whspider

asked on 

PHP MYSQL injection

How do I prevent PHP MySQL injection on a CentOS server?

It's affecting all my sites on the server.

Please advise.
Thanks.
Linux Security, Vulnerabilities, PHP
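As an added example (not code from the thread or from any of the answers), here is the same user lookup written the injectable way and the parameterised way, which is the core of preventing SQL injection in PHP regardless of the operating system. It runs against an in-memory SQLite database through PDO so it can be tried without a MySQL server; with a `mysql:` DSN the PDO calls are identical. The `users` table, the `find_user_*` functions and the payload are constructed for the illustration.

```php
<?php
// Added example, not code from the original thread. Same lookup written the
// injectable way and the parameterised way. Runs against an in-memory SQLite
// database (pdo_sqlite) so it needs no MySQL server; with a 'mysql:' DSN the
// PDO calls below are identical. Table, functions and payload are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO users (username) VALUES ('admin'), ('bob')");

// Vulnerable: the user-supplied value becomes part of the SQL text, so a quote
// inside it ends the string literal and whatever follows is parsed as SQL.
function find_user_unsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is frozen at prepare() time and the value travels as a
// bound parameter, so it can only ever be compared as data, never parsed.
function find_user_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the literal and appends a tautology, so
// the unsafe query becomes  ... WHERE username = '' OR '1'='1'
$payload = "' OR '1'='1";

$unsafe = find_user_unsafe($db, $payload);   // matches every row in the table
$safe   = find_user_safe($db, $payload);     // matches nothing: no account is
                                             // literally named "' OR '1'='1"

printf("unsafe: %d rows, safe: %d rows\n", count($unsafe), count($safe));
```

Two caveats for MySQL deployments: pass `PDO::ATTR_EMULATE_PREPARES => false` in the PDO options so the server, not the PHP driver, does the binding; and remember that placeholders only cover values. Table or column names and `ORDER BY` direction cannot be bound and must be checked against a fixed allow-list in PHP before they go into the query text.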

ASKER CERTIFIED SOLUTION
PJBX
whspider (ASKER)

for PHP also please?
whspider (ASKER)

i.e. for an iframe injection
SOLUTION
apresence
jchook

You can also strip unwanted HTML tags out of the user input.

See this page and its comments:
http://us.php.net/manual/en/function.strip-tags.php

jchook

Follow-up: Here is a better function than strip_tags found within the comments of that page.

The arguments are:
- $i_html - the HTML string to be parsed
- $i_allowedtags - an array of allowed tag names
- $i_trimtext - whether or not to strip all text outside of the allowed tags
<?php

/**
 * Function courtesy of lucky760 at VideoSift dot com
 *
 * Removes every tag whose name is not in $i_allowedtags. It only looks at tag
 * names: the attributes of an allowed tag (href, src, on* handlers) are passed
 * through untouched, so it is not an XSS filter for the tags it allows.
 */
function real_strip_tags($i_html, $i_allowedtags = array(), $i_trimtext = FALSE) {
  if (!is_array($i_allowedtags))
    $i_allowedtags = !empty($i_allowedtags) ? array($i_allowedtags) : array();
  // Tag names are matched case-insensitively below, so compare them lower-cased.
  $i_allowedtags = array_map('strtolower', $i_allowedtags);

  // Match every tag, allowed or not, so that the disallowed ones can be removed
  // (matching only the allowed names would leave <script> etc. in place).
  // Attribute values may be single-quoted, double-quoted, unquoted or absent.
  preg_match_all('@</?\s*([a-z][a-z0-9]*)(\s+[a-z_][\w:.-]*(\s*=\s*(\'[^\']*\'|"[^"]*"|[^\s>]+))?)*\s*/?>@i', $i_html, $matches);

  $full_tags = $matches[0];
  $tag_names = $matches[1];

  foreach ($full_tags as $i => $full_tag) {
    if (!in_array(strtolower($tag_names[$i]), $i_allowedtags)) {
      if ($i_trimtext)
        unset($full_tags[$i]);
      else
        $i_html = str_replace($full_tag, '', $i_html);
    }
  }

  // With $i_trimtext = TRUE only the allowed tags are returned; all text is dropped.
  return $i_trimtext ? implode('', $full_tags) : $i_html;
}

// Example Usage ($html is the untrusted HTML string)
$allowed_tags = array('p','a','b','i','u','br','div','hr','ul','ol','li');
$good_html = real_strip_tags($html, $allowed_tags);

jchook

Also, one more follow-up: this is the XSS (cross-site scripting) filter from CodeIgniter (open source PHP framework, see http://codeigniter.com/ ).

NOTE: This will not work on its own. You must look at the Input library from codeigniter/system/libraries/Input.php and adapt its methods to your application.
<?php

/**
* XSS Clean
*
* Sanitizes data so that Cross Site Scripting Hacks can be
* prevented.  This function does a fair amount of work but
* it is extremely thorough, designed to prevent even the
* most obscure XSS attempts.  Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything past
* the filter.
*
* Note: This function should only be used to deal with data
* upon submission.  It's not something that should
* be used for general runtime processing.
*
* This function was based in part on some code and ideas I
* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
*
* To help develop this script I used this great list of
* vulnerabilities along with a few other hacks I've
* harvested from examining vulnerabilities in other programs:
* http://ha.ckers.org/xss.html
*
* @access public
* @param  string
* @return string
*/
function xss_clean($str, $is_image = FALSE)
{
  /*
  * Is the string an array?
  *
  */
  if (is_array($str))
  {
    // each() was removed in PHP 8; iterate over the keys instead.
    foreach (array_keys($str) as $key)
    {
      $str[$key] = $this->xss_clean($str[$key]);
    }

    return $str;
  }

  /*
  * Remove Invisible Characters
  */
  $str = $this->_remove_invisible_characters($str);

  /*
  * Protect GET variables in URLs
  */

  // 901119URL5918AMP18930PROTECT8198

  $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);

  /*
  * Validate standard character entities
  *
  * Add a semicolon if missing.  We do this to enable
  * the conversion of entities to ASCII later.
  *
  */
  $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);

  /*
  * Validate UTF16 two byte encoding (x00) 
  *
  * Just as above, adds a semicolon if missing.
  *
  */
  $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);

  /*
  * Un-Protect GET variables in URLs
  */
  $str = str_replace($this->xss_hash(), '&', $str);

  /*
  * URL Decode
  *
  * Just in case stuff like this is submitted:
  *
  * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
  *
  * Note: Use rawurldecode() so it does not remove plus signs
  *
  */
  $str = rawurldecode($str);

  /*
  * Convert character entities to ASCII 
  *
  * This permits our tests below to work reliably.
  * We only convert entities that are within tags since
  * these are the ones that will pose security problems.
  *
  */

  $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);

  $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_html_entity_decode_callback'), $str);

  /*
  * Remove Invisible Characters Again!
  */
  $str = $this->_remove_invisible_characters($str);

  /*
  * Convert all tabs to spaces
  *
  * This prevents strings like this: ja vascript
  * NOTE: we deal with spaces between characters later.
  * NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
  * so we use str_replace.
  *
  */

  if (strpos($str, "\t") !== FALSE)
  {
    $str = str_replace("\t", ' ', $str);
  }

  /*
  * Capture converted string for later comparison
  */
  $converted_string = $str;

  /*
  * Not Allowed Under Any Conditions
  */

  foreach ($this->never_allowed_str as $key => $val)
  {
    $str = str_replace($key, $val, $str);   
  }

  foreach ($this->never_allowed_regex as $key => $val)
  {
    $str = preg_replace("#".$key."#i", $val, $str);   
  }

  /*
  * Makes PHP tags safe
  *
  *  Note: XML tags are inadvertently replaced too:
  *
  * <?xml
  *
  * But it doesn't seem to pose a problem.
  *
  */
  if ($is_image === TRUE)
  {
    // Images have a tendency to have the PHP short opening and closing tags every so often
    // so we skip those and only do the long opening tags.
    $str = preg_replace('/<\?(php)/i', "&lt;?\\1", $str);
  }
  else
  {
    $str = str_replace(array('<?', '?'.'>'),  array('&lt;?', '?&gt;'), $str);
  }

  /*
  * Compact any exploded words
  *
  * This corrects words like:  j a v a s c r i p t
  * These words are compacted back to their correct state.
  *
  */
  $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
  foreach ($words as $word)
  {
    $temp = '';

    for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
    {
      $temp .= substr($word, $i, 1)."\s*";
    }

    // We only want to do this when it is followed by a non-word character
    // That way valid stuff like "dealer to" does not become "dealerto"
    $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
  }

  /*
  * Remove disallowed Javascript in links or img tags
  * We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
  * to these simplified non-capturing preg_match(), especially if the pattern exists in the string
  */
  do
  {
    $original = $str;

    if (preg_match("/<a/i", $str))
    {
      $str = preg_replace_callback("#<a\s+([^>]*?)(>|$)#si", array($this, '_js_link_removal'), $str);
    }

    if (preg_match("/<img/i", $str))
    {
      $str = preg_replace_callback("#<img\s+([^>]*?)(\s?/?>|$)#si", array($this, '_js_img_removal'), $str);
    }

    if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
    {
      $str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str);
    }
  }
  while($original != $str);

  unset($original);

  /*
  * Remove JavaScript Event Handlers
  *
  * Note: This code is a little blunt.  It removes
  * the event handler and anything up to the closing >,
  * but it's unlikely to be a problem.
  *
  */
  $event_handlers = array('[^a-z_\-]on\w*','xmlns');

  if ($is_image === TRUE)
  {
    /*
    * Adobe Photoshop puts XML metadata into JFIF images, including namespacing, 
    * so we have to allow this for images. -Paul
    */
    unset($event_handlers[array_search('xmlns', $event_handlers)]);
  }

  $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str);

  /*
  * Sanitize naughty HTML elements
  *
  * If a tag containing any of the words in the list
  * below is found, the tag gets converted to entities.
  *
  * So this: <blink>
  * Becomes: &lt;blink&gt;
  *
  */
  $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
  $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

  /*
  * Sanitize naughty scripting elements
  *
  * Similar to above, only instead of looking for
  * tags it looks for PHP and JavaScript commands
  * that are disallowed.  Rather than removing the
  * code, it simply converts the parenthesis to entities
  * rendering the code un-executable.
  *
  * For example:  eval('some code')
  * Becomes:    eval&#40;'some code'&#41;
  *
  */
  $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);

  /*
  * Final clean up
  *
  * This adds a bit of extra precaution in case
  * something got through the above filters
  *
  */
  foreach ($this->never_allowed_str as $key => $val)
  {
    $str = str_replace($key, $val, $str);   
  }

  foreach ($this->never_allowed_regex as $key => $val)
  {
    $str = preg_replace("#".$key."#i", $val, $str);
  }

  /*
  *  Images are Handled in a Special Way
  *  - Essentially, we want to know that after all of the character conversion is done whether
  *  any unwanted, likely XSS, code was found.  If not, we return TRUE, as the image is clean.
  *  However, if the string post-conversion does not matched the string post-removal of XSS,
  *  then it fails, as there was unwanted XSS code found and removed/changed during processing.
  */

  if ($is_image === TRUE)
  {
    if ($str == $converted_string)
    {
      return TRUE;
    }
    else
    {
      return FALSE;
    }
  }

  log_message('debug', "XSS Filtering completed");
  return $str;
}
?>


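Both of jchook's posts above filter suspicious markup on the way in, which means the filter has to anticipate every encoding trick, and the `real_strip_tags` function as posted still lets an allowed `<a>` keep an `href="javascript:..."` because it never inspects attributes. The complementary defence, which needs no blacklist, is to escape untrusted data at the moment it is written into the page, with the escaping chosen for the context it lands in. The following is an added example, not code from the thread or from CodeIgniter; the helper names `e()` and `safe_url()`, the `evil.example` host and the payloads are constructed.

```php
<?php
// Added example, not from the thread or from CodeIgniter: escape untrusted
// data at the point of output instead of stripping "bad" tags on input.
// Encoding is context-specific; the helpers below cover HTML text, quoted
// attribute values, and URLs destined for href= / src=.

// HTML text and quoted attribute values: encode & < > " ' so the data can
// neither start a tag nor close the attribute it sits in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A URL that will land in href= or src=: accept only absolute http(s) URLs or
// root-relative paths, so "javascript:" and "data:" schemes never reach the
// browser. Anything else is replaced by a harmless '#' (constructed fallback).
function safe_url(string $url): string
{
    $url = trim($url);
    // '/(?!/)' allows "/path" but not the protocol-relative "//host/path".
    if (preg_match('#^(https?://|/(?!/))#i', $url)) {
        return e($url);
    }
    return '#';
}

// Constructed attacker inputs, one per output context.
$iframe  = '<iframe src="http://evil.example/x.html" width="0" height="0"></iframe>';
$onerror = '" onerror="alert(1)';
$jsurl   = 'javascript:alert(document.cookie)';

// Text context: the iframe markup is rendered as visible text, not as a frame.
echo '<p>' . e($iframe) . "</p>\n";

// Attribute context: the embedded quote becomes &quot;, so the value cannot
// break out of the attribute and no onerror handler is created.
echo '<input value="' . e($onerror) . "\">\n";

// URL context: the javascript: scheme is rejected and replaced by '#'.
echo '<a href="' . safe_url($jsurl) . "\">link</a>\n";
```

The division of labour is: store what the user sent (through a parameterised query), and call `e()` or `safe_url()` at every place a template writes that data back out. If some HTML genuinely has to be allowed in user content, use an allow-list sanitizer that also filters attributes and URL schemes (HTML Purifier is the usual choice in PHP) rather than `strip_tags` or a regex over tag names.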
SOLUTION
Beverley Portlock
slimetoner

I think he does not want to sanitize per PHP file.
He wants a universal sanitizer.

I think firewalls/IDS can block viruses by setting a hex fingerprint, but cannot detect PHP injection attacks.
SOLUTION
madunix
whspider (ASKER)

Let me check and get back.