advice on sql injection/XSS prevention

on 05.04.2007 16:17:25 by Bing Du

Hi,

I'm not an experienced PHP developer. We're hosting a content management
system that allows authorized people to add PHP content. Their PHP coding
levels vary. Some are very security sensitive, but some are not. I
want to know if PHP has any ready-to-use function to validate form input to
help prevent SQL injection/XSS, so each programmer doesn't have to write
their own form validation code. I'd appreciate any advice or pointers.

Thanks in advance,

Bing

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: advice on sql injection/XSS prevention

on 05.04.2007 16:23:23 by znemeth

I think it is generally a Bad Idea to allow users to submit code into
your system...
you would be better off if you would provide some pseudo-coding
possibilities which would allow them to insert certain functionalities
into their content - with you providing the real code running behind and
replacing the pseudo-codes with the process results

greets
Zoltán Németh

On Thursday, 5 April 2007, at 09:17, Bing Du wrote:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP content. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I
> want to know if PHP has any ready-to-use function to validate form input to
> help prevent SQL injection/XSS, so each programmer doesn't have to write
> their own form validation code. I'd appreciate any advice or pointers.
>
> Thanks in advance,
>
> Bing
>

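An added example (not from the thread, and not the code of any real CMS) of the placeholder approach Zoltán describes: authors write plain HTML containing tags such as [[recent_posts count=2]], and the host maps each tag name to a PHP function it controls. Authors never submit executable PHP, so there is nothing to eval; unknown tags are rendered as inert text, and every handler escapes what it emits. The tag names, the handler functions and the sample content are assumptions made up for this illustration.

```php
<?php
// Added example: placeholder ("pseudo-code") tags instead of author-supplied PHP.
// Tag names, handlers and sample content are constructed for illustration.

// Allowed tags: name => handler(array $args, array $ctx): string (HTML fragment).
// Only the host defines handlers; authors can only reference them by name.
$handlers = [
    'username' => function (array $args, array $ctx): string {
        return htmlspecialchars($ctx['user'], ENT_QUOTES, 'UTF-8');
    },
    'recent_posts' => function (array $args, array $ctx): string {
        // Validate the tag argument: integer, clamped to a sane range.
        $count = (int) ($args['count'] ?? 5);
        $count = max(1, min(10, $count));
        $items = '';
        foreach (array_slice($ctx['posts'], 0, $count) as $title) {
            $items .= '<li>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</li>';
        }
        return "<ul>$items</ul>";
    },
];

function render(string $content, array $handlers, array $ctx): string
{
    // Grammar: [[name key=value key2=value2]]  -- deliberately tiny.
    $pattern = '/\[\[\s*([a-z_]+)((?:\s+[a-z_]+=[A-Za-z0-9_]+)*)\s*\]\]/';
    return preg_replace_callback($pattern, function (array $m) use ($handlers, $ctx): string {
        $name = $m[1];
        if (!isset($handlers[$name])) {
            // Unknown tag: emit it as escaped literal text, never as code.
            return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        }
        $args = [];
        foreach (preg_split('/\s+/', trim($m[2]), -1, PREG_SPLIT_NO_EMPTY) as $pair) {
            [$k, $v] = explode('=', $pair, 2);
            $args[$k] = $v;
        }
        return $handlers[$name]($args, $ctx);
    }, $content);
}

// Constructed sample: what an author might submit, plus host-side context.
$authored = '<h1>Hello [[username]]</h1><p>Latest:</p>[[recent_posts count=2]]'
          . '<p>[[system cmd=rm]] is not a tag we offer.</p>';
$ctx = [
    'user'  => 'bing <script>alert(1)</script>',
    'posts' => ['First post', 'Second & third', 'Fourth'],
];
echo render($authored, $handlers, $ctx), PHP_EOL;
```

The authored HTML itself is still whatever the authorized user wrote, so this only removes the "arbitrary PHP" problem, not the question of whether those users may publish raw HTML; the two other points (escaping in every handler, unknown tags failing closed) are what keep the placeholder layer from becoming a new injection surface.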

Re: advice on sql injection/XSS prevention

on 06.04.2007 05:14:41 by Manuel Lemos

Hello,

on 04/05/2007 11:17 AM Bing Du said the following:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP content. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I
> want to know if PHP has any ready-to-use function to validate form input to
> help prevent SQL injection/XSS, so each programmer doesn't have to write
> their own form validation code. I'd appreciate any advice or pointers.

You may want to take a look at this article. It explains the security
problems of publishing unaudited HTML and how XSS can be prevented even
without filtering.

http://www.phpclasses.org/blog/post/55-Improved-browsing-and-cross-site-scripting-prevention.html

--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/


Re: advice on sql injection/XSS prevention

on 07.04.2007 08:10:58 by Jordan Forssman

Actually there is a tool available for automated validation of PHP code.
It's called static source code analysis which, very simply stated, acts like
a spell checker for custom developed code. This tool is very accurate at
finding vulnerabilities, especially SQL injection and XSS, and can be run directly against
the source code so it doesn't need the application to be up and running.

This company

http://www.armorize.com/services/securityasaservice?utm_source=jordan&utm_medium=post

is offering this kind of tool delivered as a service directly over the Web
which means you can either request that those authorized people verify their
code security before posting, or you can do it after they have posted. The
tool shows the vulnerability as well as the tainted origin that introduces
it and provides fix suggestions, etc so everything can be fixed in a very
short time with very little effort -- no installation required.

>From: Zoltán Németh
>To: Bing Du
>CC: php-general@lists.php.net
>Subject: Re: [PHP] advice on sql injection/XSS prevention
>Date: Thu, 05 Apr 2007 16:23:23 +0200
>
>I think it is generally a Bad Idea to allow users to submit code into
>your system...
>you would be better off if you would provide some pseudo-coding
>possibilities which would allow them to insert certain functionalities
>into their content - with you providing the real code running behind and
>replacing the pseudo-codes with the process results
>
>greets
>Zoltán Németh
>
>On Thursday, 5 April 2007, at 09:17, Bing Du wrote:
> > Hi,
> >
> > I'm not an experienced PHP developer. We're hosting a content management
> > system that allows authorized people to add PHP content. Their PHP coding
> > levels vary. Some are very security sensitive, but some are not. I
> > want to know if PHP has any ready-to-use function to validate form input to
> > help prevent SQL injection/XSS, so each programmer doesn't have to write
> > their own form validation code. I'd appreciate any advice or pointers.
> >
> > Thanks in advance,
> >
> > Bing
> >
>



Re: advice on sql injection/XSS prevention

on 11.04.2007 04:44:11 by Richard Lynch

If you know you are using MySQL, you could pass all database input
through mysql_real_escape_string.

Or you could use prepared statements and not have to worry about
escaping the data, as MySQL *knows* it's data.

You'll probably not be able to defeat XSS in any meaningful way,
however...

Perhaps you need to EDUCATE the authorized people...


On Thu, April 5, 2007 9:17 am, Bing Du wrote:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP content. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I
> want to know if PHP has any ready-to-use function to validate form input to
> help prevent SQL injection/XSS, so each programmer doesn't have to write
> their own form validation code. I'd appreciate any advice or pointers.
>
> Thanks in advance,
>
> Bing
>


--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

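An added example (not from the thread) showing the two options Richard describes, escaping versus prepared statements, side by side against the same injected input. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, rows and attacker input are constructed for the demonstration. PDO::quote() stands in for mysql_real_escape_string() (the old mysql extension is gone since PHP 7; with mysqli the equivalents are mysqli_real_escape_string() and mysqli_prepare()/bind_param()).

```php
<?php
// Added example: string interpolation vs. escaping vs. prepared statements.
// Database, rows and the injected value are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, pass TEXT)');
$seed = $pdo->prepare('INSERT INTO users (name, pass) VALUES (?, ?)');
foreach ([['alice', 's3cret'], ['bob', 'hunter2']] as $row) {
    $seed->execute($row);
}

// Attacker-controlled form input (constructed).
$name = 'alice';
$pass = "' OR '1'='1";

// 1. Vulnerable: raw interpolation. The quote in $pass closes the string
//    literal and the OR makes the WHERE clause true for every row.
$sql  = "SELECT name FROM users WHERE name = '$name' AND pass = '$pass'";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("interpolated: %d row(s) -> %s\n", count($rows), implode(',', $rows));

// 2. Escaping: PDO::quote() doubles the embedded quote so the input stays
//    inside the literal. It only helps where the value sits inside quotes;
//    an unquoted numeric or an identifier position gets no protection.
$sql  = 'SELECT name FROM users WHERE name = ' . $pdo->quote($name)
      . ' AND pass = ' . $pdo->quote($pass);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped:      %d row(s)\n", count($rows));

// 3. Prepared statement: the query text is fixed before any data arrives,
//    so the driver treats $pass as data and never as SQL.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name AND pass = :pass');
$stmt->execute([':name' => $name, ':pass' => $pass]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared:     %d row(s)\n", count($rows));
```

Run as written, the interpolated query returns both users, while the escaped and prepared queries return none. One MySQL-specific caveat when carrying this over to PDO_MySQL: PDO emulates prepares client-side by default, which is still escaping under the hood, so set PDO::ATTR_EMULATE_PREPARES to false and declare the connection charset in the DSN so the escaping and the server agree on what a quote character is.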