Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
social_experiment
DevNet Master
Posts: 2793 Joined: Sun Feb 15, 2009 11:08 am
Location: .za
by social_experiment » Tue Nov 15, 2011 3:27 am
I did a test on an existing website with the following code for a query string
page.php?id=Value<script type="text/javascript">alert('XSS')</script> . Not surprisingly, it displays the alert. However, in the PHP code, I have the following
<?php
$value = $_GET['id'];
// before I use it in the query
$cleanValue = trim(htmlentities($value, ENT_QUOTES));
?>
Yet even with this, the alert message is still displayed when I load the page.
What am I missing?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
twinedev
Forum Regular
Posts: 984 Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio
by twinedev » Tue Nov 15, 2011 5:18 am
what is the code where you are displaying $cleanValue ?
by social_experiment » Tue Nov 15, 2011 5:25 am
That's my problem then: the results don't use htmlentities() when I display them back to the browser.
by twinedev » Tue Nov 15, 2011 6:27 am
Do you have any place on the page that echoes out $_SERVER['PHP_SELF'], as that will also give the full URL?
by social_experiment » Tue Nov 15, 2011 6:33 am
No, but when I enter it in the URL I assume it is parsed as part of $_GET['id']; that value is displayed elsewhere on the page.
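The two points raised in this thread, that escaping a copy of the input does nothing for the raw copy that is echoed elsewhere, and that echoing $_SERVER['PHP_SELF'] is another way user-controlled text reaches the page, are shown side by side below. This is an added example and not code from anyone in the thread. It assumes a script called page.php that receives ?id=... and renders an HTML page in UTF-8; the function names renderVulnerable, renderHardened and e are made up for the example, and the $_GET / $_SERVER arrays are constructed inline so the script can be run from the command line without a web server.

```php
<?php
// Added example, not from the original thread. Assumptions: script is page.php,
// the parameter is ?id=..., and the page is served as UTF-8 HTML.
declare(strict_types=1);

// Output-encoding helper: call it at the exact point where a value is written
// into HTML. Escaping at output time is what prevents the alert from firing.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pattern from the thread: an escaped copy is made, but the page still
// writes the raw parameter (and PHP_SELF) somewhere else, so the payload runs.
function renderVulnerable(array $get, array $server): string
{
    $value      = $get['id'] ?? '';
    $cleanValue = trim(htmlentities($value, ENT_QUOTES)); // only this copy is safe
    return '<form action="' . $server['PHP_SELF'] . '">'    // raw PHP_SELF
         . '<p>Item: ' . $cleanValue . '</p>'                // escaped copy, fine
         . '<p>You asked for: ' . $get['id'] . '</p>'        // raw copy leaks through
         . '</form>';
}

// Hardened: every untrusted value is escaped where it is output, and the form
// action uses SCRIPT_NAME (no user-supplied PATH_INFO) instead of PHP_SELF.
function renderHardened(array $get, array $server): string
{
    $id = trim((string)($get['id'] ?? ''));
    return '<form action="' . e($server['SCRIPT_NAME'] ?? '/page.php') . '">'
         . '<p>Item: ' . e($id) . '</p>'
         . '<p>You asked for: ' . e($id) . '</p>'
         . '</form>';
}

// Constructed input mirroring the probe in the first post (not a live request).
$payload = 'Value<script type="text/javascript">alert(\'XSS\')</script>';
$get     = ['id' => $payload];
$server  = ['PHP_SELF' => '/page.php', 'SCRIPT_NAME' => '/page.php'];

$bad  = renderVulnerable($get, $server);
$good = renderHardened($get, $server);

// The raw <script> tag survives in the vulnerable rendering and is gone from
// the hardened one. Explicit checks rather than assert(), which php.ini may disable.
if (strpos($bad, '<script') === false) {
    fwrite(STDERR, "expected the vulnerable page to contain the raw <script>\n");
    exit(1);
}
if (strpos($good, '<script') !== false) {
    fwrite(STDERR, "hardened page still contains a raw <script>\n");
    exit(1);
}

echo "vulnerable:\n$bad\n\nhardened:\n$good\n";
```

Run it with `php page.php`; the hardened output shows the payload as `&lt;script ...&gt;`, which the browser displays as text instead of executing. The general rule is to treat escaping as an output concern: keep the raw value around, and apply `e()` (or the equivalent for the target context) on every write into HTML, not once on a copy that may or may not be the one echoed. Note also that htmlentities/htmlspecialchars are HTML encoders only; if "the query" in the first post is a database query, they are not an SQL escape, and the value should go through a prepared statement instead.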