Quick Question - XSS secure

synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Quick Question - XSS secure

Post by synical21 »

Hey Gurus, I consider this piece of code secure from XSS attacks, but apparently it is not according to a program which analyses website vulnerabilities (Acunetix Web Scanner).

// Original (flagged) version: the misplaced parenthesis in the if condition was a
// syntax error and is corrected here; the escaping is left as posted.
// mysql_real_escape_string() escapes for a MySQL string literal, not for HTML,
// so "<" and ">" pass through untouched into the page.
if (isset($_GET['msg'])) {
    $msg = mysql_real_escape_string($_GET['msg']);
    echo "<div class=\"msg\">$msg</div>";
}
Is the program wrong or am I wrong? For the record, I don't rely on programs to find my security flaws, I just use it out of curiosity; a second opinion doesn't hurt after all :)
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Quick Question - XSS secure

Post by Darhazer »

mysql_real_escape_string escapes data which will be sent to the database.
When you are outputting HTML, you have to escape data with htmlspecialchars / htmlentities.

Data should be escaped when it is used, in the context of which it is used. There are different functions / ways to escape data for output, for database, for working with filesystem, etc...
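The point above in working code, as an added example that is not part of the thread: the same inputs run through a SQL-string escaper and through an HTML escaper, with a check of what survives for the HTML sink. mysql_real_escape_string() needs a live connection and no longer exists in PHP 7+, so addslashes() stands in for it here (an assumption: it backslash-escapes the same quote and backslash characters and, like the MySQL escaper, leaves angle brackets alone).

```php
<?php
// Added example for this thread; not code from the original posts.

// Stand-in for mysql_real_escape_string(): escapes ' " \ and NUL with a backslash,
// which is what a SQL string literal needs and nothing that HTML needs.
function sqlStyleEscape(string $s): string {
    return addslashes($s);
}

// Escaping for the HTML text sink used in the thread (<div class="msg">...</div>).
// ENT_QUOTES also covers single quotes, so the result is safe inside attributes too.
function htmlTextEscape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The output context from the thread, with the value escaped for that context.
function renderMsg(string $msg): string {
    return '<div class="msg">' . htmlTextEscape($msg) . '</div>';
}

// Constructed inputs: plain text, text with quotes, and text carrying markup.
$inputs = [
    'hello world',
    'O\'Reilly said "hi"',
    '<b title="x">bold</b> & more',
];

foreach ($inputs as $in) {
    $sql  = sqlStyleEscape($in);
    $html = htmlTextEscape($in);
    // For the HTML sink, raw "<" or ">" surviving means markup reaches the browser.
    $sqlLeavesTags  = strpbrk($sql, '<>') !== false ? 'yes' : 'no';
    $htmlLeavesTags = strpbrk($html, '<>') !== false ? 'yes' : 'no';
    printf("input       : %s\n", $in);
    printf("sql-escaped : %s  (raw tags left: %s)\n", $sql, $sqlLeavesTags);
    printf("html-escaped: %s  (raw tags left: %s)\n", $html, $htmlLeavesTags);
    printf("rendered    : %s\n\n", renderMsg($in));
}
```

The third input shows the difference: the SQL-style escaper returns it with the tags intact, while the HTML escaper turns every < > & " ' into an entity before it reaches the div.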
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: Quick Question - XSS secure

Post by synical21 »

Oh right, I thought maybe mysql_real_escape_string would work. OK, thanks for telling me this; now to secure this hole using htmlspecialchars.

// Fixed version: escape for the HTML output context.
// ENT_QUOTES and an explicit charset are added so the value is also safe inside
// quoted attributes and so multibyte input is handled consistently.
if (isset($_GET['msg'])) {
    $msg = htmlspecialchars($_GET['msg'], ENT_QUOTES, 'UTF-8');
    echo "<div class=\"msg\">$msg</div>";
}
I think that is now fixed.