XSS Vuln. Check



WinDrop
04 Jun 2011, 03:23 PM
Hello WebDevForums.com members. I'm new here, and I'm also new in PHP.
I would like to receive some help from members of this forum, and maybe some day I will get better and will be able to help people like I am atm ;)
So, I have a register.php page, and I've been told that it's XSS vulnerable. I know that I have to use htmlentities to prevent such attacks, but I don't know what the right way to use it in my script is.

<?php
session_start();
include "header.php";
include "mysql.php";
include "config.php";
$error = ''; // initialised so the .= below and the !$error test do not use an undefined variable
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username  = trim(mysql_real_escape_string($_POST['username']));
    $password  = md5(trim(mysql_real_escape_string($_POST['password'])));
    $rpassword = md5(trim(mysql_real_escape_string($_POST['rpassword'])));
    $email     = trim(mysql_real_escape_string($_POST['email']));
    $remail    = trim(mysql_real_escape_string($_POST['remail']));
    $ap        = trim(mysql_real_escape_string($_POST['alertpay']));
    $pp        = trim(mysql_real_escape_string($_POST['paypal']));
    $country   = trim(mysql_real_escape_string($_POST['country']));
    $ip   = $_SERVER['REMOTE_ADDR'];
    $date = date("F j, Y, g:i a");
    if (!empty($_POST['ref'])) {
        $ref = trim(mysql_real_escape_string($_POST['ref']));
    } else {
        $ref = '';
    }
    if (!$username) { $error .= '<font color=red>Please Enter Username.</font><br>'; }
    if (!$password) { $error .= '<font color=red>Please Enter Password in Password Field.</font><br>'; }
    if (!$email) { $error .= '<font color=red>Please Enter E-Mail in E-Mail Field.</font><br>'; }
    if ($password != $rpassword) { $error .= '<font color=red>Passwords Doesn\'t Match.</font><br>'; }
    if (!is_valid_email($email)) { $error .= '<font color=red>Invalid E-Mail Address.</font><br>'; }
    if ($email != $remail) { $error .= '<font color=red>E-Mails Doesn\'t Match.</font><br>'; }
    $query = mysql_query("SELECT * FROM `users` WHERE username='".$username."'");
    if (mysql_num_rows($query) > 0) { $error .= '<font color=red>Username Already In Use.</font><br>'; }
    $query = mysql_query("SELECT * FROM `users` WHERE email='".$email."'");
    if (mysql_num_rows($query) > 0) { $error .= '<font color=red>E-Mail Already In Use.</font><br>'; }
}
if (!empty($username) && !empty($password) && !$error) {
    $rand = md5(rand(5000, 10000));
    $query = "INSERT INTO `users` VALUES('','{$username}','{$password}','0','{$email}','{$rand}','0','{$pp}','{$ap}','{$country}','{$ip}','{$ip}','{$date}','0','0','0','0','{$ref}','')";
    mysql_query($query);
    // $ui was never defined in this script; the name just inserted is in $username
    mail($email, "$sitename Email Verification", "Hi {$username},

To verify your email address please visit the link below.
$siteurl/verify.php?email=$email&code=$rand to verify your account.

Thank you for verifying your email,
The $sitename Staff", "From: $siteadmin");
    echo "<center>Registration successful.<br>Please check your email for verification link.</center>";
} else {
    require_once 'geoip.inc';
    $gi = geoip_open('GeoIP.dat', GEOIP_STANDARD);
    $country = geoip_country_name_by_addr($gi, $_SERVER['REMOTE_ADDR']);
    // The submitted values are echoed straight back into the form attributes below
    // without htmlentities()/htmlspecialchars(); this is the XSS the poster was told about.
    echo $error."
<form method='POST'>
<table border=0>
<tbody>
<tr>
<td>Username<font color=red>*</font></td><td><input type=text name='username' value='".$_POST['username']."'></td>
</tr><tr><td>E-Mail<font color=red>*</font></td><td><input type=text name='email' value='".$_POST['email']."'></td>
</tr><tr><td>Repeate Email<font color=red>*</font></td><td><input type=text name='remail' value='".$_POST['remail']."'></td>
</tr><tr><td>Alertpay</td><td><input type=text name='alertpay' value='".$_POST['alertpay']."'></td>
</tr><tr><td>PayPal</td><td><input type=text name='paypal' value='".$_POST['paypal']."'></td>
</tr><tr><td>Password<font color=red>*</font></td><td><input type=password name='password' value=''><br></td>
</tr><tr><td>Repeat Password<font color=red>*</font></td><td><input type=password name='rpassword' value=''><br></td>
</tr><tr><td>Country</td><td>".$country."</td>";
    // The ref cookie is reflected the same way, so it is subject to the same problem.
    if (!empty($_COOKIE['ref'])) { echo "</tr><tr><td>Referrer</td><td>".$_COOKIE['ref']."</td><input type=hidden name=ref value='".$_COOKIE['ref']."'>"; }
    echo "
</tr>
</tbody>
</table>
<input type=hidden name=country value='".$country."'>
<input type=submit value=Submit>
</form>
";
}
include "side.php";
include "footer.php";
?>
This is the register.php page.
So which is the best way to actually prevent XSS attacks on this kind of page? Just add htmlentities() to each variable at the beginning, or is there some other way?
I also created a function:

function InputCheck ($input) {
    $html = htmlentities($input);
    // The hyphen is placed last so it is a literal '-'; written as "@.-_" it
    // forms a range from '.' to '_' and admits far more than the listed symbols.
    if ( !preg_match("/^[A-Za-z0-9@._-]+$/", $html) ) {
        return false;
    }
    return true;
}
As you can see, it checks whether the input has any other symbols except A-Z, a-z, 0-9, @, ., -, _.
It seems that the function actually works and doesn't allow processing any field with symbols like < or > or " or whatever else there is... but how do I implement this function in my register.php page?
So could you give me some suggestions about XSS vuln. fixes?
Thank you.
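For the escaping question in the post above, a hardened version of the error-path form rendering, added here as an example and not code from the thread or the poster's site. It keeps the same field names and the ref cookie; the helper names e(), post(), row() and renderForm() are my own, and it assumes the page is served as UTF-8.

```php
<?php
// Escape at the point of output. ENT_QUOTES matters here because the form uses
// single-quoted attributes (value='...'): the htmlentities() default (ENT_COMPAT)
// leaves ' untouched, so a submitted ' would terminate the attribute. The charset
// is given explicitly so escaper and page agree on encoding.
function e($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Submitted field or '' when absent; avoids undefined-index notices on first visit.
function post($name) {
    return isset($_POST[$name]) ? trim($_POST[$name]) : '';
}

// Corrected InputCheck: in the original class "@.-_" the ".-_" part is a range
// from '.' to '_' that also admits '/', ';', '=', '?', '[', '\' and more. The
// hyphen goes last so it is literal. Validate raw input; escape only on output.
function InputCheck($input) {
    return preg_match('/^[A-Za-z0-9@._-]+$/', $input) === 1;
}

// One text-input row; the re-displayed value always passes through e().
function row($label, $name, $required = false) {
    $star = $required ? '<font color=red>*</font>' : '';
    return "<tr><td>" . $label . $star . "</td><td><input type=text name='" . $name
         . "' value='" . e(post($name)) . "'></td></tr>\n";
}

// The error-path form from register.php, with $country (GeoIP) and the ref cookie
// escaped the same way as POST data. Returns the HTML so it can be echoed after $error.
function renderForm($country) {
    $ref  = isset($_COOKIE['ref']) ? $_COOKIE['ref'] : '';
    $html = "<form method='POST'><table border=0><tbody>\n"
          . row('Username', 'username', true)
          . row('E-Mail', 'email', true)
          . row('Repeat Email', 'remail', true)
          . row('Alertpay', 'alertpay')
          . row('PayPal', 'paypal')
          . "<tr><td>Password<font color=red>*</font></td><td><input type=password name='password'></td></tr>\n"
          . "<tr><td>Repeat Password<font color=red>*</font></td><td><input type=password name='rpassword'></td></tr>\n"
          . "<tr><td>Country</td><td>" . e($country) . "</td></tr>\n";
    if ($ref !== '') {
        $html .= "<tr><td>Referrer</td><td>" . e($ref) . "</td></tr>\n"
               . "<input type=hidden name=ref value='" . e($ref) . "'>\n";
    }
    $html .= "</tbody></table>\n<input type=hidden name=country value='" . e($country) . "'>\n"
           . "<input type=submit value=Submit></form>\n";
    return $html;
}
```

In the script's else branch this replaces the long echo: `echo $error . renderForm($country);`, while InputCheck() is applied to the raw $_POST values in the validation block before any database or mail call.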

WinDrop
04 Jun 2011, 07:32 PM
Anybody, please?