Danny620 Posted September 7, 2009
https://forums.phpfreaks.com/topic/173415-xxs-me/

Hi, I have just started to use XSS Me as a Firefox add-on. The thing is, when I scan different types of my website I get different results and I don't think I fully understand them, so here is a result from my page with the code I used:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>testing</title>
</head>
<body>
<form id="form2" name="form2" method="post" action="">
<label>test: <input type="text" name="attack" id="texboxtest" /> </label>
<label> <input type="submit" name="test" id="test" value="test" /> </label>
</form>
</body>
</html>
<?php
// Only run when the form was submitted (array keys must be quoted strings)
if (isset($_POST['test'])) {
    $first = strip_tags($_POST['attack']);   // remove HTML tags from the input
    $second = addslashes($first);            // escape quotes with backslashes
    //addslashes($attack);
    echo $second;                            // echo the processed input back to the page
}
?>

I just want some help with trying to prevent mysqli attacks and XSS attacks; maybe somebody could show me some code.
Danny620 Posted September 7, 2009 (Author)
Oh, by the way, does pass mean that the attack has passed or that the attack has failed? Please explain what it all means, thanks.
lynxus Posted September 7, 2009
The only 2 things I would suggest are: if user-inputtable data is going into a MySQL DB then use mysql_real_escape_string(), i.e. $data = mysql_real_escape_string($data); This makes data safe for SQL input. Also, I personally use a thing called SQL Inject Me (from the same people as your FF plugin). This plugin is good at checking if they can inject into your DB (it will fill your DB with crap if it isn't locked down, mind). A PASS will mean it passed, i.e. OK.
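As an added example (not code from either poster), here is the same form handler rewritten the way a defender would do it today: the value goes into the database through a mysqli prepared statement (the mysql_* functions mentioned above were removed in PHP 7), and it is encoded for the HTML context when echoed back, which is what stops the reflected XSS that XSS Me is probing for. The table name `attacks`, the column `payload` and the connection details are assumed for the example.

```php
<?php
// Added example, not the original poster's code. Assumes a table `attacks`
// with a VARCHAR column `payload` and the connection details below.
declare(strict_types=1);

// Encode a string for insertion into an HTML text or attribute context.
// < > & " ' become entities, so the browser displays the text instead of
// interpreting it as markup or script.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store the raw input using a prepared statement. The value is sent
// separately from the SQL text, so quotes or comment sequences inside it
// cannot alter the query. No strip_tags()/addslashes() needed for this.
function store_payload(mysqli $db, string $payload): bool
{
    $stmt = $db->prepare('INSERT INTO attacks (payload) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $payload);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['test'])) {
    // Keep the input as plain data; do not try to "clean" it on the way in.
    $attack = isset($_POST['attack']) ? (string) $_POST['attack'] : '';

    $db = new mysqli('localhost', 'dbuser', 'dbpassword', 'testdb'); // assumed
    $db->set_charset('utf8mb4'); // escaping/encoding must agree on the charset

    if (!store_payload($db, $attack)) {
        echo '<p>Could not save input.</p>';
    }
    $db->close();

    // Encode at output time, for the context the data lands in (HTML body).
    echo '<p>You entered: ' . html_escape($attack) . '</p>';
}
```

Run XSS Me against this handler and the reflected tests should report PASS, because the probe strings come back as literal text rather than markup; strip_tags() and addslashes() alone do not give that guarantee.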
Danny620 Posted September 7, 2009 (Author)
Does a pass mean that it broke your code and did the XSS, or does it mean it failed and therefore your code is fine for protecting against XSS attacks?
lynxus Posted September 7, 2009
A pass will mean that it didn't find a problem with the code for that particular test.
Danny620 Posted September 7, 2009 (Author)
So fails means that the attack was successful and I need to find a way to protect against it?
lynxus Posted September 7, 2009
Yeah, more than likely.
Danny620 Posted September 7, 2009 (Author)
By the way, do all fails need fixing before it can be XSS safe, and do warnings mean that you should consider sorting them? But say I have 5 fails; does that mean that there are 5 possible ways of using XSS on my app?