
Allowing user input in $_SESSION

Posted: Sun Dec 16, 2007 3:01 pm
by Chalks
The way my script is currently set up (I'm still developing it, so it's not live or anything), a user could put pretty much _any_ string into a $_SESSION variable. It would never be evaluated beyond this:

Code:

<html>
  <body>
    <form>
      <input name="whatever" type="text" value="<?php if(isset($_SESSION['unsecured'])) echo $_SESSION['unsecured']; ?>">
    </form>
  </body>
</html>
I don't _think_ that creates a security hole, but I'm not sure. Does it? If so, how?

Posted: Sun Dec 16, 2007 3:13 pm
by John Cartwright
As a rule of thumb, all output should have htmlentities() applied to it to avoid XSS injection.

Code:

<input name="whatever" type="text" value="<?php if(isset($_SESSION['unsecured'])) echo htmlentities($_SESSION['unsecured']); ?>">
Moved to PHP-Security.
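To make the point of the reply concrete, here is an added example (not code from either poster) that renders the same input element two ways: once with the session value echoed verbatim, as in the original post, and once escaped at output time. The function names and the sample session contents are constructed for illustration; $_SESSION is replaced by a plain array so the script runs from the command line.

```php
<?php
// Added example: escaping a session-stored string at the point of output.
// Function names and the sample value below are assumptions for illustration.

declare(strict_types=1);

/**
 * Escape a value for use inside a double-quoted HTML attribute or text node.
 * ENT_QUOTES covers both " and ' so the value cannot terminate the attribute;
 * ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern from the original post: the stored string is emitted as-is. */
function render_unsafe(array $session): string
{
    $v = $session['unsecured'] ?? '';
    return '<input name="whatever" type="text" value="' . $v . '">';
}

/** The pattern from the reply: the stored string is escaped when it is output. */
function render_safe(array $session): string
{
    $v = $session['unsecured'] ?? '';
    return '<input name="whatever" type="text" value="' . e($v) . '">';
}

// Constructed sample: a string a user could have submitted earlier and that the
// script then stored in $_SESSION without validation. Session storage does not
// make it trusted; it is still user input when it comes back out.
$session = ['unsecured' => '"><b>injected</b>'];

// In the unsafe version the leading quote closes the value attribute and the
// remainder of the string is parsed by the browser as new markup.
echo render_unsafe($session), PHP_EOL;

// In the safe version the quote and angle brackets are entity-encoded, so the
// whole string stays inside the attribute as inert text.
echo render_safe($session), PHP_EOL;
```

Escaping belongs at the output site, chosen for the context the value lands in (here, a quoted attribute); storing the string in $_SESSION neither requires nor replaces that step.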