A function written for secuirty

**Ethan-27** · Mar 21, 2011 11:21

I've tried to write a function which will go through the security steps needed for login/register fields on a form. It will be placed in an include file and only called on those two pages. This is what I've come up with.

PHP Code:



$username = spray_text_inputs $_POST['username'];
$password = spray_text_inputs $_POST['password']


// function for stopping basic hacking.

function spray_text_inputs ()

{

$username = htmlspecialchars ($username)
$password = htmlspecialchars($password)

//MySQL injection protection
$username = stripslashes("" "");
$password = stripslashes("" "");

$username = mysql_real_escape_string("" "");
$password = mysql_real_escape_string("" "");

//these two Im quite sure are being used wrong.
$username = htmlentities($username, ENT_QUOTES, 'UTF-8');
$password = htmlentities($usernam, ENT_QUOTES, 'UTF-8');

}

Is this a good idea..? Im quite sure it's wrong and as you can see I have asked many questions in my comments. The brackets I have left empty with double double quotes is because Im not sure what to write in there, either the variable or the value of the field in the HTML file...??

I thought of putting them in an array and looping through each one and moving onto the next one using if statements but that might cause more code than needed.

**tangoforce** · Mar 21, 2011 11:30

PHP Code:


$username = spray_text_inputs $_POST['username'];
$password = spray_text_inputs $_POST['password']

Already your functions won't work because you're not passing the parameters properly using () like this: spray_text_inputs($_POST['username'])

On that second line you have a ; missing at the end.

The entire function also looks like you've just looked at a bunch of random functions that look like they do something and slapped them all together into one function. In one place you're setting $password from running $usernam (without the e) through htmlentities. Why?

**Ethan-27** · Mar 21, 2011 11:39

Originally Posted by tangoforce

PHP Code:


$username = spray_text_inputs $_POST['username'];
$password = spray_text_inputs $_POST['password']

Already your functions won't work because you're not passing the parameters properly using () like this: spray_text_inputs($_POST['username'])

On that second line you have a ; missing at the end.

The entire function also looks like you've just looked at a bunch of random functions that look like they do something and slapped them all together into one function. In one place you're setting $password from running $usernam (without the e) through htmlentities. Why?

Thanks for your advice.

You have pointed out some schoolboy errors that I will need to fix. Your last part regarding htmlentities I was meant to have them both as $password as the code above it was $username.

Regarding slapping them together, yes I have chosen functions that I have learnt regarding security and put them together.. may I ask what is wrong with that....?

Can you suggest another way I should use them all in a function, this really is the only way I know how to put them all in together.

The only other idea I had was to assign the different functions to different variables. Or write a switch statement.

**tangoforce** · Mar 21, 2011 12:04

htmlentities is not really anything to do with security and neither is stripslashes - which is mainly used to get rid of slashes used by magic quotes - a built in defence that comes with php which was nothing but a pain to many.

What on earth makes you think that htmlentities and stripslashes are going to protect you?

Your main problem is that you don't actually really understand what they do or how to use them effectively. You've basically just thrown them all together and hoped for the best without even realising that 2 of the functions render eachother completely useless. You have used stripslashes() right before mysql_real_escape_string will put the slashes back where you've just stripped them from which will leave you with the very same string you had before stripslashes. Just grabbing a few functions that you think are for security and mixing them together into one large function and hoping for the best is not the answer. You need to read up and understand what they are actually doing, play with them, debug the output etc until you clearly understand them.

You only really need the minimum of mysql_real_escape_string and that needs to be strategically placed in your code so that it protects the database but doesn't mess up your php coding.

FYI using htmlentities simply takes odd characters like < and turns them into their html source equivalent so that the browser displays it instead of seeing it as part of a source tag. It does nothing to protect your database.

**aamonkey** · Mar 21, 2011 12:06

Originally Posted by Ethan-27

Regarding slapping them together, yes I have chosen functions that I have learnt regarding security and put them together.. may I ask what is wrong with that....?

The problem is that you don't seem to understand what those functions do, when to use them, and why you use them.

1. stripslashes should never be necessary because you should have PHP configured with magic quotes off - the function itself doesn't have anything to do with security.
2. mysql_real_escape_string is used to prevent sql injection attacks. Although the preferred way is to simply use PDO (or mysqli) and prepared statements.
3. htmlentities is often used to prevent a user from being able to have the html of their choosing output to your web pages - preventing xss attacks, etc.

you don't use htmlentities and mysql_real_escape_string in conjunction with each other - one is used prior to writing to the database and the other is used prior to outputting to the web page.

**Ethan-27** · Mar 21, 2011 12:16

Originally Posted by tangoforce

htmlentities is not really anything to do with security and neither is stripslashes - which is mainly used to get rid of slashes used by magic quotes - a built in defence that comes with php which was nothing but a pain to many.

What on earth makes you think that htmlentities and stripslashes are going to protect you?

Your main problem is that you don't actually really understand what they do or how to use them effectively. You've basically just thrown them all together and hoped for the best without even realising that 2 of the functions render eachother completely useless. You have used stripslashes() right before mysql_real_escape_string will put the slashes back where you've just stripped them from which will leave you with the very same string you had before stripslashes. Just grabbing a few functions that you think are for security and mixing them together into one large function and hoping for the best is not the answer. You need to read up and understand what they are actually doing, play with them, debug the output etc until you clearly understand them.

You only really need the minimum of mysql_real_escape_string and that needs to be strategically placed in your code so that it protects the database but doesn't mess up your php coding.

FYI using htmlentities simply takes odd characters like < and turns them into their html source equivalent so that the browser displays it instead of seeing it as part of a source tag. It does nothing to protect your database.

Cheers for your advice, its pretty obvious I gotta go back to the drawing board, I must've misunderstood quite a bit.

Regarding the function, would it be ok to include the htmlspecialchars and mysql_real_escape in it...? As it wont be as code heavy now is there a better way to use these than to put them in a function.

Really appreciate your help guys.

**aamonkey** · Mar 21, 2011 12:20

Originally Posted by Ethan-27

Regarding the function, would it be ok to include the htmlspecialchars and mysql_real_escape in it...?

re-read my post above

**Ethan-27** · Mar 21, 2011 12:30

Originally Posted by aamonkey

re-read my post above

Thanks... but I'm still not clear.

You mention not using htmlentities in conjunction with mysql_real_escape_string
but I want to use htmlspecialchars with it.

Also I am sure htmlentities does have something to do with security, but it seems Im using it wrong.

I understand I've placed alot of the code in the wrong place and used it incorrectly but can you see what I'm trying to achieve...? A function which encases all the security checks needed for form submission.

**aamonkey** · Mar 21, 2011 12:36

i give up.

**Ethan-27** · Mar 21, 2011 12:40

Originally Posted by aamonkey

i give up.

Cheers anyway :-)

I think Ive figured out that htmlentities and htmlspecialchars are used for security purposes when the form is sent back, not when it is sent through.

Is the only way to secure it before it is sent is to use mysql_real_escape_string..? Strip tags can be used to prevent javascript attacks though...

**ngduc** · Mar 21, 2011 12:46

Why don't you use PHP built in sanitize and filter functions to do this?

<snip/>

**tangoforce** · Mar 21, 2011 13:00

Originally Posted by aamonkey

i give up.

I'm almost there.. some people refuse to accept good clear advice when its given to them.

Originally Posted by Ethan-27

You mention not using htmlentities in conjunction with mysql_real_escape_string
but I want to use htmlspecialchars with it.

Also I am sure htmlentities does have something to do with security, but it seems Im using it wrong.

htmlentities is nothing to do with database security at all. It is simply used to output characters to a webpage which are normally only seen in the source code. If you do not understand this then why are you so intent on using it anyway?

For stopping cross site scripting (xss) (EG people inserting javascript and html links into your form for say a guestbook) you use striptags - but again you only use it in certain situations or your entire code logic will have completely unpredicted results. You don't just throw it in and hope for the best.

Originally Posted by Ethan-27

I understand I've placed alot of the code in the wrong place and used it incorrectly but can you see what I'm trying to achieve...? A function which encases all the security checks needed for form submission.

I see what you're trying to do but you're trying to do it all wrong and trying to ignore us in the process. If you want to use it then fine please do. Just be sure to run a damn good debug session by echoing out all of your variables so you can see why its all gone south afterwards.

I can see you're trying to write one function that covers everything. Unfortunately it doesn't work like that. Just as with any good plan you have to know what you're doing and target specific issues with specific ideas. Not just throw everything at one issue and hope that miraculously it will work out.

In short, learn to walk. Not just walk but balance and turn on the spot. Once you can do that you can run. PHP programming is one of those languages that people jump into with a specific project in mind thinking "Hey I'm going to make that today it looks easy" and the reality is pretty different. You need to be able to read and understand the php manual at php.net, understand how to use functions, what parameters to pass to them and how to use the result properly. Also debugging your code is an acquired skill. You can't just publish code and expect it to work flawlessly (EG like your initial sample which I found problems with pretty quick). You need to be able to read, understand and debug your own code because most of the time these forums can't debug your project which is spread across 6 or 7 files all containing code. I spent years learning php and I am no expert but I can survive without asking for any help because I've learnt how to debug and created my own tools and functions to help me test ideas and debug code. I'm not an expert though but I can understand php enough to support my own projects and help others here on sitepoint and another forum.

I'm not trying to put you off, on the contrary you're clearly serious about being a php programmer because many new folk don't want to know about security at all - they're just interested in getting data into their database and don't want to worry about the added problem of sql injection etc. You've actually realised at least that your forms are your first port of call for an attacker and you're clearly concerned enough to try and block this. Thats GREAT and it is why i'm still here and not ignoring you, but you do need to listen to our advice when we give it. If you don't understand it then ASK. Don't just "Well can I still do it anyway.." type thing as it will not do you any favours and you won't learn. If you don't understand something ASK for more details. If the person who wrote it doesn't explain it to you then the chances are someone else will. If you still don't get a reply then start a new topic and ask! As soon as someone seens a topic with 0 replies they'll read it and answer if they can

**Ethan-27** · Mar 21, 2011 13:08

Cheers for tonight guys, its been a real wake up call.

I've obviously jumped the gun a bit and need to go back over things. Some things in php I can write but as tonight has shown some things I cant. I'm gonna take a couple of days to get everything in order and have another go at writing something half decent, no matter how simple it is and then hopefully work from there.

Once agan thanks for your help and I really really appreciate your patience.

User Tag List

Thread: A function written for secuirty

Thread Tools

Display

A function written for secuirty

Bookmarks

Bookmarks

Posting Permissions