2

Normally I'm using a code like this for forms. The PHP code in it is to refill the form, e.g. if something is missing or so:

<form action="" method="post">
    <input type="text" name="first_name" <?php if (isset($_POST['first_name'])) { echo "value=\"".$_POST['first_name']."\"";} ?>><br>
    <input type="text" name="last_name" <?php if (isset($_POST['last_name'])) { echo "value=\"".$_POST['last_name']."\"";} ?>><br>
    <input type="submit" name="submit">
</form>

A security tool just told me a hacker could manipulate my code if filling e.g. "><p>Hello!!!</p> and then submit. Could a hacker also manipulate PHP code or only HTML?

Is this a big secure issue?

What's the best way to prevent this? Is it enough to just search an remove special characters like > and "? Or is there a better, more elegant way?

1 Answers1

0

Yes it is a serious issue. It is an XSS attack. An attacker can inject a malicious script this way. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

In order to avoid this kind of attacks, you should escape HTML tags. Here is a PHP library that does it: http://php.net/manual/en/function.htmlspecialchars.php

Iakovos
  • 1,842
  • 4
  • 25
  • 30
  • Thanks. While waiting for an answer on this question, I had this idea: `','"','\'','/'), array('','','','',''), $_POST['name'])."\"";} ?>>`. Do you think it makes sense? –  Feb 02 '17 at 15:04
  • I am not a PHP expert, but I guess you are trying to remove the tags in this way. It is not a bad idea, if it fits your scenario, but using a library might be a better solution, just in case you missed something (e.g. the library also covers the '&' symbol, that is not covered by your code). – Iakovos Feb 02 '17 at 15:09