I know how you can use cross site scripting if you can steal cookies and do
bad stuff with JS. My question now though is if I have a form, and I post
to myself and just echo the value of that post, is that bad? Nobody else
would see the result of my post so no malicous JS could ever do anything.
I'm not doing any database calls, just storing what they typed in either an
array or a variable and echoing it. Simple as that. Is that insecure?
- Dan
""Daniel Brown"" <parasane@xxxxxxxxx> wrote in message
news:ab5568160708071520n20ee9f85l81b294b73c467ec@xxxxxxxxxxxxxxxxx
I'm just forwarding this as a courtesy to the list, because
Anthony accidentally just sent it to me, as opposed to "Reply-All'ing"
the list.
If you want more information on this subject you should search Google
for "Cross Site Scripting" and "XSS".
Of particular interest is this site: http://ha.ckers.org/xss.html
which demonstrates various ways XSS can be exploited.
Also if you aren't just echo'ing the data, but taking unsanitized data
and making database calls with it, you will want to look for MySQL
injection techniques.
Cheers,
distatica.
On 8/7/07, Daniel Brown <parasane@xxxxxxxxx> wrote:
On 8/7/07, Dan <frozendice@xxxxxxxxx> wrote:
> I've always heard it is bad if you let a user type some input, then
> show it
> back to them w/o sanatizing the code. Eg. I have a form, where the
> user
> types something, they hit submit and it submits to itself then prints
> back
> to the user something like, account created with password: whatever
> they
> typed.
>
> Why and how do you sanatize what they typed before echoing it back to
> them?
> I figured it was something like they could type in PHP commands but I
> tried
> typeing phpinfo(); into the box and submitting. All that happened is
> that
> it echoed phpinfo();
>
> Can someone explain this?
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
It's actually not so much for echo'ing as it is for processing the
data in another manner that makes it dangerous not to do some
sanitizing and checking.... such as database manipulation.
--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107
Hey, PHP-General list.... to give something back to everyone, you guys
can have 50% off every month on hosting plans of $10/mo. or more (list
price) at http://www.pilotpig.net/.
Use the coupon code phpgeneralaug07
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
---------------------------------
Anthony Hiscox
Video Watch Group
Public Site Currently Under Development
Group Members Site Fully Operational
---------------------------------
--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107
Hey, PHP-General list.... to give something back to everyone, you guys
can have 50% off every month on hosting plans of $10/mo. or more (list
price) at http://www.pilotpig.net/.
Use the coupon code phpgeneralaug07
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
