
Are my forms a danger towards code injection?


Problem

I'm writing a PHP tutorial and I would like to display some forms where the users could enter values that are displayed in the same webpage, just as a demonstration.

The forms do nothing special, they only use print instructions to display the input.

I would like to know if these apparently inoffensive forms could be a real danger for my server because of script injection.

The code that processes the form is:

Solution

The short answer is yes, you are vulnerable to injection, XSS to be precise, which you can read more about here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Explanation:

All user input should be sanitized. For example:

if you input <script>alert("This will alert");</script> into your form, you will notice an alert message appears on your page;

however, if you sanitize the code, i.e.

print "Hello, " . htmlentities($_POST['user']);


you will no longer see the alert message.

Using htmlentities() will help protect you from the script injection.

You would also be better off validating the data that is expected from the user.

There are other points, which you can see here https://stackoverflow.com/questions/11554432/php-post-dynamic-variable-names-security-concerns, that are based more on dynamically creating variables.
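The following is an added example, not code from the question or the answer above: a small handler for the same "user" field that puts the unsafe print beside a hardened version, combining the escaping the answer recommends with the validation it mentions. The field name "user", the length limit and the allowlist pattern are assumptions for the demonstration.

```php
<?php
// Added example (not from the original question or answer): a minimal
// form handler showing the unsafe pattern beside the hardened one.
// Assumes the form field is named "user", as in the answer's snippet.

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES escapes both ' and " (before PHP 8.1 the default left ' alone),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate before escaping: a display name has no business containing
// angle brackets or being kilobytes long. Returns null on rejection.
// The 40-character limit and the allowlist are assumptions for this demo.
function validateUserName(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 40) {
        return null;
    }
    // Allowlist: letters (any script), marks, digits, spaces and a few name characters.
    return preg_match('/^[\p{L}\p{M}\p{N} .\'-]+$/u', $value) === 1 ? $value : null;
}

// Constructed input standing in for $_POST['user'] when run from the CLI:
// the answer's own test string.
$input = $_POST['user'] ?? '<script>alert("This will alert");</script>';

// Unsafe: the browser would treat the submitted markup as part of the page.
$unsafe = "Hello, " . $input;

// Hardened: reject what a name cannot contain, then escape what remains.
$name = validateUserName($input);
$safe = $name === null
    ? "Hello, stranger (that did not look like a name)"
    : "Hello, " . escapeHtml($name);

header('Content-Type: text/html; charset=UTF-8');
// The unsafe string is itself escaped here so it is displayed inertly.
print "<p>Unsafe output would have been: " . escapeHtml($unsafe) . "</p>\n";
print "<p>" . $safe . "</p>\n";
```

Escaping belongs at the point of output and must match the context (HTML text here; a URL or a JavaScript string needs a different encoder), which is why validation on the way in is a complement to htmlentities() rather than a replacement for it.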

Context

StackExchange Code Review Q#39983, answer score: 11
