1

I'm building an MVC application for managing a creative portfolio (going to put it on GitHub). I need something to secure the DB connections; basically I have one class to manage ALL DB transactions.

I need to either create a class or find a class that can protect all SQL queries from XSS or SQL attacks. What suggestions do you have for securing PHP database connections?

Snow_Mac

2 Answers

3

Using PDO's prepared statements to access databases makes queries immune to injection. http://us2.php.net/manual/en/pdo.prepare.php

Using htmlspecialchars() makes output immune to XSS. http://us2.php.net/manual/en/function.htmlspecialchars.php

dqhendricks
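To show the two points of this answer together, here is an added example (not code from the question or either answer) of a small PDO-backed class for the portfolio app: every user value is a bound parameter, the one thing that cannot be bound (a column name) is picked from a fixed map, and escaping happens at output time. Table and column names, the DSN and credentials are assumptions.

```php
<?php
// Added example, not code from the question or either answer; table and column names are assumed.
final class PortfolioDb
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: values never enter SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** User text travels as a bound parameter; a quote or semicolon in $search is just data. */
    public function findByTitle(string $search): array
    {
        $stmt = $this->pdo->prepare(
            'SELECT id, title, description FROM works WHERE title LIKE :q ORDER BY id'
        );
        $stmt->execute([':q' => '%' . $search . '%']);
        return $stmt->fetchAll();
    }

    /** Identifiers (column names) cannot be bound, so the sort column is chosen from a fixed map. */
    public function listSorted(string $sortKey): array
    {
        $columns = ['title' => 'title', 'created' => 'created_at'];
        $column  = $columns[$sortKey] ?? 'created_at';
        return $this->pdo->query("SELECT id, title FROM works ORDER BY $column")->fetchAll();
    }

    public function addWork(string $title, string $description): int
    {
        $stmt = $this->pdo->prepare('INSERT INTO works (title, description) VALUES (:title, :description)');
        $stmt->execute([':title' => $title, ':description' => $description]);
        return (int) $this->pdo->lastInsertId();
    }
}

/** Escape at output time for an HTML body/attribute context; the database keeps the raw text. */
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage (DSN and credentials are placeholders):
// $db = new PortfolioDb('mysql:host=localhost;dbname=portfolio;charset=utf8mb4', 'dbuser', 'secret');
// foreach ($db->findByTitle($_GET['q'] ?? '') as $row) { echo '<li>' . e($row['title']) . '</li>'; }
```

Note that the raw text is stored and only escaped when rendered, so the same value can later be emitted safely into JSON or a plain-text e-mail with the escaping appropriate to that context.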
-1

Just try to filter your POST/GET requests with this function:

function protect($string)
{
    // add slashes only if magic_quotes_gpc has not already done so
    // (ini_get() returns "" or "0" when it is off, never the word 'off')
    if (!get_magic_quotes_gpc()) {
        $string = addslashes($string);
    }
    // convert HTML special characters in the input to entities
    $string = htmlentities($string, ENT_QUOTES);
    // remove the most commonly abused words and characters
    $codes = array("script", "java", "applet", "iframe", "meta", "object", "html", "<", ">", ";", "'", "%");
    $string = str_replace($codes, "", $string);
    // return the cleaned string
    return $string;
}

You can easily apply it to the whole input using the array_map function:

// pass the superglobal arrays themselves, not the strings '$_POST' / '$_GET'
$input = array_map('protect', $_POST);
$input = array_map('protect', $_GET);
Marco
  • @Snow_Mac the method mentioned above is insecure as well as does things that are completely unnecessary. first, the addslashes() function will not prevent SQL injection. You need to use what is specific to your database type such as mysql_real_escape_string(). second, your string replace is going to mess up all of your htmlentities... for instance htmlentities() will turn ' into the html entity `&#039;` (which will appear as a ' in the browser), but after you strip all of the ; out of the string, the html entity will just look like `&#039` in your browser, because it won't be an html entity anymore – dqhendricks Jul 06 '11 at 17:48
  • @Snow_Mac and since htmlentities() already converts ', <, and > into html entities, why would you then attempt to strip them out of your string after you already got rid of them? this sanitation function makes no sense at all. – dqhendricks Jul 06 '11 at 17:50