I want to make sure rogue users can't damage my site or database by inserting code in my input fields.
What kind of code should I use to test it?
I know there are html tags like iframe but I don't know what to put inside to test it.
Thanks.
HTML
I think using htmlspecialchars(doc) (It's a function in PHP but other language may has similar function) or using other markup system(?)s like phpBB and MediaWiki would be work. Using HTML tags by black/whitelisting tags can work but it's quite dangerous - a cracker would harm your site by XSSing.
For example, you may think that only allowing p, br, img, font, a is OK (BTW, it's not good to use font when one can use CSS), but XSS can be done by input <img src="asdf" onerror="alert('hi')"/> or <a href="javascript:alert('hi')">.
SQL
You should aware of SQLi - injecting SQL commands.
An example of SQLi is :
A way to avoid being SQLi'd in PHP is using mysql_real_escape_string(doc).
You could read about SQL Injections
Insert special characters, especially ', ?, ", $, ;, , and \. If your site doesn't fail on those, you're on the right track.
But the best is to use queries with parameters. You just pass the string as a parameter and the database takes care of escaping the characters for you. You can hardly make a mistake if you do that.
It really depends on the architecture and user interaction with your site.
SQL injection into user entered fields is a typical attack on systems that use databases for user logins etc. Hence restrictions on characters entered into user fields and screening them before use.
"About your son ..."
"Oh Little Billy !drop tables ?"
Related
I have many pages (posts) in a WP site with legacy short code that needs to be removed and cannot accomplish what I need using WordPress find/replace plug-ins - so I'm turning to MySQL queries.
The shortcodes to be removed all follow the same pattern: "[nivo... (variable content) .../nivo]
I need to remove the entire nivo shortcode and ONLY the nivo shortcode because other shortcodes exist on some pages.
I found something very close to what I think I need, and modified the obvious parameters for this particular application as follows...
UPDATE `post_content`
REPLACE(txt, SUBSTRING(txt, LOCATE('[nivo', txt), LENGTH(txt) - LOCATE('nivo]', REVERSE(txt)) - LOCATE('nivo]', txt) + 10), '')
WHERE txt LIKE '%(%)%'
That ^^^ is accepted in the SQL query window (no stop signs) but returns a #1064 error when executed.
Ideally I would like to TEST this first on a specific post ID just to be sure it's really catching everything but I couldn't figure out how to write that into the query.
I know VERY little about MySQL (I'm a designer) but I have DB backups ready for rollback just in case.
Help would be greatly appreciated.
The key is that you want to use a plugin or tool that allows you to use regex (regular expressions). I have used this Php tool, you just put it in your public_html and then access the path via a web browser: https://interconnectit.com/search-and-replace-for-wordpress-databases/
Just use a little regex in the Php tool or find a find and replace plugin that allows you to use regex. It would look something like this:
\[nivo.*?/nivo\]
\ means escaping a character, since the bracket has a special meaning in regex.
. means any character
* means any number of characters
? means 0 or more
.*? together means anything or nothing
For reference (and probably a better answer):
PHP - Remove Shortcodes and Content in between with Regex Pattern
I'm working on a WordPress-based project and I need to batch edit the posts from the database.
At the moment I have cells, where the content is Text <pre> Text\r\nText\r\nText </pre>
What I need to do is find all the \r\n strings and replace them with \r\n\r\n. So far I have this:
UPDATE `table_name`
SET `field_name` = replace(field_name, '\r\n', '\r\n\r\n\')
The issue is, there is also \r\n\ text outside the <pre> tags, which I don't want to affect. That's why I need to do something like find (start: '<pre>' end: '</pre>') before calling the replace. I just have no idea how to do this in MySQL.
When web searching, I found some stuff about regex but I have no idea how that works.
MySQL doesn't have the regexp replace functionality. I'd say you have two options - either create an user defined function that will do this kind of replacement, or, if you can't / don't know how to, you have to use a script/program written in a different language. It may be e.g. a PHP script that will connect to the db and do the desired replacement. Another way would be to dump the table containing your posts to a file, use sed or something similar and import the data once again.
Using sed would probably take less time than PHP and the syntax is fairly easy to learn.
Whatever you choose remember it's always a good idea to make a backup before.
So I have been developing a little system in which, at a point, the user can type in some HTML into ckeditor, that HTML is then stored in a database (it's kind of a microCMS).
The problem is When using Mysqli, It inserts escape characters before and after " and ' in order to stop injection, logically, which breaks loads of HTML code.
for example
becomes
or somthing close to that, which breaks the code
Is there a way i can disable the injection prevention, or input it into the database another way ? Or mabi replace the /" when it is being taken from the database ?
Thanks
-jman6495
EDIT :
I have resolved the problem
I replaced the /" by " using the php str_replace function.
here's the code :
$pagecontent = str_replace('\"','"',$pagecontent);
echo $pagecontent;
thanks anyway
-jman6495
If you're seeing these characters when you fetch data back out you're somehow double-escaping the content. Check that you're only escaping it once, and doing it with the placeholder and not mysql_real_escape_string. You haven't fixed the problem. You've un-done the damage of a serious bug.
The purpose of SQL escaping is to insert the data correctly and reliably. For instance, O'Reilly should be O''Reilly for MySQL. The actual content in the database should be O'Reilly regardless of quoting.
I have a database of phrases that users will search for from their own input. I want them to find the phrase regardless of what punctuation they use. For example if the phrase, "Hey, how are you?" is in the row, I want all of the following searches to return it:
"Hey! How are you?!"
"Hey how are you?"
"Hey :) How are you?"
Right now, I have the columns 'phrase' and 'phrase_search'. Phrase search is a stripped down version of phrase so our example would be 'hey-how-are-you'.
Is there anyway to achieve this without storing the phrase twice?
Thank you!
-Nicky
What you've done is probably the most time-efficient way of doing it. Yes, it requires double the space, but is that an issue?
If it is an issue, a possible solution would be to convert your search string to use wildcards (eg. %Hey%how%are%you%) and then filter the SQL results in your code by applying the same stripping function to the database input and the search string and comparing them. The rationale behind this is that there should be relatively few matches with non-punctuation characters in-between the words, so you're still getting MySQL to do the "heavy lifting" while your PHP/Perl/Python/whatever code can do a more fine-grained check on a relatively small number of rows.
(This assumes that you have some code calling this, rather than a user typing the SQL query from the command line, of course.)
What is the best function to run my strings through to ensure that MySQL injection is impossible?
Also, will it require running it through another function on the way out to make it display correctly?
See also
Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL with in clause
Can I protect against SQL Injection by escaping single-quote and
surrounding user input with
single-quotes?
Parameterized Queries
A parameter function.
Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.
As Chad says, always use parameterized queries to avoid SQL injection.
To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.
Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.
In PHP the best way is to use HTML escaping on strings.
It turns special characters into HTML compliant characters.
Example: " " (space) transforms into "%20".