Quick Question - XSS secure

Posted: Sat Dec 26, 2009 1:04 pm
by synical21
Hey Gurus, I consider this piece of code secure from XSS attacks, but apparently it is not according to a program which analyses website vulnerabilities (Acunetix Web Scanner).

Code:

if (isset($_GET['msg'])) {
    // mysql_real_escape_string only escapes for SQL; <, >, & and quotes reach the HTML unchanged
    $msg = mysql_real_escape_string($_GET['msg']);
    echo "<div class=\"msg\">$msg</div>";
}
Is the program wrong or am I wrong? For the record, I don't rely on programs to find my security flaws, I just use it out of curiosity; a second opinion doesn't hurt after all :)

Re: Quick Question - XSS secure

Posted: Sat Dec 26, 2009 1:53 pm
by Darhazer
mysql_real_escape_string escapes data which will be sent to the database.
When you are outputting HTML, you have to escape data with htmlspecialchars / htmlentities.

Data should be escaped when it is used, in the context of which it is used. There are different functions / ways to escape data for output, for database, for working with filesystem, etc...
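To make the point about context concrete, here is an added example (not code from either poster) showing the same untrusted value escaped for the HTML context versus the SQL context. The input string, the function names and the `messages` table are constructed for the illustration; addslashes stands in for mysql_real_escape_string, which needs a live MySQL connection and was removed in PHP 7.

```php
<?php
// Added example, not from the thread. Sample input is constructed.
$untrusted = '"><script>alert(1)</script><a href="x';

// HTML context (the thread's <div> case): turn < > & " ' into entities.
// ENT_QUOTES also covers single quotes, which matters once the value is
// reused inside a single-quoted attribute; the charset avoids mis-decoding.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering the value twice: in the element body and in a quoted attribute.
// Escaping alone is only safe when the attribute is quoted in the template;
// event-handler attributes and javascript: URLs are never safe this way.
function render_msg_div(string $value): string
{
    $safe = escape_html($value);
    return '<div class="msg" title="' . $safe . '">' . $safe . '</div>';
}

// SQL-style escaping (addslashes as a stand-in, see lead-in): backslashes
// and quotes are escaped, but < and > are left untouched, which is exactly
// why the original snippet was still flagged for XSS.
function escape_for_sql_demo(string $value): string
{
    return addslashes($value);
}

// The database context is best handled without manual escaping at all:
// a prepared statement keeps the raw value as data. Not executed here
// because it needs a real PDO connection; the table name is hypothetical.
function store_msg(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}

echo "HTML context:\n", render_msg_div($untrusted), "\n\n";
echo "SQL-style escaping (still contains <script>):\n",
     escape_for_sql_demo($untrusted), "\n";
```

Run it with `php example.php` and compare the two outputs: only the first one has the angle brackets neutralised.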

Re: Quick Question - XSS secure

Posted: Sat Dec 26, 2009 2:18 pm
by synical21
Oh right, I thought maybe mysql_real_escape_string would work. OK, thanks for telling me this, now to secure this hole using htmlspecialchars.

Code:

if (isset($_GET['msg'])) {
    // escape for the HTML body context; ENT_QUOTES also covers single quotes, UTF-8 avoids mis-decoding
    $msg = htmlspecialchars($_GET['msg'], ENT_QUOTES, 'UTF-8');
    echo "<div class=\"msg\">$msg</div>";
}
I think that is now fixed.