
I can't find any explicit information on this.

I have an HTML5 form...

  • which outputs to an external PHP script
  • which saves the variables output by the form as $_SESSION variables
  • which are then passed on to another page
  • which displays them

I've not (yet) escaped any of the data from any of the form fields.

Yet, when I enter a ' or a " or a & into the <textarea> of the form, everything continues working smoothly and nothing breaks.

I'm just as happy that it doesn't (since I want my form processing to be as robust as possible), but why doesn't it?

Is there some behind-the-scenes automatic escaping going on that I don't know about?

I am keen to find out if there is an authoritative source which explains what is going on.

The Form Page (HTML5):

<form class="contactform" method="post" action="/form-processing.php">
<fieldset>
<legend>Please Enter your Contact Details</legend>
<ul>
<li><label for="contactName">Contact Name:</label><input type="text" id="contactName" name="contactName" placeholder="Your Full Name" required /></li>
<li><label for="company">Company:</label><input type="text" id="company" name="company" placeholder="Your Company" required /></li>
<li><label for="telephone">Telephone:</label><input type="tel" id="telephone" name="telephone" placeholder="Your Work Telephone" required /></li>
<li><label for="email">Email:</label><input type="email" id="email" name="email" placeholder="Your Work Email" required /></li>
<li><label for="message">Message:</label>
<textarea id="message" name="message" placeholder="Write your message here..." required></textarea></li>
</ul>
</fieldset>

<input type="submit" value="Send your message" />
</form>

The Form Processing Page (PHP)

<?php
$Contact_Name = $_POST['contactName'];
$Company = $_POST['company'];
$Telephone = $_POST['telephone'];
$Email = $_POST['email'];
$Message = $_POST['message'];

if (($Contact_Name != '') && ($Company != '') && ($Telephone != '') && ($Email != '') && ($Message != '')) {

[...SCRIPT HERE...]

session_start(); // must be called before any output is sent
$_SESSION['contactName'] = $Contact_Name;
$_SESSION['company'] = $Company;
$_SESSION['telephone'] = $Telephone;
$_SESSION['email'] = $Email;
$_SESSION['message'] = $Message;

header('Location: http://'.$_SERVER['HTTP_HOST'].'/confirmation-page.php');
exit; // stop here so nothing after the redirect header keeps executing
}

The Confirmation Page (PHP)

<?php
session_start(); // needed before $_SESSION can be read on this page

if ((isset($_SESSION['contactName'])) && (isset($_SESSION['company'])) && (isset($_SESSION['telephone'])) && (isset($_SESSION['email'])) && (isset($_SESSION['message']))) {

$Contact_Name = $_SESSION['contactName'];
$Company = $_SESSION['company'];
$Telephone = $_SESSION['telephone'];
$Email = $_SESSION['email'];
$Message = $_SESSION['message'];

// Values are echoed unescaped on purpose here: this is the state the question describes
echo '<p>Your message has been sent.</p>

<dl>
<dt>Contact Name:</dt>
<dd>'.$Contact_Name.'</dd>
<dt>Company:</dt>
<dd>'.$Company.'</dd>
<dt>Telephone:</dt>
<dd>'.$Telephone.'</dd>
<dt>Email:</dt>
<dd>'.$Email.'</dd>
</dl>

<p>Message:</p>
<pre>'.$Message.'</pre>

<p>Thank you for your message.</p>
<p>We will be in touch.</p>';
}

I would have expected ' to break the PHP script the form data is passed to... but it doesn't. Any idea why not? I thought that's how XSS attacks were supposed to work?

  • Those characters are dangerous for SQL injection, not session variables. – wogsland Feb 04 '16 at 18:30
  • again @Rounin it's hard to say (for me anyway) why it would behave like that. If you want to post all your related code, then I and/or others will be more than happy to have a look at it and possibly test it on our end. Might just be a quoting issue. or maybe I'm not grasping the question. – Funk Forty Niner Feb 04 '16 at 18:37
  • 1
    @Rounin I added your comment to your question as well as the related XSS tag for it. TBH, I didn't grasp the question at first because of that missing *important tidbit* of information ;-) – Funk Forty Niner Feb 04 '16 at 18:49
  • What you need to worry about is someone entering html/javascript/sql-injection. sanitize/validate user input.. `'.$Contact_Name.'` should be `'.htmlspecialchars($Contact_Name).'` nitpick... use camelCase for variable names – Brad Kent Feb 04 '16 at 18:51
  • I appreciate your edit @Fred-ii- - I agree it very much clarifies the question. – Rounin Feb 04 '16 at 18:51
  • You're welcome @Rounin Have a read at these if you haven't already - http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/ - http://stackoverflow.com/q/1996122/ - https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet - should give you an insight. – Funk Forty Niner Feb 04 '16 at 18:54
  • @BradKent - Thank you. I understand that it is good practice to sanitize the input. What I don't understand is that before I have sanitized it, the server and the browser are behaving like I already have. (Re: Nitpick - I use camelCase for my javascript variables and I like to keep my javascript variables and my php variables distinct, with more than just a dollar sign to distinguish them). – Rounin Feb 04 '16 at 18:55
  • Just for clarification here... I'm _not_ trying to sanitize user input. (I'll be doing that next). Right now I'm trying (and failing) to break the form processing PHP script with unsanitized user input. – Rounin Feb 04 '16 at 18:58
  • 1
    @Rounin: 20 years ago the & and " (rather than & and ") may have broken some browsers rendering the html, but nowadays they're able to handle it OK. | any PHP variable may contain any arbitrary string (binary data even).. there's no issue with a var containing `'` or `"`. you may be thinking of the issue if you were to assign it progmatically... `$myVar = 'sha\'zam!'; // ' needs escaped as the string is enclosed with '` `$myVar = "dblquote -> \"!" // " needs escaped as the string is enclosed with "` – Brad Kent Feb 04 '16 at 19:01
  • 1
    @Rounin: as you're not doing any database stuff, there's nothing to "break" in that regard... but since you're not sanitizing stuff.... enter some stuff like this for values `` `` – Brad Kent Feb 04 '16 at 19:05
  • Thanks @BradKent. That's awesome. I tried out your example and it amply demonstrated the need to sanitize the user input. If you want to post your last two comments as an answer, I'll upvote and accept. – Rounin Feb 04 '16 at 19:10

1 Answer

My comments in answer form:

20 years ago the & and " (rather than &amp; and &quot;) may have broken some browsers when rendering the html, but nowadays they're able to handle it OK (&amp; & &quot; are correct though).

PHP variables may contain any arbitrary string (binary data even). There's no issue with a var containing ' or ". When assigning values programmatically, they need to be escaped:
$myVar = 'sha\'zam!';         // ' needs escaping as the string is enclosed with '
$myVar = "dblquote -> \"!";   // " needs escaping as the string is enclosed with "

As you're not doing any database stuff, there's nothing to "break" on the server side, but since you're not sanitizing stuff.... enter some values like
</form> or <script>alert('shazam!')</script>

This is how an attacker could end up getting the victim's session ID or other sensitive information.
