields in your HTML form.  You could escape any malicious characters before passing it off your dynamic query.  I think dbx_escape_string() does the trick.  Your DB extension probably has a function to do the same.

    Author Comment

    I am sorry.  You might as well be speaking in Russian.  


    There are no forms.  The strings are passed from an ASP page:

    like that.

    Then that data is sent via XML-RPC to a remote application.
    When I ran Acunetix on these PHP pages, the remote application received all sorts of garbled data from the scan because it was able to input random strings to pass along to the script.

    What I think I need is a way to only run the scripts and accept the querystring if it came from my website and a particular page.  But from what I have read, hackers can trick the browser into thinking the input came from the right page.

    LVL 5

    Expert Comment

    you can use HTTP_REFERER as an added security ... but that doesn't always work with antivirus and anti-firewalls these days. also it can be faked easily. probably a good idea would be to use cookies which are made in javascript on the asp page and accessed on the php page? but for that you need both scripts on the same domain.

    LVL 5

    Expert Comment

    i am not sure how you are taking input on the asp page. but if it's a form or something similar .. here is what you can do..

    take the input on the asp page .... post the data on the same asp page instead of the PHP page .. and in your ASP page execute an internal call to the php page. i am not sure how it can be done in ASP but in PHP I will do something like this ..

    $phpcontent = implode("" , file('thispage.php?a=newstring&b=89&c=lastone'));

    this way no one knows about your php page and everything works from inside your asp page, so you remove the chances of someone accessing it directly without going through your asp page.

    hope i made some sense there.
    LVL 5

    Expert Comment

    sorry incorrect example.

    $phpcontent = implode("" , file(''));
    LVL 17

    Accepted Solution

    That seems a reasonable approach.  However, it doesn't secure the script.

    If you search around here, I've been in on a few discussions of securing input from forms.  My last one (I think) was in this topic:

    That's a good read.  If you search around for 'php form' or 'php form secure' or something like that, you'll see more.

    A quicker topic was:

    They're all good reads.

    Security on 'GET' variables is the same as securing 'POST' variables.  Know ALL the data fields possible, and FILTER each field by the known data that should be in it.  That's the starting point.

    For instance, let's say field "number" should be a >number<.  Well, force it to be one.
    $number = $_GET['number'];
    $number = intval($number); // or other conversion if not integer, but say floating point.

    Same goes for inputs that are choose-from-a-list (if you know the list, you can ensure the text is one of the answers).  Though, I prefer all list inputs to translate to a number, and have the list be a 'known entity', either agreed upon and hardcoded, or stored in a DB where it can be retrieved and converted back and forth.

    For inputs that are unknown text, you have to do escaping of stuff.  This can include things like htmlentities(), strip_tags(), and the like.  Even with unknown text, you generally know things that should and shouldn't be there.  Just clean it up.

    Lastly is before it touches the database, which Yasir touched on quickly.

    ALL INPUTS TO THE DATABASE SHOULD BE ESCAPED.  Sorry, capslock got stuck. (grin).

    For mysql+php, this would be something like:
    $string = $_GET['stringvar'];
    $dbstring = mysql_real_escape_string($string);

    Now $dbstring is safe to insert into a db field.

    Again, the first article linked talks a lot about this topic, and there are a lot of other answers on EE that can help further -- but I hope what I've outlined here already helps a bit! ;)
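The accepted answer's "know every field, filter each by what it should contain, escape before the database" rule applied to a querystring, as an added example that is not code from the thread. The field names, the allowed list, the table and the connection details are assumptions made for illustration; mysqli parameter binding is used in place of the answer's mysql_real_escape_string() call, which it supersedes.

```php
<?php
// Added example: whitelist-filter each known querystring field before the
// values reach MySQL. Field names, allowed list and table are assumptions.

$allowedModes = ['view', 'edit', 'delete'];   // assumed choose-from-a-list field

function filter_request(array $get, array $allowedModes)
{
    // Unknown keys are never read, so extra querystring junk is dropped.
    $number = isset($get['number']) ? intval($get['number']) : 0;  // forced to integer
    $mode   = isset($get['mode'])   ? (string) $get['mode']   : '';
    $title  = isset($get['title'])  ? (string) $get['title']  : '';

    // List-type field: only a known value is accepted, stored as its index.
    $modeIndex = array_search($mode, $allowedModes, true);
    if ($modeIndex === false) {
        return null;   // reject the whole request rather than guess
    }

    // Free text: remove markup and cap the length.
    $title = substr(strip_tags($title), 0, 100);

    return ['number' => $number, 'mode' => $modeIndex, 'title' => $title];
}

$clean = filter_request($_GET, $allowedModes);
if ($clean === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid input');
}

// Before the database: bind the values as parameters so the data is never
// parsed as part of the SQL text. Connection details are assumed.
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
$stmt = mysqli_prepare($link, 'INSERT INTO items (num, mode, title) VALUES (?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'iis', $clean['number'], $clean['mode'], $clean['title']);
mysqli_stmt_execute($stmt);

// When echoed back into a page, encode it as well (the answer's htmlentities() advice).
echo htmlentities($clean['title'], ENT_QUOTES, 'UTF-8');
```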

