-6

One of my websites has recently come under attack, and the attack is ongoing. A JavaScript script is being inserted into the MySQL database somehow.

I am using the following:

$unsafe_variable = addslashes(htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['user_input'])))); 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

However, the hacker is still able to insert a "script" tag. I have no idea how. I have a word filter and blacklisted the word "script", which gets blocked when I post a test to the site. How is he/she able to get it through?

[Screenshot: the database entry containing the inserted script tag]

The above is a screenshot of the entry into the database. Anyone have any ideas on how I can prevent this?

Jonathan Leffler
Guage
  • All four functions aren't "protection mechanisms". They convert data. How that data makes it into your database is relevant. Please post *that* code instead, so we can help. – Linus Kleen Mar 21 '16 at 21:44
  • There really isn't enough information to go on here. How are the functions you've specified applied and in what order? It's possible if they are in the wrong order then your protection is self-defeating. – Chris Mar 21 '16 at 21:45
  • 5
    Don't fix the *input*. Fix the *output*. Use `htmlspecialchars` where that field is displayed to your users. – ceejayoz Mar 21 '16 at 21:45
  • Some idea of the ways in which they are able to insert data and what you're doing to it would help rather than a random list of functions. – Jonathan Mar 21 '16 at 21:49
  • Adding SQL injection protection is **NOT** going to help, unless the attack vector is done via SQL injection. You need to figure out how/where this extra JS code is getting added to your site. – Marc B Mar 21 '16 at 21:53
  • 4
    **WARNING**: If you're just learning PHP, please, do not learn the obsolete [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It's awful and has been removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) helps explain best practices. Make **sure** your user parameters are [properly escaped](http://bobby-tables.com/php) or you will end up with severe [SQL injection bugs](http://bobby-tables.com/). – tadman Mar 21 '16 at 22:06
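One way to do what the comments above recommend (tadman's pointer to PDO and ceejayoz's "fix the output, not the input"), as an added example that is not the asker's code: the value is stored unchanged through a prepared statement, and `htmlspecialchars` is applied only where the value is placed into HTML. It assumes PHP with the `pdo_sqlite` extension and uses an in-memory SQLite database so it runs offline; with MySQL only the DSN and credentials in `openDb()` would change. The table and column names are made up for the example.

```php
<?php
// Added example (not the question's code): keep stored data raw, escape on output.
// Assumption: pdo_sqlite is available; the DSN is the only MySQL-specific part.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the driver bind parameters itself instead of splicing them into SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');
    return $pdo;
}

// Store the text exactly as submitted. The value never becomes part of the SQL
// string, so quotes, backslashes and angle brackets cannot alter the query.
// No addslashes / strip_tags / htmlspecialchars here: those belong to output contexts.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// Escape at the point of output, for the HTML element-content context the value
// lands in. ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample input resembling the stored script tag in the question.
$submitted = "hello <script>alert('x')</script> O'Brien \\ done";

$pdo    = openDb();
$id     = storeComment($pdo, $submitted);
$stored = loadComment($pdo, $id);

// The database holds the raw text, byte for byte...
var_dump($stored === $submitted);
// ...and the page receives entity-encoded text, so no <script> element is created.
echo renderComment($stored), PHP_EOL;
```

Run with `php example.php`: the `var_dump` shows the stored value is identical to the submitted one, and the rendered line shows the angle brackets and quotes as entities rather than markup. Note that the escaping function has to match the output context: `htmlspecialchars` is correct for HTML text and attribute values, but a value placed inside a JavaScript block or a URL needs a different encoder.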

1 Answer

3

For a start, JavaScript is code that a user can actually edit using DOM tools (like Inspect Element) and should never be used as a security mechanism for databases.

You should first start to research prepared statements in PDO if you're using untrusted user input; the bind parameter in the PDO interface automatically strips the HTML content out of the input.

You can also look at the preg_replace function inside of PHP. This can be used to do more unique and to-the-point strips and allows functionality like BB Code.

There are plenty of resources on Stack Overflow which cover the security issues raised in this question and certainly solve each layer of attack.

Source 1
Source 2

Also note, the attack you're specifying is an XSS attack used to inject malicious JavaScript code. If you want to allow this code, never directly insert it into a global page (i.e. comments that multiple users can see). Only allow the single user to view the code they put in. Otherwise, view the above sources for further information.

Jaquarh
  • You need to mention [`htmlspecialchars`](http://php.net/manual/en/function.htmlspecialchars.php) which is used to escape user content for HTML display. It should be used everywhere **any** user data is displayed. – tadman Mar 21 '16 at 22:05
  • By all means edit it in if you think it should be added; I'd have hoped those sources contained such information on it though. Nice addition however @tadman – Jaquarh Mar 21 '16 at 22:23
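The answer mentions `preg_replace` as a way to support BB Code. An added example (not the answerer's code) of doing that without reopening the XSS hole: escape everything with `htmlspecialchars` first, then convert a small whitelist of BB tags into HTML whose only user-controlled parts are element contents. Links get a stricter rule so only a plain `http(s)` URL made of a conservative character set can reach the `href` attribute. The tag set and sample strings are constructed for the example.

```php
<?php
// Added example (not the answer's code): whitelist BB Code on top of escaped text.
declare(strict_types=1);

function renderBbCode(string $input): string
{
    // Step 1: neutralise all HTML. After this, the only '<' characters in the
    // string are the ones the whitelist below adds itself.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: tags whose replacement puts user text only into element content,
    // never into an attribute. Unknown [tags] stay visible as literal text.
    $patterns = [
        '/\[b\](.*?)\[\/b\]/s'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'       => '<em>$1</em>',
        '/\[code\](.*?)\[\/code\]/s' => '<code>$1</code>',
    ];
    $html = preg_replace(array_keys($patterns), array_values($patterns), $safe);
    if ($html === null) {
        return $safe; // regex engine error: fall back to the plain escaped text
    }

    // Step 3: links. Only http(s) URLs from a restricted character set are accepted,
    // and the URL doubles as the visible text. Because the input was escaped first,
    // '&' inside a URL appears as '&amp;', which is valid inside an href; the class
    // therefore allows ';' but not quotes, spaces or angle brackets, so the value
    // cannot break out of the attribute and no javascript: scheme can match.
    $linked = preg_replace_callback(
        '/\[url\](https?:\/\/[A-Za-z0-9.\-_\/?=&;#%~:]+)\[\/url\]/',
        static fn(array $m): string =>
            '<a href="' . $m[1] . '" rel="nofollow noopener">' . $m[1] . '</a>',
        $html
    );

    return $linked ?? $html;
}

// Constructed sample inputs: ordinary markup, a stray HTML tag, a valid link,
// and a link with a scheme the whitelist does not accept.
$samples = [
    'Plain [b]bold[/b] and [i]italic[/i] text',
    'Attempted tag: <script>alert(1)</script> [code]x < y[/code]',
    '[url]https://example.com/page?a=1&b=2[/url]',
    '[url]javascript:alert(1)[/url]',
];
foreach ($samples as $s) {
    echo renderBbCode($s), PHP_EOL;
}
```

The order matters: escaping after the BB conversion would encode the generated `<strong>` tags, while converting without escaping would let a literal `<script>` through untouched. In the output, the second sample shows the script tag as entity-encoded text and the fourth sample is left as its literal `[url]…[/url]` text because the pattern did not match.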