XSS URL attack prevention

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
paul8088
Forum Newbie
Posts: 1
Joined: Mon May 30, 2016 10:24 pm

XSS URL attack prevention

Post by paul8088 »

I am beginner and I am struggling with kind of attack called (XSS). I tried this codes

Code: Select all

/"><script>alert('hacked')</script>
/>"><script>alert("XSS")</script>&
on my 127.0.0.1/myweb/home.php?u=paul and then this is the result: 127.0.0.1/myweb/home.php/"><script>aler ... &?u=daniel. And now it appears that my web page is been hacked, I do not have any security or validation code to prevent this so I am looking for sample codes, or advices to apply on my application thank you.
Top
User avatar
Celauran
Moderator
Posts: 6425
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: XSS URL attack prevention

Post by Celauran »

Start with this: http://php.net/manual/en/function.htmlspecialchars.php
Top
User avatar
Vegan
Forum Regular
Posts: 539
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC

Re: XSS URL attack prevention

Post by Vegan »

paul8088 wrote:I am beginner and I am struggling with kind of attack called (XSS). I tried this codes

Code: Select all

/"><script>alert('hacked')</script>
/>"><script>alert("XSS")</script>&
on my 127.0.0.1/myweb/home.php?u=paul and then this is the result: 127.0.0.1/myweb/home.php/"><script>aler ... &?u=daniel. And now it appears that my web page is been hacked, I do not have any security or validation code to prevent this so I am looking for sample codes, or advices to apply on my application thank you.
I recommend using a secure password for your site, ftp credentials or WP as the case may be. This will keep miscreants out.
Top
User avatar
Celauran
Moderator
Posts: 6425
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: XSS URL attack prevention

Post by Celauran »

Vegan wrote:
paul8088 wrote:I am beginner and I am struggling with kind of attack called (XSS). I tried this codes

Code: Select all

/"><script>alert('hacked')</script>
/>"><script>alert("XSS")</script>&
on my 127.0.0.1/myweb/home.php?u=paul and then this is the result: 127.0.0.1/myweb/home.php/"><script>aler ... &?u=daniel. And now it appears that my web page is been hacked, I do not have any security or validation code to prevent this so I am looking for sample codes, or advices to apply on my application thank you.
I recommend using a secure password for your site, ftp credentials or WP as the case may be. This will keep miscreants out.
No, no it won't. If your site is vulnerable to cross site scripting, having a "secure password" won't do anything to prevent that. Ditto SQL injection and other common vulnerabilities. Secure passwords are great, but they're not a panacea.
Top
User avatar
Christopher
Site Administrator
Posts: 13592
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: XSS URL attack prevention

Post by Christopher »

Celauran wrote:No, no it won't. If your site is vulnerable to cross site scripting, having a "secure password" won't do anything to prevent that. Ditto SQL injection and other common vulnerabilities. Secure passwords are great, but they're not a panacea.
Yes, this is exactly right. CSS and SQL injection can happen on public search forms, login pages, etc. that are irrelevant to password security. And yes, strong password are still a good thing.
(#10850)
Top
Post Reply

Return to “PHP - Security”