Posted: Wed Apr 05, 2006 10:01 pm
by crackedPavement
Posted: Thu Apr 06, 2006 12:34 am
by RobertGonzalez
The Gold Nugget Museum web site wrote:The Gold Nugget Museum was incorperated in 1973. Our mission is to preserve and protect The Ridge heritage through our collection and artifacts and with community education programs...
Who is managing the content? They might want to consider spell checking before posting (or maybe you can charge them to develop and implement a spell checking tool. Hmm. Hmm?). Also, do they mean "collection of artifacts"?
Posted: Thu Apr 06, 2006 11:53 am
by Luke
No, they mean collection and artifacts. She is a hard lady to deal with. This site was free (donation), and she still complains about EVERYTHING on it. Thank you all so much for all your advice. I will fix those problems with injection.
What would I do to prevent XSS?
Posted: Thu Apr 06, 2006 12:06 pm
by RobertGonzalez
One thing you could do is not use $_GET for the message text in your contact form. Allowing a user to pass a variable to your scripts through a URI is a big risk, unless you validate what is being passed. In your case, you could use an array index as a passed parameter and echo back the array value for that index as an error message after validating the numeric value of the $_GET var. Or you could just not use $_GET at all and rely on preprogrammed error messages based on triggers thrown by the script (I tend to use this method).
Posted: Thu Apr 06, 2006 12:08 pm
by Luke
I apologize for not completely understanding what you mean by "triggers thrown by the script". Could you elaborate?
Posted: Thu Apr 06, 2006 1:42 pm
by RobertGonzalez
Well, I suppose I mean whatever in the script would give cause to show the message. Relying on the $_GET['message'] var being set and then using the value of it is insecure. Usually, I do some checking of the values of the form data and post an error message as needed. This is typically generated within the script using a check of some sort. That way nothing gets passed to the script through the URI.
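The approach described in the two posts above (numeric index passed in the URI, message text kept inside the script) as an added PHP example; it is not code from the thread, and the form field names, the `err` parameter and the message table are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): contact-form error messages selected by a
// numeric index instead of echoing free text taken from $_GET['message'].
// Field names, the ?err= parameter and the message table are assumptions.

// Preprogrammed messages: the only text that can ever reach the page.
const ERROR_MESSAGES = [
    1 => 'Please enter your name.',
    2 => 'Please enter a valid e-mail address.',
    3 => 'Your message cannot be empty.',
];

/** Fetch a form field as a string; arrays or missing fields become ''. */
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

/**
 * Validate the form on POST and return the index of the first failing check,
 * or 0 when everything passed. These checks are the "triggers thrown by the script".
 */
function validate_contact_form(array $post): int
{
    if (field($post, 'name') === '') {
        return 1;
    }
    if (filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        return 2;
    }
    if (field($post, 'message') === '') {
        return 3;
    }
    return 0;
}

/**
 * Map an error index coming back through the URI (e.g. ?err=2 after a redirect)
 * to a message. Anything that is not a known integer key yields null, so the
 * URI can never supply text of its own.
 */
function error_message_for($raw): ?string
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return ERROR_MESSAGES[(int) $raw] ?? null;
}

// --- Request handling -------------------------------------------------------

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $err = validate_contact_form($_POST);
    if ($err !== 0) {
        // Redirect back with only the index, never the message text.
        header('Location: contact.php?err=' . $err);
        exit;
    }
    // ... send the mail here ...
    header('Location: contact.php?sent=1');
    exit;
}

$message = error_message_for($_GET['err'] ?? null);
if ($message !== null) {
    // The text is server-defined, but escaping on output costs nothing and
    // keeps the habit consistent.
    echo '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Because `error_message_for()` only accepts digit strings that match a key in `ERROR_MESSAGES`, a request such as `contact.php?err=<anything>` either shows one of the three fixed messages or nothing at all; the validation happens on POST and only the index travels through the redirect.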
Posted: Thu Apr 06, 2006 1:51 pm
by John Cartwright
If ever displaying dynamic content, play it safe with
htmlentities(), in combination with whitelisting values, example:
// Make sure the parameter is present and a plain string before touching it,
// then escape quotes as well as angle brackets and state the charset explicitly.
if (isset($_GET['blah']) && is_string($_GET['blah'])) {
    echo htmlentities($_GET['blah'], ENT_QUOTES, 'UTF-8');
}
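An added PHP example (not John Cartwright's code) that pairs the two defences he names: a whitelist check for a parameter that selects among known options, and htmlentities() with ENT_QUOTES and an explicit charset for free text that has to be echoed back, including inside attribute values. The parameter names (`sort`, `q`) and the allowed list are assumptions.

```php
<?php
// Added example (not from the thread): whitelisting plus output escaping.
//  1. A parameter that picks one of a few known options is compared against the
//     allowed list with a strict in_array(); only our own copy of the value is used.
//  2. Free text that must be displayed goes through htmlentities() with
//     ENT_QUOTES and an explicit charset, so it is safe both as element content
//     and inside double- or single-quoted attributes.
// Parameter names and the allowed list are assumptions for illustration.

const ALLOWED_SORT = ['name', 'date', 'price'];

/** Return a whitelisted sort key, or the default when the input is not on the list. */
function pick_sort($raw, string $default = 'name'): string
{
    // Strict comparison: '0', 0 or false can never match a string entry by accident.
    return (is_string($raw) && in_array($raw, ALLOWED_SORT, true)) ? $raw : $default;
}

/** Escape arbitrary text for HTML content or attribute values. */
function h($text): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
    return htmlentities((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$sort  = pick_sort($_GET['sort'] ?? null);
$query = $_GET['q'] ?? '';
if (!is_string($query)) {
    $query = '';
}

// $sort is guaranteed to be one of our constants; $query is user text and is escaped.
echo '<form method="get">';
echo '  <input type="text" name="q" value="' . h($query) . '">';
echo '  <input type="hidden" name="sort" value="' . h($sort) . '">';
echo '</form>';
echo '<p>Results for ' . h($query) . ', sorted by ' . h($sort) . '</p>';
```

The is_string() guards matter because PHP turns `?q[]=x` into an array, and htmlentities() on an array is an error rather than a safe no-op; the `h()` helper makes the escaping a one-word habit at every echo rather than something remembered case by case.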