Post: How to sanitize php :D
12-22-2011, 09:05 PM #1
Most of you have started using, or have been creating, some sort of PHP, for fun or just for testing purposes. Most of you have vulnerable scripts though. In this tutorial I will be showing you how to sanitize your scripts for safety.

To start off...

here is your basic html:
    
<form name="login" method="post">
Username:
<input type="text" name="username"/>
Password:
<input type="password" name="password"/>
<input type="submit" name="submit"/>
</form>


here is probably your php code.

    
$username = $_POST['username'];
$password = $_POST['password'];

if (isset($_POST['submit']))
{
// the raw POST values are concatenated straight into the query (this is the unsafe version)
$set = mysql_query("SELECT * FROM table WHERE username = '".$username."' and password = '".$password."'");
$set2 = mysql_num_rows($set);
}

if ($set2 < 1){
echo "no login";
}else{
echo "yes login";
}


Now the $_POST is unsafe. That allows any attacker to put any information or unwanted chars into your script.

You want to use sanitization.

here are a few examples:

we'll just use username in these examples
    
$username=trim($username);
$username=htmlspecialchars($username);
$username=mysql_real_escape_string($username);


trim will eliminate the spaces in the post to allow safe login.
htmlspecialchars will eliminate < > | { } etc. and put it in hexadecimal to prevent XSS, RMI, and LMI.
mysql_real_escape_string will eliminate / to prevent mysql injection.

Now you want to incorporate this with all POST variables in your script.

But that is not all. You still want to verify your data, such as if it is an email $_POST, you want to verify that it is an email.

$verify = filter_var($email, FILTER_SANITIZE_EMAIL);

Then it will use $verify.

So make sure you're safely verifying your data, and I hope you learned something here.



BONUS: ENCRYPTING YOUR PASSWORDS

Let's say you have your registration script active, but in your database it's in plain text.
We'll be encrypting it.

Now there are a couple of encryptions; we'll just use the basic:
1. md4
2. md5
3. sha1

There are harder ones, but most hosts don't support them.

The code is quite simple. Just put what you want.
    
$password = md4(md5(sha1($_POST['password'])));


Just have that in your registration. You can change the encryption any way you want, even use it more than once.

$password = md4(md4(md5(sha1(md4(md5(sha1(sha1($_POST['password']))))))));

Note: it slows down your server with so much encryption.

now in your login script:
    
$password = md4(md5(sha1($_GET['password'])));


Note: make sure the encryption in login is the same as in database/registration.

Simple as that, connect to your database and you're done!

You might have noticed GET instead of POST. This is because POST will not work with encryption. idk why. Ask PHP 5.0+ developers.. haha.

Enjoy these tutorials, and stay classy NGU.
Last edited by Jakes625 ; 12-22-2011 at 09:15 PM.
12-23-2011, 12:29 AM #2
Epic?
Originally posted by SatanicHispanic

Some things you ought to take note of, and these are just off the top of my head, so there could be more:

  • PHP has no md4() function
  • $_POST works fine, and you should never pass passwords through $_GET - plus either way you could just use $_REQUEST
  • Your first snippet of PHP code won't work
  • filter_var() will return false if it fails, yet you don't account for that and risk a possible error, furthermore, it doesn't verify whether the email is valid or not, it simply removes characters that are not legal in an email address
  • Both MD4 and MD5 are no longer considered secure, and a few flaws have already been identified in the SHA-1 algorithm
  • A salt is essential to prevent a dictionary attack
  • Hashing multiple times won't significantly improve the security of your website, two or even three times may, but also note that going from SHA-1 to MD5 will lose input range as MD5 gives a 128 bit output, while SHA-1 gives a 160 bit output
  • htmlspecialchars doesn't return a hexadecimal output, but just converts certain characters to HTML entities, and it won't necessarily stop XSS - plus I'm fairly sure it won't convert the pipe or curly bracket characters
  • mysql_real_escape_string doesn't eliminate the forward-slash, nor does the forward-slash cause SQLI
  • Neither RMI nor LMI are real vulnerabilities, unless you were referring to RFI or LFI, and htmlspecialchars won't fix that either
Last edited by Epic? ; 12-23-2011 at 12:55 AM.
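As an added example (not code from the thread or from either poster), here is the login from the first post rewritten to address the points in the reply above: a prepared statement instead of concatenating escaped strings into SQL, password_hash()/password_verify() instead of an md5/sha1 chain (salted, slow hash), FILTER_VALIDATE_EMAIL with its false return handled, and htmlspecialchars() applied at output time. The `users` table, its column names, the database credentials and the 8-character password minimum are assumptions.

```php
<?php
// Added example, not the thread's own code. Assumes a PDO connection and a table
// `users` with columns `username`, `email`, `password_hash` (constructed names).
declare(strict_types=1);

// Registration: store a salted, slow hash instead of an md5/sha1 chain.
// password_hash() creates a random per-user salt and embeds it in the output.
function registerUser(PDO $pdo, string $username, string $email, string $password): bool
{
    // Validate rather than sanitize: FILTER_VALIDATE_EMAIL returns false on a bad address.
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false || $username === '' || strlen($password) < 8) { // 8 is an assumed minimum
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: input is bound as parameters, never concatenated into SQL,
    // so no quote character inside $username can change the query's structure.
    $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)');
    return $stmt->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
}

// Login: fetch by username only, then let password_verify() compare the password
// against the stored hash; the scheme used at registration is read from the hash itself.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

// Output encoding happens when the value is echoed into HTML, not when it is read.
// htmlspecialchars() turns & < > " (and ' with ENT_QUOTES) into entities; | { } are untouched.
function renderGreeting(string $username): string
{
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Wiring it to the form from the first post (POST, not GET, so the password stays out of URLs and logs).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', // placeholder credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $ok = loginUser($pdo, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? renderGreeting((string)$_POST['username']) : 'no login';
}
```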
12-23-2011, 04:45 AM #3
PHP does have md4. I have used it before. Maybe it was already on the server, idk.

md5 is safe enough.. vBulletin uses it haha (note: your database shouldn't be stolen in the first place anyways...)

htmlspecialchars does return hexadecimal. Check it out: < would go to &nsp (idk the code exactly) but in a hex editor it returns <.

idk, that's what I read, and tested it :p

But yeah, this is just VERY basic. I know there are flaws, and that script was an example. This is for beginners, and if you have a better idea, make a thread yourself.
12-23-2011, 06:48 AM #4
Epic?
Originally posted by SatanicHispanic

Again, htmlspecialchars does not return hexadecimal, and you clearly do not know the meaning of hexadecimal either, because '&nsp' is not hexadecimal - also, &nsp is not even an HTML entity anyways. Also, there is definitely no MD4 function in PHP. You can reach it through the hash function though. Regardless, if it's not universal, it shouldn't be advertised as such.

And, if your methodology for security revolves around the idea "safe enough", you shouldn't be teaching security whatsoever.

All I'm saying is that if you're going to make a guide to teach security, you should ensure that all your code works and that what you're teaching is correct, especially when it comes to security.
Last edited by Epic? ; 12-23-2011 at 06:53 AM.
12-23-2011, 10:39 PM #5
Originally posted by Epic

Oh my god.

vBulletin uses md5, so you're saying it's not safe? Tell that to them. Your database shouldn't be obtained in the first place; that's the error of the user.

360 boom.

I found out my old host had the md4 function built in. Sorry for the confusion there.

Lastly, I read that's what it turns into. I guess it's not. I know what hex ****ing means, I'm not dumb. Just never tested if it was true.
It turns it into text so it can't be exploited...

site.com/?file=<

turns into

site.com/?file=&ns (w/e it is)


You're all ****ing defensive and pissing me off, jesus christ. Don't bother replying, go make your ****ing thread...
12-24-2011, 12:14 AM #6
Pichu
Originally posted by Epic

+1

Originally posted by SatanicHispanic

I'd listen to Epic, out of every damn person on this site he would be one of the top 3 who knows what the hell he is talking about.
12-24-2011, 12:22 AM #7
I am. He doesn't have to be an ass about it.

All my shit works except for the md4, and the thing about htmlspecialchars not being hexadecimal.


Copyright © 2024, NextGenUpdate.
All Rights Reserved.