INTRODUCTION TO PHP AND MySQL – WRITING SECURE CODE – MAGIC QUOTES, REMOVING BACKSLASHES AND CONVERTING HTML INTO ENTITIES

PHP - Magic Quotes

Prior to PHP 5.4 there was a feature called 'magic quotes' (the magic_quotes_gpc setting) that was meant to protect inexperienced programmers who wrote form-processing code without escaping. When enabled, PHP automatically escaped incoming GET, POST and cookie data with a backslash \ so that it could be pasted into an SQL string. The characters escaped are: single quote ', double quote ", backslash \ and NUL characters. It was never a reliable defence against SQL injection: it does nothing for values used in a numeric context, and it escapes data that is never sent to a database at all.

However, this protection caused more problems than it solved. It was deprecated in PHP 5.3 and removed in PHP 5.4, and the get_magic_quotes_gpc function itself was deprecated in PHP 7.4 and removed in PHP 8.0. Your server may, however, still have magic quotes enabled if it runs PHP 5.3 or older.

Magic Quotes - Are They Enabled?

You should look up any new function that you use in the official PHP documentation at http://www.php.net.

1.  Create a new folder in your My PHP Sites folder called Secure Code.

2.  Create a new Dreamweaver site pointing to the Secure Code folder. You will need to add Remote Info and Testing Server information, and create a new folder called Secure Code on the server to publish to.

First, you need to check whether magic quotes are enabled on your server. The get_magic_quotes_gpc function returns 0 (off) or 1 (on). PHP treats 1 as true and 0 as false, so the return value can be used directly as the condition of an if statement. Note that from PHP 5.4 onwards the function always returns 0, and in PHP 8 it no longer exists at all, so the call must be guarded with function_exists() to avoid a fatal error on newer servers.

3.  Create a new PHP file saved as magic_quotes.php and enter the code shown below:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Magic Quotes</title>
</head>
<body>
<?php
// get_magic_quotes_gpc() was removed in PHP 8, so only call it if it exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    echo "Magic quotes are enabled";
} else {
    echo "Magic quotes are disabled";
}
?>
</body>
</html>

4.  Publish magic_quotes.php and view the output in a browser.

Your output should show one of the two messages printed by the script. On our server it reads:

Magic quotes are enabled

Magic Quotes in Action

Now let's make a simple form processor to show how servers with magic quotes enabled escape those potentially risky characters. The form has no action attribute, so it submits to itself; you only need to make one file, magic_quotes2.php, to test it out.

5.  Create a new PHP file saved as magic_quotes2.php and enter the code shown below, or edit magic_quotes.php:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Magic Quotes Demo</title>
</head>
<body>
<?php
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    echo "Magic quotes are enabled<br />";
} else {
    echo "Magic quotes are disabled<br />";
}
if (isset($_POST['submit'])) {
    // Echoed unescaped on purpose: this page shows exactly what the server did to the input.
    echo "Altered Text: " . $_POST['question'];
}
?>
<form method='post'>
Question: <input type='text' name='question' /><br />
<input type='submit' name='submit' />
</form>
</body>
</html>

6.  Publish magic_quotes2.php and view the output in a browser.

We will use this form to demonstrate the impact of magic quotes on the user’s input.

7.  Enter and submit the following string:

Sandy said, "It's a beautiful day outside and I like to use \'s."

The following will be displayed in the browser:

Altered Text: Sandy said, \"It\'s a beautiful day outside and I like to use \\\'s.\"

Notice that there is now a backslash before each of the potentially risky input characters discussed above:

  • A backslash \ becomes \\
  • A single quote ' becomes \'
  • A double quote " becomes \"

The string your script receives is no longer what the user typed. If you store it with a database driver that does its own escaping, or display it, the extra backslashes appear literally in the data.

If you want to remove these escaping characters, there are two options:

  • Disable magic quotes on the server
  • Strip the backslashes added by magic quotes

Removing Backslashes - stripslashes()

Before you use PHP's backslash removal function stripslashes, add a magic quotes check like the "Are They Enabled?" code above. Stripping unconditionally would remove backslashes the user actually typed if the server's magic quotes setting changes in the future (or if the code is moved to a PHP 5.4 or newer server, where nothing is escaped). Note that stripslashes is not a security measure: it only restores the original input, which then still has to be handled safely.
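As an added example (not the worksheet's own code), the script below shows how to do this check so that it also runs on PHP 5.4 to 8, where get_magic_quotes_gpc() is always false or absent; how to reverse the escaping for whole request arrays (magic quotes escaped keys and nested arrays, not just one field); and what to do with the restored text afterwards, which is to bind it as a parameter of a prepared statement rather than paste it into SQL. Because magic quotes cannot be switched on in a current PHP build, the server's behaviour is simulated with addslashes(), which escapes the same four characters. The function names, the constructed sample request and the SQLite table answers are assumptions of this example, and the database step assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example, not from the worksheet: a version-proof magic quotes check,
// a recursive reversal of the escaping, and storage through a prepared
// statement. The function names and the "answers" table are this example's own.

declare(strict_types=1);

// get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer
// exists in PHP 8, so test for the function before calling it.
function magic_quotes_enabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) get_magic_quotes_gpc();
}

// Magic quotes escaped array keys as well as values and applied to nested
// arrays, so the reversal has to walk the whole structure.
function strip_slashes_deep($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = [];
    foreach ($value as $key => $item) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = strip_slashes_deep($item);
    }
    return $clean;
}

// Strip only when the server actually added slashes; stripping unconditionally
// would silently destroy backslashes the user typed.
function undo_magic_quotes(array $request, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? strip_slashes_deep($request) : $request;
}

// Modern PHP cannot turn magic quotes on, so simulate a magic-quotes server
// with addslashes(), which escapes the same four characters (' " \ NUL).
function simulate_magic_quotes(array $request): array
{
    $escaped = [];
    foreach ($request as $key => $item) {
        $escapedKey = is_string($key) ? addslashes($key) : $key;
        $escaped[$escapedKey] = is_array($item) ? simulate_magic_quotes($item) : addslashes((string) $item);
    }
    return $escaped;
}

// Constructed sample request: the worksheet's test sentence plus a nested field
// whose key and value also contain a quote and a backslash.
$original = [
    'question' => 'Sandy said, "It\'s a beautiful day outside and I like to use \\\'s."',
    'tags'     => ["o'neil" => 'C:\\temp'],
];
$fromServer = simulate_magic_quotes($original);
$restored   = undo_magic_quotes($fromServer, true);

if ($restored !== $original) {
    throw new RuntimeException('stripslashes did not restore the original input');
}
if (undo_magic_quotes($original, false) !== $original) {
    throw new RuntimeException('input was altered although magic quotes are off');
}

// The restored text goes to the database as a bound parameter. The driver
// handles quoting, so the quotes and backslash survive unchanged and cannot
// alter the meaning of the SQL; this, not magic quotes or addslashes(), is
// the defence against SQL injection. Uses pdo_sqlite in memory (assumed to be
// installed) so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, question TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO answers (question) VALUES (:question)');
$insert->execute([':question' => $restored['question']]);

$stored = $db->query('SELECT question FROM answers')->fetchColumn();
if ($stored !== $original['question']) {
    throw new RuntimeException('stored value differs from what the user typed');
}
echo 'Magic quotes on this server: ', magic_quotes_enabled() ? 'yes' : 'no', PHP_EOL;
echo 'Stored exactly as typed: ', $stored, PHP_EOL;
```

Run it from the command line with php. The round trip through simulate_magic_quotes and undo_magic_quotes must give back the original array byte for byte, and the value read back from the table must equal the original question; if either check fails the script throws. Against a real MySQL server the only change is the DSN passed to PDO; the prepared statement and parameter binding stay the same.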

8.  Create a new PHP file saved as magic_quotes3.php enter the code as shown below - or you can edit magic_quotes2.php:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Magic Quotes Demo: stripslashes</title>
</head>
<body>
<?php
if (isset($_POST['submit'])) {
    echo "Removed Slashes: ";
    // Only strip when the server added the slashes; otherwise stripslashes()
    // would remove backslashes the user actually typed.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        echo stripslashes($_POST['question']);  // still raw HTML: deliberately unsafe, see step 11
    } else {
        echo $_POST['question'];
    }
}
?>
<form method='post'>
Question: <input type='text' name='question' /><br />
<input type='submit' name='submit' />
</form>
</body>
</html>

9.  Publish magic_quotes3.php and view the output in a browser.

10.  Enter and submit the following string:

Sandy said, "It's a beautiful day outside and I like to use \'s."

The following will be displayed in the browser:

Removed Slashes: Sandy said, "It's a beautiful day outside and I like to use \'s."

Our new output is free of the added slashes, but it now contains the potentially risky input characters exactly as the user typed them, and the page echoes them straight into its HTML.

11.  As a simple example of this vulnerability, display magic_quotes3.php in your browser, and enter the following:

<script>alert("You are allowing your site to be hacked!")</script>

This is a very basic example of cross-site scripting (XSS): the browser runs the script because the page echoed the input into its HTML without encoding it.

12.  Try entering some other examples of JavaScript code. For example:

<script>document.write("<img src='hacker.png'>" + "<br /><h1>Hacked</h1>")</script>

PHP htmlentities Function

Whenever you allow your users to submit text to your website, you need to be careful not to leave security holes that malicious users can exploit.

If user-submitted text will ever be visible to the public, you should encode it with the htmlentities function before you output it, to prevent malicious users from injecting HTML and scripts that run in your visitors' browsers.

PHP - Converting HTML into Entities

The htmlentities function takes a string and returns the same string with the characters that have special meaning in HTML replaced by HTML entities: & becomes &amp;, < becomes &lt;, > becomes &gt; and " becomes &quot;. The single quote ' is only encoded (as &#039;) when the ENT_QUOTES flag is passed; that flag is the default from PHP 8.1 onwards. For example, the string "<script>" would be converted to "&lt;script&gt;".

Because < and > have become entities, the browser no longer treats them as the start and end of a tag, so the code does not run when you display the user's input on your page. Two caveats: pass ENT_QUOTES when the value is placed inside an attribute delimited by single quotes, otherwise the user can close the quote and add attributes of their own; and pass the page's character set (here 'UTF-8') as the third argument so that the function and the browser agree on how the bytes are decoded.

This may seem a little complicated, but if you think of the way a browser works in separate stages it becomes a little easier.

Let's look at the way the function htmlentities changes the data at three different levels - in PHP, in raw HTML and in the web browser. The sample string is a bad script that will redirect visitors to the malicious user's own website.

I am going to hack your site, hahaha!<script>window.location = 'http://www.bedford-college.co.uk/courses'</script>

13.  View magic_quotes3.php in your browser, and enter the above string.

Visitors are redirected to the other website: the browser executes the script and sets window.location before the page is even visible.

Dangerous code:

$userInput = " I am going to hack your site, hahaha!<script>window.location = 'http://www.beds.ac.uk'</script>";

echo $userInput;

Safe code using htmlentities:

$userInput = " I am going to hack your site, hahaha!<script>window.location = 'http://www.beds.ac.uk'</script>";

$userInputEntities = htmlentities($userInput);

echo $userInputEntities;

The HTML output of the above script would be as follows:

Safe raw HTML code:

I am going to hack your site, hahaha!&lt;script&gt;window.location = 'http://www.beds.ac.uk'&lt;/script&gt;

(On PHP 8.1 and later, where ENT_QUOTES is the default, the single quotes are also encoded, as &#039;.)

If we had not used htmlentities to convert the HTML into safe entities, this is what the raw HTML would have been, and it would have redirected the visitor to whatever site the attacker chose.

Dangerous raw HTML code:

I am going to hack your site, hahaha!<script>window.location = 'http://www.beds.ac.uk'</script>

Those two HTML code examples are what you would see if you were to view source on the web page. However, if you were just viewing the output normally in your browser you would see the following:

Safe display:

I am going to hack your site, hahaha!<script>window.location = 'http://www.beds.ac.uk'</script>

Dangerous display:

You would see whatever spammer site that the malicious user had sent you to.

14.  Edit magic_quotes3.php as shown below and save the page as htmlentities.php.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>htmlentities Demonstration</title>
</head>
<body>
<?php
if (isset($_POST['submit'])) {
    // Undo magic quotes only if the server added them (the function no longer exists in PHP 8).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $userInput = stripslashes($_POST['question']);
    } else {
        $userInput = $_POST['question'];
    }
    // Encode at output time so the browser displays the text instead of interpreting it as HTML.
    $userInputEntities = htmlentities($userInput);
    echo "Encoded Input: " . $userInputEntities;
}
?>
<form method='post'>
Question: <input type='text' name='question' /><br />
<input type='submit' name='submit' />
</form>
</body>
</html>

15.  Publish htmlentities.php and view the output in a browser.

16.  Enter the text string shown below and examine the display and raw HTML code (View/Source)

I am going to hack your site, hahaha!<script>window.location = 'http://www.bedford-college.co.uk/courses'</script>

When Would You Use htmlentities?

Any time you allow users to submit content that other visitors can see, you should encode it with htmlentities (or htmlspecialchars) at the point where you output it, so the browser displays their text rather than interpreting it as HTML. This takes away the ability for users to format their own content with HTML tags, but it closes off cross-site scripting and the other injection attacks shown above. If you must allow some formatting, do not try to remove "dangerous" tags with your own string matching; that approach is easy to bypass. Use a maintained HTML sanitiser that allows only a known-good set of tags and attributes.

Just remember that when you allow users to submit content to your site, you are letting their data reach the browsers of every other visitor. Be sure you take the proper precautions.
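The worksheet's htmlentities.php encodes for a text node only. As an added example that is not part of the worksheet, the script below shows why the encoding flags and the output context matter: the same payloads are rendered as a text node and inside a single-quoted attribute, once with the pre-8.1 default flags (ENT_COMPAT) and once with ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 and an explicit UTF-8 charset. The helper names e(), e_legacy() and render_attr() and the two payload strings are this example's own constructions; the PHP functions and flags are real.

```php
<?php
// Added example, not from the worksheet: encoding user input for the two most
// common HTML output contexts. The helper names e(), e_legacy(), render_attr()
// and the sample payloads are this example's own; the functions and flags are PHP's.

declare(strict_types=1);

// ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string, ENT_HTML5 selects the
// HTML5 entity table. Before PHP 8.1 the default was ENT_COMPAT, which leaves
// the single quote alone.
const SAFE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Encode a string for a text node or for a quoted attribute value.
function e(string $s): string
{
    return htmlspecialchars($s, SAFE_FLAGS, 'UTF-8');
}

// Legacy behaviour for comparison: what htmlentities() did by default before 8.1.
function e_legacy(string $s): string
{
    return htmlentities($s, ENT_COMPAT, 'UTF-8');
}

// Render a single-quoted attribute with the given encoder. The quoting is the
// caller's job; encoding alone does not make an unquoted attribute safe.
function render_attr(string $value, callable $encoder): string
{
    return "<input type='text' name='question' value='" . $encoder($value) . "' />";
}

// Constructed payloads for demonstration, not taken from any real attack.
$textPayload = '<script>alert("You are allowing your site to be hacked!")</script>';
$attrPayload = "' autofocus onfocus='alert(1)";

// 1. Text node: both encoders neutralise the tags.
echo "Text, legacy:  ", e_legacy($textPayload), PHP_EOL;
echo "Text, strict:  ", e($textPayload), PHP_EOL;

// 2. Single-quoted attribute: the legacy flags leave the ' untouched, so the
//    payload closes the value and adds an event-handler attribute of its own.
$legacy = render_attr($attrPayload, 'e_legacy');
$strict = render_attr($attrPayload, 'e');
echo "Attr, legacy:  ", $legacy, PHP_EOL;
echo "Attr, strict:  ", $strict, PHP_EOL;

// Self-check: the strict encoding must contain no raw quote of either kind...
if (strpbrk(e($attrPayload), "'\"") !== false) {
    throw new RuntimeException('strict encoder left a raw quote in the output');
}
// ...and the legacy encoding really does break out of the attribute.
if (strpos($legacy, "onfocus='alert(1)'") === false) {
    throw new RuntimeException('expected the legacy attribute to be broken out of');
}
```

Run it with php from the command line and compare the two "Attr" lines: the legacy one contains a second attribute the user supplied, the strict one does not. Store user input raw and encode it once, at output time, with the flags for the context it is going into; encoding before storage leads to double-encoded text (htmlspecialchars turns an existing &amp; into &amp;amp; unless its double_encode argument is false) and tempts you to skip the encoding on output.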

Activity - Introduction to PHP and MySQL - Writing Secure Code - Magic Quotes, Removing Backslashes and Converting HTML into entities.doc Version 2
