
I am learning PHP and I came across htmlspecialchars(), which is said to be used to prevent hacker attacks. How? I have read about it on Google but did not understand it yet. Can you please give an example of how?

```php
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
Website : <input type="text" name="website"><br>
<input type="submit" value="Submit" name="button">

</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $website = $_POST['website'];
    echo "true";
    if (empty($website)) {
        echo "empty";
    } else {
        echo $website;
    }
}
?>
```

When I enter a URL like `http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E`, the output is `http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E`.


When I remove the htmlspecialchars() from `<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">` the output is the same. Why? What is the use of htmlspecialchars() then?

Also, consider that a user enters the following URL in the address bar:

`http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E`


In this case, the above code will be translated to (how and where does this happen?):

`<form method="post" action="test_form.php/"><script>alert('hacked')</script>`

StealthTrails
  • Please try to answer my question instead of awarding it -1. After 8 hours of searching I have come here to ask this question, so please try to clarify this for me :) . – StealthTrails Jul 03 '15 at 15:26
  • You're only escaping PHP_SELF for the action= URL. The browser then interprets HTML entities away when sending the POST request. PHP receives the raw value. And you're not escaping `$website` then. -- Also, is that comment complaint about [that previous question](http://stackoverflow.com/questions/31207902/how-to-convert-to-lt-and-convert-to-gt-using-php) posted a few minutes ago by a *different* user? – mario Jul 03 '15 at 15:39
  • possible duplicate of [Do you only run htmlspecialchars() on output or is there other functionality you also do?](http://stackoverflow.com/q/526438), [Is using htmlspecialchars() for input/output HTML sanitization, for MySQL database bad design?](http://stackoverflow.com/q/14148937), [Is htmlspecialchars() required on ALL output?](http://stackoverflow.com/q/17812833), [PHP & mySQL: When exactly to use htmlentities?](http://stackoverflow.com/q/2077576) – mario Jul 03 '15 at 15:56
  • @mario no, I did not complain about that question. This happens a lot with a lot of users who come here to ask something and they get -1, or "this post is a duplicate", etc. Nobody (at least not me) comes here until they have searched their question on Google. :) – StealthTrails Jul 03 '15 at 16:04
  • possible duplicate of [when to use htmlspecialchars() function?](http://stackoverflow.com/questions/4882307/when-to-use-htmlspecialchars-function) – Ben N Jul 03 '15 at 16:22
  • If you actually did some sort of prior research, then you could incorporate your findings into the question. Just saying that you googled isn't very convincing. And 8 hours sounds like hyperbole without showcasing any links. – mario Jul 03 '15 at 16:26
  • @mario, you should help if you can; this is what I know. Thanks btw – StealthTrails Jul 03 '15 at 16:47

2 Answers

This function is used to prevent XSS attacks; it is simple and powerful. However, if you want to prevent SQL injection, use mysqli_escape_string instead.

About the code you provided: you should use it in the `echo`/`print` of anything entered by a user:

```php
$website = htmlspecialchars($_POST['website']);
```

If $website is supposed to be a URL, you can validate it:

```php
$website = (filter_var($_POST['website'], FILTER_VALIDATE_URL) === false) ? '' : htmlspecialchars($_POST['website']);
```
Bader
  • Can you please explain this to me [link](http://prntscr.com/7oe6dh)? When I tried this code, no alert was there. – StealthTrails Jul 03 '15 at 16:14
  • It's correct. In case you are displaying PHP_SELF, which is given by the user, you have to escape all the user entries – Bader Jul 03 '15 at 16:26
  • If you mean you can't execute JavaScript, "maybe" it is because of your browser protection – Bader Jul 03 '15 at 16:32
  • Yes, the JS does not execute even without using `htmlspecialchars()` – StealthTrails Jul 03 '15 at 16:37
  • Chrome gave this error: `The XSS Auditor refused to execute a script in 'http://localhost/php/new.php' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.` – StealthTrails Jul 03 '15 at 16:40
  • Try with another browser – Bader Jul 03 '15 at 17:06
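The following is an added example, not code from the question or from either answer. It reconstructs what mario's comment and this answer describe: `$phpSelf` and `$website` are constructed stand-ins for `$_SERVER['PHP_SELF']` (after the web server has URL-decoded the extra path segment from the question's URL) and `$_POST['website']`, and the script prints the form tag and the echoed field with and without escaping so the two HTML strings can be compared side by side.

```php
<?php
// Added example (not code from the question or the answers).
// Constructed stand-ins for $_SERVER['PHP_SELF'] and $_POST['website']:
// for the URL test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
// the web server URL-decodes the extra path segment, so PHP_SELF holds
// literal quotes and angle brackets.
$phpSelf = '/test_form.php/"><script>alert(\'hacked\')</script>';
$website = '<h1>Hello, World!</h1>';

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also converts single quotes, which matters inside attributes;
// it became the default only in PHP 8.1, so pass it explicitly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Without escaping, the '"' closes the action attribute early and the '>'
// ends the tag, so the <script> element lands in the page as real markup.
$unescapedForm = '<form method="post" action="' . $phpSelf . '">';

// With escaping, '"', '<', '>' and the quotes become entities. The browser
// decodes them back to characters but keeps them inside the attribute value,
// so the action is just an odd-looking URL and no new tag is created.
$escapedForm = '<form method="post" action="' . h($phpSelf) . '">';

// The same rule applies to echoing the posted field: raw output lets the
// browser render the submitted markup, escaped output displays it as text.
$rawEcho     = $website;
$escapedEcho = h($website);

// Escaping is output encoding, not validation. If the field must be a URL,
// reject anything that is not one before using it, and still escape on output.
$isUrl = filter_var($website, FILTER_VALIDATE_URL) !== false;

echo $unescapedForm, PHP_EOL;
echo $escapedForm, PHP_EOL;
echo $rawEcho, PHP_EOL;
echo $escapedEcho, PHP_EOL;
echo $isUrl ? 'valid URL' : 'not a URL', PHP_EOL;
```

Run it from the command line and view the first two lines in a browser's page source to see why the escaped form keeps the injected text inside the `action` attribute while the unescaped one does not; note that the browser's XSS Auditor mentioned in the comments can mask the difference when testing in Chrome, which is why the escaped HTML, not the presence of an alert, is the thing to check.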

If you don't use htmlspecialchars(), the attacker may execute code, especially JavaScript.

From your code, try submitting the form with `<h1>Hello, World!</h1>` as input; the result will be

Hello, World

and to prevent this type of attack we use htmlspecialchars().

Without htmlspecialchars() the code gets executed.

Also submit `<script>alert('alert');</script>`; the result will be an alert box.

Provide `<script>alert('alert');</script>` in the textbox and submit.

[Screenshots: the submitted form and the resulting alert box]

Malik Naik
  • I like your answer. But according to this [link](http://prntscr.com/7oe6dh), the code should pop up an alert if I am not using `htmlspecialchars()`, but nothing happens. Why? – StealthTrails Jul 03 '15 at 16:31
  • Your code `` is not creating any alert like above. Any thoughts? My code is `Name :` – StealthTrails Jul 03 '15 at 16:35