On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote: > That would do the job. > > If you are already digging into it, take a look at XSRF/CSRF which are > both can be very harmful, especially for ecommerce websites. > > On Wed, Jun 10, 2009 at 8:08 PM, Ashley > Sheridan<ash@xxxxxxxxxxxxxxxxxxxx> wrote: > > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote: > >> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote: > >> > Ashley Sheridan wrote: > >> > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: > >> > > > >> > >>> I've been doing a bit of reading, and I can't really understand why XSS > >> > >>> is such an issue. Sure, if a user can insert a <script> tag, what > >> > >>> difference will that make to anyone else, as it is only on their own > >> > >>> browser. > >> > >>> > >> > >>> > >> > >> 1. User 1 logs on to the application. Fills up the form with malicious > >> > >> JS code in it. The server accepts the input, is stored in the database. > >> > >> 2. User 2 logs on to the application. Goes to the view the information > >> > >> stored in the database. The JS gets executed on user 2's browser. User > >> > >> is attacked by XSS. > >> > >> > >> > >> I hope that clarifies the question. > >> > >> > >> > >> > >> > >> > >> > > It does to a degree. So I shouldn't really worry about it in this case, > >> > > as input from one user will never be displayed to any other user. If it > >> > > was a forum or something, it would, but the search string is only ever > >> > > shown to the user who entered it, and never stored for later display. > >> > > > >> > > > >> > It is easy to slip by. I recall a website was hacked using XSS on the > >> > page the admin views the log entries. Just in case, you or somebody else > >> > tries to add the search log feature in the future, keep this at the back > >> > of your mind. Having the user to click on a harmful URI is ridiculously > >> > easy. > >> > > >> > > >> > > >> > > >> > -- > >> > > >> > With warm regards, > >> > Sudheer. S > >> > Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net > >> > > >> > > >> Yeah, I never realised what a minefield it could be, but I've been doing > >> a lot of reading today! > >> > >> Thanks > >> Ash > >> www.ashleysheridan.co.uk > >> > >> > > So something like this would be acceptable?: > > > > $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:''; > > $searchTerms = htmlentities($searchTerms); > > $dbSearchTerms = mysql_real_escape_string($searchTerms); > > > > Giving me two variables, one for display output to user, the other for > > use in the database? > > > > Thanks > > Ash > > www.ashleysheridan.co.uk > > > > Thanks, I will. Thanks Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
