Chris.. I'm still confused... With regard to your example, what's wrong with using the $_GET['username'] that you present? Unless you're saying it should be checked/validated before using it, in which case the app could do something like $_GET['username'] = reg_check($_GET['username'])... Is this what you're driving at? If this is the case, then what you're really stating is that every piece of data you get from the user/client should be checked/verified/validated... Is this in essence what you're stating?

thanks
-bruce

-----Original Message-----
From: Chris Shiflett [mailto:shiflett@xxxxxxx]
Sent: Wednesday, September 21, 2005 4:07 PM
To: bedouglas@xxxxxxxxxxxxx
Cc: 'Jasper Bryant-Greene'; 'PHP Mailing Lists'
Subject: Re: security/sql issues with php

bruce wrote:
> I'm confused!!!! Regarding XSS. Cross-Site Scripting appears to be
> due to somehow allowing a user to insert 'html'/data/etc into the
> URL that you as the app are expecting? Is this correct?

An XSS vulnerability exists whenever you output tainted data. For example, if a user can submit data to your application, and you use this data in an echo statement without filtering it (or escaping it, as Jasper noted), you have an XSS vulnerability.

Here's an example:

echo $_GET['username'];

Here's another example:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">

> Wouldn't this be easy enough to solve in most cases, if the app
> did the proper validation/data checking?

Yes, but the more important point is to escape output. If you have data that you want to display in HTML without it being interpreted as HTML, use something like htmlentities() to escape it.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
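To make the distinction in Chris's reply concrete, here is an added example that is not part of the thread above and not Chris's or Bruce's code. It renders the two snippets he quotes (an echoed $_GET['username'] and a form action built from $_SERVER['PHP_SELF']) first unescaped and then escaped at the point of output. The request values are constructed stand-ins for real request data; $_SERVER['PHP_SELF'] is included because it can carry client-supplied PATH_INFO, which is why Chris lists it as tainted. The helper name e() and the file name are the example's own choices.

```php
<?php
// Added example, not from the mailing-list thread. Run with: php xss_escape.php
declare(strict_types=1);

// Escape a string for insertion into HTML text or a double-quoted attribute.
// htmlspecialchars() converts & < > " and (with ENT_QUOTES) ' to entities.
// htmlentities(), which Chris mentions, does the same for these five characters
// and additionally encodes non-ASCII characters, so either is fine here.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The vulnerable pattern: tainted data is written to the page unchanged,
// exactly as in "echo $_GET['username'];" and the PHP_SELF form action.
function render_vulnerable(string $username, string $self): string
{
    return "<form action=\"{$self}\" method=\"POST\">\n"
         . "Hello, {$username}\n"
         . "</form>\n";
}

// The escaped pattern: every tainted value passes through e() at output time.
// Validation on input is still worthwhile, but this is the step that prevents
// the browser from interpreting the data as markup.
function render_escaped(string $username, string $self): string
{
    return "<form action=\"" . e($self) . "\" method=\"POST\">\n"
         . "Hello, " . e($username) . "\n"
         . "</form>\n";
}

// Crude check used only for the demonstration: does the output still contain
// an unescaped script tag or an attribute-closing quote sequence?
function contains_raw_markup(string $html, string $payloadFragment): bool
{
    return strpos($html, $payloadFragment) !== false;
}

// Constructed sample request data (not captured from a real request) standing
// in for $_GET['username'] and $_SERVER['PHP_SELF'] with attacker PATH_INFO.
$username = '<script>alert(document.cookie)</script>';
$self     = '/login.php/"><script>alert(1)</script><x a="';

$bad  = render_vulnerable($username, $self);
$good = render_escaped($username, $self);

echo "--- vulnerable output ---\n", $bad;
echo "--- escaped output ---\n",    $good;

printf("vulnerable still carries <script>: %s\n",
    contains_raw_markup($bad, '<script>') ? 'yes' : 'no');   // yes
printf("escaped still carries <script>:    %s\n",
    contains_raw_markup($good, '<script>') ? 'yes' : 'no');  // no
```

Note the attribute case: without ENT_QUOTES a double quote inside the PHP_SELF value would be escaped but a single quote would not, so the flag matters whenever the destination is an attribute rather than element text. The escaping function is chosen by the output context (HTML body, HTML attribute, JavaScript string, URL parameter); htmlspecialchars()/htmlentities() cover only the first two.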