
Update:

I'm still confused as ever. Can someone please reply to my last comment?

If all my data (+title1+ and +title2+ in this example -- see below) is sanitized using PHP, do I need to worry about JavaScript as well? I'm concerned about my use of title='"+title2+"' (the apostrophes are my concern) in my code below.

html/javascript:

    <div id="verification"></div>

    <script>
    function update() {
        $.ajax({
            url: 'update.php',      // php
            data: "",
            dataType: 'json',
            success: function (data) {
                // on receipt of reply
                var title1 = data[0];
                var title2 = data[1];

                // output to html
                $('#verification').html("<img src=images/test" + title1 + ".gif title='" + title2 + "'></img>");
            }
        });
    }
    </script>

json response

["1","test test test"]

output (by Mouseover text with Title)

test test test

php (php sanitizing omitted)

$result = mysql_query("SELECT title1, title2 FROM users WHERE username = '$foobar'")
or die(mysql_error());
$array = mysql_fetch_row($result);
echo json_encode($array);
michelle
    Need to explain your issue in more detail. Really not clear what you are asking or what problems you are having – charlietfl Aug 29 '15 at 21:49
  • I asked if I sanitized the data +title1+ +title2+ previously with PHP if my use of title='"+title2+"' (the apostrophes are my concern) is safe – michelle Aug 29 '15 at 21:50
  • 1
    You should worry more about using deprecated PHP functions `mysql_*`. – Charlotte Dunois Aug 29 '15 at 21:56
  • Right. I should be using PDO, but what about my question. – michelle Aug 29 '15 at 21:57
  • Could this help you: http://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks – EugenSunic Aug 29 '15 at 22:03
  • So what I learned from that link is there are two types of XSS attacks... self-XSS and DOM based. The rest is jargon to me. – michelle Aug 29 '15 at 22:08
  • So if the data is sanitized via PHP... can $('#verification').html(""); //output to html be exploited in any way or is it structurally sound? – michelle Aug 29 '15 at 22:21
  • I wish there was some sort of bump button on this site. I'm still confused as ever. I'm just going to assume since I used preg_replace a-zA-Z0-9 (PHP) for the data saved to my mysql db for title1 and title2 that $('#verification').html(""); is safe against XSS javascript exploits I guess – michelle Aug 29 '15 at 23:16

1 Answer


There are two different elements that need to be considered:

  • database: use prepared statements (PDO or mysqli) to avoid SQL injection via user input
  • UI: escape user input as required to avoid XSS attacks

While the user input has been 'sanitized' for queries against the database through the PDO/mysqli prepared statements, further consideration is required before presenting the user input back on the web page in the browser.

Keith
  • ... and there are even [2nd Level SQL injection](http://stackoverflow.com/a/134138/457723) attack vectors. – Keith Aug 31 '15 at 02:51
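The following is an added example, not code from the question or the answer, showing the UI half of the answer's advice applied to the question's snippet: the raw concatenation from the question next to a hardened version that whitelists title1 (the letters-and-digits rule the asker mentions) and HTML-escapes title2 before it goes into the title attribute. The sample reply is constructed, shaped like the page's ["1","test test test"] but with a title that contains apostrophes, because ordinary data breaks the unescaped attribute just as an attacker's would. The helper names (escapeHtml, safeMarkup, titleSeenByBrowser) are this example's own. It runs in Node without a DOM, since the check is made on the generated markup string; the database half (prepared statements in PHP) is not covered here.

```javascript
// Escape the five characters that change meaning in HTML text or inside a
// quoted attribute value. Single quotes matter here because the question's
// snippet wraps title2 in title='...'.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reverse of escapeHtml, used only to show what the browser would display.
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// title1 is spliced into a file name, so a whitelist (the a-zA-Z0-9 rule the
// asker mentions) is the right policy: anything else is rejected, not escaped.
function isAlphanumeric(value) {
  return /^[a-zA-Z0-9]+$/.test(String(value));
}

// Markup exactly as the question builds it: raw string concatenation.
function unsafeMarkup(title1, title2) {
  return "<img src=images/test" + title1 + ".gif title='" + title2 + "'>";
}

// Hardened form: whitelist title1, escape title2, and quote both attributes.
function safeMarkup(title1, title2) {
  if (!isAlphanumeric(title1)) {
    throw new Error('title1 must be alphanumeric');
  }
  return '<img src="images/test' + title1 + '.gif" title="' +
         escapeHtml(title2) + '">';
}

// Read the title attribute the way a lenient HTML parser would: the value
// ends at the first quote matching the one that opened it.
function titleSeenByBrowser(markup) {
  const m = /title=(['"])(.*?)\1/.exec(markup);
  return m ? unescapeHtml(m[2]) : null;
}

// Constructed JSON reply (same shape as the page's ["1","test test test"]).
const sampleReply = ['1', "Rock 'n' roll"];

// Returns what the user would see on mouseover for both versions.
function demo() {
  const [title1, title2] = sampleReply;
  return {
    unsafe: titleSeenByBrowser(unsafeMarkup(title1, title2)), // "Rock " (attribute cut off at the first apostrophe)
    safe: titleSeenByBrowser(safeMarkup(title1, title2)),     // "Rock 'n' roll"
  };
}

console.log(demo());
```

The unsafe version loses everything after the first apostrophe, which is the same mechanism that lets a crafted value end the attribute early; escaping removes that possibility regardless of what was stored in the database. In a browser the cleaner option is to skip markup strings altogether and let jQuery set the attributes, e.g. `$('<img>', { src: 'images/test' + title1 + '.gif', title: title2 })`, which never interprets title2 as HTML.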