php sees html input as a code

  • Toxicous8
    New Member
    • Oct 2015
    • 57

    php sees html input as a code

    Hi everybody. I'm recently working with PHP and I've made a mini forum page (usable), and when I put it in test, I obviously used commas, periods and other symbols; it treats those symbols as code. And I think this would result in an XSS vulnerability when launched in the future. How can I prevent this from happening?
  • Claus Mygind
    Contributor
    • Mar 2008
    • 571

    #2
    Most likely you are not separating your php code from your html code. But there really is no way to answer your question because you did not show us your code. Would like to have been of more help.


    • Toxicous8
      New Member
      • Oct 2015
      • 57

      #3
      Okay lemme just write a simple sample of the code.
      Code:
       <form method="POST" action="<?php echo $_PHP_SELF; ?>">
         <input name="test" />
         <input type="submit" />
       </form>

       <?php
       // read the submitted value (empty string when the form has not been sent yet)
       $test = isset($_POST['test']) ? $_POST['test'] : '';

       // the submitted value is echoed back unchanged
       echo 'You wrote '.$test.'!';
       ?>


      • Claus Mygind
        Contributor
        • Mar 2008
        • 571

        #4
        Ok first a few minor errors in your code, but since it is just an example that does not really matter.

        Exploitation of your code is not possible when the page is streamed out, because the periods and other PHP command codes you insert in your page are not streamed out to the client machine.

        From your example
        Code:
         <?php
         $test = $_POST['test'];

         echo 'You wrote '.$test.'!';
         ?>
        the streamed out page would not include any of the PHP code,
        i.e. echo, the single quotes, ., or even the variable $test.

        The only thing the user would see and have access to would be
        You wrote something where something is the content of the variable $test.

        To exploit your page the hacker would have to inject some code into one of your input fields.

        It may be helpful for you to read this link

        PHP code is not exposed to the user like JavaScript. So you have no concern here.


        • Dormilich
          Recognized Expert
          • Aug 2008
          • 8694

          #5
          Notes:
          - $_PHP_SELF, not sure where you get that, but if you copy it over from $_SERVER['PHP_SELF'] you have an XSS vulnerability. Better to use $_SERVER['SCRIPT_NAME'].
          - The self-closing tags (/>) are invalid in HTML, though browsers conveniently ignore that.

          And a personal preference: semantically it makes more sense to write the submit button as a button (<button type="submit">… </button>). It has the advantage that you cannot confuse it with an input box and you have better control of the content (<input> only allows text, <button> allows HTML).

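The sample from #3 with the two points raised in #4 and #5 applied, as an added example that is not code from anyone in this thread: request data is escaped with htmlspecialchars at the point it is written into HTML, and the form action comes from $_SERVER['SCRIPT_NAME']. The helper names e() and render_page() and the sample input are assumptions made for this example.

```php
<?php
// Added example, not from the thread: the forum snippet hardened against XSS.
// Anything that arrives in the request ($_POST, $_SERVER) is escaped exactly
// where it is inserted into the HTML, never earlier and never skipped.

declare(strict_types=1);

/** Escape a string for HTML text or a double-quoted attribute (assumed helper). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the page; $test is null when the form has not been submitted yet. */
function render_page(?string $test): string
{
    // SCRIPT_NAME instead of PHP_SELF, and escaped anyway because it is an attribute value.
    $action = e($_SERVER['SCRIPT_NAME'] ?? '');
    $html  = '<form method="POST" action="' . $action . '">' . "\n";
    $html .= '  <input name="test">' . "\n";
    $html .= '  <button type="submit">Send</button>' . "\n";
    $html .= "</form>\n";
    if ($test !== null) {
        // Without e() this line is the sink: the user's markup would be rendered, not shown.
        $html .= '<p>You wrote ' . e($test) . '!</p>' . "\n";
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input so the escaping can be inspected offline, no web server needed.
    $sample = '<b>hello</b>, "quotes" & ampersands';
    echo render_page($sample);
} else {
    $submitted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
        ? (string) ($_POST['test'] ?? '')
        : null;
    echo render_page($submitted);
}
```

Run it from the command line to see the tags and quotes in the sample turned into entities; served by a web server it behaves like the original form.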
