guestbook script


solidgold
08-09-2007, 08:09 AM
hey!
look at what i made! - http://photography.aesthetic-design.co.uk/cms/view.php

i'm hoping to develop it further and allow people to download it for free, what do you think?

Solidgold

ellisgl
08-09-2007, 08:22 AM
Purty..

Taschen
08-09-2007, 08:41 AM
You need to do some serious cleaning routines on user input. Your presentation may be cute but if you are intending to offer this for download you will also have to think of security!

Taschen
08-09-2007, 08:42 AM
You weren't spammed; someone tried a cross-site scripting attack (XSS exploit) which worked!

solidgold
08-09-2007, 08:43 AM
yeah true, i think it was just spammed - i had to delete all the comments, i'm just working on a captcha script

solidgold
08-09-2007, 08:44 AM
ps. i'm glad you think the presentation is cute! haha

solidgold
08-09-2007, 08:45 AM
what is it? how do i stop it happening again?

Taschen
08-09-2007, 08:51 AM
If you don't mind me demonstrating on your site I can show you what XSS is.

Mitigating against an XSS or MySQL attack is relatively straightforward and centres around taking the POST or GET arrays and stripping out anything bad.

solidgold
08-09-2007, 08:54 AM
if its not going to mess up the site then ok

Taschen
08-09-2007, 08:55 AM
You will need to delete the entry but I won't touch the data base. If that's OK please say.

solidgold
08-09-2007, 08:58 AM
urm, ok

solidgold
08-09-2007, 08:59 AM
ok, now what?

Taschen
08-09-2007, 09:04 AM
The first bit of code I injected didn't work. Basically I tried to use an image tag to display a javascript alert.

The second bit of code uses a variety of escaped and unescaped characters and character encoding to inject some javascript onto your page. (Basically what I saw a few minutes ago).

If you look at the code you will see "alert(String.fromCharCode(88,83,83))". Obviously 88 is character encoding for X while 83 is S.

I could go on running a range of exploits but you probably get what XSS is now. The injection of code into a page using remote site scripting possibilities is a major concern for all developers. Therefore protecting against the exploitation of JS tags, image tags etc is important.

solidgold
08-09-2007, 09:05 AM
how can i protect them?

Taschen
08-09-2007, 09:09 AM
The basic routine when accepting user input is:
1st clean any input
2nd process input

A very simple script is

function scrubber($in){
    $bad = array('(', ')', '<', '>'); // We don't want these symbols at all
    $good = array('', '', '~', '~'); // Replace the bad with the "good" - either nothing or a tilde
    $html_ent_done = array(); // Start with an empty result array
    foreach($in as $key => $val){
        //Keys are as vulnerable as values
        $K = htmlentities(str_replace($bad, $good, $key), ENT_QUOTES); //First perform the string/replace
        //Then convert remaining characters to html
        //entities.
        $V = htmlentities(str_replace($bad, $good, $val), ENT_QUOTES);
        $html_ent_done[$K] = $V;
    }
    return $html_ent_done; //Pop the result into a variable to go
}


It is worth reading up on regular expressions and writing your own cleaning routine.

The kind of thing you are looking to clean are (and this is the tip of the iceberg as I really should be working right now):
1: <> or character replacements for these symbols as they are THE tag wrappers. If you can (if your users don't need to use them), simply remove them altogether, otherwise start learning about character encoding.

2: the strings "alert" and "javascript"

3: Ideally you will run a cleaning routine as a while statement. Why? Take this example (bad word is javascript) javajavascriptscript. As you can see, if I match javascript without re-checking the value I will have created bad word and allowed it through.
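An added example, not Taschen's code, that puts the two steps above together for a guestbook form: a clean-until-stable loop for the "javajavascriptscript" case from point 3, and HTML encoding of whatever is left before it is echoed into the page. The function names, the word list and the sample input are my own assumptions.

```php
<?php
// Added example (not from the thread). Names and sample data are assumed.

// Strip blocklisted substrings repeatedly until nothing changes, so that a
// nested form such as "javajavascriptscript" cannot survive a single pass.
function stripUntilStable(string $value, array $badWords): string
{
    do {
        $before = $value;
        $value = str_ireplace($badWords, '', $value);
    } while ($value !== $before);
    return $value;
}

// Clean every key and value of a POST/GET array; keys are user-controlled too.
function cleanPostGet(array $in): array
{
    $badWords = ['javascript', 'alert']; // assumed word list, per point 2 above
    $clean = [];
    foreach ($in as $key => $val) {
        $k = stripUntilStable((string) $key, $badWords);
        $v = stripUntilStable((string) $val, $badWords);
        $clean[$k] = $v;
    }
    return $clean;
}

// Encode for HTML output so that any remaining <, >, ", ' and & render as
// literal text rather than as tags or attributes.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$fakePost = [
    'name'    => 'javajavascriptscript visitor',
    'comment' => '<script>alert(String.fromCharCode(88,83,83))</script> nice site!',
];

$clean = cleanPostGet($fakePost);
// $clean['name'] is " visitor"; the comment has lost "alert" and, after
// esc(), its <script> tags appear on the page as &lt;script&gt; text.
echo '<p><b>' . esc($clean['name']) . '</b>: ' . esc($clean['comment']) . "</p>\n";
```

Run it from the command line (php example.php) and inspect the printed HTML: the tag wrappers are still present in the data but encoded, which is what stops the browser from executing them.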

solidgold
08-09-2007, 09:12 AM
i'm still really new to php, where does this need to go? and what do i need to change to make it suit my site?

Taschen
08-09-2007, 09:24 AM
You probably don't need to change much... whenever you accept the POST or GET variables send them straight to your cleaning function which will then return an array with exactly the same key-value pairings but clean!

so:
function buildContent(){
//First clean the user input
$cleanPG = cleanPostGet($_POST); //The input could be GET or another array entirely.
//Now do whatever you were doing in your script before.
}


I think we are cross posting now and I'm really sorry but I have to go. Have a look at it all and if you need more help please do not hesitate to say.

solidgold
08-09-2007, 09:24 AM
thanks

solidgold
08-09-2007, 09:25 AM
ok thanks! you've been a massive help

solidgold
08-11-2007, 10:44 AM
i think that i've made it more secure, i tried one or two xss attacks from the cheatsheet at ha.ckers.org/xss.html and it seemed to hold up against them, do you know what else i need to look out for?