1

I have a form with one textarea field. The field is set to accept anything and stores the input in the database when submitted. The content is then made public at a URL, e.g. domain.com/asd. I'm not doing any type of strip_tags, htmlentities or any other type of XSS prevention.

My question is, what harm can this possibly cause? Can a user do any type of XSS to fetch information from the database during either input or output?

Balanivash
Pinkie

3 Answers

3

You might be under serious threat of stored XSS attacks. Stored cross-site scripting:

A Stored Cross Site Scripting vulnerability occurs when the malicious user can store some attack which will be called at a later time upon some other unknowing user. The attack is actually stored in some method to be later executed.

So, if the malicious code is in the textarea and you store it, then at a later point in time, when you display the data stored in the DB, it's like you are executing the code, right? Apart from this, there are a lot of other ways to play with your database whenever you use the data from the textarea in your SQL query.

Balanivash
3

XSS does not make any attacks possible against your server which would not be possible without XSS. What XSS does is to enable an unauthorized user to act as an authorized user. If you don't have user authentication on your site, XSS is usually not a threat.

Tgr
  • If you receive input from the browser and output it to other users, you are vulnerable. A lot of blogs allow you to post a comment without authentication (as an anonymous user) and are vulnerable to XSS. – Alfred Jun 28 '11 at 13:06
  • @Alfred: *You* are not vulnerable; your users might be. All XSS does is to enable the attacker to perform an action which would normally require authentication. It does not enable SQL injection type attacks, which is what the question seems to be about. (That said, there is no reason not to encode the output; it never hurts, and it can prevent attacks which you forgot to consider.) – Tgr Jun 28 '11 at 14:57
  • When you have XSS your cookies could be stolen, but you are right about the SQL injection part. They could do really bad things with your service when cookies get stolen. Purchase things, for example, and you might get to pay for that... – Alfred Jun 28 '11 at 16:36
2

When you accept input from the user you should at least:

  • For the database, use PDO to prevent SQL injections.
  • Use a filter to prevent XSS.

Otherwise your code is going to be unsafe as hell.

I would recommend that you read OWASP to learn more about a lot of vulnerabilities. Especially the OWASP Top 10 page is a must-read.

Alfred
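The two points the answers make (stored input is executed when it is displayed, and user text must never be spliced into SQL) in one runnable illustration. This is an added example, not code from the question or any answer; it uses Python with an in-memory SQLite table as a stand-in for the asker's unknown schema, and parameterised queries play the role the third answer assigns to PDO prepared statements. The sample textarea body is constructed for the demo.

```python
import html
import sqlite3

# Constructed sample of what a visitor might type into the textarea.
# The apostrophe matters for the SQL half, the <script> tag for the XSS half.
SAMPLE_BODY = "O'Reilly says: <script>alert('stored xss')</script>"


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the real posts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (slug TEXT PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_post_naive(conn: sqlite3.Connection, slug: str, body: str) -> None:
    """String concatenation: the user's text becomes part of the SQL itself.
    A single apostrophe already breaks the statement, which is exactly the
    gap an SQL injection exploits."""
    conn.execute(f"INSERT INTO posts (slug, body) VALUES ('{slug}', '{body}')")


def store_post(conn: sqlite3.Connection, slug: str, body: str) -> None:
    """Parameterised query (what PDO prepared statements give you in PHP):
    the driver sends body as data, so it can never alter the query."""
    conn.execute("INSERT INTO posts (slug, body) VALUES (?, ?)", (slug, body))


def load_post(conn: sqlite3.Connection, slug: str):
    row = conn.execute("SELECT body FROM posts WHERE slug = ?", (slug,)).fetchone()
    return None if row is None else row[0]


def render_unsafe(body: str) -> str:
    """What the asker's page does now: stored text is emitted as raw HTML,
    so a stored <script> tag runs in every visitor's browser."""
    return f"<p>{body}</p>"


def render_safe(body: str) -> str:
    """Output encoding: the text stays intact in the database but the
    browser shows it as text, so the tag is displayed, not executed."""
    return f"<p>{html.escape(body, quote=True)}</p>"


def demo() -> dict:
    conn = open_db()
    try:
        store_post_naive(conn, "asd", SAMPLE_BODY)
        naive_ok = True
    except sqlite3.OperationalError:
        # The apostrophe in the body terminated the SQL string early.
        naive_ok = False
    store_post(conn, "asd", SAMPLE_BODY)
    body = load_post(conn, "asd")
    return {
        "naive_insert_succeeded": naive_ok,
        "stored_verbatim": body == SAMPLE_BODY,
        "unsafe_html": render_unsafe(body),
        "safe_html": render_safe(body),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the fix is applied at output, not at input: the database keeps exactly what the user typed, and `render_safe` decides how it is shown. Escaping on the way out covers every place the text is later displayed, whereas stripping on the way in silently alters data and still leaves any other output path unprotected.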