PHP Security – Form Elements

If you have things like textboxes and text areas on your forms, then you
need to do some security checking on the data that comes in. One reason is
Cross-Site Scripting (XSS): somebody enters script into your textboxes, and
if your page prints that input back out unchanged, the script runs in the
browser of whoever views the page. Take this simple form as an example:

<html>
<head>
<title>Test Attack</title>

<?PHP

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

$first_name = $_POST['first_name'];

// The submitted value is written straight into the page with no escaping.
// This is the line the rest of this part exploits.
echo $first_name;

}

?>

</head>
<BODY>

<Form Method="Post" action="testSecurity.php">
<input type="text" name="first_name" value="test name">
<input type="submit" name="Submit" value="Submit">
</Form>

</BODY>
</html>

This form is one of the files you download.
It can be found in the scripts folder and is called testSecurity.php.

Load it up and you’ll see that it’s just a textbox and a Submit button. Click
the button, and you should see “test name” printed on the page.

Now, click inside the textbox and enter the following JavaScript:

<SCRIPT>alert("Scary Script!")</SCRIPT>

Click the Submit button, and then watch what happens. You should see this
(you need JavaScript enabled in your browser):

A security alert

It’s just an alert box. But it could have been something worse!

Another thing someone could do, especially if you have a forum, is to enter
HTML directly into your textboxes. They could flood your forum with links
to harmful or undesirable web sites. Try this as an example. Delete everything
from your textbox, and enter this:

<A HREF="nastysite">A Nasty Site</A>

When you click Submit this time, you should see the following:

HTML injected into an HTML form element

This time, an HTML hyperlink displays above a comments text area.
If that was your forum, guess where the link would be?

To stop this kind of thing happening, there are a number of techniques you
can use. We’ll explore them in the next few parts.
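As an added example that is not part of the original tutorial, here is a hardened version of testSecurity.php: the submitted value is passed through htmlspecialchars() before it is written into the page, in both the text position and the textbox's value attribute, so the two payloads above are displayed as literal text instead of being run as a script or rendered as a link. It assumes the file is saved under the same name so the form posts back to itself.

```php
<?php
// Added example, not the tutorial's own code: a hardened testSecurity.php.
// The change that matters is escape_html(): the submitted value is escaped
// before it reaches the browser, so < > & " ' arrive as entities.
declare(strict_types=1);

/** Escape a string for HTML text or a double-quoted attribute value. */
function escape_html(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
    // empty string when the input is not valid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$first_name = 'test name';
$submitted  = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Defensive read: the field may be missing, or be an array if the
    // request was tampered with (first_name[]=...).
    $raw        = $_POST['first_name'] ?? '';
    $first_name = is_string($raw) ? $raw : '';
    $submitted  = true;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Test Attack (escaped)</title>
</head>
<body>
<?php if ($submitted): ?>
<!-- Text context: the browser shows the submitted characters but cannot
     interpret them as tags, so the alert() and the link never happen. -->
<p>You entered: <?= escape_html($first_name) ?></p>
<?php endif; ?>

<!-- Attribute context: the value is echoed back into the textbox, so it is
     escaped here too; an unescaped " would otherwise close value="" early. -->
<form method="post" action="testSecurity.php">
<input type="text" name="first_name" value="<?= escape_html($first_name) ?>">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
```

Submitting either payload from the tutorial now shows it on the page as text; use your browser's view-source to confirm the angle brackets arrive as &lt; and &gt;.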

Source: excerpt from https://www.homeandlearn.co.uk/php/php9p1.html