Tags: php, security, mysqli, xss, sql-injection

Issue about XSS Attack and SQL Injection


I'm new to web security. After spending time reading some blogs and community sites like SO, I have found some techniques to be safe from XSS Attack and SQL Injection. But the problem is, most of those security related questions are very old. So, my question is:

Does my following code have any major security holes that can be bypassed by an amateur or mid-level attacker (hacker)?

Is there anything else I can do to be safe from attack? By the way, I'm using HTMLPurifier to be safe from XSS Attack.

PHP

<?php
require_once '/path/to/HTMLPurifier.auto.php';

// Database connection (as root with an empty password, as in the original).
$connect_dude = mysqli_connect('localhost', 'root', '', 'user');

// HTMLPurifier with its default configuration.
$config   = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

if (isset($_POST["sub"])) {
    $name  = $_POST["namex"];
    $email = $_POST["email"];
    $ques  = $_POST["ques"];

    // Every field is run through HTMLPurifier before it is stored.
    $clean_name  = $purifier->purify($name);
    $clean_email = $purifier->purify($email);
    $clean_ques  = $purifier->purify($ques);

    // Prepared statement: the values are bound as parameters, not concatenated into the SQL.
    $stmt = mysqli_stmt_init($connect_dude);
    if (mysqli_stmt_prepare($stmt, 'INSERT INTO question (name,email,question) VALUES(?,?,?)')) {
        mysqli_stmt_bind_param($stmt, "sss", $clean_name, $clean_email, $clean_ques);
        mysqli_stmt_execute($stmt);
    }
}

HTML FORM

<div id="form">
  <form id="sub_form" action="ask.php" method="post" enctype="multipart/form-data">
     <p id="nam" class="indi">Name</p><input type="text" id="namex" name="namex" placeholder="Your Name" required><br>
     <p id="ema" class="indi">Email</p><input type="text" id="email" name="email" placeholder="Email" required><br>
     <p id="que" class="indi">Question</p><textarea id="ques" name="ques" placeholder="Question" required></textarea><br>
     <input type="submit" id="sub" name="sub" value="Send">
  </form>
</div>

Solution

The SQL stuff is fine, parameterised queries are the best-practice approach to prevent SQL injection.

The approach to XSS is... a bit weird.

HTMLPurifier is of use where you want to allow the user to input limited HTML markup. That can be reasonable for formattable freetext fields (like I'm guessing ques is) if you can't be bothered to go as far as providing your own custom mini-markup language like Markdown.

But do you really want the user to be able to input markup for all fields, including their name and e-mail address? Should I be able to have the name “Edward Boing Jr”? Are users going to have to enter &amp; every time they want to use an ampersand?

A better approach is usually to accept plain text as it is, and then HTML-escape it at the point you insert it into an HTML page (e.g. with <?php echo htmlspecialchars($value); ?>) so that the exact string entered by the user appears in the page. The fields where you deliberately allow markup (and so use HTMLPurifier instead of htmlspecialchars) are typically very much exceptional cases.

Note that if you are injecting into other contexts you need different escaping functions: for example if you are injecting into a JavaScript string in a <script> block then you need JS-string escaping and neither htmlspecialchars nor HTMLPurifier will help you with that.
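The output-side approach the answer describes, as an added example that is not part of the original question or answer: the fields are stored as plain text through the same kind of prepared statement the question already uses, each value is escaped at render time for the context it lands in (element text, attribute, JavaScript string literal), and HTMLPurifier is applied only to the one field that deliberately accepts markup. It assumes the `question` table from the question and an HTMLPurifier install at the same placeholder path the original code uses; `store_question`, `esc_html`, `esc_js`, `purify_question` and `render_question` are names chosen for this example, and the sample row is constructed, not real data.

```php
<?php
// Added example (not the original poster's code). Store plain text, escape at
// output per context, and purify only the markup field. Assumes the `question`
// table from the question and HTMLPurifier at the original placeholder path.
require_once '/path/to/HTMLPurifier.auto.php';

// Storage: the raw text goes in unchanged. The prepared statement keeps it out
// of the SQL grammar; no HTML processing happens at this stage.
function store_question(mysqli $db, string $name, string $email, string $question): bool
{
    $stmt = $db->prepare('INSERT INTO question (name, email, question) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $email, $question);
    return $stmt->execute();
}

// Context 1: text inside an HTML element or a double-quoted attribute.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// rather than making htmlspecialchars return an empty string.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: a value embedded as a string literal inside a <script> block.
// json_encode quotes it, and the JSON_HEX_* flags turn < > & ' " into \uXXXX
// so a value containing "</script>" cannot close the script element.
function esc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Context 3: the one field that deliberately accepts markup. Purify at render
// time with an explicit allow-list instead of the library's default element set.
function purify_question(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

// Render one stored row, picking the escaper by the context each value lands in.
function render_question(array $row): string
{
    return '<article class="question" data-email="' . esc_html($row['email']) . '">' . "\n"
         . '  <h2>' . esc_html($row['name']) . '</h2>' . "\n"
         . '  <div class="body">' . purify_question($row['question']) . '</div>' . "\n"
         . '  <script>var askedBy = ' . esc_js($row['name']) . ';</script>' . "\n"
         . '</article>';
}

// Constructed sample row (not real data), shaped the way an attacker would
// submit it; this is what the table holds after store_question() ran on it.
$sample = [
    'name'     => 'Ed "Boing" Jr </script><script>alert(1)</script>',
    'email'    => 'x@example.com" onmouseover="alert(2)',
    'question' => '<p>Hello <b>there</b> &amp; co</p><img src=x onerror=alert(3)>',
];

echo render_question($sample), "\n";
```

With this split the name and e-mail are never altered before storage, so a user really can be called “Edward Boing Jr” with whatever characters they typed; the escaping only decides how those bytes are written into the page. The same stored name is rendered twice, once through `esc_html` for the heading and once through `esc_js` for the script literal, which is the point of the answer's last paragraph: the context, not the field, chooses the escaper. The `HTML.Allowed` list is an assumption for this example; tighten or widen it to whatever markup the question field is meant to accept.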