Preventing malicious input in a PHP page

I need some advice/code on how to prevent this script from SQL injection attacks.
I ran Acunetix on it and some like it and got back all sorts of junk in the database.

How can I keep individuals from going to this page and entering in querystrings and poking around?  If Acunetix is picking this up, I know hackers would have a field day on my page LOL

<?php
define("XMLRPC_DEBUG", 1);
header("Content-type: text/html");

// more blah blah blah

if ($resp_key == 'blah') {
    // expected response, nothing to report
} else {
    print "<br> error.";
}
1 Solution
You could limit the size of your fields in your HTML form.  You could escape any malicious characters before passing them off to your dynamic query.  I think dbx_escape_string() does the trick.  Your DB extension probably has a function to do the same.
JuniorBee (Author) commented:
I am sorry.  You might as well be speaking in Russian.  


There are no forms.  The strings are passed from an ASP page:

like that.

Then that data is sent via XML-RPC to a remote application.
When I ran Acunetix on these PHP pages, the remote application received all sorts of garbled data from the scan because it was able to input random strings to pass along to the script.

What I think I need is a way to only run the scripts and accept the querystring if it came from my website and a particular page.  But from what I have read, hackers can trick the browser into thinking the input came from the right page.

You can use HTTP_REFERER as added security... but that doesn't always work with antivirus and anti-firewalls these days. Also it can be faked easily. Probably a good idea would be to use cookies which are made in JavaScript on the ASP page and accessed on the PHP page? But for that you need both scripts on the same domain.
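Added example, not code from the thread: rather than the referer or cookie check discussed above (both of which the comment notes can be faked), the ASP page and the PHP page share a secret and every query string is signed with it, so the PHP page only honours links the ASP page built. Both sides are shown in PHP for illustration; the secret, the parameter names and the 300-second freshness window are assumptions.

```php
<?php
// Added example (not from the thread): the sending page signs the query string
// with a shared secret and the PHP page recomputes the signature before trusting
// any parameter. Secret, parameter names and the freshness window are assumptions;
// both sides are shown in PHP even though the sender would be the ASP page.

const SHARED_SECRET = 'replace-with-a-long-random-secret';  // same value on the ASP side

// What the sending page does before building the link.
function sign_query(array $params, string $secret): string
{
    $params['ts'] = $params['ts'] ?? time();   // timestamp limits replay of an old link
    ksort($params);                            // canonical order so both sides agree
    $params['sig'] = hash_hmac('sha256', http_build_query($params), $secret);
    return http_build_query($params);
}

// What the PHP page does with $_SERVER['QUERY_STRING'] before reading any value.
function verify_query(string $query, string $secret, int $max_age = 300): bool
{
    parse_str($query, $params);
    $sig = is_string($params['sig'] ?? null) ? $params['sig'] : '';
    unset($params['sig']);
    if (!isset($params['ts']) || abs(time() - (int) $params['ts']) > $max_age) {
        return false;                          // missing or stale timestamp
    }
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), $secret);
    return hash_equals($expected, $sig);       // constant-time compare
}

$link = sign_query(['a' => 'newstring', 'b' => '89'], SHARED_SECRET);
$tampered = str_replace('b=89', 'b=90', $link);
echo verify_query($link, SHARED_SECRET) ? "original accepted\n" : "original rejected\n";
echo verify_query($tampered, SHARED_SECRET) ? "tampered accepted\n" : "tampered rejected\n";
```

A verified signature only proves the link was built by the page holding the secret; each parameter still needs the per-field filtering discussed later in the thread.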


I am not sure how you are taking input on the ASP page, but if it is a form or something similar, here is what you can do.

Take the input on the ASP page, post the data to the same ASP page instead of the PHP page, and in your ASP page execute an internal call to the PHP page. I am not sure how it can be done in ASP, but in PHP I would do something like this:

$phpcontent = implode("" , file('thispage.php?a=newstring&b=89&c=lastone'));

This way no one knows about your PHP page and everything works from inside your ASP page, so you remove the chances of someone accessing it directly without going through your ASP page.

Hope I made some sense there.
Sorry, incorrect example.

$phpcontent = implode("" , file('http://www.anything.com/thispage.php?a=newstring&b=89&c=lastone'));
That seems a reasonable approach.  However, it doesn't secure the script.

If you search around here, I've been in on a few discussions of securing input from forms.  My last one (I think) was in this topic:

That's a good read.  If you search around for 'php form' or 'php form secure' or something like that, you'll see more.

A quicker topic was:

They're all good reads.

Security on 'GET' variables is the same as securing 'POST' variables.  Know ALL the data fields possible, and FILTER each field by the known data that should be in it.  That's the starting point.

For instance, let's say field "number" should be a >number<.  Well, force it to be one.
$number = $_GET['number'];
$number = intval($number); // or other conversion if not integer, but say floating point.

Same goes for inputs that are choose-from-a-list (if you know the list, you can ensure the text is one of the answers).  Though, I prefer all list inputs to translate to a number, and have the list be a 'known entity', either agreed upon and hardcoded, or stored in a DB where it can be retrieved and converted back and forth.

For inputs that are unknown text, you have to do escaping of stuff.  This can include things like htmlentities(), strip_tags(), and the like.  Even with unknown text, you generally know things that should and shouldn't be there.  Just clean it up.

Lastly is before it touches the database, which Yasir touched on quickly.

ALL INPUTS TO THE DATABASE SHOULD BE ESCAPED.  Sorry, capslock got stuck. (grin).

For mysql+php, this would be something like:
$string = $_GET['stringvar'];
$dbstring = mysql_real_escape_string($string); // needs an open mysql_connect() link; the mysql_* functions were removed in PHP 7

Now $dbstring is safe to insert into a db field.

Again, the first article linked talks a lot about this topic, and there are a lot of other answers on EE that can help further -- but I hope what I've outlined here already helps a bit! ;)
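Added example, not code from the thread: the steps of the answer above applied to one query string, with every accepted field known in advance, each field filtered by what it should contain (intval for numbers, list membership translated to an index, strip_tags and a length cap for free text), and the value kept out of the SQL text. PDO prepared statements stand in for mysql_real_escape_string(), which no longer exists in PHP 7+; the field names, the list and the table are assumptions.

```php
<?php
// Added example (not from the thread): the answer's steps applied to a query
// string. Know every field, filter each by what it should contain, and keep the
// value out of the SQL text. PDO prepared statements stand in for the thread's
// mysql_real_escape_string() (the mysql_* functions are gone in PHP 7+).
// Field names, the list and the table are assumptions for illustration.

// Every field this page accepts and the rule that filters it; anything else is never read.
$rules = [
    'number' => 'int',                     // must be a number
    'color'  => ['red', 'green', 'blue'],  // choose-from-a-list, stored as its index
    'note'   => 'text',                    // free text: clean it up, cap its length
];

function filter_input_fields(array $get, array $rules): array
{
    $clean = [];
    foreach ($rules as $name => $rule) {
        $raw = $get[$name] ?? '';
        if (!is_string($raw)) {
            $raw = '';                     // arrays (number[]=1) are not valid input
        }
        if ($rule === 'int') {
            $clean[$name] = intval($raw);  // force it to be a number
        } elseif (is_array($rule)) {
            $idx = array_search($raw, $rule, true);
            $clean[$name] = ($idx === false) ? null : $idx;  // null: not a known answer
        } else {
            $clean[$name] = substr(strip_tags($raw), 0, 200);  // htmlentities() at output time
        }
    }
    return $clean;
}

// Constructed sample input, the kind of values a scanner would send.
$sample_get = [
    'number' => '5 OR 1=1',
    'color'  => 'purple',
    'note'   => "<script>alert(1)</script>'; DROP TABLE notes; --",
    'extra'  => 'never read',
];
$clean = filter_input_fields($sample_get, $rules);

// Values reach the database only as bound parameters, never inside the SQL text.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE notes (number INTEGER, color INTEGER, note TEXT)');
$stmt = $db->prepare('INSERT INTO notes (number, color, note) VALUES (:number, :color, :note)');
$stmt->execute($clean);
```

The unknown field 'extra' is never read, the unlisted colour becomes NULL instead of a string, and the note is stored as plain text because the driver binds it as data rather than splicing it into the statement.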
