php - Is this much escaping necessary?




If someone's name happened to be:

<script>document.write('<img src="'+document.cookie+'"/>');</script>

Then a worm could be unleashed on your site. In essence the worm is just a script that takes the user's session cookie, logs in, and then does malicious stuff, replicating itself as more people view it.




It's not only for security. For example if you receive Fred&Jen as $_POST['name'] it would make an XML document invalid.




The threat here is XSS. It's Javascript code that an attacker would try to execute using an XSS attack.

To see for yourself, remove the htmlspecialchars() then post this as name:


You'll see that your PHP code will print that out and the browser will execute the Javascript. The most common XSS attacks are on web applications where a user has a logged in session. A successful XSS attack could read the victim's session ID cookie using document.cookie and then send it to the attacker's website where the attacker could proceed with a session hijack.

This attack is known as a Reflective XSS. A more severe type of XSS is a Persistent XSS which is where you store the input to a database for example, then you print it out on your homepage for all users to see, or any other page. A persistent XSS is much more harmful because any visitor of the page where the XSS persists can be attacked without actually having to re-launch the attack for each victim.




If you are only going to print what that same user posts, they cannot do much harm to you or other users. However, it is useful nevertheless as a user might use ">" and "<" and they would ruin the representation of the content.

However, if you are going to show the content which other users submit, this becomes much more dangerous.

A user can inject anything from links to other sites to javascript.

<script>window.location = '';</script>

And all users who come to the site which displays this bit of user submitted content will be redirected to evilsite.




Yeah, someone could for example inject some Javascript code, which when displayed would for example redirect them to another site (which is fairly harmless).


<script type="text/javascript">
window.location = ""
</script>

Would redirect the user to google if it were to be posted without being escaped




PHP code cannot be injected into that field as it is not evaluated by the PHP interpreter, however it does introduce the potential for cross site scripting.

You can test this by using something like this:

<form action="" method="POST">
<input type="text" name="name"/>
<input type="submit"/>
</form>

Hi <?php echo htmlspecialchars($_POST['name'] ?? ''); ?>.

Then in the "name" field, submit this code and see what happens:

<script type="text/javascript">alert("P0WN3D");</script>
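As an added illustration (not part of any answer above), the following script escapes the same user-supplied value for the three output contexts the answers mention: an HTML text node or attribute, an XML text node (the Fred&Jen case), and an inline JavaScript string. The sample inputs are constructed; the helper names are the example's own.

```php
<?php
// Added example, not from the original answers. Shows context-specific
// escaping of one untrusted value; the three sample inputs are constructed.
declare(strict_types=1);

// Escape for an HTML text node or attribute value. ENT_QUOTES also encodes
// single quotes, so the result is safe inside attributes delimited by '...'.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a text node in an XML document: a bare "&" would make the
// document invalid, as the Fred&Jen answer points out.
function escapeXml(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Embed a value in inline JavaScript: JSON-encode it and hex-escape "<" so a
// literal "</script>" inside the value cannot close the script element early.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample names, including the payloads discussed in the answers.
$samples = [
    'Fred&Jen',
    '<script>document.write(\'<img src="\'+document.cookie+\'"/>\');</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $name) {
    echo "HTML : <p>Hi " . escapeHtml($name) . ".</p>\n";
    echo "ATTR : <input value=\"" . escapeHtml($name) . "\">\n";
    echo "XML  : <name>" . escapeXml($name) . "</name>\n";
    echo "JS   : <script>var name = " . escapeJs($name) . ";</script>\n\n";
}
```

Run it from the command line to compare the escaped forms; none of the outputs contains a raw `<`, `>`, `&` or quote that the browser or XML parser would interpret as markup.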



Can someone actually put in malicious code into that one line?

