-1

I'm having this query;

$sql = "INSERT INTO statusups (pid, text) VALUES ('{$_SESSION['sess_id']}', '{$_POST['appendedInputButton']}')";

and I'm processing the variable $_POST['appendedInputButton'] like this;

$_POST['appendedInputButton'] = $purifier->purify($_POST['appendedInputButton']);
$_POST['appendedInputButton'] = strip_tags($_POST['appendedInputButton']);
$_POST['appendedInputButton'] = trim($_POST['appendedInputButton']);

Does this protect me from XSS and eventually SQL injections? I've looked into mysqli and prepared statements and it looks like it takes too much code to do a simple thing. If this protects me from SQL injections and XSS I would love to keep to this method, or should I upgrade to mysqli?

The function $purifier->purify comes from the plugin HTMLPurifier.

Magnus
  • Prepared statements are the best. Why not use an ORM, like Doctrine2 or a lightweight one like Zend_Db? – Eddie Jaoude May 13 '13 at 05:29
  • If you _can_ avoid `mysql_`, do so. It's been deprecated already. – John Dvorak May 13 '13 at 05:30
  • *Will these functions protect me from XSS and SQL injections?* That's two different contexts, and should be treated differently. There is no magic bullet (well, at least not one which won't mangle your text in some fashion). – alex May 13 '13 at 05:30
  • The data sanitize process should be for a particular output, not all at once. That means: you should create 2 particular functions: one against SQL injection, another against XSS. – zerkms May 13 '13 at 05:30
  • At a glance Purifier doesn't seem to mention anything against SQL protection. – Eddie Jaoude May 13 '13 at 05:31
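As an added example (not code from the question or any answer), here is the same INSERT written with a mysqli prepared statement, with HTML escaping applied separately at output time, so each context gets its own treatment. It assumes placeholder database credentials and takes the table, column and request variable names from the question.

```php
<?php
// Added example: the question's INSERT with a mysqli prepared statement,
// plus HTML-context escaping applied only when the text is rendered.
session_start();

function insertStatus(mysqli $db, string $pid, string $text): bool
{
    // The SQL text contains only placeholders; the values are sent
    // separately, so a quote inside $text cannot end the string literal.
    $stmt = $db->prepare("INSERT INTO statusups (pid, text) VALUES (?, ?)");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("ss", $pid, $text); // two string parameters
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function renderStatus(string $text): string
{
    // Escaping for the HTML body context, done at output time rather
    // than on input, so the stored text stays as the user typed it.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Placeholder credentials; replace with your own connection settings.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// Same request data as in the question.
$text = trim($_POST['appendedInputButton'] ?? '');
insertStatus($db, (string) $_SESSION['sess_id'], $text);

// Output: the escaping belongs here, not in the database write.
echo '<p>' . renderStatus($text) . '</p>';
```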

3 Answers

1

No, it won’t. HTML and SQL are totally different languages and you can’t use a single magic function to process them both. Additionally, it depends on the actual context into which the data is inserted.

As for the SQL Injection, a simple ' will not get properly escaped by HTMLpurifier, which suffices to break out from the SQL string literal.

Regarding the Cross-Site Scripting, HTMLpurifier may protect you depending on the actual context.

Gumbo
  • Thank you for your response. Seems like I'll have to dig into these issues and learn a few things! – Magnus May 13 '13 at 05:54
0

No. This solution will not protect you against anything.

I think Purifier is to prevent XSS only, by passing your output (that is, what you are going to echo out) through it. But what you are doing now is only passing your input through it.

And there is no SQL injection protection at all here.

If you are using the deprecated mysql_query() function, you will need to do $_POST['appendedInputButton'] = mysql_real_escape_string($_POST['appendedInputButton']); to protect against SQL injections.

nl-x
-2

A cross site scripting attack allows an attacker to execute code hosted on another server on your webpage. I would say that stripping the tags and running it through the purifier are a good start as long as you aren't whitelisting the that way an attacker can't link or embed code using inline JavaScript.

I would look at a good framework like CodeIgniter which would handle much of the XSS and SQL injection automatically.

Remember that while it may seem like a lot of code, you should be able to write some type of function (or use an existing framework) that will make future projects faster to code and more secure.

To answer your question, it's a good start for XSS but an attacker may still be able to insert an SQL injection as the plugin you are using does not specifically mention anti-SQL injection.

user2353007
  • Check out this post. Might want to use mysql_real_escape_string() – user2353007 May 13 '13 at 05:39
  • http://stackoverflow.com/questions/14939148/how-to-clean-post-and-get-vars-in-php-for-xss-and-sql-injection?rq=1 – user2353007 May 13 '13 at 05:39
  • Thank you for your answer! I've quickly looked into CodeIgniter and I can't find that it protects from SQL injections anywhere. Is this done behind the scenes or what? – Magnus May 13 '13 at 05:52
  • It is done behind the scenes. Have a look at this section to learn how to construct SQL queries: http://ellislab.com/codeigniter/user-guide/database/active_record.html – user2353007 May 13 '13 at 06:02
  • Aquillo - that's fair. I was not aware that it was deprecated as I am using a framework. Thanks for the tip. – user2353007 May 13 '13 at 06:04