Apr 7, 2012

PHP: How to prevent XSS Attacks

Data entered by a user that contains HTML or JavaScript can cause a really big problem.
Let us take the example of a simple application like a blog, where a user can submit comments after reading an article and those comments are then displayed. If the user is good, behaves nicely and enters only plain text, there is no problem. Let's imagine instead that the user submits the following data:

What will happen? The situation gets complicated. The browser cannot tell the difference between the HTML tags that make up the blog's own page and the HTML tags embedded in the comment.

It is still fine if the user closes the HTML tags, as in the code above, where all the HTML tags are closed properly. Imagine the situation if they are not closed properly. Then things become much worse: the browser will no longer display the page correctly. For example, suppose someone submits:

The situation becomes worse still if the input contains JavaScript. Then you will feel the power of JavaScript: a malicious hacker can steal your cookies and send them to his inbox, can redirect your pages to another website, and can steal the passwords saved in your browser. A lot can be done with JavaScript.

These kinds of problems are called XSS (Cross-Site Scripting) attacks.

If you want to stay safe from XSS you need to code carefully and intelligently: never display the user's input directly. You need to remove or encode the HTML tags before displaying the data on the site.
The good news is that PHP gives you two functions to remove HTML tags or encode special characters:
1. strip_tags(): removes the HTML tags from a string.
2. htmlentities(): encodes the special HTML characters.

Let's see how to use those functions:

If $_POST['comment'] contains

it will simply display:
Hi.. Your article is awesome.

Now let's see the use of the htmlentities() function:

If $_POST['comment'] contains

It will display:

The characters have been changed to

Now the browser will not display the page correctly.

You also need to set default values for the form fields to stay protected from XSS.
Make an array of default values, as in the example:

See how to set the default value in a multiline text area:

This is how we can prevent XSS.
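The following is an added example, not code from the original post. It puts the two functions the post names, strip_tags() and htmlentities(), side by side on a constructed comment, and then applies the "default values" idea to redisplay the comment text area safely. The helper names (escape_html, form_values, textarea_html) and the sample $samplePost array are this example's own assumptions; in a real request $samplePost would be $_POST.

```php
<?php
// Added example (not from the original post): strip_tags() versus htmlentities(),
// plus default form values and a safely rendered <textarea>.
// Helper names below are this example's own, not a PHP or framework API.

declare(strict_types=1);

// Encode every HTML-significant character, including both quote styles,
// so the value is safe inside element text and inside double-quoted attributes.
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 1 from the post: drop the tags entirely.
function render_comment_stripped(string $comment): string
{
    return strip_tags($comment);
}

// Option 2 from the post: keep the text but make the browser show it literally.
function render_comment_encoded(string $comment): string
{
    return escape_html($comment);
}

// Merge posted values over an array of defaults. Only fields that exist in
// the defaults are accepted, and only when they arrive as strings, so every
// field is always a string and never triggers an undefined-index notice.
function form_values(array $defaults, array $post): array
{
    $values = $defaults;
    foreach ($defaults as $field => $default) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $values[$field] = $post[$field];
        }
    }
    return $values;
}

// Redisplay the multiline text area with its current value escaped,
// so a submitted "</textarea>" cannot break out of the element.
function textarea_html(string $name, string $value): string
{
    return '<textarea name="' . escape_html($name) . '">'
        . escape_html($value)
        . '</textarea>';
}

// Constructed sample input standing in for $_POST in a real request.
$samplePost = [
    'name'    => 'Alice',
    'comment' => 'Hi.. Your article is <b>awesome</b>. <script>alert("xss")</script>',
    'ignored' => 'this key is not in the defaults and is dropped',
];
$defaults = ['name' => '', 'comment' => ''];

$values = form_values($defaults, $samplePost);

echo "strip_tags():   " . render_comment_stripped($values['comment']) . "\n";
echo "htmlentities(): " . render_comment_encoded($values['comment']) . "\n";
echo textarea_html('comment', $values['comment']) . "\n";
```

Running this shows the difference between the two approaches: strip_tags() removes the `<b>` and `<script>` tags but leaves the script body `alert("xss")` behind as plain text, while htmlentities() keeps the whole comment and turns every `<`, `>` and `"` into an entity so the browser renders it as text instead of markup. The text area uses the same escape_html() helper for both the attribute and the content.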

May 25, 2010

Google Pacman (Source Download)

The day before yesterday Google celebrated the 30th anniversary of PAC-MAN. You might have noticed the change in the Google Doodle; it's just special...

You can view the pic below.

The special thing is that you can play the hackers' favourite game right in the doodle. You have to click on it and the game will start.

Many users liked it, so Google made it permanent. You can access the page simply by typing six more characters after www.google.com, that is /pacman


I liked it, although many people are saying it's a waste of time and money. I think it's creativity. Thanks Google for showing a new way of creativity!!

Now if you liked it, you may want to save it. One thing to note: simply saving the page won't work. This PAC-MAN is written entirely in JavaScript.

You can download the source by clicking here.

This doodle has been open-sourced by macek on GitHub. You can alternatively download the latest version from there. The link is provided below.


Happy Sharing!!
