How to prevent my blog from XSS attacks?


Fenhopi


Here's the code for my blog:

<?php
echo "<div class='box2'><h2>Add a new blog entry</h2><BR>";

$req_user_info = $database->getUserInfo($req_user);
$username = mysql_real_escape_string($_SESSION['username']);
$id = mysql_real_escape_string($_GET['user']);
// $id is escaped and then interpolated straight into the query string.
$query = "SELECT * FROM blogs WHERE byuser='$id' ORDER BY blogid DESC";
$qq = $database->query($query);
$result = mysql_fetch_array($qq);

// Post a new blog
?>
<form method="post" action="addingblog.php">
    Title:<br /> <input name="title" size="40" maxlength="255"><br />
    Introduction:<br /><textarea name="intro" rows="7" cols="30"></textarea>
    <br>
    Main post <br /><textarea name="blogpost" rows="7" cols="30"></textarea>
    <br>
    <INPUT NAME="post1" TYPE="image" SRC="images/OOitupbutton2.jpg" ALT="Submit Form">
    <br />
</form>
<?php

 

What would I have to change to prevent XSS attacks?


Sorry, wrong code. This one:

<?php
include("include/session.php");

// An image submit button sends post1_x / post1_y click coordinates.
if (isset($_POST['post1_x']) || isset($_POST['post1_y'])) {

    // Form fields are taken from the request as-is.
    $blogtitle = $_POST['title'];
    $blogintro = $_POST['intro'];
    $blogpost = $_POST['blogpost'];

    $username = mysql_real_escape_string($_SESSION['username']);

    // If no title, exit script.
    if (!$blogtitle) {
        echo "Your blog entry needs a title, fool";
        exit();
    }
    if (!$blogpost) {
        echo "You need to actually write something to post a new entry..";
        exit();
    }

    // Field values are interpolated directly into the INSERT statement.
    $query = "INSERT INTO blogs (title, intro, mainpost, byuser, dtime) VALUES ('$blogtitle','$blogintro','$blogpost', '$username', NOW())";
    $result = $database->query($query);

    header("Location: selectedblog.php?blog=$username");
}
?>


All of your variables need to be prepared for insertion (not just username), and they should all be sanitized before they even go any further in the script.

For example, what if they were empty? What if they didn't have any letters or numbers, had spaces, etc.?

Use preg_match and Google for some sanitization techniques (good ones); no need for a myriad of functions used on one string.

I only use mysql_real_escape_string() and preg_match(), with an occasional strip_tags when I'm allowing tag symbols.

-cb-
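Putting the thread's two separate problems into working code, as an added example that is neither the original poster's nor cb's code: the XSS side is handled by encoding every stored field with htmlspecialchars() at the moment it is rendered, and the SQL side by binding the title, intro, post and user name as prepared-statement parameters instead of interpolating them into the query. The PDO sqlite in-memory database, the blogs table definition and the sample title are assumptions made so the script runs offline; a real deployment would point the PDO DSN at the existing MySQL database.

```php
<?php
// Added example, not the posted blog code. PDO with the sqlite driver is assumed
// so that the script runs offline; the table mirrors the columns used in the thread.
declare(strict_types=1);

// Encode untrusted text for an HTML element body or attribute value.
// ENT_QUOTES covers both quote styles; the charset must match the page's charset.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Insert a blog entry with a prepared statement: the values travel separately
// from the SQL text, so a quote in the title cannot change the query.
function addBlogEntry(PDO $db, string $title, string $intro, string $post, string $user): int
{
    $stmt = $db->prepare(
        'INSERT INTO blogs (title, intro, mainpost, byuser, dtime) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $intro, $post, $user, date('Y-m-d H:i:s')]);
    return (int) $db->lastInsertId();
}

// Fetch a user's entries; the user name is bound, never interpolated.
function listBlogEntries(PDO $db, string $user): array
{
    $stmt = $db->prepare(
        'SELECT title, intro, mainpost FROM blogs WHERE byuser = ? ORDER BY blogid DESC'
    );
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render entries as HTML, encoding each stored field at output time.
// Storing text as typed and encoding on output keeps the data intact and
// makes the encoding decision local to the place that knows the context.
function renderEntries(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<h3>' . esc($row['title']) . "</h3>\n"
               . '<p>' . esc($row['intro']) . "</p>\n"
               . '<div>' . esc($row['mainpost']) . "</div>\n";
    }
    return $html;
}

// --- demo with constructed input ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE blogs (blogid INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, '
    . 'intro TEXT, mainpost TEXT, byuser TEXT, dtime TEXT)'
);

// Constructed sample title containing an apostrophe and a script tag, which
// exercises both the parameter binding and the output encoding.
$title = "Bob's <script>alert(1)</script> day";
addBlogEntry($db, $title, 'intro text', 'main text', 'bob');

echo renderEntries(listBlogEntries($db, 'bob'));
```

The redirect in the posted addingblog.php would use the same idea: the user name goes through urlencode() before being placed in the Location query string, and the page that reads it binds it as a parameter in its SELECT rather than concatenating it.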
