
PHP XSS


spencer9772


So XSS attacks, are you safe from them if you are outputting the data into, let's say, an input box, without any security checks like htmlentities()? And does PDO prepare help prevent XSS too? And what sort of functions should I use to be most secure when outputting data in input boxes, text etc.


So XSS attacks, are you safe from them if you are outputting the data into, let's say, an input box, without any security checks like htmlentities()?

No. I might enter

'">'

and that would break out of your <input>.

 

And does PDO prepare help prevent xss too?

No, it has nothing to do with XSS. What prepared statements do help with is SQL injection.

 

And what sort of functions should I use to be most secure of outputting data in input boxes, text etc.

htmlspecialchars() is "better" than htmlentities(). There's also urlencode(), rawurlencode(), and http_build_query() for dealing with URLs.
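As an added example (not code from the thread or from any of its posters), here is the `'">` string above rendered into three different output contexts with the functions this reply names. The point it demonstrates is that escaping is chosen per context: htmlspecialchars() for HTML, urlencode()/http_build_query() for a query string, rawurlencode() for a path segment, and both layers when a URL sits inside an HTML attribute. The helper names and the `/search.php` and `/users/` paths are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): the same untrusted string rendered
// into three output contexts. The escaping function has to match the context
// the value lands in; an HTML escaper does nothing for a URL and vice versa.

// Constructed input: the breakout string from the reply above.
$untrusted = '\'">';

// Unsafe: the raw value is concatenated into an attribute, so its double quote
// closes the attribute and its ">" closes the tag.
function renderInputUnsafe(string $value): string
{
    return '<input type="text" name="q" value="' . $value . '">';
}

// HTML attribute or text node: htmlspecialchars() with ENT_QUOTES turns both
// quote styles into entities, so the value can never close the attribute.
// Pass the charset explicitly so the escaper agrees with the page encoding.
function renderInputSafe(string $value): string
{
    return '<input type="text" name="q" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// URL query string: percent-encoding, not HTML escaping. http_build_query()
// runs urlencode() over every key and value.
function buildSearchUrl(string $value): string
{
    return '/search.php?' . http_build_query(['q' => $value]);
}

// URL path segment: rawurlencode() (RFC 3986 style, spaces become %20, not +).
function buildProfilePath(string $value): string
{
    return '/users/' . rawurlencode($value);
}

// A URL placed inside an HTML attribute needs both layers, applied in order:
// percent-encode for the URL, then HTML-escape the result for the attribute.
function renderSearchLink(string $value): string
{
    return '<a href="' . htmlspecialchars(buildSearchUrl($value), ENT_QUOTES, 'UTF-8')
        . '">search</a>';
}

echo renderInputUnsafe($untrusted), PHP_EOL;
echo renderInputSafe($untrusted), PHP_EOL;
echo buildSearchUrl($untrusted), PHP_EOL;
echo buildProfilePath($untrusted), PHP_EOL;
echo renderSearchLink($untrusted), PHP_EOL;
```

Run it with the PHP CLI: the first line shows the attribute and the tag already closed by the input, the second shows the quotes and angle bracket replaced by entities, and the URL variants contain only percent-escapes. The order in renderSearchLink() matters: percent-encoding first, HTML escaping last, because the outermost context (the attribute) is the one the browser parses first.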

When it comes to security I always use a variety of functions when handling data, forms etc.

 

Example:

<?php

$username = $_POST['username'];
$password = trim($_POST['password']);

$username = htmlspecialchars($_POST['username']);
$password = htmlspecialchars($_POST['password']);

$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);

$username = stripslashes($_POST['username']);
$password = stripslashes($_POST['password']);
$password = hash('ripemd128', $password);

$username = strip_tags($username);
$password = strip_tags($password);

$username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
$password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);

$username = htmlentities($username, ENT_QUOTES);
$password = htmlentities($password, ENT_QUOTES);

?>
Edited by Tom10

I'm going to assume each set of lines is to be taken in its own right, though the code suggests it's actually chaining all of these together (which is very, very bad).

 

$username = $_POST['username'];
$password = trim($_POST['password']);
Keeps the values as they were entered until, presumably, they are escaped at the last second. Which is how it should be.

 

$username = htmlspecialchars($_POST['username']);
$password = htmlspecialchars($_POST['password']);
Escapes the username and password immediately. These must not be used with anything except for HTML/XML output. Have to use $_POST to get the original values.

 

$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);
Escapes the values for use directly in a mysqli query. Don't use the values for anything else (including use in a mysql or PDO query, or a prepared statement).

 

$username = stripslashes($_POST['username']);
$password = stripslashes($_POST['password']);
Removes quotes that were added because of magic_quotes. If you don't have magic_quotes enabled then don't do this.

 

$password = hash('ripemd128', $password);
Hash. Esoteric algorithm.

 

$username = strip_tags($username);
$password = strip_tags($password);
Because you decided to alter the input such that anything that resembles an HTML tag gets removed. Limits what I can enter for a password; may be reasonable for a username though.

 

$username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
$password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
Some arbitrary sanitization. Have to consult the manual to find out exactly what it does.

 

$username = htmlentities($username, ENT_QUOTES);
$password = htmlentities($password, ENT_QUOTES);
Convert anything not in the default character encoding (which is...?) into an HTML entity, as well as the regular HTML-unsafe characters and both types of quotes. Screws up unusual usernames, might not have any discernible effect on the password.

Edited by requinix

Short answer is yes.

 

Longer answer is yes if you don't know what the value is and/or the value could contain arbitrary data. Something you've guaranteed to be a number (and I mean you've used code to ensure it is) doesn't need to be escaped because you know it's a number. Or maybe you ran a regex against a string to check that it only has letters and numbers - that's fine too. Point is that in both cases you know exactly what kind of value you have and thus you already know it's safe.
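As an added example that is not code from the thread or from any of its posters, here is one small account flow written the way requinix's line-by-line critique and this last reply recommend: raw input stays raw, the database gets a prepared statement, the password gets a real password hash, a value that has been validated (an integer id) is used as-is, and arbitrary text is HTML-escaped only at the point where it is placed into the page. It uses PDO with an in-memory SQLite database so it runs without a server; the table layout, the helper names and the sample input are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: one account flow handled the way
// the critique above recommends. Nothing is "cleaned" on the way in; each
// value is validated or escaped for the single context it is about to enter.
// An in-memory SQLite database stands in for the real one so this runs alone.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL, password_hash TEXT NOT NULL)');

// Constructed sample input standing in for $_POST; the display name carries the
// breakout string from earlier in the thread.
$post = ['display_name' => 'alice\'">', 'password' => 'correct horse battery staple'];

function createUser(PDO $pdo, string $displayName, string $password): int
{
    // Prepared statement: SQL text and data travel separately, so the quotes in
    // the name cannot change the query. No mysqli_real_escape_string(), no
    // htmlspecialchars(): the database should hold exactly what the user typed.
    $stmt = $pdo->prepare('INSERT INTO users (display_name, password_hash) VALUES (:n, :h)');
    $stmt->execute([
        ':n' => $displayName,
        // password_hash() applies a salted, deliberately slow algorithm;
        // a plain hash('ripemd128', ...) as in the post above is neither.
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

function checkLogin(PDO $pdo, int $id, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// $rawId is whatever arrived in the request, e.g. $_GET['id'].
function renderProfile(PDO $pdo, string $rawId): string
{
    // Validation, not sanitization: either the value is an integer or the
    // request is refused. A value that passes is known to be safe everywhere.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return '<p>Invalid user id.</p>';
    }
    $stmt = $pdo->prepare('SELECT display_name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return '<p>No such user.</p>';
    }
    // $id is a verified integer, so it goes into the markup directly.
    // $name is arbitrary text, so it is escaped here, for this HTML context,
    // and nowhere earlier. The prepared statement did nothing for this step.
    return '<p id="user-' . $id . '">Welcome, '
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

$id = createUser($pdo, $post['display_name'], $post['password']);
var_dump(checkLogin($pdo, $id, $post['password']));
var_dump(checkLogin($pdo, $id, 'wrong password'));
echo renderProfile($pdo, (string) $id), PHP_EOL;   // stored raw, escaped on output
echo renderProfile($pdo, '1abc'), PHP_EOL;         // refused by FILTER_VALIDATE_INT
```

Run it with the PHP CLI (the pdo_sqlite extension is needed). The two var_dump() calls show that the hash verifies only for the original password; the first renderProfile() call shows the quotes and angle bracket from the stored name as entities inside the paragraph, while the second is refused before any query runs. The contrast with the chained snippet above is that every function here has exactly one job and is applied once, at the boundary it protects.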
