
Can someone help me add htmlspecialchars to prevent XSS in this code:

<?php
    if(isset($_POST['update'])) {
        $ts=$_POST['ts'];
        $user=$_POST['user'];

        mysql_query("UPDATE users SET block_newfriends='". mysql_real_escape_string($ts). "'  WHERE username='" .mysql_real_escape_string($user) . "'");
        echo '<div class="rounded-container">';
        echo '<div class="rounded-green rounded-done">';
        echo '<b>reload</b><br>';
        echo '</div>';
        echo '</div>';
    }
?>

I don't know where to put them; it should be in the POST function, right?

Icarus
IbraDigga
  • XSS prevention action usually happens on info output not input. But, if you want to make sure those two post values don't have html chars when input to the database you can pass them through htmlspecialchars. – MarkSkayff Jan 17 '17 at 23:08
  • yeah I wanna do that Mark, but do you know HOW I can add them in my script? I'm not sure where to place them. – IbraDigga Jan 17 '17 at 23:08
  • $ts = htmlspecialchars($_POST['ts']); and the same for the user var. – MarkSkayff Jan 17 '17 at 23:09
  • Preventing XSS attacks: http://stackoverflow.com/q/30280370/2298301. Also, `mysql_` functions are prone to SQL injection; to prevent it you should consider using [PDO](https://phpdelusions.net/pdo) – Dhruv Saxena Jan 17 '17 at 23:12
  • Thanks Mark, I have changed both variables. Do I need to add more? – IbraDigga Jan 17 '17 at 23:13

2 Answers


Replace the $ts and $user lines with:

    $ts=htmlspecialchars($_POST['ts']);
    $user=htmlspecialchars($_POST['user']);

Then leave the query alone; it will then use mysql_real_escape_string() on the htmlspecialchars-stripped value.

Patrick Murphy
  • Thank you Patrick, I have replaced both lines. Should I do/add more in this script or is it enough? – IbraDigga Jan 17 '17 at 23:12
  • This is BAD advice. You'll be html-escaping the values you put into the database. Then, when you get it back out of the database, you're unsure of whether your screen output (echo) function needs to escape it or not. Always keep the "raw" value in memory, and convert when you output / insert into the database etc., and then you won't get confused. – Robbie Jan 17 '17 at 23:18

You need to make it safe using different functions depending on what you want to do:

When you output to HTML, make it "html-safe" by wrapping in htmlspecialchars.

    echo 'Writing to browser ' . htmlspecialchars($_POST['t']);

When you output to SQL, make it "sql-safe" by escaping it for sql (see note below).

    $sql = 'UPDATE table SET field="' . mysql_escape_string($_POST['t']) . '"';

When you output to a URL, make it "url-safe" by escaping it for urls.

    $link = 'http://example.com?value=' . urlencode($_POST['t']);

Similar rules apply for JSON encoding, outputting to XML etc.


Note on MySQL: you are correct to escape it, but you are using functions that no longer exist in PHP (you are therefore using an old version of PHP). Check mysqli or PDO in the manual and use those functions instead.

Robbie
  • thanks Robbie, I know it's an old one but my current host uses an old version, I will update very soon! I changed both variables, do you think that will be enough? – IbraDigga Jan 17 '17 at 23:17
  • mysqli and PDO have been around for 10 years+; even "old" versions of PHP on any host should have them. They won't, in a year or two, have mysql(). So convert now to save you learning an invalid class. – Robbie Jan 17 '17 at 23:23
  • Also see my comment to Patrick's answer: if you html-escape and then insert into database, you may lose track of what values have been escaped and what haven't. So keep "raw" values in hand and escape/convert when outputting/inserting into the database; then you follow a simple rule of ALWAYS escaping for output and not need to do it selectively. It'll also make the transition easier when you use a template engine a little down the line. – Robbie Jan 17 '17 at 23:23
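Putting Robbie's "escape for the output context" rule together with the PDO suggestion, as an added example that is not code from the question or either answer: the question's update rewritten so the SQL context is handled by a prepared statement and htmlspecialchars()/urlencode() are applied only where the value is written to HTML or a URL. The `users` table and its `username` and `block_newfriends` columns come from the question; the DSN, credentials and `profile.php` link are assumed placeholders.

```php
<?php
// Added example (not from the question or answers). Assumes a PDO connection
// to a MySQL database with the question's `users` table.
declare(strict_types=1);

// HTML context: escape only at the point of output, never before storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// SQL context: bind parameters so the driver keeps data separate from the
// query text; no string escaping of $ts or $user is needed here.
function updateBlockNewFriends(PDO $db, string $user, string $ts): int
{
    $stmt = $db->prepare(
        'UPDATE users SET block_newfriends = :ts WHERE username = :user'
    );
    $stmt->execute([':ts' => $ts, ':user' => $user]);
    return $stmt->rowCount();
}

if (isset($_POST['update'], $_POST['ts'], $_POST['user'])) {
    // Keep the raw values in hand; do not htmlspecialchars() them here.
    $ts   = (string) $_POST['ts'];
    $user = (string) $_POST['user'];

    // Placeholder DSN and credentials (assumed); replace with the real ones.
    $db = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    $updated = updateBlockNewFriends($db, $user, $ts);

    // HTML context: the raw username is escaped here, at output time.
    echo '<div class="rounded-container"><div class="rounded-green rounded-done">';
    echo '<b>Updated ' . $updated . ' row(s) for ' . h($user) . '</b><br>';
    // URL context inside an HTML attribute: urlencode() for the query string,
    // then htmlspecialchars() because the result sits in an attribute value.
    echo '<a href="profile.php?user=' . h(urlencode($user)) . '">reload</a>';
    echo '</div></div>';
}
```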