
I just opened my site for public beta, and I have been amazed at what people try and do to hack your site.

They are using illegal characters; I had one just now trying to import an XSS script via their username, etc.

How do I stop them from using those on sign-up? Here is my form.

<?php
if (!isset($_POST['submitted'])) {
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="language" content="en">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Add server - Rs-List</title>
<meta name="description" content="Register your server and get ranked by votes on the top rsps list.">
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link href="style.css" rel="stylesheet">
<link href='http://fonts.googleapis.com/css?family=Oswald:300,400,700|Open+Sans:400,700,300' rel='stylesheet' type='text/css'>
<!--[if lt IE 9]>
    <script src="/js/ie.js"></script>
<![endif]-->
<script src="/js/rslist.js"></script>
</head>
<body class="wow">
<div class="all-servers">
<div class="row">
<div class="col-md-3">
<div class="text-center">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".top-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="side-bar-wrapper collapse navbar-collapse top-collapse">
<?php include 'nav.php'?>

</div>
</div>
<div class="col-md-9">
<div class="content-wrapper">
<div class="content-inner">
<div class="page-header">
<h1>Add Runescape Private Server</h1>
</div>
<div class="main-content">
<div class="row">
<div class="col-md-12">
<div class="widget">
<script src="/js/1up.js"></script>
<script language="JavaScript" type="text/javascript">
function checkform ( form )
{

  if (form.url.value.length < 5) {
    alert( "URL is empty or too short. Must start with http://" );
    form.url.focus();
    return false ;
  }

  if (form.banner.value.length < 5) {
    alert( "Banner URL is empty or too short. Must start with http:// and end with .png, .gif, .jpg" );
    form.banner.focus();
    return false ;
  }

  // The title input is named "name"; form.title would read the form element's
  // own title attribute, so look the input up by its name instead.
  if (form.elements['name'].value.length < 4) {
    alert( "Title empty or too short. Must be minimum 4 characters long." );
    form.elements['name'].focus();
    return false ;
  }

  if (form.description.value.length < 10) {
    alert( "Description is empty or too short. Use minimum 10 characters long." );
    form.description.focus();
    return false ;
  }
  if (form.description.value.length > 200) {
    alert( "Description must not contain more than 200 characters" );
    form.description.focus();
    return false ;
  }

  return true ;
}

</script>
<script type="text/javascript">
$(document).ready(function(){
  $('#title_size').maxlength( {maxCharacters: 45, status: true, showAlert: false, alertText:"You have reached the 45 characters limit for title", slider: true } );
  $('#description_size').maxlength( {maxCharacters: 200, status: true, showAlert: true, alertText:"You have reached the 200 characters limit for short description", slider: true } );  
});

</script>
<form action="" method="post" name="join_form" class="form-horizontal" role="form" enctype="multipart/form-data" onSubmit="return checkform(this);">
<div class="form-group ">
<label for="join_email" class="col-md-1 control-label"><span class="required">*</span>Server Title</label>
<div class="col-md-5">
  <input name="name" value="<?php if (isset($_POST['name'])) echo $_POST['name']; ?>" class="form-control" placeholder="Example Scape" required>
</div>
</div>
<div class="form-group ">
<label for="join_password" class="col-md-1 control-label"><span class="required">*</span>Website URL</label>
<div class="col-md-5">
<input name="url" value="<?php if (isset($_POST['url'])) echo $_POST['url']; ?>" class="form-control" placeholder="http://yourdomain.com" required>
</div>
</div>
<div class="form-group ">
<label for="join_url" class="col-md-1 control-label"><span class="required">*</span>Banner URL</label>
<div class="col-md-5">
<input name="banner" value="<?php if (isset($_POST['banner'])) echo $_POST['banner']; ?>" class="form-control" type="text" placeholder="http://example.com/example.png" required>
</div>
</div>
<div class="form-group ">
<label for="join_title" class="col-md-1 control-label"></label>
<div class="col-md-5"></div>
</div>
<div class="form-group ">
<label for="join_description" class="col-md-1 control-label"><span class="required">*</span>Description</label>
<div class="col-md-5">
<textarea cols="50" rows="5" name="description" id="description_size" class="form-control" placeholder="Short description, rates, features, etc..." required><?php if(isset($_POST['description'])) echo $_POST['description']; ?></textarea>
</div>
</div>
<input type="submit" name="submit" value="Add" />
<input type="hidden" name="submitted" value="TRUE" />
</form>
<br>
<span class="required">*</span><i>Required fields</i>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<center><?php
}
else {

// MySQL connect
require_once('mysql_connect.php');

if (empty($_POST['name'])) {
print '<font color="red">Please add the name of the server</font><br />';
$n = FALSE;
} else {
$name = $_POST['name'];
$query = "SELECT id, name FROM websites WHERE name = '$name'";
$result = mysql_query($query) OR die(mysql_error());
$num = mysql_num_rows($result);

if ($num > 0) {
$n = FALSE;
print '<font color="red">There is a server with this name ! Please pick another one.</font><br />';
} else {
$n = mysql_real_escape_string($_POST['name']);
}
}

if (empty($_POST['url'])) {
print '<font color="red">Please add a link to your website.</font><br />';
$u = FALSE;
} else {
$u = mysql_real_escape_string($_POST['url']);
}

if (empty($_POST['banner'])) {
print '<font color="red">Please add a banner for your server</font><br />';
$b = FALSE;
} else {
$b = mysql_real_escape_string($_POST['banner']);
}

if (empty($_POST['description'])) {
print '<font color="red">Please add a description for your server.</font><br />';
$d = FALSE;
} else {
$d = mysql_real_escape_string($_POST['description']);
}

if ($n && $u && $b && $d) {
// NOTE: $p is never assigned anywhere in this script, so SHA('') is what gets stored.
$query = "INSERT INTO websites (name, url, banner, description, date, password) VALUES ('$n', '$u', '$b', '$d', now(), SHA('$p'))";
$result = mysql_query($query) or die(mysql_error());

if ($result) {
print '<h3>Your server has been successfully added.</h3>
<p>Your server was added. Please copy the vote link below to gain votes for your server.</p>';

$query = "SELECT id, name FROM websites WHERE name = '$n'";
$result = mysql_query($query) OR die(mysql_error());
$row = mysql_fetch_array($result, MYSQL_ASSOC);
?>
<div align="center"></div>
<?php

} else {
print 'There is an error with adding your website !';
}
} else {
print '<font color="red"><a href="add-site.php">Back.</a>';
}
}

?><h4>Html code</h4>
<input name="code" type="text" value="&lt;a href=&quot;http://rs-list.com/vote.php?id=<?php echo $row['id']; ?>&quot;&gt;Vote for us !&lt;/a&gt;" size="50" maxlength="100"><br>
<h4>Direct Link</h4>
<input name="code" type="text" value="http://rs-list.com/vote.php?id=<?php echo $row['id']; ?>" size="50" maxlength="100"></center>
<script src="js/up.js"></script>
</body>
</html>
KIXEYE

1 Answer


I guess I have two answers for you. For the form-validation proper, you can actually use pure html now. Check out https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Forms/Data_form_validation.

I see that you are using parameterised SQL, which is good, not using parameterised SQL, which is super-dangerous (as per the comments on the question); if you don't fix that, people can hack your site for fun pretty easily, and bypass any client-side validation you wish to add.

For the XSS part, you can simply make sure you HTML-encode everything you spit out from the database. As @Strawberry said, it is well-discussed. I usually use a framework for this kind of stuff, so you could look at something like CakePHP, etc.

One more thing - SHA1 is not generally thought of as a 'good thing' now, because it is relatively easy to crack in the event of a DB breach (especially in the way you are using it). See http://adambard.com/blog/3-wrong-ways-to-store-a-password/. Consider using something like bcrypt or scrypt

Jon Bates
  • The example code is *not* using "parameterised SQL", it's incorporating values into the SQL text, using the deprecated `mysql` interface. And, there's a **SQL injection vulnerability** with `$name` variable. – spencer7593 Jun 07 '15 at 00:11
  • Gah! thanks @spencer7593 ! I am primarily a c# dev, and I just saw the $ signs and thought 'all is well'. Serves me right for trying to think at 1am haha – Jon Bates Jun 07 '15 at 10:41
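The three fixes the answer and comments ask for (server-side validation, bound SQL parameters instead of string-built queries, HTML encoding on output, plus a real password hash instead of SHA), applied to the insert path of the form above. This is an added example, not code from the question, the answer or the site; it assumes a PDO connection `$pdo` and a hypothetical `password` form field, since the original INSERT hashes a `$p` that is never set.

```php
<?php
// Added example, not code from the question or the answer. Assumes $pdo is a
// PDO connection (ERRMODE_EXCEPTION) and a hypothetical "password" form field,
// since the original INSERT hashes a $p that is never set.

function validate_server(array $post): array
{
    $errors = [];
    $name   = trim($post['name'] ?? '');
    $url    = trim($post['url'] ?? '');
    $banner = trim($post['banner'] ?? '');
    $desc   = trim($post['description'] ?? '');
    // Same rules as the client-side checkform(), enforced on the server
    // because a client can skip the JavaScript entirely.
    if (mb_strlen($name) < 4 || mb_strlen($name) > 45) {
        $errors[] = 'Server title must be 4 to 45 characters.';
    }
    if (!preg_match('#^https?://#i', $url) || !filter_var($url, FILTER_VALIDATE_URL)) {
        $errors[] = 'Website URL must start with http:// or https://.';
    }
    if (!filter_var($banner, FILTER_VALIDATE_URL) || !preg_match('/\.(png|gif|jpe?g)$/i', $banner)) {
        $errors[] = 'Banner URL must end in .png, .gif or .jpg.';
    }
    if (mb_strlen($desc) < 10 || mb_strlen($desc) > 200) {
        $errors[] = 'Description must be 10 to 200 characters.';
    }
    return $errors;
}

function add_server(PDO $pdo, array $post): int
{
    // Bound parameters: values never become part of the SQL text, so a quote
    // in the name cannot change the query (the $name hole noted in the comments).
    $check = $pdo->prepare('SELECT id FROM websites WHERE name = ?');
    $check->execute([$post['name']]);
    if ($check->fetchColumn() !== false) {
        throw new RuntimeException('There is a server with this name.');
    }
    $ins = $pdo->prepare('INSERT INTO websites (name, url, banner, description, date, password)
                          VALUES (?, ?, ?, ?, NOW(), ?)');
    $ins->execute([$post['name'], $post['url'], $post['banner'], $post['description'],
                   password_hash($post['password'], PASSWORD_DEFAULT)]); // bcrypt, salted
    return (int) $pdo->lastInsertId();
}

// Encode on output, not on input: stored text stays intact and a name
// containing <script> is rendered as text rather than executed.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
// e.g. echo '<input name="name" value="' . h($_POST['name'] ?? '') . '">';
```

Run `validate_server($_POST)` first and only call `add_server()` when it returns an empty array; every value echoed back into the page, including the `$_POST` repopulation in the form's `value` attributes, should go through `h()`.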