Khalid

Reputation: 190

PHP injection test cases list

I have a list of PHP test cases that I want to take your word on and see how these would be possible injection threats.

1. <BODY ONLOAD=alert("Oops! Huston we have a problem! X")>
2. ±±¾©
3. &#1575;&#1610;&#1585;&#1575;&#1606;
4. &#1605;&#1740;&#1579;&#1605;
5. *.doc
6. ')++
7. "text"
8. test*
9. ·ï·É·É
10. <div>
11. "admin" -"possible"
12. ãÏá áÈÇÓ
13. admin OR possible
14. "administrator"
15. SET PAGES
16. result page
17. -word
18. public_html
19. leave domain
20. search results
21. else
22. for multiple
23. AND or
24. keyword="<script language=JavaScript> alert('XSS Alert');</script>" 
25. "must not include"  
26. %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
27. DELETE * FROM 
28. "DELETE * FROM *"
29. <script>alert("Oops! Huston we have a problem!");</script>  
30. $pos = strstr(strtolower($query),"site:"; if ($pos) include     ("$include_dir/search_links.php";
31. <a href=".httacess"><FONT FACE="arial" SIZE=50>PAREJAS FACEBOOK</FONT></a>
32. "><script>alert("XSS")</script>
33. (maybe must) set
34. &lt;input name="_index_pdf" type="checkbox" value="0; system($_GET[a])" id="index_pdf" &gt; 
35. <input name="_index_pdf" type="checkbox" value="0; system($_GET[a])" id="index_pdf" > THE NAME SHOULD BE THE SAME AS ONE OF THE FORM'S TARGETTED INPUT FIELD
36. Options +FollowSymLinks RewriteEngine on RewriteRule seriesdetails-name-(.*)-page1-(.*).htm$ seriesdetails.php?name=$1&page1=$2 
37. <?php session_start(); if(isset($_SESSION['id']) && !empty($_SESSION['id'])) { include("profilemenu.php"); } else { include("menu.php"); } ?>   
38. g"><script src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js" type="text/javascript"></script><script type="text/javascript">function doSubmitNow() {alert("Test.");} $(document).ready(function() {setTimeout("doSubmitNow()", 3000);});</script> 
39. $temporizador = new temporizador (1); // The constructor initializes the timer, so we do not need to do it ourselves /* ... mysql query ... */ $query_time = $temporizador->get(); /* ... Process the page ... */ $tempo_processamento = $temporizador-
40. $crawler->addURLFollowRule("#^http://www.druckerzubehoer.de/shop/subcategory/catid/.*/subcatid/.*/site/1/lng/de_DE?shopid=a8931d4fda24240b3dab45f6b07e3f58&visitid=&refid=# i");    
41. $pos = strstr(strtolower($query),"site:"; if ($pos) include ("$include_dir/search_links.php";   

I am using mysql_real_escape_string to enter in the database and htmlspecialchars to output to web page. Is that enough to cover the above injection cases?

Upvotes: 0

Views: 801

Answers (1)

behz4d

Reputation: 1849

To be brief:

  • For strings always use mysql_real_escape_string()
  • For integers always use intval()
  • And for showing the data in a webpage, htmlspecialchars() would do the trick, but I also always use strip_tags()

And yes, if you do the filters above, you'll be secure.

Upvotes: 1
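A defender-side illustration of the three cases the answer lists (string input, integer input, HTML output), written as an added example; it is not code from the question or the answer. It uses PDO with an in-memory SQLite database and parameterized queries in place of mysql_real_escape_string(), casts the integer with `(int)` (the same effect as intval()), and encodes output with htmlspecialchars() using ENT_QUOTES and an explicit UTF-8 charset. The table `notes`, its columns, the `storeNote()`/`renderNote()` helpers and the sample inputs are all constructed for this example; the samples are modelled on items from the question's list.

```php
<?php
// Added example (not from the question or the answer): store untrusted strings
// with parameterized queries and encode them for HTML output.
// Uses an in-memory SQLite database so it runs offline; the table and column
// names are made up for this example.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');

// Constructed inputs modelled on the test cases in the question.
$samples = [
    '<script>alert("XSS")</script>',
    "')++",
    'admin OR possible',
    '0; system($_GET[a])',
    'DELETE * FROM *',
    '"><script>alert("XSS")</script>',
];

function storeNote(PDO $pdo, string $ownerIdRaw, string $body): int
{
    // Integer input: cast, do not escape. A string such as "7 OR 1=1"
    // becomes the integer 7; anything non-numeric becomes 0.
    $ownerId = (int) $ownerIdRaw;

    // String input: bind it as a parameter. The value travels separately from
    // the SQL text, so quotes and keywords inside $body cannot alter the query.
    $stmt = $pdo->prepare('INSERT INTO notes (owner_id, body) VALUES (:owner, :body)');
    $stmt->execute([':owner' => $ownerId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function renderNote(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return '';
    }
    // HTML text context: encode <, >, &, " and ' so the stored value is shown
    // literally instead of being parsed as markup. ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences rather than returning an empty string.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

foreach ($samples as $s) {
    $id = storeNote($pdo, '7 OR 1=1', $s);
    echo renderNote($pdo, $id), PHP_EOL;
}

// Round-trip check: every sample is stored byte-for-byte unchanged, because
// parameter binding never rewrites the value the way escaping does.
$stored = $pdo->query('SELECT body FROM notes ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
if ($stored !== $samples) {
    throw new RuntimeException('stored values differ from input');
}
echo "owner_id column holds: ", $pdo->query('SELECT DISTINCT owner_id FROM notes')->fetchColumn(), PHP_EOL;
```

Two points a practitioner would check against this: PDO::prepare() is used because the `mysql_*` extension named in the thread was removed in PHP 7.0, and parameter binding does not need per-connection charset handling the way mysql_real_escape_string() did. htmlspecialchars() only covers the HTML text and quoted-attribute contexts shown here; a value placed inside a JavaScript block, a URL, or an unquoted attribute needs encoding for that context instead, and strip_tags() does not provide it.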
