Universal protection against xss attacks and sql injections

It so happened that for the past year I have had to deal with technical support for hosting, as well as support for sites to which I have only an indirect relationship. Administrators quite often face all kinds of attacks on their sites without being able to hire a specialist, so it occurred to me to come up with a single, universal solution for all sites that would help them protect a site without much effort. There are still many drawbacks and nuances that I have not yet managed to resolve, but at the moment this is the only solution I know of that secures a site from the inside, without plug-ins and modules that have to be installed from the outside, and which even an inexperienced website developer can install and configure. The essence of the solution is to process the data passed by GET, POST and/or COOKIE before it is processed and written to the database.

In this article I will give examples of how this method is used and describe its disadvantages.

Here is the code itself:

```php
<?php
// List of JavaScript event names and related words that will be cut out of every value.
$jsxss = "onabort,oncanplay,oncanplaythrough,ondurationchange,onemptied,onended,onerror,onloadeddata,onloadedmetadata,onloadstart,onpause,onplay,onplaying,onprogress,onratechange,onseeked,onseeking,onstalled,onsuspend,ontimeupdate,onvolumechange,onwaiting,oncopy,oncut,onpaste,ondrag,ondragend,ondragenter,ondragleave,ondragover,ondragstart,ondrop,onblur,onfocus,onfocusin,onfocusout,onchange,oninput,oninvalid,onreset,onsearch,onselect,onsubmit,onabort,onbeforeunload,onerror,onhashchange,onload,onpageshow,onpagehide,onresize,onscroll,onunload,onkeydown,onkeypress,onkeyup,altKey,ctrlKey,shiftKey,metaKey,key,keyCode,which,charCode,location,onclick,ondblclick,oncontextmenu,onmouseover,onmouseenter,onmouseout,onmouseleave,onmouseup,onmousemove,onwheel,altKey,ctrlKey,shiftKey,metaKey,button,buttons,which,clientX,clientY,detail,relatedTarget,screenX,screenY,deltaX,deltaY,deltaZ,deltaMode,animationstart,animationend,animationiteration,animationName,elapsedTime,propertyName,elapsedTime,transitionend,onerror,onmessage,onopen,ononline,onoffline,onstorage,onshow,ontoggle,onpopstate,ontouchstart,ontouchmove,ontouchend,ontouchcancel,persisted,javascript";
$jsxss = explode(",", $jsxss);

foreach ($_GET as $k => $v) {
    if (is_array($v)) {
        // One level of nesting: apply the same steps to each element of the array
        // (note that this branch has no mysql_real_escape_string call, unlike the scalar branch below).
        foreach ($v as $Kk => $Vv) {
            $Vv = preg_replace("'<script[^>]*?>.*?</script>'si", "", $Vv);
            $Vv = str_replace($jsxss, "", $Vv);
            $Vv = str_replace(array("*", "\\"), "", $Vv);
            $Vv = strip_tags($Vv);
            $Vv = htmlentities($Vv, ENT_QUOTES, "UTF-8");
            $Vv = htmlspecialchars($Vv, ENT_QUOTES);
            $_GET[$k][$Kk] = $Vv;
        }
    } else {
        // Remove <script> blocks (XSS).
        $v = preg_replace("'<script[^>]*?>.*?</script>'si", "", $v);
        // Remove JavaScript event names that can be used for XSS.
        $v = str_replace($jsxss, "", $v);
        // Remove characters considered dangerous for SQL.
        $v = str_replace(array("*", "\\"), "", $v);
        // Escape the value for SQL (needs an open mysql connection; the function no longer exists in PHP 7).
        $v = mysql_real_escape_string($v);
        // Strip all HTML tags.
        $v = strip_tags($v);
        // Convert what is left to HTML entities.
        $v = htmlentities($v, ENT_QUOTES, "UTF-8");
        $v = htmlspecialchars($v, ENT_QUOTES);
        // Write the cleaned value back into $_GET.
        $_GET[$k] = $v;
    }
}
```

The above example only handles GET requests, so the loop has to be repeated for at least POST and COOKIE. Unfortunately, I was not able to put this solution into a recursive function and pass it all of the arrays $_GET, $_POST and $_COOKIE at once. The most important thing I could not achieve was a recursive traversal of multidimensional arrays of this kind, which is related to how data is passed inside a function and to the limited use of variable variables.

1) $v = preg_replace("'<script[^>]*?>.*?</script>'si", "", $v);

Here we remove clearly unnecessary JavaScript code. This function may turn out to be superfluous if you deliberately allow the code itself to be submitted, not for execution but for reading, for example on forums.

2) $v = str_replace($jsxss, "", $v);

This function is similar to the first; in this case we cut out the events that can be used for XSS attacks. You could modify this solution slightly to cut out not only the event itself but also the content that is being attached to it, but I have not yet seen the need for it.

3) $v = str_replace(array("*", "\\"), "", $v);

These harmful characters, especially the backslash, can let your SQL be hacked. Since the character itself is used quite rarely and its potential danger is quite large, I decided to nip it in the bud.

4) $v = mysql_real_escape_string($v);

Using this function can cause unnecessary escaping of characters, because it is most likely already used when the data is written to the database; on the other hand, it will help protect you from SQL injection and protect your data like nothing else. When using it, you must call the function after connecting to the database. Also remember that mysql_real_escape_string is not available in PHP 7, and the use of such functions depends on the connection method: for example, when connecting to the database through mysqli, you may need to use mysqli_real_escape_string instead.

5) $v = strip_tags($v);

strip_tags removes all unnecessary tags, and unfortunately the necessary ones too. In the second parameter you can specify the tags you want to keep. The trouble is that there are so many necessary tags that listing them is quite problematic, and worse, there are also tags that site developers add themselves to implement certain functions on the site. Of course, it would be much more convenient to specify the tags that should be removed rather than the ones to keep, but we have to be content with what we have. Regular expressions can also be used for such tasks.

6) $v = htmlentities($v, ENT_QUOTES, "UTF-8");

7) $v = htmlspecialchars($v, ENT_QUOTES);

I think these two functions need no introduction; one is similar to the other, so it is enough to use one of them. Nevertheless, they are far from always appropriate.
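The following is an added example, not code from the post: it implements the recursive walk over $_GET, $_POST and $_COOKIE that the post says it could not get working, using the post's own filtering steps, and then runs a constructed request through it to show what step 2 (the word blacklist) does to ordinary text. The function names filterValue and filterRecursive are my own, and the short $jsxss list is a constructed subset of the post's list.

```php
<?php
// Added example (not from the post): recursive version of the post's filter,
// applied to all three superglobals at once, plus a constructed request that
// shows the side effect of the word blacklist on ordinary text.
declare(strict_types=1);

// The post's steps 1, 2, 3, 5 and 7. Step 4 (mysql_real_escape_string) is left out:
// it needs an open mysql connection and no longer exists in PHP 7.
function filterValue(string $v, array $jsxss): string
{
    $v = preg_replace("'<script[^>]*?>.*?</script>'si", "", $v);
    $v = str_replace($jsxss, "", $v);        // case-sensitive substring removal, in list order
    $v = str_replace(["*", "\\"], "", $v);
    $v = strip_tags($v);
    return htmlspecialchars($v, ENT_QUOTES, "UTF-8");
}

// Walk arrays of any depth in place; only string values are touched.
function filterRecursive(array &$data, array $jsxss): void
{
    foreach ($data as &$v) {
        if (is_array($v)) {
            filterRecursive($v, $jsxss);
        } elseif (is_string($v)) {
            $v = filterValue($v, $jsxss);
        }
    }
    unset($v); // drop the reference that foreach-by-reference leaves behind
}

// Constructed subset of the post's $jsxss list, enough to show the effect.
$jsxss = explode(",", "onclick,onload,onerror,key,which,location,button,javascript");

// Constructed request data; on a real page these are the real superglobals.
$_POST = ['profile' => ['bio'  => 'Ask which key opens the location of the button.',
                        'tags' => ['2*3', 'C:\\temp', '<b>bold</b>']]];

// Superglobals can be passed by reference, so one function serves all three.
filterRecursive($_GET, $jsxss);
filterRecursive($_POST, $jsxss);
filterRecursive($_COOKIE, $jsxss);

// Every nested value has been reached, including the third level under 'tags'.
print_r($_POST);
```

Run from the CLI, the nested tags lose their asterisk, backslash and tags as the post intends, but the bio line also loses the words "which", "key", "location" and "button", because str_replace matches each list entry as a bare substring anywhere in the text. That is the cost of step 2 on any site that accepts free text.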

At the moment, that's all I managed to collect. If someone has something to supplement this article with, I will only be glad;)

PS For those who want a solution and suggest using PDO, template engines, various server modules and so on: I in no way deny that this solution has its drawbacks, that in places it will distort the output and may even affect functionality, which is why I wrote at the beginning of the post that the solution has its drawbacks.

This post is not for programmers; it is for site administrators who lack the knowledge and experience to change the code from the inside, and for those who do not want to, or cannot, pay to have their sites reworked. This often happens when a developer builds websites cheaply on some inexpensive, and often completely free, CMS.

To prevent this, you need to develop your sites on a reliable and trusted CMS with high-quality technical support. The most suitable and functional CMS for such projects is Bitrix. When you order hosting and a Bitrix license from us at https: // wazzup . we are ready to configure and install the store for free.

Also note that we have a special offer when buying a Bitrix license: up to 6 months of hosting free.

Our clients choose Bitrix because it is the largest site management system in the Russian Federation, with a huge technical support organization and powerful functionality. The reliability of Bitrix is determined not only by time but also by the constant, qualified technical support of its programmers, in contrast to free and inexpensive CMSs, whose development and support are handled by a constantly changing set of enthusiasts without much experience.

Source: https://habr.com/ru/post/470193/
