0

Consider we have a login.php file as follows:

<?php
$username = $_POST['username'];
$password = $_POST['password'];
// check fields and if they were correct and they are  secure against injection attacks anf if there was the username and password
echo '<script> javascript code </script>';
?>

Can the hackers attack to the simple php code using the XSS attack?

computer
  • 59
  • 6
  • Google those keywords. – Funk Forty Niner Aug 24 '15 at 13:58
  • you cannot echo script inside php – Syed mohamed aladeen Aug 24 '15 at 13:58
  • If you want to pass data between _php_ and _JavaScript_ then use _JSON_, even if it's the generated source. – Paul S. Aug 24 '15 at 14:00
  • 1
    You need to explain what you plan to place in the javascript code. Do you plan to put the username and password there? If so, it will be part of the text of the HTML document. Are you sending this over plain text? If so, everyone can see it. As for syed's comment "you cannot echo script inside php" - that is so wrong it can only be a joke. – kainaw Aug 24 '15 at 14:00

1 Answers1

0

  1. There is no differents between showing javascript/html by using php echo or just a plain html file.

  2. XSS is a risk in your example, if you place direct form input (like the post) in the 'echo':

WRONG: echo '<script> javascript '.$_POST['username'].' code </script>';

BETTER: echo '<script> javascript '.aEscapeFuntion($_POST['username']).' code </script>';

See this link for more information about building your 'aEscapeFunction'.

Community
  • 1
  • 1
sanderbee
  • 694
  • 7
  • 24