I have a website, on one page it reads a cookie from the users computer and uses that as a variable in the php code, for example in echo statments.
I am not currently cleaning the cooking any way.
2 questions:
can someone hack their cookie to put stuff into my php code?
if yes, how can i prevent this? HOW can I clean it?
Thanks!
Yes, it's very very easy to edit the cookies on the client.You should handle the values of the cookies as any other user generated input: don't trust it and validate it.
Yes, one could very easily exploit this depending on how it's used in the code. One could for instance, forge the entire request and provide any desired value for the cookie.
The question of how to prevent this depends on what values you are expecting the cookie to contain. All you need to do is make sure that the value of the cookie fits within your specification. Without knowing what this specification is or how the value is being used, there is not much more to say.
If you are only echoing the cookie, then the vulnerability that the user can explode is called "XSS" that stands for Cross Site Scripting. Basically he would insert <script> tags in the website to execute javascript.
You can prevent this by using the function strip_tags in php to clean tags from the cookie.
If you use the cookie in some other way, there could be new security issues, please specify if that is the case.
Strip_tags does not protect you from being hacked nor does it strip XSS. It only strips the HTML and you don't need HTML to XSS a site.
The problem is not in the input per se, it's in how you output it. If you echo it directly into an HTML page then you need to HTML-encode it; that's true of all strings you include in an HTML page, not just cookies. If you are as a habit outputting unescaped strings into HTML then you probably have much easier to exploit XSS bugs than this(*).
The way to handle variable text properly for output into HTML is to wrap every variable in htmlspecialchars() at the point you echo it into HTML (not as an input handling step). Do not use strip_tags()—it is not designed as a security measure and it fails in a variety of circumstances. If you need to accept limited user-input markup use an HTML purifier library.
(*: how exploitable an HTML-injection-from-cookie is depends largely on how that cookie gets set. If there is any way an attacker can persuade your application to set another user's cookie to a specific value, it'll be easily exploitable; otherwise, in order to exploit the HTML injection they would have to find a cookie-fixation bug. That could be a header-injection bug in your app, or it could be any vulnerable application in a ‘neighbour domain’—an application at a.example.com can set a cookie that will be read by an application at b.example.com.)
As people have posted a cookie is super easy to manipulate on the client side. It's basicly just a text file. If you only echo and don't depend on the data in the cookie for db calls, function calls or file includes you pribably don't need to care becasue the user would only affect what's displayd on his local machine. On public computers this could ofcourse be a problem though. If you want more controll handle the data using serverside sessions. Or if you really need the data in the cookie, store a hash of the cookue values serverside so you can determine if it has bern tampered with
