PHP Script to prevent Mail Exploits, SQL Injection and Cross Site Scripting


spicypixel

This is a little function that I wrote to pre-validate POSTed data in PHP. Check the submitted data with the function prior to POSTing or updating your SQL DB.
Code:

<?php
// .----------------------------------------.
// | Prevent XSS Hacks & SQL Injection      |
// '----------------------------------------'
function scrub($EXPLOIT, $SQL) {

    // Convert the input from UTF-8 to ISO-8859-1
    // (iconv returns false and raises a notice on malformed UTF-8 input)
    $EXPLOIT = iconv("UTF-8", "ISO-8859-1", $EXPLOIT);

    // Pre-scrub with htmlentities, encoding both single and double quotes
    $EXPLOIT = htmlentities($EXPLOIT, ENT_QUOTES);

    // Change TEXTAREA "\r\n" to a placeholder to keep line breaks from being escaped
    $EXPLOIT = str_replace("\r\n", "#KEEP_LINE_BREAK#", $EXPLOIT);

    // Exploit prevention code
    if ($SQL == true) {
        // Needs an open ext/mysql connection; removed in PHP 7 (use mysqli/PDO there)
        $scrubbed = mysql_real_escape_string($EXPLOIT);
        // Strip quotes, brackets, separators and angle brackets
        // (ereg_replace was removed in PHP 7; use preg_replace there)
        $scrubbed = ereg_replace("[\'\")(;|`,?<>]", "", $scrubbed);
    } else {
        $scrubbed = ereg_replace("[\'\")(;|`,?<>]", "", $EXPLOIT);
    }

    // Change TEXTAREA "#KEEP_LINE_BREAK#" to a safe "<br />"
    $scrubbed = str_replace("#KEEP_LINE_BREAK#", "<br />", $scrubbed);

    // Mail check for exploit: turn any remaining \n or \r into "<br />"
    $scrubbed = preg_replace("(\n|\r)", "<br />", $scrubbed);

    // Return value
    return $scrubbed;
}
?>

Happy PHP'ing ;)
http://www.spicypixel.net | http://www.facebook.com/SpicyPixel.NET

Comps Owned - ZX.81, ZX.48K, ZX.128K+2, Vic20, C64, Atari-ST, A500.600.1200, PC, Apple Mini-Mac.

Slydog

Nice function!

Is this to prevent situations like the following?:    :D
http://xkcd.com/327/
My current project (WIP) :: TwistedMaze <<  [Updated: 2015-11-25]

Kitty Hello

Where might this be a problem in my site?

spicypixel

Quote from: Kitty Hello on 2011-May-25
Where might this be a problem in my site?

As regards the glbasic.com site, it may be useful to pre-validate any of the inputs in the contact form and the fields where you can submit a program or change your email address in the control panel section.

If, for example, an email is entered with a message (especially if a copy of the message is sent to the sender), the email address entered can be appended with a list of email addresses by using the newline and carriage return (most likely in hexadecimal). The UTF8 will prevent hexadecimal entries. And the function removes any \n or \r commands. So your contact form cannot be used as an open mail relay by pre-validating with this script.

Also it prevents SQL injection, so any fields which are submitted and then stored to your DB will also be validated. Where you allow the upload of an image or application you can always do some PHP checks yourself to limit file size and image size, which are worth doing too.

I use this function on any submitted form data, better to be safe than sorry =)

Moru

GLBasic isn't using a database for the homepage at the moment, only the boards. If you want real safety you should not depend on custom-made code, just use prepared statements :-)
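As an added example (not spicypixel's function above, nor any code from glbasic.com), here is a contact-form handler that takes Moru's advice: it rejects an e-mail field containing CR or LF instead of trying to strip characters, stores the message with a PDO prepared statement, and escapes only on output. The `messages(email, body)` table, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example: a contact-form handler covering the risks discussed in this thread.
// Assumes a `messages(email, body)` table; DSN and credentials below are placeholders.

// 1. Mail header injection: an address containing CR or LF would let a sender
//    append extra headers such as Bcc:. Reject such input rather than scrubbing it.
function validEmail(string $email): ?string {
    if (preg_match('/[\r\n]/', $email)) {
        return null;                           // header injection attempt, reject outright
    }
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// 2. SQL injection: bind values with a prepared statement instead of stripping
//    quotes and brackets, which also keeps legitimate text like "O'Brien" intact.
function storeMessage(PDO $db, string $email, string $body): void {
    $stmt = $db->prepare('INSERT INTO messages (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $body]);
}

// 3. XSS: escape when rendering, not on input, so the database holds the real text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$email = validEmail($_POST['email'] ?? '');
$body  = trim($_POST['message'] ?? '');
if ($email === null || $body === '') {
    http_response_code(400);
    exit('Invalid e-mail address or empty message.');
}

$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
storeMessage($db, $email, $body);

// The recipient is fixed; the validated address only appears as Reply-To, and
// line breaks in the body are harmless because the body is not a header.
mail('webmaster@example.com', 'Contact form', $body, "Reply-To: $email\r\n");

echo 'Thanks, ' . h($email) . '. Your message was stored.';
```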

spicypixel

Quote from: Moru on 2011-May-25
GLBasic isn't using a database for the homepage at the moment, only the boards. If you want real safety you should not depend on custom-made code, just use prepared statements :-)

I don't understand?

Kitty Hello

What part?
GLBasic is not using a database. I store all contents of the main site in .ini files. Silly me, I know.

For stability I should not use code that anyone can enter, but text that is static somewhere. I guess.