How to stop data injection in web forms?

Question

I've got a website with multiple pages that have html forms. But I'm getting bombarded with weird data that does not belong in the field. Example:

\'\"><svg/onload=(new(Image)).src=\'//rytk88vs0h2tc4yierrvrpgr2i8lwdm1eo8cx\\56burpcollaborator.net\

But this is supposed to be a

<select><option></option></select>

It is not a text input field. So how is the person submitting weird code above? How can I prevent this?

[This](https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet) would be a good place start. — Script47, Apr 10 '18 at 08:44
@KhrisnaGunanasurya it is advisable to use `htmlspecialchars` instead if you wish to retain characters 'significant' to HTML. — Script47, Apr 10 '18 at 08:47
@proofzy to learn about security within PHP? The linked page has a vast array of information regarding security and how to overcome such insecurities. — Script47, Apr 10 '18 at 08:49
@Script47 how about using `htmlentities($str, ENT_QUOTES);`? — Khrisna Gunanasurya, Apr 10 '18 at 08:49
Possible duplicate of [How to prevent XSS with HTML/PHP?](https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) — Script47, Apr 10 '18 at 08:50
@KhrisnaGunanasurya https://stackoverflow.com/q/46483/2263631 — Script47, Apr 10 '18 at 08:52

score 5 · Answer 1 · answered Apr 10 '18 at 08:52

\'\"><svg/onload=(new(Image)).src=\'//rytk88vs0h2tc4yierrvrpgr2i8lwdm1eo8cx\\56burpcollaborator.net\

This is an attempt at an XSS attack.

So how is the person submitting weird code above?

A form describes a user interface.
The browser constructs that UI and presents it to the user
The user enters data into the form
The browser takes that data and formats it into an HTTP request

…BUT there is nothing stopping someone from using some other method to construct an HTTP request and sending it to your server.

How can I prevent this?

You can't control what people send to your server.

You can only take steps to prevent it being harmful.

There is plenty of documentation out there on how to defend against SQL injection, XSS, and CSRF (which are the most common attacks).

As mentioned in the OP's comment chain, [OWASP's PHP Security Cheat Sheet](https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet) is an excellent resource for common security vulnerabilities. — Script47, Apr 10 '18 at 08:54

score 0 · Answer 2 · answered Apr 10 '18 at 09:06

it is an attempt to propertyinjection. you should always check, what values your form sends on submit. in this case you will probably expect an id as it is a select. a simple method to check if it is valid:

$alloptions = array(1 => 'Option A', 2 => 'Option B');

if(isset($_POST['select'])){
 if(!array_key_exists($_POST['select'], $alloptions)){
  echo 'error';
 }
}

foreach($alloptions as $optionid => $optionname){
 echo '<option value="'.$optionid.'">'.$optionname.'</option>;
}

How to stop data injection in web forms?

2 Answers2