
So I'm a noob to PHP and I am trying to secure my URL parameters that use PHP to gain unique pages, and currently they are open to cross-site scripting, and I wondered how I could fix this?

    <?php
    if ($result = $link->query("SELECT league_name, role, start_date,
                                       end_date, joincode, active
                                  FROM leagues
                                 WHERE unique_id='$unique_id'", MYSQLI_USE_RESULT))
        while ($row = $result->fetch_assoc()) { ?>
          <tbody>
            <tr>
              <td scope="row" data-label="League Name"><a class="action" href="leagueinfo.php?league_name=<?php echo $row['league_name']; ?>&joincode=<?php echo $row['joincode']; ?>"><?php echo $row['league_name'] ?></a></td>
            </tr>
        <?php } $result->close(); ?>
          </tbody>
        </table>

    <?php mysqli_close($link); ?>

So I need to find a way to make sure this doesn't happen:

Script has been entered into url

Phoebe
  • Use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky May 11 '18 at 14:57
  • Note, your edit doesn't show an example of SQL injection, it shows an example of cross-site scripting. – Alex Howansky May 11 '18 at 14:59
  • Ah, got them mixed up, working on both haha – Phoebe May 11 '18 at 15:01
  • Note, you *also* have SQL injection issues in this code. :) – Alex Howansky May 11 '18 at 15:02
  • `urlencode($row['league_name'])` – MonkeyZeus May 11 '18 at 15:04
  • Would be also nice to see /leagueinfo.php as that seems to be the source of most of your XSS issues (PHP code which accepts the GET parameters `league_name` and `joincode`). – Cillian Collins May 14 '18 at 07:13

2 Answers


You can use PDO; prepared statements provide a good way of protection against SQL injection:

1. Prepare your query with empty values as placeholders.
2. Bind values to the placeholders.
3. Execute your query.

    // PDO: here $link is a PDO connection, not the mysqli object from the question
    $stmt = $link->prepare("SELECT league_name, role, start_date, end_date, joincode, active FROM leagues WHERE unique_id=:id");
    $stmt->bindParam(':id', $unique_id); // the user-supplied value is sent separately and never becomes part of the SQL text
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Azhwani

There are a few different values that need to be encoded:

  • $unique_id should be escaped for MySQL, or the query should be parameterized instead. (See prepared statements.)

  • league_name and joincode inside the URL should be URL-encoded, which also happens to remove HTML special characters. (See rawurlencode)

  • league_name in the anchor text should be HTML-encoded (see htmlspecialchars).

fgb
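Putting the three encodings from this answer together in the question's snippet, as an added example (not the asker's code and not fgb's): it assumes `$link` is a mysqli connection as in the question, that `$unique_id` arrives from user input, and that the table is rendered as in the original page.

```php
<?php
// Added example: the question's listing hardened per the answer above.
// Assumes $link is an existing mysqli connection and $unique_id is user input.

// 1. SQL context: parameterize instead of interpolating $unique_id into the query.
$stmt = $link->prepare(
    "SELECT league_name, role, start_date, end_date, joincode, active
       FROM leagues
      WHERE unique_id = ?"
);
$stmt->bind_param('s', $unique_id);   // 's' = string; the value never enters the SQL text
$stmt->execute();
$result = $stmt->get_result();        // requires mysqlnd, which current PHP builds include

// 2. HTML text/attribute context: escape &, <, >, " and ' (ENT_QUOTES).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Query-string context: percent-encode each value (RFC 3986 = rawurlencode),
//    then HTML-escape the whole URL because it is placed inside an href attribute.
function link_to_league(string $leagueName, string $joinCode): string {
    $url = 'leagueinfo.php?' . http_build_query([
        'league_name' => $leagueName,
        'joincode'    => $joinCode,
    ], '', '&', PHP_QUERY_RFC3986);
    return h($url);
}
?>
<table>
  <tbody>
  <?php while ($row = $result->fetch_assoc()): ?>
    <tr>
      <td scope="row" data-label="League Name">
        <a class="action" href="<?= link_to_league($row['league_name'], $row['joincode']) ?>">
          <?= h($row['league_name']) ?>
        </a>
      </td>
    </tr>
  <?php endwhile; ?>
  </tbody>
</table>
<?php
$stmt->close();
$link->close();
```

Each value is encoded for exactly the context it lands in; a league name such as `<script>` becomes `%3Cscript%3E` in the link and `&lt;script&gt;` in the anchor text, and leagueinfo.php must apply the same rules to the parameters it receives.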