I have recently started work at a company that has a website. The previous programmers have not used any protection whatsoever on the input fields. Now I need to do something. The site consists of hundreds of PHP files included in just two files (index.php and main.php – first one for visiting users, second one-for registered). Is there a way to protect all of the fields in all of the files trough code that is only contained within those two files? Otherwise I’d have to edit every single PHP file which would take like.. a month.
Share
It depends on what you mean by protection.
If the user input is passed directly to unparameterized SQL statements, you will have one set of problems due to SQL injections. If the input is written directly back to HTML output, you will have another set of problems due to XSS, etc.
Any quick global fix such as heximal’s suggestion is probably going to result in errors such as double encoded data in your database or web pages. Of course, this could very well be a lesser evil than having your site taken down by hackers. Also note that it takes much more than just escaping the
'character.In the end, the proper solution for these kinds of vulnerabilities is to fix it in the vulnerable component. SQL injections should be fixed by using a proper database abstraction layer with parameterized statements. HTML output should be HTML-encoded when constructing the HTML view, preferably by using a view engine that does this by default. This is not to say that input should not be validated, but that validation cannot stand on its own.