I downloaded the WYSIWYG plugin there, added img and other HTML codes, but the problem is that hackers can also enter some SQL queries. How do I fix it?

The problem is that if I turn on the conversion to HTML characters, then the HTML codes do not work, and if I don't insert a conversion, hackers can do something...

Here's the news feed code:

    <?php
    include "bd.php";
    $id = $_POST['id'];
    // $id is interpolated into the SQL unescaped: SQL injection point
    $result = mysqli_query($db, "SELECT * FROM users WHERE id='$id'");
    $myrow = mysqli_fetch_array($result);
    $post = $_POST['post'];
    if ($_POST) {
        $date = date("dmY H:i");
        // $id and $post are interpolated unescaped: SQL injection point,
        // and $post is stored exactly as submitted
        $result2 = mysqli_query($db, "INSERT INTO wall_post (user_id,date,post) VALUES('$id','$date','$post')")
            or exit(mysqli_error($db));
        if ($result2) {
            echo "<html><head><meta http-equiv='Refresh' content='0; URL=page?id=$id'></head></html>";
        }
    } else {
        echo "<html><head><meta http-equiv='Refresh' content='0; URL=fail_try?id=8'></head></html>";
    }
    ?>

And here is the output code:

    <?php
    session_start();
    include "bd.php";
    $id = $_GET['id'];
    // $id is interpolated into both queries unescaped: SQL injection point
    $result = mysqli_query($db, "SELECT * FROM wall_post WHERE user_id='$id' ORDER BY id DESC");
    $result2 = mysqli_query($db, "SELECT * FROM users WHERE id='$id'");
    $myrow2 = mysqli_fetch_array($result2);
    while ($row = mysqli_fetch_array($result)) {
        $post_id = $row['id'];
        $md5_id = md5(md5(md5(md5($id))));
        // every value below is echoed into the page without htmlspecialchars();
        // $row[post] in particular is the stored user HTML: XSS point
        echo "
        <div class='profile_post'>
          <p>
            <a href='page?id=$id'><img class='avatar' src='$myrow2[avatar]' align='left'></a>
            <a href='page?id=$id' class='page_href'>$myrow2[lastname] $myrow2[firstname]</a><br>
            <font color='gray' size='2'>$row[date]</font>
            <div class='delete_news'><a href='delete_post?post_id=$post_id&hash=$md5_id&id=$id'></a></div>
          </p>
          <p>$row[post]</p>
        </div>
        ";
    }
    ?>


    It is better to use PDO, and the problems with SQL injection will disappear. And for full control in your case, use

     $input_text = strip_tags($text_input, '<p>'); // allows only the <p> tag
     $input_text = htmlspecialchars($input_text);

    Read more about filtering here.

    PS: check <p onclick="alert('XSS attack succeeded')">check XSS (click)</p>

      Let's talk about two possible attack vectors. The first is SQL injection. This is when a hacker gets into a database query and forces it to execute his code.

      Protection, in the case of MySQL: pass all parameters through the function mysql_real_escape_string(). Only very rarely can a hacker embed his own data; most often it is a vector for stealing data from the database.

      The second vector is JavaScript injection (XSS). Protection: if you know that a given PHP variable is NOT supposed to contain HTML code, pass it through the htmlspecialchars() function.

      In general, a good solution is to use a template engine such as Twig, where protection against such attacks comes out of the box.

      PS: I am writing from my phone, so before using the function names I gave, google the syntax just in case...

      • Does the mysql_real_escape_string() function need to be used on data input or on output? - BedOmar
      • On input, because the data will be written to the database, and if there is an injection, it will be executed there. When outputting to the page there is no sense in cleaning the variable with mysql_real_escape_string(), since it is loaded from the database. - Vasily Medvedev
      • @BedOmar neither. This function should not be used at all, and especially not the way it is written in this answer. Injection is guaranteed. - Ipatiev
      • @Ipatiev, why not? - Vyacheslav Potseluyko
      • Simply because it is not intended to protect against any kind of injection. It does not have a single word in its name that resembles "protection", "injection", or the like. That should make you think. - Ipatiev
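A worked rewrite of both scripts from the question, added here as an example; it is not code from the question or from either answer. It combines the PDO prepared statements the first answer recommends with the htmlspecialchars() output escaping the second answer describes, and replaces strip_tags() with a small allow-list sanitizer, so the `<p onclick=...>` case from the first answer's PS loses its handler while `<img>` and a few formatting tags still render. That is what resolves the asker's conflict: posts are stored raw and sanitized on the way out, so nothing is double-encoded. Assumptions: PHP 8; bd.php creates $db as a PDO connection with exceptions enabled and emulated prepares off; the table and column names are those in the question; the allowed-tag list, the function names (sanitize_post_html, serialize_allowed, save_post, render_wall) and the use of $_SESSION['user_id'] for the current user are my choices, not the asker's. The delete link is left out.

```php
<?php
// Added example, not code from the question or the answers. Assumes PHP 8 and that
// bd.php sets up $db = new PDO(...) with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
// and PDO::ATTR_EMULATE_PREPARES => false (values travel separately from the SQL).
declare(strict_types=1);

// Tags a post may contain, with the attributes each may keep. Everything else,
// including every on* handler, is dropped. The list itself is an assumption.
const ALLOWED_TAGS = ['p' => [], 'b' => [], 'i' => [], 'br' => [], 'img' => ['src']];

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list sanitizer: parse the fragment with DOMDocument and re-serialize only
// permitted tags and attributes. Unlike strip_tags('<p>'), this removes attributes
// such as onclick and rejects javascript:/data: image URLs.
function sanitize_post_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // user HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    return serialize_allowed($doc);
}

function serialize_allowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= esc($child->data);             // text (and CDATA) is always entity-encoded
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                          // dropped together with their content
            }
            if (!array_key_exists($tag, ALLOWED_TAGS)) {
                $out .= serialize_allowed($child); // unknown tag: keep its text, lose the tag
                continue;
            }
            $attrs = '';
            foreach (ALLOWED_TAGS[$tag] as $name) {
                $value = $child->getAttribute($name);
                // Only absolute http(s) image URLs; this blocks javascript: and data: schemes.
                if ($name === 'src' && !preg_match('#^https?://#i', $value)) {
                    continue;
                }
                if ($value !== '') {
                    $attrs .= ' ' . $name . '="' . esc($value) . '"';
                }
            }
            if ($tag === 'img') {
                if ($attrs !== '') { $out .= "<img$attrs>"; }  // no valid src: no image
            } elseif ($tag === 'br') {
                $out .= '<br>';
            } else {
                $out .= "<$tag$attrs>" . serialize_allowed($child) . "</$tag>";
            }
        }
        // comments and processing instructions are dropped
    }
    return $out;
}

// Replacement for the first script: every value reaches MySQL as a bound parameter.
function save_post(PDO $db, int $userId, string $rawPost): void
{
    $stmt = $db->prepare('INSERT INTO wall_post (user_id, date, post) VALUES (?, ?, ?)');
    $stmt->execute([$userId, date('dmY H:i'), $rawPost]);   // stored raw, sanitized on output
}

// Replacement for the second script: prepared SELECTs, and every value placed
// into the page is either escaped or passed through the sanitizer.
function render_wall(PDO $db, int $userId): string
{
    $u = $db->prepare('SELECT firstname, lastname, avatar FROM users WHERE id = ?');
    $u->execute([$userId]);
    $user = $u->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return '';
    }
    $p = $db->prepare('SELECT id, date, post FROM wall_post WHERE user_id = ? ORDER BY id DESC');
    $p->execute([$userId]);
    $html = '';
    foreach ($p->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= "<div class='profile_post'><p>"
               . "<a href='page?id=$userId'><img class='avatar' src='" . esc($user['avatar']) . "' align='left'></a> "
               . "<a href='page?id=$userId' class='page_href'>" . esc($user['lastname']) . ' ' . esc($user['firstname']) . '</a><br>'
               . "<font color='gray' size='2'>" . esc($row['date']) . '</font></p>'
               . '<p>' . sanitize_post_html($row['post']) . '</p></div>';
    }
    return $html;
}

// Request glue (hypothetical: the real page names and session layout are not in the question).
// The question took the user id from the request, which lets anyone post as anyone;
// here it comes from the session.
session_start();
include 'bd.php';
$userId = (int) ($_SESSION['user_id'] ?? 0);
if ($userId === 0) {
    header('Location: fail_try?id=8');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    save_post($db, $userId, (string) ($_POST['post'] ?? ''));
    header('Location: page?id=' . $userId);
    exit;
}
echo render_wall($db, $userId);
```

With this in place the first answer's test payload `<p onclick="alert('XSS attack succeeded')">check XSS (click)</p>` comes back as a plain `<p>check XSS (click)</p>`, and `<img src="javascript:alert(1)">` produces nothing at all. For a production feed the same allow-list idea is usually taken from HTML Purifier rather than hand-written, but the two rules it enforces are the ones that matter: bind every SQL value, and never echo stored HTML without an allow-list pass or htmlspecialchars().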