How to prevent my blog from XSS attacks?


Fenhopi

Here's the code for my blog:

<?php
echo "<div class='box2'><h2>Add a new blog entry</h2><BR>";

// Look up the requested user's entries (the result is fetched but not printed here).
$req_user_info = $database->getUserInfo($req_user);
$username = mysql_real_escape_string($_SESSION['username']);
$id = mysql_real_escape_string($_GET['user']);
$query = "SELECT * FROM blogs WHERE byuser='$id' ORDER BY blogid DESC";
$qq = $database->query($query);
$result = mysql_fetch_array($qq);

// Post a new blog
?>
<form method="post" action="addingblog.php">

    Title:<br /> <input name="title" size="40" maxlength="255"><br />

    Introduction:<br /><textarea name="intro" rows="7" cols="30"></textarea>
    <br>
    Main post <br /><textarea name="blogpost" rows="7" cols="30"></textarea>
    <br>
    <INPUT NAME="post1" TYPE="image" SRC="images/OOitupbutton2.jpg" ALT="Submit Form">

    <br />

</form>
<?php

 

What would I have to change to prevent XSS attacks?

https://forums.phpfreaks.com/topic/206640-how-to-prevent-my-blog-from-xss-attacks/

Sorry, wrong code. This one:

<?php

include("include/session.php");

// An <input type="image"> submit button posts its click coordinates as post1_x / post1_y.
if (isset($_POST['post1_x']) || isset($_POST['post1_y'])) {

    // Raw form input. Only $username is escaped below; title, intro and
    // blogpost are interpolated into the SQL and later displayed as-is.
    $blogtitle = $_POST['title'];
    $blogintro = $_POST['intro'];
    $blogpost  = $_POST['blogpost'];

    $username = mysql_real_escape_string($_SESSION['username']);

    // If no title, exit script.
    if (!$blogtitle) {
        echo "Your blog entry needs a title, fool";
        exit();
    }
    if (!$blogpost) {
        echo "You need to actually write something to post a new entry..";
        exit();
    }

    $query = "INSERT INTO blogs (title, intro, mainpost, byuser, dtime) VALUES ('$blogtitle','$blogintro','$blogpost', '$username', NOW())";
    $result = $database->query($query);

    // Redirect to the user's blog page and stop; nothing after a redirect should run.
    header("Location: selectedblog.php?blog=$username");
    exit();
}
?>

All of your variables need to be prepared for insertion (not just username), and they should all be sanitized before they even go any further in the script.

For example, what if they were empty? What if they didn't have any letters or numbers, had spaces, etc.?

Use preg_match and google for some sanitization techniques (good ones); no need for a myriad of functions used on one string.

I only use mysql_real_escape_string() and preg_match(), with an occasional strip_tags() when I'm allowing tag symbols.


-cb-
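A hardened version of the two posted scripts, added here as an example; it is not the original poster's code nor -cb-'s. It covers both halves of the thread: the storage side (validation plus a prepared statement instead of a string-built INSERT) and the display side, which is where stored XSS actually has to be stopped, since escaping on output protects the page regardless of what the input filter let through. Assumptions not in the original: a PDO connection in `$pdo`, `include/session.php` populating `$_SESSION['username']`, the `blogs` table columns used by the original INSERT, and `selectedblog.php` as the redirect target. The `e()`, `validateBlogPost()`, `insertBlogPost()` and `renderBlogEntry()` helpers are names chosen for this example.

```php
<?php
// Added example, not code from the original thread. Assumes a PDO connection in
// $pdo, include/session.php setting $_SESSION['username'], and the `blogs` table
// (title, intro, mainpost, byuser, dtime) from the original posts.
declare(strict_types=1);

// HTML-escape a value for element content or a double-quoted attribute. This is
// the XSS fix: text is stored as the user typed it and escaped when rendered.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the three form fields; returns a list of error messages (empty on success).
function validateBlogPost(array $post): array
{
    $errors = [];
    $title = trim((string) ($post['title'] ?? ''));
    $intro = trim((string) ($post['intro'] ?? ''));
    $body  = trim((string) ($post['blogpost'] ?? ''));

    if ($title === '') {
        $errors[] = 'Your blog entry needs a title.';
    } elseif (mb_strlen($title) > 255) {          // matches maxlength="255" on the form
        $errors[] = 'Title is limited to 255 characters.';
    }
    if ($body === '') {
        $errors[] = 'You need to actually write something to post a new entry.';
    }
    // Reject control characters other than newline, CR and tab (never legitimate here).
    foreach ([$title, $intro, $body] as $field) {
        if (preg_match('/[^\P{C}\n\r\t]/u', $field)) {
            $errors[] = 'Input contains invalid control characters.';
            break;
        }
    }
    return $errors;
}

// Store the entry with a prepared statement: values travel separately from the
// SQL text, so no escaping is needed and no quoting mistake is possible.
function insertBlogPost(PDO $pdo, string $username, string $title, string $intro, string $body): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO blogs (title, intro, mainpost, byuser, dtime)
         VALUES (:title, :intro, :mainpost, :byuser, NOW())'
    );
    $stmt->execute([
        ':title'    => $title,
        ':intro'    => $intro,
        ':mainpost' => $body,
        ':byuser'   => $username,
    ]);
}

// Render one stored row. Every dynamic value passes through e(); nl2br() runs
// after escaping, so the only markup that survives is the <br> it adds itself.
function renderBlogEntry(array $row): string
{
    return '<div class="box2">'
        . '<h2>' . e($row['title']) . '</h2>'
        . '<p class="intro">' . nl2br(e($row['intro'])) . '</p>'
        . '<div class="post">' . nl2br(e($row['mainpost'])) . '</div>'
        . '<small>by <a href="selectedblog.php?blog=' . rawurlencode($row['byuser']) . '">'
        . e($row['byuser']) . '</a></small>'
        . '</div>';
}

// Handler for addingblog.php, replacing the original string-built INSERT.
if (isset($_POST['post1_x']) || isset($_POST['post1_y'])) {
    if (!isset($_SESSION['username'])) {
        http_response_code(403);
        exit('Not logged in.');
    }
    $errors = validateBlogPost($_POST);
    if ($errors !== []) {
        foreach ($errors as $msg) {
            echo '<p class="error">' . e($msg) . '</p>';
        }
        exit;
    }
    insertBlogPost(
        $pdo,
        $_SESSION['username'],
        trim((string) $_POST['title']),
        trim((string) ($_POST['intro'] ?? '')),
        trim((string) $_POST['blogpost'])
    );
    // The username also goes into a URL, so it gets URL encoding, not HTML encoding.
    header('Location: selectedblog.php?blog=' . rawurlencode($_SESSION['username']));
    exit;
}
```

Two points worth noting from the example: each output context gets its own encoder (HTML body and attributes via `htmlspecialchars`, the query string via `rawurlencode`), and `mysql_real_escape_string()` is absent because a prepared statement makes it unnecessary for the INSERT and it was never a defence against XSS in the first place; the same `renderBlogEntry()` should be used wherever `selectedblog.php` prints rows from the `blogs` table.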
