Bound paramters and strip_tags

Square1

Hi all:

I think I know the answer, but just need a little reassurance on this.

If I am running a query using bound parameters there is no need to run a variable through strip_tags, right? This is for SQL injection prevention, BTW.

Thanks!

Derokorian

Use strip tags to prevent XSS, or Cross-site Scripting, it does nothing for SQL injection.

Prepared statements with bound parameters tell the DB here is the query with spots for data, and then here is the data separately. It (I believe) does everything you need to prevent injection.

Square1

Derokorian;10995594 wrote:
Use strip tags to prevent XSS, or Cross-site Scripting, it does nothing for SQL injection.

Prepared statements with bound parameters tell the DB here is the query with spots for data, and then here is the data separately. It (I believe) does everything you need to prevent injection.

Thank you. From what I read strip_tags are far from 100% effective in preventing XXS. htmlentities as well aren't 100%. Has anyone used HTML Purifier?

laserlight

Derokorian wrote:
Prepared statements with bound parameters tell the DB here is the query with spots for data, and then here is the data separately. It (I believe) does everything you need to prevent injection.

I agree.

Square1 wrote:
From what I read strip_tags are far from 100% effective in preventing XXS. htmlentities as well aren't 100%.

When used correctly, and assuming no bugs in their implementation, they will be 100% effective in preventing cross site scripting to the extent that they are used. A major problem with strip_tags though is that it is destructive to the data.

Square1

laserlight;10995607 wrote:
I agree.

When used correctly, and assuming no bugs in their implementation, they will be 100% effective in preventing cross site scripting to the extent that they are used. A major problem with strip_tags though is that it is destructive to the data.

What is the best solution for XXS? Is using htmlentities and no strip_tags secure? HTML PURIFIER is spoken of highly but it sounds like it slows things down a lot. When I Google this different folks have come up with different home-made functions. Right now I have strip tags running on my inputs.

Derokorian

You shouldn't call any functions that modify the data for storage, instead you should call htmlentities and/or strip_tags when you retrieve and output the data.

laserlight

Square1 wrote:
What is the best solution for XXS?

It depends on your requirements. Maybe the "best solution for XXS" is to not use the Web for what you are trying to do.

By the way, the abbreviation is usually XSS, not XXS.

Square1 wrote:
Is using htmlentities and no strip_tags secure?

Yes.

Square1 wrote:
HTML PURIFIER is spoken of highly but it sounds like it slows things down a lot.

In exchange for features that may or may not be useful to you. (Disclaimer: I don't really know if there is any truth to "slows things down a lot", but certainly there is some cost attached with respect to performance.)

Square1

laserlight;10995614 wrote:
It depends on your requirements. Maybe the "best solution for XXS" is to not use the Web for what you are trying to do.

LOL! Yes. At times I fell like I should have stayed in accounting

laserlight;10995614 wrote:
By the way, the abbreviation is usually XSS, not XXS.

Thanks. Just sloppy typing

It sounds like the best options are to change my strip_tags to htmlentities or consider HTML PURIFIER

Square1

The more I am getting into this the more confused I am getting 😕

If an input is solely going to a SQL query with bound parameters does it need strip tags? Meaning, is XSS a concern in this case?
Right now I have my database inputs set up with strip tags. So if I insert a new record into the DB such as Jack O'Reilly it is entered as Jack O/'Reilly.
Why isn't just removing the word "script" from any input sufficient?

laserlight

Square1 wrote:
1. If an input is solely going to a SQL query with bound parameters does it need strip tags? Meaning, is XSS a concern in this case?

No, XSS is not a concern at that point.

Square1 wrote:
2. Right now I have my database inputs set up with strip tags. So if I insert a new record into the DB such as Jack O'Reilly it is entered as Jack O/'Reilly.

I am not sure what to make of this because the fact that you are using strip_tags has nothing to do with "Jack O'Reilly" becoming "Jack O/'Reilly" (or more likely, "Jack O\'Reilly").

Square1 wrote:
3. Why isn't just removing the word "script" from any input sufficient?

If vbulletin did that, you would effectively have posted:

3. Why isn't just removing the word "" from any input sufficient?

Square1

laserlight;10995676 wrote:
I am not sure what to make of this because the fact that you are using strip_tags has nothing to do with "Jack O'Reilly" becoming "Jack O/'Reilly" (or more likely, "Jack O\'Reilly").
:

Geesh...OK, I thought this had to do with strip_tags or htmlentities but I removed both and it is still happening. I am using PHP 5.3.8. Magic quotes are off by default. The only thing I am doing is running the POST through a SQL INSERT using binding parameters.

laserlight

Square1 wrote:
Magic quotes are off by default.

Check that both magic_quotes_gpc and magic_quotes_runtime and turned off.

Square1

laserlight;10995680 wrote:
Check that both magic_quotes_gpc and magic_quotes_runtime and turned off.

Yes, both are off by default

Square1

Actually by default they were NOT off! I corrected it and it is now working.

So moving ahead, if I do not need strip_tags or htmlentities for data being input into SQL with bound parameters, I would think I would need them for all other input. Is that correct?

Derokorian

I will re-iterate:

strip-tags and htmlentities do NOTHING to prevent SQL injection. This is NOT their function. They alter the data run through them (or at least have the ability to alter it).

Derokorian;10995611 wrote:
You shouldn't call any functions that modify the data for storage, instead you should call htmlentities and/or strip_tags when you retrieve and output the data.

Square1

Thank you. So to beat a dead horse, all data that is displayed as a result of queries as well as any data coming in from user input needs to cleansed with htmlentities.

NogDog

Square1;10995693 wrote:
Thank you. So to beat a dead horse, all data that is displayed as a result of queries as well as any data coming in from user input needs to cleansed with htmlentities.

Ultimately, there is no single, correct, all-inclusive answer to that, other than, "It depends." For instance, if you are creating a blog app that is designed to accept HTML marked up text for the actual article text, then you probably would not want to apply striptags() or htmlentities() to it when outputting it to the browser.

A decent general rule is to apply htmlentities() to text being output to a browser when that text is not expected/allowed to contain HTML mark-up of any kind.

Square1

There is no input on my site should need HTML text.

Does this code hold water:

	function sanitize($str) 
{
    $pattern[0] = '/script/';
    $pattern[1] = '/on/';
    $replacement[0] = 'scr<b></b>ipt';
    $replacement[1] = 'o<b></b>n';
	$str = htmlentities($str);
    $string = preg_replace($pattern,$replacement,$str);
    return $string;
}

bradgrafelman

No, it doesn't, for (relatively obvious) reasons that have already been stated...

Square1;10995674 wrote:
3. Why isn't just removing the word "script" from any input sufficient?

laserlight;10995676 wrote:
If vbulletin did that, you would effectively have posted:

3. Why isn't just removing the word "" from any input sufficient?

Square1

bradgrafelman;10995710 wrote:
No, it doesn't, for (relatively obvious) reasons that have already been stated...

But this doesn't remove script. It just adds <b></b> inside of it having no effect on how it is viewed.

I got this script from http://www.webhostingtalk.com/showthread.php?t=682647