Monday, December 7, 2009

Preventing Cross-Site Scripting Attacks with PHP

This post discusses cross-site scripting attacks against your HTML forms: what they are and how to prevent them. HTML is simply plain text, such as the bold tag, that web browsers give special meaning to. Visitors to your web site can therefore just as easily place HTML in their form data, for instance in the comments field of an email form.

Why is that a problem? Many dynamic web applications take information submitted by a user, store it in a database, and re-display it on another page; message boards and forums are two examples. If a user enters HTML code in their form data, that code can throw off the layout and appearance of your site.

Worse, suppose a user places JavaScript in your web form. JavaScript is also plain text, but text with special meaning: it is executable code within the browser. If such code is entered into a form and re-displayed in the browser, it can create popup windows, steal cookies, or redirect the browser to another page. This is known as a Cross-Site Scripting (XSS) attack.

PHP includes several functions for handling HTML and other code found within strings, which help prevent XSS attacks. These include:

  • htmlspecialchars(), which converts &, ", <, > (and ' when called with ENT_QUOTES) into their HTML entity equivalents, so the browser displays them as text instead of interpreting them.
  • htmlentities(), which converts all applicable characters, including accented and other non-ASCII characters, into their HTML entity equivalents.
  • strip_tags(), which removes all HTML and PHP tags.
These functions are listed from the least disruptive to the most. A couple of examples of the syntax are shown below:

  <?php
  // Check for the form submission, then compare the original data with the sanitized versions.
  if (isset($_POST['submitted'])) {
      // The raw submitted value, exactly as the user typed it (never echo this unescaped).
      $raw = $_POST['data'];
      // Encode the characters that would otherwise mess up the page or hack the web browser.
      $encoded = htmlentities($raw, ENT_QUOTES, 'UTF-8');
      // strip_tags() completely removes any JavaScript, HTML, or PHP tags and is the most
      // effective way to prevent XSS attacks.
      $stripped = strip_tags($raw);
  }
  ?>
Unrelated to security but quite useful is the nl2br() function. It turns every line break (such as those entered into a text area) into an HTML br tag.
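A worked comparison of the three functions and of nl2br(), written for this post as an added example rather than code from the original; the sample comment string is constructed, and the function names sanitizeComment and renderComment are my own.

```php
<?php
// Added example (not from the original post): run one constructed comment through each
// function and show what the browser would receive in each case.
declare(strict_types=1);

function sanitizeComment(string $raw): array
{
    return [
        // ENT_COMPAT encodes double quotes only (the default before PHP 8.1); ENT_QUOTES
        // also encodes single quotes, which matters inside single-quoted attributes.
        'htmlspecialchars'        => htmlspecialchars($raw, ENT_COMPAT, 'UTF-8'),
        'htmlspecialchars_quotes' => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
        // htmlentities additionally encodes non-ASCII characters such as the e-acute below.
        'htmlentities'            => htmlentities($raw, ENT_QUOTES, 'UTF-8'),
        // strip_tags discards the tags but keeps the text that was between them.
        'strip_tags'              => strip_tags($raw),
    ];
}

// Escape first, then convert newlines: nl2br() inserts a real <br /> tag, so it must run
// after the encoding step, or the tag it adds would itself become &lt;br /&gt;.
function renderComment(string $raw): string
{
    return nl2br(htmlentities($raw, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: a comment containing a script tag, quotes and a newline.
$sample = "Caf\u{E9} <script>alert('x')</script>\nsecond line";

foreach (sanitizeComment($sample) as $name => $out) {
    printf("%-24s %s\n", $name . ':', str_replace("\n", '\n', $out));
}
echo renderComment($sample), "\n";
```

Run it from the command line with php to compare the four outputs side by side; only the encoded forms keep the user's text intact while leaving nothing for the browser to execute.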
