spencer9772 Posted February 12, 2015

So XSS attacks, are you safe from them if you are outputting the data into, let's say, an input box, without any security checks like htmlentities()? And does PDO prepare help prevent XSS too? And what sort of functions should I use to be most secure when outputting data in input boxes, text, etc.?

Link: https://forums.phpfreaks.com/topic/294563-php-xss/
requinix Posted February 12, 2015

> So XSS attacks, are you safe from them if you are outputting the data into, let's say, an input box, without any security checks like htmlentities()?

No. I might enter '"> and that would break out of your .

> And does PDO prepare help prevent XSS too?

No, it has nothing to do with XSS. What prepared statements do help with is SQL injection.

> And what sort of functions should I use to be most secure when outputting data in input boxes, text, etc.?

htmlspecialchars() is "better" than htmlentities(). There's also urlencode(), rawurlencode(), and http_build_query() for dealing with URLs.
Tom10 Posted February 12, 2015 (edited)

When it comes to security I always use a variety of functions when handling data, forms, etc. Example:

    <?php
    $username = $_POST['username'];
    $password = trim($_POST['password']);
    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);
    $username = mysqli_real_escape_string($con, $username);
    $password = mysqli_real_escape_string($con, $password);
    $username = stripslashes($_POST['username']);
    $password = stripslashes($_POST['password']);
    $password = hash('ripemd128', $password);
    $username = strip_tags($username);
    $password = strip_tags($password);
    $username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $username = htmlentities($username, ENT_QUOTES);
    $password = htmlentities($password, ENT_QUOTES);
    ?>

Edited February 12, 2015 by Tom10
requinix Posted February 13, 2015 (edited)

I'm going to assume each set of lines is to be taken in its own right, though the code suggests it's actually chaining all of these together (which is very, very bad).

    $username = $_POST['username'];
    $password = trim($_POST['password']);

Keeps the values as they were entered until, presumably, they are escaped at the last second. Which is how it should be.

    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);

Escapes the username and password immediately. These must not be used with anything except for HTML/XML output. Have to use $_POST to get the original values.

    $username = mysqli_real_escape_string($con, $username);
    $password = mysqli_real_escape_string($con, $password);

Escapes the values for use directly in a mysqli query. Don't use the values for anything else (including use in a mysql or PDO query, or a prepared statement).

    $username = stripslashes($_POST['username']);
    $password = stripslashes($_POST['password']);

Removes quotes that were added because of magic_quotes. If you don't have magic_quotes enabled then don't do this.

    $password = hash('ripemd128', $password);

Hash. Esoteric algorithm.

    $username = strip_tags($username);
    $password = strip_tags($password);

Because you decided to alter the input such that anything that resembles an HTML tag gets removed. Limits what I can enter for a password; may be reasonable for a username though.

    $username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);

Some arbitrary sanitization. Have to consult the manual to find out exactly what it does.

    $username = htmlentities($username, ENT_QUOTES);
    $password = htmlentities($password, ENT_QUOTES);

Convert anything not in the default character encoding (which is...?) into an HTML entity, as well as the regular HTML-unsafe characters and both types of quotes. Screws up unusual usernames, might not have any discernible effect on the password.

Edited February 13, 2015 by requinix
spencer9772 Posted February 13, 2015 (Author)

So I should use htmlspecialchars() for EVERY user input display?
requinix Posted February 13, 2015

Short answer is yes. Longer answer is yes if you don't know what the value is and/or the value could contain arbitrary data. Something you've guaranteed to be a number (and I mean you've used code to ensure it is) doesn't need to be escaped because you know it's a number. Or maybe you ran a regex against a string to check that it only has letters and numbers - that's fine too. Point is that in both cases you know exactly what kind of value you have and thus you already know it's safe.
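The pattern requinix describes across these replies (keep the raw value, let a prepared statement handle SQL, escape per context only at output, skip escaping only for values you have validated into a known shape), as an added example that is not code from the thread. It assumes an in-memory SQLite database and a constructed "users" table; the submitted values are constructed, including the '"> string from requinix's first reply so you can see both quote characters come out as entities.

```php
<?php
// Added example, not from the thread. Assumptions: PDO with the sqlite driver,
// a constructed "users" table, and constructed form input below.
declare(strict_types=1);

// Escape for an HTML text node or a single/double-quoted attribute value.
// ENT_QUOTES covers both quote types; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input, standing in for $_POST.
$input = [
    'username' => "'\"> not a real name",
    'bio'      => "I like <b>bold</b> text & ampersands",
    'age'      => "42",
];

// 1. Storage: the raw value goes in. The prepared statement prevents SQL injection;
//    it does nothing about XSS, so no htmlspecialchars() here.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, bio TEXT NOT NULL, age INTEGER NOT NULL)');

// 2. Validation: once proven to be an integer in range, $age has a known shape and needs no escaping.
$age = filter_var($input['age'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
if ($age === false) {
    http_response_code(400);
    exit('invalid age');
}

$stmt = $pdo->prepare('INSERT INTO users (username, bio, age) VALUES (:u, :b, :a)');
$stmt->execute([':u' => $input['username'], ':b' => $input['bio'], ':a' => $age]);

// 3. Output: read the raw value back and encode for each context separately.
//    Attribute value and text node use h(); a URL query component uses rawurlencode().
$row = $pdo->query('SELECT username, bio, age FROM users')->fetch(PDO::FETCH_ASSOC);
?>
<form method="post" action="/profile">
  <input type="text" name="username" value="<?= h($row['username']) ?>">
  <textarea name="bio"><?= h($row['bio']) ?></textarea>
  <input type="number" name="age" value="<?= (int) $row['age'] ?>">
  <a href="/users?name=<?= rawurlencode($row['username']) ?>">profile link</a>
</form>
```

Run it from the command line and inspect the rendered form: the username's quote and angle-bracket characters appear as entities inside the value attribute, the bio's tags are displayed literally rather than interpreted, and the link's query string is percent-encoded.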