

javascript injection


5 replies to this topic

#1 Chris.

    Young Padawan

  • Members
  • 129 posts
  • Gender:Male

Posted 19 July 2007 - 11:32 PM

Does anyone have a function that I can use to protect form Javascript injection? Or can anyone tell me a way to protect form Javascript injection? Thanks

#2 Mr. Matt

    Moderator

  • P2L Staff
  • 1,945 posts
  • Gender:Not Telling

Posted 20 July 2007 - 01:33 AM

Well for one you want to be using htmlspecialchars() or strip_tags() on your input to stop people from injecting javascript into your website :D

#3 dotbart

    Young Padawan

  • Members
  • 141 posts
  • Gender:Male
  • Location:Diepenbeek
  • Interests:Webdesign, Webdevelopment, DJ, ...

Posted 20 July 2007 - 04:35 AM

If you're worrying about people injecting cookies,
just double check the cookies in PHP when reloading the page.

e.g: Login script

Don't store a value in your cookies such as Logged_in = true.
This would be too easy to inject. You want to store a unique SessionId in the cookie as well as in your database.
You can then compare these with each other; also try to store IP addresses and browser information.
This way you can be (nearly) sure your script isn't messed with.

If you're asking for a JS function which completely avoids any injection, I can't help you :D



B

EDIT: this might help you http://www.testingsecurity.com/how-to-test...cript-Injection

Edited by dotbart, 20 July 2007 - 04:36 AM.


#4 Demonslay

    P2L Jedi

  • Members
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 20 July 2007 - 06:58 PM

This function (technically two, but you only use one) works just fine for this.

<?php
// Strip HTML Function: removes script blocks, style blocks, tags and comments
function strip_html($data){
	$search = array('@<script[^>]*?>.*?</script>@si', // Strip Javascript
					'@<style[^>]*?>.*?</style>@si',   // Strip Style Tags (the 'U' modifier in the original made .*? greedy, eating everything between two <style> blocks)
					'@<[\/\!]*?[^<>]*?>@si',		  // Strip HTML tags
					'@<![\s\S]*?--[ \t\n\r]*>@'		  // Strip Multi-line Comments (CDATA)
	);
	return preg_replace($search, '', $data);
}

// Clean User Data Function: strip tags, entity-encode what is left, trim whitespace
function cleandata($data){
	return trim(htmlspecialchars(strip_html($data)));
}


#5 Chris.

    Young Padawan

  • Members
  • 129 posts
  • Gender:Male

Posted 21 July 2007 - 12:53 AM

Thanks Demonslay, that is exactly what I was looking for.

But, could I do something like this to put my sql injection cleaning function in with it?

<?php
// Strip HTML Function: removes script blocks, style blocks, tags and comments
function strip_html($data){
	$search = array('@<script[^>]*?>.*?</script>@si', // Strip Javascript
					'@<style[^>]*?>.*?</style>@si',   // Strip Style Tags (the 'U' modifier in the original made .*? greedy, eating everything between two <style> blocks)
					'@<[\/\!]*?[^<>]*?>@si',		  // Strip HTML tags
					'@<![\s\S]*?--[ \t\n\r]*>@'		  // Strip Multi-line Comments (CDATA)
	);
	return preg_replace($search, '', $data);
}

// SQL cleaning function: requires an open mysql_* connection for mysql_real_escape_string()
function CheckString($string)
{
	if(is_array($string))
	{
		// Arrays are cleaned element by element through Clean()
		return array_map("Clean", $string);
	}
	else
	{
		// Undo magic_quotes so the value is not escaped twice
		if(get_magic_quotes_gpc())
		{
			$string = stripslashes($string);
		}
		if($string == '')
		{
			$string = 'NULL';
		}
		return mysql_real_escape_string($string);
	}
}
// Clean User Data Function: strip tags, escape for SQL, then entity-encode and trim
function Clean($data){
	return trim(htmlspecialchars(CheckString(strip_html($data))));
}

Edited by Chris., 21 July 2007 - 12:56 AM.


#6 Demonslay

    P2L Jedi

  • Members
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 21 July 2007 - 08:53 PM

Ya, absolutely no problem with that. I personally would keep the two separate, as not all the time are you cleaning user input for SQL. I would actually have CleanString() call Clean instead of the other way around.

And instead of having the recursive array_map() call Clean() on each member of an array, have it call CleanString(), as otherwise you might run into some problems using double htmlspecialchars() on the same string, and may end up with something like '&amp;amp;' instead of a simple '&amp;'.
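One way to put the advice above into practice (encode once per context, and keep HTML cleaning apart from SQL handling), written here as an added example rather than code from the thread; it assumes PHP 8 and a hypothetical PDO connection `$pdo` that is not created in the snippet:

```php
<?php
// Added example, not code from the thread: escape once, at output time, per context.
// The thread's Clean() runs htmlspecialchars() on input and its array branch re-enters
// Clean() for every element, which is how "&" can come back as "&amp;amp;".
// Assumes PHP 8.0+ (union types, str_contains); $pdo is a hypothetical PDO handle.
declare(strict_types=1);

// HTML context: entity-encode exactly once, when the value is rendered into a page.
function html_out(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Recursive cleaner in the thread's style, but each leaf is encoded a single time.
function clean_for_html(array|string $data): array|string {
    if (is_array($data)) {
        return array_map('clean_for_html', $data);
    }
    return html_out(trim($data));
}

// SQL context is handled separately: bind the raw value, never entity-encode or
// hand-escape it for the database.
function insert_comment(PDO $pdo, string $rawComment): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $rawComment]);
}

// Constructed input: one value with an ampersand, one with a script tag.
$input = ['name' => 'Tom & Jerry', 'msg' => "<script>alert('x')</script> <b>hi</b>"];
$cleaned = clean_for_html($input);

if ($cleaned['name'] !== 'Tom &amp; Jerry') {
    throw new RuntimeException('expected a single round of encoding');
}
if (str_contains($cleaned['msg'], '<script>')) {
    throw new RuntimeException('script tag survived encoding');
}
// Encoding an already-encoded value reproduces the problem the reply describes.
if (html_out($cleaned['name']) !== 'Tom &amp;amp; Jerry') {
    throw new RuntimeException('unexpected double-encoding result');
}
echo "HTML encoding applied once per value; SQL parameters left to PDO binding.\n";
```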




