0

Hello folks,


In short, this code is vulnerable:

<div class="search">
    <form action="/search" method="get" name="header_search">
        <label>{l t='Search Business'} <input name="searchtext" type="text" id="searchtext" placeholder="{l t='e.g.Marriott'}" /></label>
        <label>{l t='City'} <input name="cityname" type="text" id="Hsearchcity" autocomplete="off" placeholder="{l t='All Cities'}" class="commentColor cityname"/></label>

        <a onclick="header_search.submit()" href="javascript:void(0)">{l t='Search'}</a>
    </form>
</div>

I have been trying to implement the unhtmlentities() or htmlspecialchars() functions with no success. How can it be done, please?

3 Contributors | 21 Replies | 22 Views | 6 Years Discussion Span | Last Post by Stefano Mtangoo
0

I have been trying to implement the unhtmlentities() or htmlspecialchars() functions with no success. How can it be done, please?

What is the definition of "with no success"? You need to be explicit here!

0

It is either that I implemented it in the wrong way, or it gave no results.

My implementation was lacking the variable that takes the searchtext, or is it $searchtext itself?

0

Or, to be precise, how do I implement the mentioned functions in my code?

0

Prevent XSS, in other words, Sanitize Tags ( <, >, ", etc...)

0

I read that before, but how do I use it in the context of my code? What's the variable that will be sanitized?

0

You don't show your data handling code, only the input form. The sanitizing occurs with the validating of the $_GET vars.

0

Thanks ardav, things have become easier now, yet, here is my code:

if($_POST['type']=='biz')
{
    $keyword = $_POST['biz'];
    //NEWLY ADDED
    // Input-side filtering: strips low/high bytes and HTML-encodes <, >, &, " and ' in $keyword.
    $keyword= filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_LOW);
    $keyword= filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_HIGH);
    $keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_HIGH);
    $keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW);
    //ADD END
    $keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
    if($keyword=="")
        $query="select * from `business` order by business_id DESC LIMIT 0,20";
    else
        $query="select * from `business` where business_name like '%".$keyword."%' ORDER BY business_name asc limit 0,20";

    $rc=mysql_query($query);
    $array=array();
    $i=0;
    while($row = mysql_fetch_array($rc))
    {
        $array[$row['business_id']]=$row;
    }
    if(!$array) exit;

    $str="<ul>";
    foreach($array as $business_id => $row)
    {
        // $keyword is dropped straight into a regex pattern, and $row['business_name'] comes from
        // the database and is not HTML-encoded before it is echoed.
        $showName=preg_replace("/(".$keyword.")/i","<abbr>$1</abbr>",$row['business_name']);

        // addslashes() only backslash-escapes quotes for the JavaScript strings; nothing here is
        // encoded for the HTML attribute the strings are written into.
        $str.="<li onClick=\"fillBiz('".$business_id."','".addslashes($row['business_name'])."','".addslashes($row['permalink'])."')\">".$showName."</li>";
    }
    $str.= "</ul>";

    echo $str;
}

Am I close?
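The handler above filters `$_POST['biz']`, yet every value that reaches the browser (the keyword used as a regex, the `business_name` and `permalink` rows from the database, the `onClick` arguments) is written out without encoding for the context it lands in; the form in the first post, meanwhile, submits `searchtext` by GET, which this code never reads at all. Below is an added example, not El Duke's code, of the same autocomplete handler rebuilt so that escaping happens at output, per context. It assumes a PDO connection in `$pdo` and the same `business` columns the original uses (`business_id`, `business_name`, `permalink`); the helper names `h()`, `jsString()`, `findBusinesses()` and `renderBusinessList()` and the sample rows at the bottom are constructed for the demo.

```php
<?php
// Added example (not from the thread): output-side escaping for the
// autocomplete list. Assumes $pdo is a PDO connection to the same database.
declare(strict_types=1);

/** Escape a string for HTML text content or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Produce a JavaScript string literal whose characters are also inert in HTML. */
function jsString(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

/**
 * Up to 20 businesses whose name contains $keyword. The prepared statement
 * replaces addslashes() plus string concatenation, and the LIKE wildcards a
 * user may type (% and _) are escaped so they match literally.
 */
function findBusinesses(PDO $pdo, string $keyword): array
{
    if ($keyword === '') {
        $stmt = $pdo->query('SELECT business_id, business_name, permalink FROM `business` ORDER BY business_id DESC LIMIT 20');
    } else {
        $stmt = $pdo->prepare('SELECT business_id, business_name, permalink FROM `business` WHERE business_name LIKE ? ORDER BY business_name ASC LIMIT 20');
        $stmt->execute(['%' . addcslashes($keyword, '%_\\') . '%']);
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Render the <ul> of matches. The match is highlighted by splitting the raw
 * name on the keyword (preg_quote() keeps the keyword from being read as a
 * regex), escaping each piece, and wrapping only the matched pieces in <abbr>.
 * The onclick arguments are JavaScript literals (jsString) that are then
 * escaped once more for the attribute they sit in (h).
 */
function renderBusinessList(array $rows, string $keyword): string
{
    $out = '<ul>';
    foreach ($rows as $row) {
        $name = (string) $row['business_name'];
        if ($keyword === '') {
            $label = h($name);
        } else {
            $parts = preg_split('/(' . preg_quote($keyword, '/') . ')/iu', $name, -1, PREG_SPLIT_DELIM_CAPTURE);
            if ($parts === false) {          // invalid UTF-8 in the row: show it unhighlighted
                $parts = [$name];
            }
            $label = '';
            foreach ($parts as $i => $part) {
                // With PREG_SPLIT_DELIM_CAPTURE the odd indexes are the captured matches.
                $label .= ($i % 2 === 1) ? '<abbr>' . h($part) . '</abbr>' : h($part);
            }
        }
        $args = implode(',', [
            jsString((string) $row['business_id']),
            jsString((string) $row['business_name']),
            jsString((string) $row['permalink']),
        ]);
        $out .= '<li onclick="fillBiz(' . h($args) . ')">' . $label . '</li>';
    }
    return $out . '</ul>';
}

// Constructed sample rows standing in for findBusinesses($pdo, 'mar'): the
// second name carries quotes and markup, which are rendered as text, not parsed.
$sampleRows = [
    ['business_id' => 1, 'business_name' => 'Marriott Hotel',            'permalink' => 'marriott-hotel'],
    ['business_id' => 2, 'business_name' => 'Mar "Ion" <b>Grill</b>',    'permalink' => 'mar-ion-grill'],
];
echo renderBusinessList($sampleRows, 'mar'), "\n";
```

The point of the layering is that each value is encoded for exactly the contexts it passes through, in order: a value inside `onclick="fillBiz(...)"` is first a JavaScript string literal and then an HTML attribute value, so it gets `jsString()` and then `h()`; the visible label is HTML text, so it gets `h()` only. Filtering `$keyword` on the way in, as the original does, leaves the database rows and the keyword's regex use untouched, which is why the pop-up survives it.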

0

Don't sanitize everything. If the field is an EMAIL, sanitize it with the EMAIL filter.
You have to know the type expected!
For your case $keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW); seems to be the right one. If you put it into MySQL, don't forget to escape it using mysql_real_escape_string()
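Stefano's point, that the check has to match the type the field is expected to hold, worked through as an added example (not from the thread): each search field is validated against an allowlist and rejected when it does not fit, rather than "cleaned". The field names come from the form in the first post; the patterns, the length limit, and the helper names `validateSearch()` and `validateId()` are assumptions made for this example. The sample inputs at the bottom are constructed, and the last one is the test string El Duke reports using later in the thread.

```php
<?php
// Added example (not from the thread): validate by expected type, reject what
// does not fit. The allowlist patterns and MAX_SEARCH_LEN are assumptions.
declare(strict_types=1);

const MAX_SEARCH_LEN = 100;

/**
 * Validate the search fields from a $_GET-like array.
 * Returns ['values' => [...accepted fields...], 'errors' => [field => message]].
 * A rejected value never reaches the query or the page, which is simpler to
 * reason about than trying to strip the bad parts out of it.
 */
function validateSearch(array $input): array
{
    $rules = [
        // Letters in any script, digits, spaces and the punctuation that turns
        // up in business names. Assumed rule for this example.
        'searchtext' => '/^[\p{L}\p{N} .,\'&-]{0,' . MAX_SEARCH_LEN . '}$/u',
        'cityname'   => '/^[\p{L} .\'-]{0,' . MAX_SEARCH_LEN . '}$/u',
    ];
    $values = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {               // ?searchtext[]=... arrives as an array
            $errors[$field] = 'must be a single value';
            continue;
        }
        $value = trim($value);
        // preg_match() returns false on invalid UTF-8, so that is rejected too.
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'contains characters that are not allowed';
            continue;
        }
        $values[$field] = $value;
    }
    return ['values' => $values, 'errors' => $errors];
}

/** An id such as business_id is a positive integer or it is nothing. */
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs, in the shape $_GET would have for the header_search form.
$samples = [
    ['searchtext' => 'Marriott', 'cityname' => 'Dar es Salaam'],
    ['searchtext' => "O'Brien & Sons", 'cityname' => ''],
    ['searchtext' => ['a', 'b'], 'cityname' => 'X'],
    ['searchtext' => '"><script>alert(document.cookie);</script>"', 'cityname' => ''],
];
foreach ($samples as $sample) {
    $result = validateSearch($sample);
    echo json_encode($result), "\n";
}
var_dump(validateId('42'), validateId('42abc'), validateId('-1'));
```

Accepted values still get escaped at output (htmlspecialchars for HTML, a prepared statement for SQL), because validation decides what is allowed in, and encoding decides how it is written out; one does not substitute for the other.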

0

Thanks,
I don't expect the user to enter anything but names and numbers, so I guess there's no harm in filtering.

But that doesn't seem to work anyway; I still get XSS upon entering a script in the keyword field. I tried str_replace() as well, and it doesn't work. This is confusing!

0

Thanks,
I don't expect the user to enter anything but names and numbers, so I guess there's no harm in filtering.

But that doesn't seem to work anyway; I still get XSS upon entering a script in the keyword field. I tried str_replace() as well, and it doesn't work. This is confusing!

What is your current code and how do you test it?

0

I test it by inserting the following in the search field / or url:

"><script>alert(document.cookie);</script>"

and I receive the pop-up showing the cookie info.


I tried working at the mod_security level, but that didn't work either (it didn't validate the input).

Edited by El Duke: n/a

0

OK I see, it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off html (script) - should be none of that in your input fields right?

You don't need to html_decode_entity() to output as no html should be included.


I use mysql_real_escape_string() to stop SQL injection and htmlentities to avoid xss.

Edited by diafol: n/a

0

OK I see, it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off html (script) - should be none of that in your input fields right?

You don't need to html_decode_entity() to output as no html should be included.


I use mysql_real_escape_string() to stop SQL injection and htmlentities to avoid xss.

Tried htmlentities() on every possible input, nothing but the bloody pop-up after testing.

Nothing is working; this is frustrating!

0

Here is the combination:

$keyword = $_POST['biz'];
$keyword = mysql_real_escape_string(htmlentities($keyword)); //this

or

$keyword = $_POST['biz'];
$keyword = htmlentities($keyword, ENT_QUOTES); //this

Doesn't do anything.

Edited by El Duke: n/a
